The CMMC 2.0 Countdown: Will You Be Ready When the Clock Hits Zero?

Estimated reading time: 2 minutes

If you influence IT decisions at your workplace, you need to hear this. If you make the decisions, you need to listen, not just hear: Unless you start acting on CMMC compliance now, you are putting yourself at a disadvantage—one that will take much more time to correct than you might expect.

Think of me as a spokesperson for the industry I represent: we are concerned about you. From what I’ve heard and seen over the last few months, too many of you are listening to suppliers, upstream and downstream partners, or other business owners on how seriously to take CMMC. As a result, far too much wishful thinking is guiding decision-making. So, listen to the experts.

The DoD says we can expect CMMC 2.0’s final rules in March 2023. Given the delays, rollbacks, and revisions that have characterized the program’s rollout to this point, I’d be very surprised if they miss this deadline. Sixty days after the rules come out, CMMC certification will be a non-negotiable requirement for manufacturers in any part of the DoD’s supply chain.

Sixty days is not enough time to prepare.

I recently spoke with the IT director of a company I know well. This individual is very much aware that CMMC is coming, and that DoD business represents a fairly significant portion of the company’s revenue. He also knows that, to get compliant in time, his company needs to start working on it now. The owner of the company also knows this, and is a very smart, very capable person, but the decision came down that the company is putting compliance efforts on the back burner.

I was dismayed but not entirely surprised to learn the reason for the delay. The owner had reached out to other suppliers and manufacturers to hear their CMMC plans and most of them were doing nothing. I heard similar kinds of reasoning at a recent CEO forum—from my rough estimate, fewer than 10% of them were taking active steps toward compliance.

It seems there’s a feeling out there that if most small suppliers don’t comply, it will somehow force the DoD into waiving the requirements or kicking the deadline farther down the calendar.

This is nonsense.

Granted, there have been mixed signals regarding CMMC and small to medium contractors, but here’s the thing to ask: In the three years or so since the program has been in development, have the threats of cyberattacks or the effectiveness of phishing scams decreased? No, they have not; across the board, cyberattacks have done nothing but increase, especially targeting small businesses.

Someone needs to tell you this: The wait-and-see approach is a very bad strategy for small businesses, even in the unlikely event of further delay from the government. It only takes one or two of the giant prime contractors to make a government deadline irrelevant, and I know of certain large primes who have put CMMC regulations into their contracts already. Do you really believe the prime contractors you support or large manufacturers you supply want to risk their own multi-million-dollar contracts by working with vulnerable suppliers? I don’t.

To read this entire article, which appeared in the August issue of SMT007 Magazine, click here.