6 reasons to (not) skip CMMC

Read why common objections to Cybersecurity Maturity Model Certification don’t hold up – and what all organizations, defense contractors or not, should do next.

While this thought exercise applies to organizations in the Defense Industrial Base (DIB) that need to meet the Cybersecurity Maturity Model Certification (CMMC), if you aren’t in the DIB, then replace “DIB” with “your industry” and “CMMC” with “cybersecurity” and you will find this applies equally to your organization. (Find background on CMMC at the close of this article.) I trust you will appreciate that I offer these reasons in jest, as an example of the absurdity of these common objections to CMMC certification.

Reason #1 – NIST 800-171 is hard

It is currently 2024, and NIST 800-171 v1 was released in 2016. It spent a lot of time in draft before that date while NIST sought input from the DIB and other sources about the standard. V2 came along later, but its changes were primarily for clarity. Considering how fast technology changes, the same people who would correctly suggest that implementing technology from 2016 is ridiculous are now saying that NIST 800-171, an old standard, is “too hard.” That might be acceptable reasoning if organizations were already exceeding the old cyber controls, or if those controls were outdated, but neither is the case.

The reality: Implementing a reasonable and robust cyber program requires a culture change, and culture change is hard. Every year, cyber risk ranks as one of the top concerns across all industries, the financial losses are staggering, and there is a consensus that improvement is needed. But when it comes to investing in that change, we often hear “not here, and not today.” Soon, NIST 800-171 v3 will be released, bringing the first substantial changes to NIST 800-171 since its inception. So, as threat actors continue to wreak havoc, some are still debating why old cyber standards are too difficult to meet. It is time all organizations implement a reasonable and robust cyber program. If you are in the DIB, that starts with NIST 800-171. For all organizations, this should be the starting point. NIST 800-171 is part of a reasonable and robust cyber program; it is not the complete program. If you meet v2 today, the move to v3 is a natural progression: evolutionary, not revolutionary. If you do not, the ground floor just got higher.

Reason #2 – CMMC rulemaking is not complete

While this is true, it does not matter. The DOD is using the rulemaking process to make sure that defense contractors complete their journey to meet NIST 800-171 v2. Yes, it will require that your organization be certified by a CMMC Third-Party Assessor Organization (C3PAO). The DIB originally failed to meet this standard on its own, so now contractors will need to supply third-party evidence that they are meeting this standard.

The reality: There is nothing in the rulemaking process that changes the imperative to meet NIST 800-171 v2. It is just a question of when the certification will be enforced. The DOD has stated that they do not have the bandwidth to certify compliance to CMMC, so they have authorized C3PAOs (via the Cyber AB). Waiting means there is a real probability that you won’t be able to engage advisors to help you prepare for your CMMC audit and the C3PAOs who must certify you. Until you become certified, you will not be able to work on new contracts. I would not want to be the leader who stands in front of the board explaining business losses resulting from a decision to not implement a cyber standard from 2016.

Reason #3 – CUI is confusing

“The notion of controlled unclassified information (CUI) is unclear. It is poorly marked, complicated to define, and prevalent everywhere.” Perhaps all true, but if we think of CUI simply as “important stuff you do not want to be public,” it is easier to comprehend. This includes your business plans, your personal diary, the painting you are creating, your expansion plans, and upgrades to your business app. All this information is important to you, or your organization, and if it were made public, it would cause harm and embarrassment, help your competitors, or otherwise make executing your plans more difficult. CUI is that kind of information: data the DOD wants contractors to also keep confidential and protected.

The reality: Yes, the DOD can do a better job of more clearly marking CUI. On the other hand, if all organizations had a reasonable and robust cyber program, and treated CUI as their “important stuff,” then they would naturally protect the DOD’s CUI at the same time. It is time we embrace protecting our “important stuff.”

Reason #4 – Here, there, or everywhere

CMMC has sparked debates about an old concept: enclaving. An enclave is a great idea and one to be encouraged, and its usefulness is not limited to CMMC. Enclaving and CMMC belong together if you are putting all of your communication environment in a communication enclave, all of your finance environment in a separate finance enclave, and so on. The often-stated objection is that trying to build a “CMMC only” enclave to reduce the breadth of your CMMC implementation makes no sense, because CMMC has established that all organizations need to protect their important stuff, whether it is defense-oriented information (CUI) or employees’ health records.

The reality: Are you going to tell your cyber insurance broker that you have a reasonable and robust cyber program, but only on a portion of your overall environment, and then insist they give you the best pricing on your entire environment? Are you going to proudly display on your website that you have your CMMC certification, but then tell your non-DIB customers, vendors, and suppliers that you do not have a robust and reasonable cyber program for them, but “Hey, trust us anyway”?

Reason #5 – Meeting CMMC is too expensive

While the cost varies for every company, it is time to view the expense of reasonable cybersecurity as fundamental to any organization. The days of pretending that your organization does not have important data and IP to protect are long gone.

The reality: If you have a reasonable and robust cyber program, the added lift to meet CMMC requirements is not onerous, and could be as simple as passing your certification. If you do not have reasonable cybersecurity, however, you will need to invest time, effort, and money to prepare to pass your CMMC certification. This effort amounts to paying more for deferred maintenance (technical debt = increased expenses). You must catch up now. Recognize the imperative of having a reasonable and robust cyber program as a key to success, just like your employees and products. In that light, cybersecurity expense is not a cost burden, but a fundamental part of your strategy for achieving your business outcomes.

Reason #6 – Getting started is hard

It can be, but the alternative is worse. The CMMC calendar is not your friend! Going through an audit readiness process can take 6-18 months, depending on how much deferred maintenance you have in your cybersecurity program. The place to start is changing your organizational mindset. Is there any reason you do not want a reasonable and robust cyber program?

The reality: Starting can be as simple as picking up the phone to call CohnReznick or another advisor to help you meet your CMMC responsibilities and prepare to pass your certification.

In closing

CohnReznick believes that there are no reasons to skip CMMC, or for not having a reasonable and robust cyber program. In today’s world, that’s just not acceptable. As a C3PAO that has been through our own DIBCAC assessment, we know what you must be prepared for. We’ve been dealing with CMMC since before it was called CMMC, and with cybersecurity since before the Cyber DFARS clause of the Defense Federal Acquisition Regulation Supplement (DFARS) was drafted. Let us help you reap the benefit of our experience helping clients become audit-ready.

CMMC: Extra background

For those not in the DIB: The DOD publishes the Defense Federal Acquisition Regulation Supplement (DFARS), and when the DFARS clause is part of your contract, you must follow its requirements. DFARS 252.204-7012, more commonly called the Cyber DFARS, requires defense contractors to meet NIST 800-171.

Several years after the Cyber DFARS, the DOD had data to show that cybersecurity in the DIB had not improved. The Cyber DFARS required the DIB to meet NIST 800-171, but did not set a firm date to do so. DIB organizations were allowed to have a Plan of Action and Milestones (POAM) for controls that were not met. The gaps in the POAM were not being closed.

So, the DOD rolled out CMMC v1 in 2020, followed in 2021 by v2, which streamlined the approach released in v1. In simplified terms, the DOD wanted defense contractors to meet 100% of NIST 800-171, and that would be certified by a C3PAO. Contractors would have to renew their certification every three years. There is more to CMMC, but that is the core of it.

About the author

Steve Gilmer formed one of the earliest cybersecurity departments in a Fortune 500 company. He supplied input into the original drafts and discussions of Cyber DFARS and NIST 800-171, which included discussions held at times in Sensitive Compartmented Information Facilities (SCIFs) about the DFARS, NIST 800-171, and the threats the DIB faced. 