On September 20, 2017, BostonCOMPLY was participating with a partner at a seminar in Groton, CT, co-sponsored by CONNSTEP and the SBA, addressing DFARS and the fast-approaching NIST 800-171 implementation deadline of December 31, 2017. What happened? In truth, very little. Was it a waste? Yes and no. Had we skipped the event, we would not have truly understood the orientation of real business owners and executives facing these very real compliance hurdles.
I would estimate there were 60-70 attendees, mostly small to medium Defense Industrial Base (DIB) contractors from coastal Connecticut. As it was the “early days” of DoD compliance, everyone was there simply trying to understand exactly what NIST 800-171 was and how it was going to impact their business. As the day progressed, I was shocked that many, or even most, of the companies were not taking the NIST 800-171 mandate seriously. As a person who pays their taxes on time, stops at STOP signs (mostly) and generally follows the rules, I could not grasp how many of these businesses were risking all their future DoD work by largely ignoring this mandated compliance standard.
The air in the room did get tense as the SBA and NIST representatives delivered the doomsday notification that 12/31/17 was a mere 3 months away. Best story of the day: one gentleman raised his hand and asked the NIST presenter to clarify the deadline. She clearly stated 12/31/17 and, curious, asked why he wanted to know; the man’s response was, “I just need to know the date I want to retire.”
What stands out about this seminar is that I may have been the only one in the dark: the follower of the straight and narrow, and the believer that we must protect ourselves, our businesses, and our country against all enemies, foreign and domestic (read: cybersecurity). Naive, maybe, but I thought the government was serious, while it seems everyone else in the room knew that 12/31/17 was simply New Year’s Eve, which came and went with virtually no impact on DIB contractors or the compliance mandate.
FAST FORWARD to 2020/2021 –
Have you heard about the Cybersecurity Maturity Model Certification – better known as “CMMC”?
This time the BostonCOMPLY team and our growing DoD supply chain customers are seeing a different and decisive picture. The DoD and the Prime Contractors are serious about their subcontractors’ stringent adherence to the NIST 800-171 compliance framework. Every contractor needs to perform a proper self-assessment in 2021. A select group will also need to be audited and certified by the CMMC Accreditation Body (CMMC-AB) in 2021, and everyone will need to be certified in 2022. This is real.
All designated supply chain members need to establish and maintain a full NIST 800-171 compliance program, proper cybersecurity controls and a CMMC compliance score of 3 or above. Anyone not meeting these standards will be prevented from bidding on and supplying future government contracts. As I mentioned in the title of this article, all indications are that the DoD is really “Double Secret” serious this time. Given that US businesses have seen over $600 billion in losses due to cybersecurity breaches and other ransomware attacks, there is no turning back.
If you need help, BostonCOMPLY is ready with the resources to support you and your business today! We will create a practical compliance program that will not crush your organization, perform your CMMC self-assessment, and create a plan with actions to address security/compliance gaps, also called the Plan of Action & Milestones (POA&M). BostonCOMPLY’s Practical Compliance Automation™ program will have your business ready for your CMMC certification. Let BostonCOMPLY be your light at the end of the tunnel, rather than the CMMC train running at you at 60 mph.