Calm before the storm

CMMC: The Calm Before The Storm

Here we sit amidst a calm before the storm with many contractors in the Defense Industry Base (DIB) becoming complacent, resting idly rather than taking proactive steps towards CMMC compliance.

It’s Too Quiet

Can you blame the idle DIB? The CMMC has been on hold since March 2021, when Deputy Defense Secretary Kathleen Hicks initiated an “internal assessment” of the program. Initially scheduled to last 30 days, the defense industry’s wait for guidance has now stretched into August.

The last substantial CMMC news came from Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, when he assumed oversight of the CMMC program in May 2021. Deputy Salazar presented a statement to the Senate Armed Services Committee, Subcommittee on Cybersecurity in which he focused on the importance of mitigating cybersecurity risk within America’s DIB.

Bubbling Beneath the Surface

President Biden issued an Executive Order (EO) in May 2021 outlining plans to spur public, private, and the federal government to identify and protect against ever increasing malicious cyber threats. The EO on “Improving the Nation’s Cybersecurity (14028)” charges multiple agencies – including NIST– with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Without much fanfare or announcement, branches of the DoD sunsetted the platform in June 2021 which Commercial Virtual Remote (CVR) resided in Microsoft’s commercial environment. What platform did the branches of the DoD migrate to? Finding the answer takes a little digging, but the short answer is that migration to the Microsoft Azure Government sovereign cloud on Microsoft 365 DoD has occurred. Everyone including the Army, Navy, Airforce and Marines have made the transition.

In addition, the first group of Authorized C3PAO’s passed the DIBCAC assessments in June and are listed in the CMMC-AB’s Market Place.

Trying to Predict the Weather

This has caused a lot of frantic scurrying about by the DIB trying to ‘Read the tea leaves’ under the premise that CMMC will still be around after Kathleen Hicks’ review. It is my opinion that the DoD would not invest so much effort into certifying Candidate C3PAO’s if they were not planning to have some form of CMMC in place.

With all this confusion, many in the DIB are falling back into the ‘wait and see’ mentality. Unfortunately this will catch up to them since there are requirements in place to submit a self-assessment NIST 800-171 score up to the Supplier Performance Risk System (SPRS) per DFARS 252.204.7019. 

Any new contract bids coming out of the DoD will have the requirement of having a score in place prior to award. NIST 800-171 is not a new requirement for a DIB and has been around since 2016.  The change is around the DIB needing to verify that they have performed their due diligence and are working to improve their cybersecurity stance over time since the self-assessment is due once every three years. 

Even though there is no official word from the DoD on whether or not a DIB’s self-assessment score will play a part in contract awards, this should not deter a company from making improvements. Use this calm before the storm to get prepared!

More Info

For more information, contact us at We have CMMC-RP’s on staff ready to answer your questions.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Related Posts

Let’s Talk Security

As the IT security landscape evolves, new threats crop up almost daily and security teams face a heavy burden to keep pace. To provide some

Read More »

Cloud Based Solutions for Meeting CMMC Requirements

CMMC requirements vary depending on your business and industry. Manufacturing, IT consulting, engineering, construction, etc. may all have different infrastructures, but if you’re in the DoD supply chain, CMMC requirements are on the way. Compounding the new CMMC requirements are the challenges of remote work.

Read More »