Title 32 Alarm! Don’t Wait for CMMC

You’re in a tunnel, standing between railroad tracks. That low engine roar grows louder, and that shining white dot you’re staring at keeps getting brighter and brighter!

CMMC is coming…

On Friday, September 13th, 2024, the Office of Information and Regulatory Affairs (OIRA) submitted 32 CFR part 170, otherwise known as the Title 32 CMMC Program Rule, to the Federal Register for publication.

What that means is that companies will see CMMC requirements in DoD contracts not long after Title 32’s effective date, which is very likely the end of November 2024.

Title 32 Soon Published

Is CMMC Right for Your Business?

Deciding to engage in DoD business is a strategic choice. Companies must evaluate whether the revenue potential justifies the investment in compliance. Here are the common responses to the CMMC question that we’ve seen firsthand. We call these the “Three Buckets”:

  1. Staying Commercial: Companies that have done some DoD work but choose to focus solely on the commercial sector. No DoD contracts mean no need for CMMC compliance.
  2. Wanting to Sell: Companies heavily involved in DoD contracts but unable or unwilling to meet compliance requirements. Most are preparing to sell their business.
  3. Fully Committed: Companies dedicated to DoD work, seeing growth opportunities and investing in compliance.

Each company’s decision is unique, but understanding your position can help you navigate the CMMC landscape.

Assess Your Company’s Readiness for CMMC

1. Understand the Requirements: Familiarize yourself with the CMMC framework and NIST SP 800-171r2 controls to know what’s expected.

2. Conduct a Gap Analysis: Compare your current cybersecurity practices against CMMC requirements to identify areas needing improvement. We call this a CMMC Roadmap.

3. Perform a Self-Assessment: Use tools like the DoD’s Supplier Performance Risk System (SPRS) for a clearer picture of your compliance level. Currently, the SPRS score is mandatory for DoD contract work.

4. Engage a Consultant: Hire a cybersecurity consultant experienced in CMMC for expert guidance through the certification process.

5. Develop a Plan: Create a detailed plan to address identified gaps, including timelines, resources, and specific actions.

6. Implement Changes: Execute your plan by updating policies, training staff, and investing in necessary technologies.

7. Continuous Monitoring: Establish ongoing monitoring and auditing to ensure continuous compliance.

8. Prepare for Assessment: Once confident in your compliance, schedule an assessment with a CMMC 3rd Party Assessor Organization (C3PAO).

Ready to get started? Schedule a consultation with us today!