CMMC Doesn't Exist
This is a direct quote from our good friend at the Defense Acquisition University, Chris Newborn. It may sound odd, weird, wrong, or even crazy. But it is true, and it is an important distinction to make. Right now, until the actual rulemaking efforts are complete, CMMC does not exist. What does exist is DFARS 7012, 7019, and 7020. These are the current requirements: NIST 800-171, the DoD Assessment Methodology score, and the submission of the score to SPRS.
Because we have all focused so much on CMMC, and we hear it could be up to 24 months until the rulemaking process is complete, many defense contractors have pulled back, delayed, or even stopped their preparation efforts. This is a very dangerous game to play. The reality is that defense contractors with the DFARS 7012 clause in an active contract are already expected and required to be compliant with NIST 800-171, and are liable for that compliance.
Becoming compliant with 800-171 is not easy. It is not quick. It is not cheap. Cybersecurity is a risk management investment now. Many small business defense contractors are taking 12-18 months to fully implement all of the requirements, technology, culture changes, practices, and procedures to be ready to be assessed. Delaying until the rulemaking is complete is a roll of the dice in a game you can't win. If you delay, you will be behind the curve, potentially losing competitive advantage and the ability to do business with many of the large prime contractors, which are expecting or requiring that their subcontractors be compliant ASAP or they will no longer do business with you.
There is word from the DoD that companies that are able to get certified by a C3PAO, once that process is started, before the rulemaking is done, will not have their three-year renewal window start until rulemaking is complete. This could be a 1-year to 2-year increase in your renewal window. This would save time and significant money, not only on preparation but also on the actual cost of having the assessment done.
KNCSS is here to help you, however you need it. We can complement your existing team, or help manage the entire preparation process. Our goal is for you to do everything you want to, and for us to help only with what you do not want to do, or cannot do. We team with our clients as trusted partners. We provide our Red, White, and Blue Glove service to our clients and treat them as friends.