As the Cybersecurity Maturity Model Certification (CMMC) rule comes into effect, many organizations in the Defense Industrial Base (DIB) are concerned about how they will become compliant in order to retain their current Department of Defense (DoD) contracts and win new ones.  We have seen several of these challenges firsthand while helping clients become compliant, and we discuss the top ones here to help you prepare for what is coming.

Challenge #1 – Timeline

While the timeline for the full effect of CMMC has been moving, it will come to fruition soon, and organizations need to ensure that they are ready.  In our experience the process can take 18-24 months for an average-sized organization and includes several phases:

  • Gap Assessment – 3 months
  • Remediation of Gaps – 3-12 months
  • Operationalizing Controls – 3-6 months
  • Audit Planning and Scheduling – 3-6 months

With this timeline potentially spanning years, organizations that have not started yet will need to get moving on their CMMC journey soon to be compliant in time.

Challenge #2 – Investment

Becoming CMMC compliant will involve 3 buckets of costs.  These will include capital expenses as well as operational expenses.  It is critical that organizations understand these costs so they can plan and budget appropriately.  Additionally, since some of those expenses will fall in the current year, organizations that have not already planned for them may need to shift funds from other budget items to start down the CMMC compliance path.

Challenge #3 – Government Approved Cloud Storage for Email/Files

One of the requirements for CMMC is that your email and cloud-stored files must reside in a government-approved cloud system.  If you are using the commercial versions of Microsoft 365 or Google Workspace, you will need to migrate to the government cloud versions of these tools.  This is not a standard migration, and these versions will cost more than the commercial ones.

Challenge #4 – Operational Changes

When implementing cybersecurity controls, there will inevitably be operational challenges.  These could be as simple as requiring multi-factor authentication for users or as complex as segregating non-compliant devices that are required for operations from the rest of the network.  These changes will affect how you work on a day-to-day basis and will cause some level of disruption to your organization.

Becoming CMMC compliant is not optional for organizations that want to continue working in the DIB, and as such these challenges will be faced by many organizations.  Being prepared for them can be the difference between a smooth CMMC journey and a more disruptive one for your organization.