Information Technology Navigator

Tips, Advice & Insights from Technology Pros

The Risks of Delaying CMMC 2.0 Compliance

Posted by Bobby Hurstak

Wed, Sep 28, 2022


The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD framework designed to enhance cybersecurity and protect against compromise of sensitive defense information on contractors’ systems. Some defense industrial base (DIB) organizations have mistakenly taken a “wait and see” attitude about preparing for CMMC compliance, planning to wait until the government finalizes 2.0 requirements. While holding off on committing the time, resources and budget to prepare for CMMC may seem prudent (and frankly easier), the risks of waiting could have a significantly negative impact on contractors’ revenue. Here’s why:

The majority of CMMC 2.0 rules are already in place today.


While many organizations are waiting for CMMC 2.0 final rules to be released, we remind our partners in the DIB community that there are already contractual requirements to meet today, like DFARS 7019, which requires self-assessment of NIST SP 800-171 requirements (using the DoD Assessment Methodology) for government contracting officer review. All that CMMC 2.0 changes is the addition of the third-party assessment, which audits organizations and penalizes those that are not in compliance through loss of contracts or inability to bid on new contracts. It's also important to note that the third-party assessment will be an “all or nothing” audit as opposed to measuring each organization's readiness on a scale. Organizations must be ready today to meet existing rules, as there will be no leniency for those that are non-compliant come July 2023.


The journey to becoming "audit ready" will take time.


Many in the DIB do not appreciate how long the process to compliance will take until they experience it firsthand. For those in initial discovery phases, it will take many months, and the clock is ticking. In fact, we're seeing that it takes somewhere between 6 and 12 months to get from minimal preparedness to audit-ready status. Additionally, expertise in CMMC 2.0 readiness is in short supply. It is quite realistic to expect that as the July 2023 deadline approaches, organizations like Daymark that have the skills to match CMMC controls to implementable solutions will have a backlog of business and will not be able to accommodate requests in time to meet the CMMC 2.0 deadline.


Start your compliance journey today


The next 9 months will be critical for organizations to prepare for CMMC 2.0. Finding an RPO (Registered Provider Organization) is more important than ever in order to fully understand the timeline of CMMC 2.0, the rules that are in place today, and the skills required to ensure organizations are assessment-ready come July 2023. Given these factors, we are quickly transitioning our clients from the "early adopters" phase of CMMC to ensuring that they do not miss the boat.

Our Government Services Team provides the services and solutions required for CMMC readiness. We help DIB contractors with as few as 10 and up to 6,000 users:

  • Map existing security and compliance policies to CMMC controls and provide gap analysis
  • Build secure enclaves using Swivel Seat and green field methodologies
  • Design and implement complex hybrid or full cloud IaaS and PaaS secure environments
  • Migrate data, applications and systems from existing environments to secure enclaves
  • Ensure readiness for CMMC self-assessment with step-by-step, pre-audit guidance 

Contact us to start your compliance journey today.