When the concept of Cybersecurity Maturity Model Certification (CMMC) was first developed, nobody envisioned the roller coaster ride it would take since its inception with Executive Order 13556 in 2010 with its emphasis on Controlled Unclassified Information. 

The goal was to assess and enhance the cybersecurity posture of contractors who serve the DoD.  The target framework was a document from NIST called 800-171.  Over the years the CMMC guidelines have evolved and so have recommendations from NIST.

Over this period of time communication from the DoD about CMMC has ranged from constant briefings to a period where the DoD was incommunicado.  The result of that unusual series of events is a deadline in November of 2023, or possibly earlier, when companies will be expected to comply with the revised regulations.

Today, we sat down with Igor Volovich from Qmulos to put a framework around CMMC to give the 300,000 members of the Defense Industrial Base a handle on today’s status. During the interview Igor repeats his core message: don’t wait until the last minute to begin the process.  You could end up looking at your competition in full compliance and your company running out of time.

He suggests that you start with a thorough understanding of the basis for CMMC, the NIST 800-171 document.  Next, don’t forget your company is part of a matrix of vendors; you should contact your partners or affiliates to see where the shared responsibility lies.  Finally, Igor suggests you speak to vendors who may be able to help. 

Chances are, if you wait, you will be overwhelmed with work. The normal reaction is to seek out help at that point.  However, you may encounter CMMC compliance experts with a serious backlog,

The lesson: understand the requirements, seek help from affiliates, contact people with expertise to help with the rough spots, and most of all . . . DO NOT DELAY.