SMT007 Magazine

SMT007-Aug2022

Issue link: https://iconnect007.uberflip.com/i/1475010


start working on it now. The owner of the company also knows this, and is a very smart, very capable person, but the decision came down that the company is putting compliance efforts on the back burner.

I was dismayed but not entirely surprised to learn the reason for the delay. The owner had reached out to other suppliers and manufacturers to hear their CMMC plans, and most of them were doing nothing. I heard similar reasoning at a recent CEO forum; by my rough estimate, fewer than 10% of them were taking active steps toward compliance. There seems to be a feeling out there that if most small suppliers don't comply, it will somehow force the DoD into waiving the requirements or kicking the deadline farther down the calendar. This is nonsense.

Granted, there have been mixed signals regarding CMMC and small to medium contractors, but here's the thing to ask: In the three years or so that the program has been in development, have the threats of cyberattacks or the effectiveness of phishing scams decreased? No, they have not. Across the board, cyberattacks have done nothing but increase, especially those targeting small businesses.

Someone needs to tell you this: The wait-and-see approach is a very bad strategy for small businesses, even in the unlikely event of further delay from the government. It only takes one or two of the giant prime contractors to make a government deadline irrelevant, and I know of certain large primes that have already written CMMC requirements into their contracts. Do you really believe the prime contractors you support or the large manufacturers you supply want to risk their own multi-million-dollar contracts by working with vulnerable suppliers? I don't.

For those of you thinking that coming into compliance with CMMC's Level One requirements is something you can do quickly, please think again. I've been part of compliance efforts for several manufacturers, and it is not a fast process, even when you already run a tight ship. One of my clients received a notification from their customer, a DoD prime contractor. In it, they were given six months from the date of the notification to self-attest to CMMC Level One compliance or be disqualified from bidding on any further opportunities.

CMMC Level One has six domains (high-level categories), each of which is further broken down into several capabilities and practices. On their face, they sound straightforward enough, and some of them are. For example: Limit physical access to systems and data to authorized users (I'm paraphrasing). But in practice, determining which users currently have access to what, and who should actually be authorized to access what, can take a good deal of time and effort.

This particular client was AS9100 certified and certain that the Level One requirements were already in place when the notification came; access control was in good shape, for example. But that is not the case for most businesses we see. Simply put, access control requires you to define and limit who has access to what on your networks. Giving everyone access to everything is not a compliant answer; shared drives and open networks are significant reasons CMMC exists in the first place. For your networks to be secure, user access must be traceable and specifically defined. That means no more shared passwords. That means only
