CMMC for Manufacturers, FAQs
Download our CMMC for Manufacturers guide and review FAQs.
Late in 2023, in fact, on one of the last days of 2023, CMMC was published as a proposed rule. It may seem like there is plenty of time to establish compliance with NIST SP 800-171 so that you can earn your CMMC certification with time to spare. The reality is that if you have not yet achieved compliance to 800-171, the timeline is shorter than you may realize. Here are three reasons why your NIST SP 800-171 compliance journey should start now, before the first quarter of 2024 is over.
Complying with NIST 800-171 is supremely important. It is focused on securing CUI (Controlled Unclassified Information) and the U.S. Department of Defense will not shrug off flaws in your company’s policies and procedures. It should not be surprising then that achieving compliance is not a simple endeavor. Currently, there are 110 controls and 320 assessment objectives. Not only should these items be checked off as “done,” but you must also provide documentation of the policies and procedures that have brought you into compliance. Many experts have noted that it can take businesses 12-18 months to complete the process. The only exceptions are businesses that have a very small enclave of CUI that needs to be protected. Even then, it is a multi-month initiative. It is possible that if you have not yet started your journey by the start of the second quarter, you will be getting contracts mandating CMMC before you are ready.
As of this writing, the CyberAb Marketplace lists 50 accredited C3PAOs (CMMC Third-Party Assessor Organizations). According to CISA there are 100,000 companies in the Defense Industrial Base or DIB. The math is not difficult to evaluate. There are probably always going to be more companies needing certification than there will be assessors able to implement the certification. Once CMMC is mandated, the competition to be near the top of a C3PAO’s client list will be high. If you are not yet compliant with NIST SP 800-171 when that competition starts, you may find yourself left behind by many of your competitors.
Speaking of competitors, announcing NIST 800-171 certification as early this year as possible will potentially represent a significant competitive advantage. Not only will this allow for the production of press releases and other customer communications, but it will also give you an early edge as you strive for more defense contracts. Companies who have successfully completed the NIST 800-171 compliance process will also likely have a leg up when pursuing CMMC certification, which will further widen the competitive gap.
CMMC 2.0 has had its ups and downs over the last three years, and it has been easy, perhaps, to assume it will never happen. However, those days have come to an end. CMMC is coming, and NIST 800-171 compliance, which has been mandatory since 2018, is now more important than ever. Are you ready to begin? Contact us today to learn more.