Issue link: https://iconnect007.uberflip.com/i/1496178
APRIL 2023 | SMT007 MAGAZINE 41

Cybersecurity Assessment Center (DIBCAC).

Who must comply with CMMC?

Hernandez: Any company that wants to do business with the DoD must comply with the CMMC requirements. This includes both prime contractors and subcontractors at all tiers of the supply chain. The CMMC requirements apply to all DoD contracts, including those for goods and services. It's important to note that compliance is mandatory and that companies must undergo a CMMC assessment to verify their compliance level before being awarded a contract. The CMMC framework is designed to ensure that contractors are meeting a minimum level of cybersecurity readiness, so it's crucial for companies to take these requirements seriously and invest in cybersecurity measures to protect themselves and their clients.

When will CMMC come into effect?

Anderson: Frankly, the CMMC rollout continues to be a moving target, and, in fact, it now appears there may be further delays in CMMC 2.0 reaching final ruling as the Pentagon considers additional revisions to the proposed rule. As might be expected, much of the delay can be attributed to internal politics and concerns related to business impact. Notwithstanding these delays, which could push the CMMC rollout into 2024, it is important to remember that the underlying NIST 800-171 requirements—excepting the third-party audit requirements—have been in place for defense contractors since Dec. 31, 2017, and those remain.

What happens if a company fails to comply?

Takanti: In the near future, as existing DoD contracts come up for renewal and the DoD seeks partners for new programs, solicitations will include DFARS clause 252.204-7021, which links to CMMC. Solicitations also will include the Maturity Level accreditation, which must be possessed by the prime contractor and subcontractors at all tiers.

Failure to possess the proper CMMC Maturity Level accreditation affects all members of the DIB. Prime contractors lacking accreditation may be unable to bid, costing them anticipated renewal revenue or new business opportunities. Subcontractors at any tier will face being left off the bid team by the prime contractor and replaced by one of their competitors. DIB companies that received CMMC Maturity Level 1 or 2 accreditation as the result of a self-assessment may be subject to audit by DIBCAC. Consequences for an inaccurate assessment can be steep, possibly including termination of contract, corporate prosecution under the False Claims Act, and personal liability for executives who must sign a document verifying the accuracy of the self-assessment.

How long will it take a business to prepare for CMMC compliance?

Hernandez: The time it takes to prepare a business for CMMC compliance will depend on several factors, including the company's current level of cybersecurity readiness, the size and complexity of its IT infrastructure, and the level of CMMC certification it is seeking. Each of the three CMMC Maturity Levels comes with its own set of requirements, and the higher the level, the more rigorous the requirements. For a small business with a basic IT infrastructure, achieving a Maturity Level 1 certification may only take a few months, while a larger enterprise with more complex systems

[Photo caption: Vijay Takanti]