
As I attend industry events and connect with the leaders of manufacturing companies in the defense industrial base (DIB), everyone seems aware that CMMC 2.0 rules are coming soon. I see a bit more activity and I’m fielding more questions. Some DIB contractors are getting it, and that’s good news. But there’s also bad news: Too many still bet they can win a high-stakes game of “chicken” with the DoD.
Running a business means balancing risk tolerance and aversion. Many of us will take risks to grow revenues or achieve strategic goals; just as many of us want to avoid risk (especially in terms of expense) if the status quo is running well. That’s a fancy way to say, “If it ain’t broke, why fix it?” Normally, that’s a legitimate question, but asking it requires you to know what “broke” looks like. When a piece of production equipment breaks, it’s obvious. When it comes to your IT network, “broke” is anything but obvious. Your operations could be running along fine yet you have cybersecurity holes big enough to drive a truck through. That’s just what the DoD wants to avoid.
Will the Government Blink?
When business leaders act as if they don’t feel any particular urgency to hit the compliance deadline, I often hear, “If enough of us don’t comply, the government will blink. It will have no choice but to either kick the compliance deadline back again (it worked once, after all) or maybe even exempt us small operators. The DoD is going to swerve first.” That sounds like wishful thinking to me, and in the words of Vince Lombardi, “Hope is not a strategy.”
The DoD will not budge this time. Not for Levels One and Two—and those will cover the vast majority of small- and mid-sized contractors. If for no other reason than credibility, the government has to put a stake in the ground. To be honest, that stake isn’t an unreasonable one. The first level of CMMC compliance amounts to little more than straightforward cyber-hygiene and a system security plan—the things that any manufacturer should be doing to protect itself, its employees, and customers from cyber-threats, be they phishing scams, ransomware, or targeted hacking.
CMMC 2.0’s interim rule is scheduled to be released in March 2023, and let’s say it’s the very last day—Friday, March 31, 2023. What happens next? Sixty days later—call it May 31—to bid or to be included in a bid package, contractors must be able to demonstrate their compliance if asked.
To read this entire article, which appeared in the January 2022 issue of SMT007 Magazine, click here.