The two misconceptions below are based on my personal interactions with DoD contractors.
"CMMC Will Prevent My Company From Competing on DoD Contracts"
I have heard this one many times from DoD contractors and it genuinely breaks my heart. If everyone had level three or higher CMMC requirements, then there would be justification for more concern. Thankfully, most contracts will have either level one or level two CMMC requirements. This means that companies will only need to maintain either basic or intermediate levels of cyber hygiene, which are not particularly difficult or expensive to achieve. So if you are a small company or have a tight budget, don't freak out about CMMC.
"I am Already CMMC Compliant"
As of August 2020, no company can be "CMMC Compliant". A company can only be "CMMC Compliant" if it actually holds a Cybersecurity Maturity Model Certification, and as of August 2020 you cannot yet earn this certification. You can definitely undergo an internal or external assessment to help determine where you stand, but that in itself will not make you compliant, although it is something all DoD contractors should be doing now if they haven't already. Many DoD contractors I have interacted with cited their "IT Service Provider" as the source for the claim that they are CMMC compliant. These reckless claims can put contractors at risk as they begin to bid on contracts with CMMC requirements.
The CMMC community needs to Step Up to The Plate
The above misconceptions show that the CMMC community needs to up its game in educating the defense industrial base. This responsibility doesn't fall only on the CMMC accreditation board, but also on the professionals and companies offering CMMC-related services to the defense industrial base.