In a recent interview between Robert Metzger and GovExec360 president Troy Schneider, Metzger urged DoD contractors to not wait for a final rule to come out on CMMC to start meeting compliance requirements — a stance that SysArc has taken for the last several years.
Metzger is considered to be the ‘father’ of the Cybersecurity Maturity Model Certification (CMMC) because he co-authored “Deliver Uncompromised,” a report from Mitre, a nonprofit research firm behind many of the principles of CMMC.
When asked about the date he would expect CMMC requirements to show up in contracts, Metzger said, “It doesn’t really matter. The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business. Don’t let yourself think that it matters what day you happen to get a request for information or request for proposals that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”
Many DoD contractors say they find CMMC to be too difficult, expensive, and complex to implement. This sentiment has led many contractors to shy away from implementing these very important requirements. In response to this, Metzger said, “We cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically. That takes us away from on premise measures and towards external service providers. But we haven’t yet established a means by which a smaller company can look at a managed service provider, a managed security as a service provider, or some other external resource and say — ‘If I do my part and they do their part, then I’m going to accomplish some percentage of the CMMC requirements.’ We need that.”
What many small and mid-size businesses might not be aware of is that the market has already spent the last several years rapidly developing solutions to help businesses meet these requirements. SysArc, for example, has been at the forefront of implementing cybersecurity requirements for our DoD contractor customers since 2017 when DFARS first became law. Since then we’ve been able to refine our offerings and considerably reduce the time and expense required to secure contractor information systems and get them properly prepared for CMMC — whenever the final rule is made.
For more information on SysArc’s economical solutions for CMMC compliance, consider requesting a consultation here. Our team is happy to learn about your business and walk you through our process and associated costs to prepare for CMMC.