
CMMC: Compliance Mt. Everest

By Vincent Scott

Certifications aren’t so hard. Right?


C-suite executives generally have plenty of experience with certification requirements. As such, they know vendors often hype their wares in an attempt to panic a company into buying their (very expensive) solution. But practiced executives understand it's never really that hard. Right?


“We have some people who produce policies based on the requirements, the assessors read the policies and give you some things to change, you pay them, and they certify you.” Then, you can go back to getting business done until you have to be certified again. Each certification amounts to a bureaucratic drill imposed by the government or other authority, after which the company can move on to once again running a viable business, in spite of the obstacle. 


There is a lot of hard-won business experience out there that fits this model. There is only one problem. The DoD did not read that playbook when they made CMMC.  


Instead, they based their approach on the NIST Assessment Guide. Smart NIST systems engineers worked to build a rigorous assessment method; a truly good one, with details. They did so, in my view, assuming that (like most NIST pubs) it would be a guide for performing the ideal assessment process. However, the DoD chose to mandate its implementation fully, down to the last phrase and period. Every word. Fully implemented. This was, I think, not the model that NIST anticipated when they wrote 171A, and as a result, DIB companies are faced with implementing an incredibly rigorous, unique standard.


This is the fundamental disconnect on CMMC. Almost no one really understands, except for a few people trying to implement this in the trenches, how difficult the assessment method for this framework is. When implementers break it down and start asking, “How do I make this a reality?” they rapidly realize what a huge undertaking CMMC compliance really is. 


The DoD does not realize this. Rather, they continue to spread the myth that this is "just the basics" and comparable to what "people do to protect their Netflix account at home." Much of the government cybersecurity apparatus does not realize this, either. It is often assumed that CMMC is easier than RMF, since it technically has fewer controls. By extension, most of the DIB does not realize just how challenging 171 and 171A are to implement, if only because what the DoD says matches their experience with other certifications.


Make no mistake. This is hard. 


I heard an executive recently make the statement, "We have been passing DCSA inspections for years. This will be no different." DCSA is the Defense Counterintelligence and Security Agency, the arm of government focused on managing contractor handling of classified information. They inspect every two years. The vast majority of companies receive a 3 on a 5-point scale, have some discrepancies, and move on. Compare that to CMMC: effectively, a 5 on a 5-point scale is required as the minimum baseline, and if you fail to meet that baseline, then you are ineligible for contracts. Existing contracts can be canceled. Passing a DCSA inspection is no indicator of your readiness for CMMC, and no indicator of the level of effort required to prepare for a C3PAO (Certified Third-Party Assessment Organization) assessment.


Business executives: CMMC is at a new level. I would assert that it is by far the most challenging cybersecurity standard and assessment methodology ever put forward; the federal compliance Mt. Everest. You cannot have aspirational but vague policies (and pass). Rather, you must prove, with evidence, that you are doing what your policies say, and ensure that those policies specifically align to all 320 Assessment Objectives of the 171A guidance. 2025 is the year CMMC truly comes down the pike; further delay could place your next contract out of reach.

