SMT007 Magazine

SMT007-Jan2023

Issue link: https://iconnect007.uberflip.com/i/1489269

government has to put a stake in the ground. To be honest, that stake isn't an unreasonable one. The first level of CMMC compliance amounts to little more than straightforward cyber-hygiene and a system security plan: the things any manufacturer should already be doing to protect itself, its employees, and its customers from cyber-threats, whether phishing scams, ransomware, or targeted hacking.

CMMC 2.0's interim rule is scheduled to be released in March 2023. Let's say it lands on the very last day, Friday, March 31, 2023. What happens next? Sixty days later, call it May 31, contractors must be able to demonstrate their compliance if asked in order to bid or to be included in a bid package.

Remember that Level One compliance only requires self-attestation. While that's an improvement in cost and complexity over a required third-party assessment, it creates another potential can of worms. Come the spring of 2023, I can imagine the temptation to self-attest and then get compliant as fast as possible will be great, but talk about a gamble. It's one thing to miss out on an opportunity while you become compliant. It's another thing entirely to commit fraud. But I can almost guarantee that it will happen. I certainly hope it won't happen in your case.

You Need an Individualized Plan

Maybe the contractors that are waiting think that compliance will be quick, just a nip here and a tuck there. Or maybe there's an off-the-shelf, cookie-cutter solution they can buy online and hand to their IT guy to apply. I can see why they might think that. Blog after blog, website after website, and article after article mention checklists to ensure you meet all 17 of the Level One controls. My own company publishes one. The thing is, while the 17 controls apply to everyone, each company will have to take its own path to meet them.

Take, for example, access control (and I'm not even getting into physical access, meaning whether your servers are kept under lock and key in a properly protected area). Some companies (many I've worked with personally) have an open-access policy: just about anyone can access just about anything on the network. While this has advantages from a convenience standpoint, it's a nightmare from a compliance standpoint. I've had to help several clients map their business processes to actually understand who needs access to what. If these processes haven't been mapped before, this alone can be a very time-consuming activity.

Speaking of time, let's look at how long it might take to get compliant. I'm assuming there will be contractors who start in the new year, and those who will wait until March 31 (or whatever the actual date proves to be).

Act Now and Fast

If you've read this far, I assume you haven't started yet, so I'll make it personal. If you hit the ground running on Jan. 3, you might very well get to a level of confident self-attestation by the end of May, and maybe sooner, depending on the size, complexity, and degree of readiness of your technology environment. It will help if you are already compliant with other standards, say ISO 9001. Because you've already gone through a compliance process, you know how to meet a standard. You likely have document controls in place, and you understand the versioning process and the training process. You might even have solid IT policies in place, so there would likely be some overlap between what you are already doing and where
