
Federal Civilian Agencies May Have to Comply with CMMC-Like Security Requirements

If you sell to the federal government – any agency – you need to pay attention to this. Until now, only DoD contractors were going to have to comply with CMMC or NIST SP 800-171. The standard requires 100% compliance with 110 controls; some of them are pretty straightforward, like requiring each user to have their own unique user account, and some of them are complex, like real-time event logging and alerting.

Stacy Bostjanick, head of the CMMC program at the DoD, says it is inevitable that a new rule, called a FAR (Federal Acquisition Regulation), will apply across all civilian federal government agencies as well.

Already a few agencies are requiring it, such as the Department of Education where student loans are involved.

What Ms. Bostjanick is lobbying for is a single standard across the federal government rather than different standards, and it appears that the process to make this mandatory is already in the works and the rule might come out as soon as next month.

Assuming this happens, what likely will follow is state governments and then local governments applying the same standard.

What this means is that if you sell anywhere in the public sector, this rule will, eventually, apply to you.

And, guess what happens after that?

Large non-government organizations are going to say, as a matter of contract, this is our standard too. We are already seeing this in the private sector. In fact, companies are losing business because they are not compliant and their potential customers are saying we will find someone else, thank you very much.

You have three choices here.

1. You can choose to only sell to mom & pop private sector companies or directly to consumers, but not to larger companies or the public sector. Depending on your business, that could work.

2. You can choose to wait and see if this cybersecurity thing blows over and the government and large private companies, some of whom are already requiring this and more, change their mind and say this was only an April Fool’s joke (don’t count on this).

or

3. You can start your journey to improve your cybersecurity and privacy practices so that when the inevitable happens, you are already on your way to being prepared.

Which strategy makes the most sense to you?

If you want to start your journey, please contact us.

Credit: Fedscoop
