A CMMC ‘Plan B’

Reading time ( words)

As I attend industry events and connect with the leaders of manufacturing companies in the defense industrial base (DIB)—everyone seems aware that CMMC 2.0 rules are coming soon. I see a bit more activity and I’m fielding more questions. Some DIB contractors are getting it, and that’s good news. But there’s also bad news: Too many still bet they can win a high-stakes game of “chicken” with the DoD.

Running a business means balancing risk tolerance and aversion. Many of us will take risks to grow revenues or achieve strategic goals; just as many of us want to avoid risk (especially in terms of expense) if the status quo is running well. That’s a fancy way to say, “If it ain’t broke, why fix it?” Normally, that’s a legitimate question, but asking it requires you to know what “broke” looks like. When a piece of production equipment breaks, it’s obvious. When it comes to your IT network, “broke” is anything but obvious. Your operations could be running along fine yet you have cybersecurity holes big enough to drive a truck through. That’s just what the DoD wants to avoid.

Will the Government Blink?

When business leaders act as if they don’t feel any particular urgency to hit the compliance deadline, I often hear, “If enough of us don’t comply, the government will blink. It will have no choice but to either kick the compliance deadline back again (it worked once, after all) or maybe even exempt us small operators. The DoD is going to swerve first.” That sounds like wishful thinking to me, and in the words of Vince Lombardi, “Hope is not a strategy.”

The DoD will not budge this time. Not for Levels One and Two—and those will cover the vast majority of small- and mid-sized contractors. If for no other reason than credibility, the government has to put a stake in the ground. To be honest, that stake isn’t an unreasonable one. The first level of CMMC compliance amounts to little more than straightforward cyber-hygiene and a system security plan—the things that any manufacturer should be doing to protect itself, its employees, and customers from cyber-threats, be they phishing scams, ransomware, or targeted hacking.

CMMC 2.0’s interim rule is scheduled to be released in March 2023, and let’s say it’s the very last day—Friday, March 31, 2023. What happens next? Sixty days later—call it May 31—to bid or to be included in a bid package, contractors must be able to demonstrate their compliance if asked.

To read this entire article, which appeared in the January 2022 issue of SMT007 Magazine, click here.

03/27/2023 | Patty Goldman, I-Connect007

Garry McGuire of the Jacobs Space Exploration Group at Marshall Space Flight Center in Huntsville, Alabama, reflects on the serendipitous moment that led to a leadership role at IPC and the enduring relationships he’s built through his participation in the organization. With the rapid advance of technology constantly pushing the industry forward, Garry urges newcomers to jump in and experience all IPC has to offer.

03/20/2023 | Nolan Johnson, I-Connect007

When Canadian artificial intelligence company Darwin AI was founded in 2017, machine learning and deep learning were still relatively new terms. In the past five years, CEO Sheldon Fernandez and his team have been working with this technology to develop some foundational IP to simplify implementation. About a year ago, Sheldon took a “part happenstance, part deliberate” opportunity to develop a vertical offering for EMS manufacturing. Here’s what happened.

03/14/2023 | Patty Goldman, I-Connect007

Christina Trussell is a harness design engineer at Blue Origin and a recipient of the IPC Rising Star Award. Since she was a young child, she wanted to fly through the skies. In this interview, she talks about her dreams and what it’s like to work in the electronics industry.