We have all been hearing about Cybersecurity Maturity Model Certification (CMMC). Cyber Self-Defense has been posting quite a bit about this program because we want you to be well informed. As we begin preparations for 2021, I thought I would write another article that answers two of the questions we hear from nearly everyone who calls us, and we have been receiving plenty of questions.
The first question I receive most often is, “Do I have to be compliant with CMMC?” My initial response is that as business leaders, it is our responsibility to protect our company and our customers. Cybersecurity is another business risk that MUST be addressed. That view does not depend on whether or not you have a legal requirement to comply, so let me dig in a bit more. A NON-CMMC question I receive often is, “What cybersecurity standard should I follow?” My answer varies based on the needs of the company. Having looked at many companies, I think a middle-of-the-road approach is the CMMC. This standard is laser-focused and allows for certification without the heavy overhead many other standards require. It is well mapped out and provides a realistic approach to cybersecurity while remaining adaptable to the needs of the organization.
Let’s now discuss the “legal” stuff. I am not an attorney, nor do I play one on television. What I keep hearing is that the Department of Defense has the ability to hold companies accountable for three times the cost of the contract plus an additional amount per claim, in accordance with the False Claims Act. If you are currently doing business with the DOD, you are already accountable for compliance. If you plan on doing business with the DOD, you will (eventually) have to achieve compliance. In addition, your employees have an incentive to report your non-compliance: they receive between 15% and 30% of any award under the False Claims Act. I have read that the Department of Justice had already obtained over $3 billion in settlements and judgments in the fiscal year ending September 30, 2019. Based on this, I recommend the certification.
Another question/statement we receive is something to the effect of “I am going to wait and see if the DOD will enforce it. I don’t have to be compliant right now, do I?” On November 23rd, 2020, I received a communication from Idaho PTAC that stated, “Idaho’s PTAC has been made aware of a fast-approaching deadline for prime and sub-contractors working with the Department of Defense (DoD). All contractors must complete and submit a NIST SP 800-171 cyber self-assessment to the DoD Supplier Performance Risk System (SPRS) through their approved vendor, Project Spectrum, in compliance with CMMC requirements. The deadline for this self-assessment is Monday, November 30, 2020. Those who do not complete and submit this initial self-assessment are at risk of losing their contracts with the DoD.” In every circle I belong to, I am hearing that this WILL be enforced. If you wait until the last minute, you will not make it! The CMMC is based on maturity, so if you think you will be able to put a plan together at the last minute and pass the certification, you are incorrect! This program is designed to ensure that you are mature, not that you threw something together overnight.
As this is a program that we care about and REALLY want to help you with, please reach out to us for answers to your questions. We have put together a PowerPoint with key information, a free service we offer to help you decide whether you should prepare for the certification. Just give us a call at (866) 292-3796 to start the conversation!