Here we sit amidst a calm before the storm, with many contractors in the Defense Industrial Base (DIB) becoming complacent, resting idly rather than taking proactive steps toward CMMC compliance.
It’s Too Quiet
Can you blame the idle DIB? The CMMC has been on hold since March 2021, when Deputy Defense Secretary Kathleen Hicks initiated an “internal assessment” of the program. Initially scheduled to last 30 days, the defense industry’s wait for guidance has now stretched into August.
The last substantial CMMC news came from Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, when he assumed oversight of the CMMC program in May 2021. Deputy Salazar presented a statement to the Senate Armed Services Committee, Subcommittee on Cybersecurity in which he focused on the importance of mitigating cybersecurity risk within America’s DIB.
Bubbling Beneath the Surface
President Biden issued an Executive Order (EO) in May 2021 outlining plans to spur the public and private sectors and the federal government to identify and protect against ever-increasing malicious cyber threats. The EO on “Improving the Nation’s Cybersecurity” (14028) charges multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
Without much fanfare or announcement, branches of the DoD sunsetted Commercial Virtual Remote (CVR), the platform that resided in Microsoft’s commercial environment, in June 2021. What platform did the branches of the DoD migrate to? Finding the answer takes a little digging, but the short answer is that they migrated to the Microsoft Azure Government sovereign cloud on Microsoft 365 DoD. Everyone, including the Army, Navy, Air Force and Marines, has made the transition.
In addition, the first group of Authorized C3PAOs passed the DIBCAC assessments in June and are listed in the CMMC-AB’s Marketplace.
Trying to Predict the Weather
This has caused a lot of frantic scurrying about by the DIB, trying to ‘read the tea leaves’ under the premise that CMMC will still be around after Kathleen Hicks’ review. It is my opinion that the DoD would not invest so much effort into certifying Candidate C3PAOs if they were not planning to have some form of CMMC in place.
With all this confusion, many in the DIB are falling back into the ‘wait and see’ mentality. Unfortunately, this will catch up to them, since there are requirements in place to submit a NIST 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) per DFARS 252.204-7019.
Any new contract bids coming out of the DoD will require that a score be in place prior to award. NIST 800-171 is not a new requirement for a DIB contractor and has been around since 2016. What has changed is that the contractor now needs to verify that it has performed its due diligence and is working to improve its cybersecurity posture over time, since the self-assessment is due once every three years.
Even though there is no official word from the DoD on whether or not a DIB contractor’s self-assessment score will play a part in contract awards, this should not deter a company from making improvements. Use this calm before the storm to get prepared!
For more information, contact us at firstname.lastname@example.org. We have CMMC-RPs on staff ready to answer your questions.