CMMC, the Quick and the Dead

Why Start CMMC Compliance Now

By William Baugh CISA, CPA, CSM, SSGB, CCP

Principal CMMC Solutions

CMMC, the Butterfly Behind the Coming Storm

While implementing regulatory standards is not new, and the markets often adapt with minimal disruption, CMMC is very different. Likely, the DoD’s CMMC initiative will drastically change the defense industry, creating a market shake-up that rewards a new breed of market leaders who leverage cybersecurity for market advantage.

How would CMMC create a market advantage versus other initiatives? The devil is in the details and the nature of the human animal and its organizations. Over the past 15 years, our company (Corporate Visions) has guided clients through various IT risk and cybersecurity initiatives without too much change to the industry. But CMMC is different. We can divide the industry into two groups: companies with proactive management (the Proactive) and companies with reactive management (the Reactive). The Proactive will reap the rewards as always, with the occasional scratches and bumps suffered by all trailblazers. However, with CMMC, the impact on reactive management may prove much less forgiving.

The Quick and the Dead

The Reactive, whether from caution, higher perceived priorities, apathy, etc., can generally recover or even benefit from not adapting quickly to new initiatives. Reactive companies often enjoy the lessons from the trials of early adopters. However, CMMC has three distinct variables that will challenge Reactive companies.

  1. CMMC Failure is Not an Option: The reasons for CMMC are too crucial for this initiative to fail. Even if our nation’s security were to lose to politics, the politics would not change the threat, and the DoD is unlikely to favor companies it deems cannot keep secrets.
  2. CMMC Implementation Timing Risk: The timeline to implement CMMC is likely much longer than most companies anticipate. And, for the reasons stated above, the DoD cannot afford to use contractors who cannot keep secrets. Contractors that delay too long may lose opportunities. Uncertified contractors will then need to quickly find a way to realize value from the products and services the DoD covets.
  3. Security as a Competitive Strategy: Companies that lack the required security may find that they either lose the business to a more secure competitor or are acquired by one. The market changed by CMMC will reward companies that value security and be a bonanza for companies that use security as a competitive strategy.

Reason 1: CMMC Failure is Not an Option

If CMMC fails, we fail. Something like CMMC needed to happen. Specifically, defense contractors in possession of defense secrets need to be held accountable for their cybersecurity. Further, their accountability for cybersecurity needs to be validated. In a world of competing priorities, it is human nature not to focus on requirements that are not verified. Who coined the phrase “Trust but Verify”? To illustrate, when the DoD did audit its contractors’ compliance with the cybersecurity requirements, it found that only one percent of the contractors complied. In other words, a 99% cybersecurity fail rate. The DoD estimates it loses $660 billion a year from cyber attacks. Yes, billion! Based on the Defense Industrial Base’s (DIB’s) cybersecurity record, the more appropriate phrase should be “Don’t Trust Until Verified.”

A defense project whose usefulness stems from its secrets is not only wasted when those secrets are exposed, but dangerous to our country and those who protect us. Contracting defense secrets to companies that cannot protect them is reckless.

Contractors in possession of defense secrets need to be held accountable for their cybersecurity.

The Danger is Real

It is a fact that the defense supply chain is under constant attack from criminals and foreign adversaries. Many defense contractors, and especially their sub-contractors, have not accepted this reality and are locked into an outdated paradigm that “what was enough yesterday is enough now.” For cybersecurity, the paradigm is “what is enough now will not be enough tomorrow.” CMMC addresses a real danger. Our enemies have been successful in attacking the weakest cybersecurity links in the defense supply chain.

The weakest links in the US defense supply chain are softened by those unaware of the extent of the threat. CMMC attempts to strengthen the chain through enforcement of minimum cybersecurity hygiene.

Are There Options?

While there are strong arguments for improving CMMC, failure is not an option. Also, the DoD and the CMMC Accreditation Body (AB) will tell you that continuously improving CMMC is the plan. So while there are reasoned arguments that CMMC is less than perfect and its rollout is challenging, the calls to eliminate or delay CMMC are unacceptable. To date, there are no viable alternatives to CMMC.

Reason 2: CMMC Implementation Timing Risk

For the sake of argument, let us assume that I (and the DoD) am right that CMMC is going to happen. And, let’s further assume that CMMC will be rolled out as planned with the renewal of defense contracts in 2021. If this is the case, the new defense market will select winners and losers by a contractor’s ability to demonstrate that it can protect secrets via CMMC Certification. The CMMC Accreditation Body (AB) defines ten steps to CMMC certification. The AB also states that companies should plan at least six months to complete the certification steps. However, this assumes that the company is already compliant with the existing cybersecurity requirements under DFARS 252.204-7012, specifically NIST SP 800-171. If a company is not compliant with the current DFARS requirements, then CMMC compliance could take much longer than the AB’s six-month estimate.

If a company is not compliant with the existing DFARS requirements, then CMMC compliance could take much longer than the AB’s six-month estimate.

Do you see the problem yet? Earlier, I pointed out that according to audit data, only one percent of defense contractors were compliant with the existing DFARS requirements. Many of the cybersecurity compliance gaps will take contractors months to fix. Take the CMMC practices that require the implementation of a process. Often, processes require hiring qualified people. That alone could take months, especially for cybersecurity professionals, who are in short supply. Companies that have not completed a CMMC or NIST SP 800-171 self-assessment would not know whether they are six months or a year from reaching CMMC compliance. Also, the requirement that subcontractors also be CMMC certified could extend the certification time for prime contractors. You don’t have to be a PMP to realize there are too many unknown variables that could extend the CMMC compliance timeline well beyond six months. Companies that are late to understand this risk could end up easy prey for their competition.

The Proactive and the Reactive

It is our experience that compliance initiatives divide companies into the Proactive (companies quick to respond) and the Reactive (companies that wait to respond). While many initiatives can favor, or at least not penalize, the Reactive too much, CMMC is different.

CMMC will have more substantial penalties for Reactive contractors because the time it will take to be compliant is likely longer than expected. Also, CMMC has hard deadlines, since the contracts will require it, and the DoD does not have room to compromise or delay CMMC implementation. Further, because CMMC compliance is independently validated to ensure there are no exceptions to the standard, contractors will not have any wiggle room to shortcut compliance. The DoD, however, does have wiggle room: Proactive competitors.

Reason 3: Security as a Competitive Strategy

CMMC could not only lead to distinct winners and losers among those competing for defense contracts, but could lead to a reshuffling of the defense market, with a distinct advantage to the companies that value cybersecurity. With CMMC, the early adopters will enjoy a significant advantage over their lagging competitors.

The CMMC certification advantage could extend to acquisition opportunities for certified companies. Consider contractors that realize too late that they cannot become CMMC certified in time to win a contract. These companies would be motivated to salvage some value for their operations by selling to a CMMC-certified company.

Additionally, limited cybersecurity talent helps to create market conditions where Proactive companies can use their security talent to build scalable cybersecurity that facilitates the acquisition of defense projects from competitors. The size of a company would be secondary to its ability to scale its cybersecurity for new projects. These Proactive, cybersecurity-savvy competitors and MSPs could leverage CMMC to bend the defense market in their favor.

Security is not going away; it is growing. All indications are that other areas of government will adopt a CMMC-like cybersecurity model for their agencies. The broader adoption of the CMMC model multiplies the competitive advantage for early adopters in their respective markets.

CMMC is poised to be a seismic event, changing the competitive landscapes for the markets requiring it. Like most seismic market changes, it has the potential to divide the market into the Quick and the Dead.