
The CMMC Conundrum

I have noticed something recently from some members of the CMMC consulting community: they create fear.

Statements like "CMMC will be in contracts in May of next year and if you are not CMMC compliant you will not be able to get DoD contracts" are in their sales pieces.

Here is the reality.

  • CMMC is really just NIST SP 800-171 with a third party certification requirement (only in some cases). At least some companies will still be able to self-certify.
  • DoD does not control what is in 800-171, the Department of Commerce (NIST) does.
  • DoD tried voluntary compliance with 800-171 for several years and, to be polite, that did not work.
  • If you have DFARS 252.204-7012 in ANY of your current contracts, by signing that contract you attested that you are fully compliant with 800-171 (AKA CMMC without the third party certification part).
  • The Justice Department says they will use the False Claims Act to go after people who lie about their security readiness. They have settled False Claims Act charges against two companies in the last couple of months.
  • One “feature” of the False Claims Act is that the person who tells the DoJ about the false claim can get up to 30% of whatever the fine is. In one of the two settlements above, the company agreed to pay a $9 million fine and the whistleblower got almost $2.9 million.
  • That whistleblower could be a former employee, competitor, contractor or upset current employee. 30% is a big motivator and the government did that on purpose.
  • It will take years before all contractors will need to be CMMC certified, either by themselves or by a third party, and DoD understands that. They understand what it will take to get there and they don’t want small businesses, especially, to exit the DoD contracting space.

So, don’t worry about the CMMC certification process unless you are working on a high-profile project.

What you do need to be working on – actively – is getting into compliance with 800-171 – something that you should already be doing. Or, more accurately, something that should already be done. And doing that will put you in line for CMMC certification when you need it.

If you need help with 800-171, please contact us.
