Someone just sent me an article about the new CMMC 2.0 regulations and another article about the basics of conducting an audit and figuring out where your data is. They're talking about privacy information and CMMC. The article was less than a page long. It was horribly light and very generic.
CMMC is going to become law on December 16th. The time for review and discussion is over. It's time for marketeers to turn off the fear, uncertainty, and doubt marketing tactics and start being helpful. Like it or not, it's time to line up and make our contractor community cyber-safe. I'm growing tired of watching publishers, pundits, and influencers (and wanna-be influencers), many of whom have never been operational security practitioners, architects, or incident responders, repeatedly trying to sell you things through fear, uncertainty, and doubt in CMMC marketing. It's making me a little crazy.
I've talked to dozens and dozens of companies about CMMC. Here's what I know:
- No CEO doubts that cyber requirements are a good thing. Most just don't know where to start.
- The idea that they would have to swallow the entire cost of 110 controls to go straight to level 2 is daunting. They're looking at easily $100,000 plus audits for even some of the smallest companies.
So there's an opportunity to go to level 1 now and then level 2 later, as long as the contracting officers don't screw this up. The one consistent comment I've received in nearly every conversation worries me: government contracting officers have yet to learn what CUI is. This was the concern in 2009 when we started having these conversations across the tables in big conference rooms: what exactly is CUI? There is a list: https://www.archives.gov/cui/registry/category-list. It's pretty generic. There's a boatload of room for interpretation, and it's easy to see why a CO might not want to try to label something CUI. It's much easier to simply overclassify.
This list can't be genericized. Not every contract requires CMMC Level 2 or a perfect SPRS score.
If the COs do start blanket-requiring everything to be CMMC level 2 (and I'm hearing that it is becoming normal to do so) because contracting officers have little or no training on what is actually required for level 1 versus level 2, you're going to drive a lot of small businesses out of work.
My recommendation for any defense contractor is, and will continue to be:
- Get level 1,
- Go to level 2 when required,
- Be able to show your work.
Don't cheat. Don't cut corners. DOJ will get you. They're making it advantageous for whistleblowers to let them know that you've got a problem, and real cash prizes are involved.
If you need help, contact us. We've been working in this space. My leadership team consists of serial senior chief information security officers. We know how to write policies and procedures. We've been tracking CMMC for a long time, and we can make this much easier for you. Better yet, we can just tell you how to get started.
Drop us a note. staysafeonline@trustedinternet.io
https://trustedinternet.io/compliance