The Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) is complete. It’s also still evolving. On top of that, it’s not exactly clear how CMMC will continue to change. Much will depend on the makeup of the next administration — so 2024 will be a key year for the cybersecurity standard.
No wonder government contractors are feeling anxious and confused about CMMC.
We recently attended the CMMC Implementer’s Conference in San Diego. This conference was focused on empowering industry professionals with information to create and maintain a secure, compliant environment. Among the keynotes and sessions, we came away with three main takeaways:
- CMMC is done, so suppliers need to start doing it now.
- SPRS scores are critical.
- Industries such as education, fintech, and healthcare are the next main areas of focus under CMMC.
Let’s unpack these takeaways.
1) Don’t Wait to Start CMMC
Yes, CMMC has undergone a lot of changes up to now, and more changes are coming. But CMMC is live and the DoD is now evaluating contractors using CMMC. The remaining updates will be refinements to the existing structure, not overhauls. They will clarify and enhance what already exists, rather than fundamentally change the security standard.
That means if you’ve been sitting on the sidelines waiting for the dust to settle, you shouldn’t wait any longer to get started with CMMC.
Although CMMC is still an evolving standard, it is considered done and DoD contractors need to go through certification now.
CMMC is essentially the successor to NIST 800-171, although it expands on NIST's requirements. If you've gone up against NIST 800-171 in the past, CMMC won't be a huge change for you. But as CMMC continues to evolve, more controls will undoubtedly be added to the standard.
The good news for TCT customers is that NIST 800-171 has been available in TCT Portal for years. Switching to CMMC will be a snap for you.
2) Your SPRS Score Is the Most Important Metric
As of CMMC 2.0, the SPRS score is king. The better your score, the better your chances of winning a government contract. A poor SPRS score can eliminate you from consideration.
CMMC requires you to perform a self-assessment of your cybersecurity stance. As you evaluate your program, your score goes up from a starting point of -203. A perfect score is 110, although it's rare to achieve. The self-assessment is submitted to SPRS (the Supplier Performance Risk System), the DoD's system for analyzing supplier risk.
Under a new rule by the DoD, the information in SPRS, which also includes other supplier (i.e., contractor) risk information, will be considered along with price when evaluating proposals.
More than the SPRS score goes into the DoD's contract award process, not least how much you're charging and how good your work is. That said, going forward, the SPRS score will be the most important aspect of CMMC, because it provides a single data point that summarizes your cybersecurity stance.
3) Expansion to New Verticals
Katie Arrington, former CISO of the United States and an architect of CMMC, was the keynote speaker at the recent CIC conference. During her talk, she spoke about the expansion of CMMC to other verticals.
Expect to see a focus on higher education, healthcare, and fintech in the future. It’s imperative to the DoD to have a unified regulatory control over suppliers that work with the government, from every industry — and these three verticals are among the most common government suppliers.
The healthcare space and higher education will probably have an interesting time adjusting to CMMC. It will be unfamiliar territory, especially for many research universities, because they've never had to abide by a government standard like CMMC before. For these suppliers, it will be very beneficial to have a compliance management system that keeps everything organized and streamlines the process.
CMMC Is More Doable Than You Might Think
As CMMC has come online, we’ve seen a wave of DoD suppliers drop out of government contracts. They’ve decided to wash their hands of it, because they don’t want to deal with the pain of going through CMMC. They don’t gain enough business from government contracts to make the time, effort, and energy worthwhile.
As CMMC’s expansion continues into these additional verticals, time will tell how many of those government contracts will go by the wayside as well. If you’ve done some amount of DoD contracting in the past, you’ll probably need to evaluate whether or not it makes sense to go up against CMMC.
At the same time, don’t be scared off by a set of unfamiliar letters. If you’ve had to go up against other security and compliance standards in the past, chances are good that you’re already doing most of the work that CMMC requires.
TCT Portal can make it simple to apply your existing compliance engagements towards CMMC. Even if this is your first time going up against a security standard, TCT’s compliance management tool streamlines your efforts, clarifies the requirements, and makes your path forward smoother.
Find out more about how to tackle CMMC effectively — subscribe to our blog.