One of the recurring themes as of late is a “wait and see” approach – as in executive and senior management will wait and see what the Department of Defense will do. There are just a few problems with that approach, because it is not in line with reality.

  1. If your organization has not started implementing NIST 800-171 in accordance with DFARS 252.204-7012, your organization is behind the curve. As of December 31, 2017, all contractors (prime or subcontractors at any tier) are required to implement the security requirements specified in the NIST 800-171 standard. The CMMC Level 3 standard is effectively NIST 800-171, with a few additional security objectives added to reflect the evolution of technology, threats, and vulnerabilities.
  2. A well-done cybersecurity implementation takes time. A proper CMMC implementation isn’t as simple as going to Amazon, buying antivirus and installing it. It also takes time to deploy, roll out, and train users on some of the new technology. It also requires updating existing policies, processes, and technologies. Solid implementations can easily take six to nine months depending on your organization’s cybersecurity posture. Have managed IT and assume they have been doing security? Well, I have some thoughts on that point. We will save it for a future blog article.
  3. Fast, Good, Cheap. In business, you can only pick two from the following: Fast, Good, and Cheap. If you selected Fast and Good, it is not going to be cheap. More than likely, it’s going to be very expensive. That might be okay for some businesses, but if you’re a small business, you probably don’t have very deep pockets to spend on implementing CMMC. If you selected Cheap and Fast, it is not going to be the best quality. Your organization is more likely to fail your CMMC assessment and will have to redo the assessment, making it more expensive. If you selected Good and Cheap, it is not going to be very fast. It will take time to deliver, but you are more likely to spread the costs out, and you’ll also be able to implement what needs to be implemented properly and in a much more cost-effective way, thus increasing the likelihood of successfully passing your CMMC assessment.

Wait and see is a valid business strategy, but it is also a risky one. If the ‘wait and see’ strategy goes in a direction you do not want it to, it will have a huge impact on your bottom line.