Our team recently participated in CMMC Day 2024, a conference bringing together the top experts and industry leaders in the security compliance space. We had the privilege of hearing from CISOs, practice leaders, government officials, and more about the latest trends and insights in CMMC.
Throughout our conversations, a few key themes emerged. Here are the top seven insights every Defense Industrial Base (DIB) organization should consider when building their CMMC strategy.
1. Urgency in Booking a C3PAO
One of the most pressing takeaways from the conference was that there’s a massive shortage of Certified Third-Party Assessment Organizations (C3PAOs).
With only about 50 C3PAOs and 170 certified assessors available for over 300,000 DIB organizations, demand far exceeds supply. Many assessors are already booked out through August, and this wait time is only expected to grow.
Securing an assessment slot now is crucial for organizations aiming to remain competitive in contract bidding. Remember – companies that achieve Level 2 certification before CMMC becomes official are the ones that the government will turn to first for contracts.
2. Key Changes in NIST 800-171 Revision 3
NIST 800-171 Revision 3 introduced significant changes that should be reflected in your organization’s compliance strategy. From updated requirements to new tailoring criteria and supplemental resources, staying informed about these changes is essential for achieving compliance without errors.
Here’s a quick guide we put together recapping these changes.
3. The Growing Impact on Higher Education
Another commonly discussed topic was the government’s increasing focus on colleges and universities. With the Free Application for Federal Student Aid (FAFSA) now being classified as Controlled Unclassified Information (CUI), almost every university in the US is now subject to CMMC compliance.
4. International Expansion of CMMC
CMMC’s reach is expanding globally, with countries like Canada announcing a CMMC reciprocity program and the United Kingdom Ministry of Defence participating in joint surveillance assessments. According to the Cyber AB, discussions are underway for similar reciprocity initiatives in Germany, France, Austria, Australia, Japan, and South Korea, with target dates of 2025-2026.
5. Necessity of a Tailored Approach
One recurring theme echoed throughout our conversations was that CMMC is not one-size-fits-all. Every organization faces unique challenges and hurdles, and the cookie-cutter approach that many consulting firms offer simply doesn’t suffice.
It’s essential to be strategic in your choice of both a consulting firm and a C3PAO. Selecting an assessor that aligns with your organization’s needs can save you a great deal of time and money.
6. Impact of Ransomware
Ransomware attacks aren’t slowing down — in fact, one presentation revealed that ransomware attacks on the DIB have surged by 95% within the last year.
The US government loses over 600 billion annually due to cyber theft of intellectual property tied to CUI and FCI. As such, it’s critical that DIB organizations incorporate ransomware protection into their cybersecurity strategy.
7. Misconceptions Around the Three-Year Expiration Date
Previously, many organizations believed that the three-year period before they need to undergo another C3PAO assessment starts when the CMMC rule is published.
Instead, the countdown begins immediately after you’ve undergone your assessment. If your organization has already taken a Joint Surveillance Voluntary Assessment (JSVA), for instance, your clock has already begun.
Bonus: Correction to a Cyber AB Comment
At one point during the conference, a Cyber AB official stated that a DIBCAC High Assessment offers equivalency to CMMC Level 2; however, this is NOT the case. A DIBCAC High Assessment will not translate into CMMC Level 2 certification.
Simplify CMMC Through SP6’s Individualized Services
At SP6, we know that compliance isn’t one-size-fits-all. Our Certified CMMC Professionals and Assessors have 15+ years of experience helping companies achieve compliance with meticulous security standards like NIST 800-171.
Talk with one of our experts today to discover which of our customized DFARS and CMMC services are right for your organization.