Compliance Essentials: CMMC Compliance Updates and Legal Safeguards Government Contracting

Most CFOs feel that they have all the bases covered when it comes to cybersecurity risk and that they have plenty of time to meet the CMMC compliance requirements for safeguarding their DoD contracts. After all, this is not the first time the United States government has cried wolf on enacting regulations. And besides, the technology team has this covered, and net margins are at an all-time high.

What many fail to realize is that their tech team’s confidence in readiness sits at about 30%, while those being held accountable for regulatory fines and contract loss, i.e., the CFO, CEO, etc., report a confidence level of 87%. With an average of $3.4M in personal liability on the line, that is like playing Russian roulette with EBITA and complete organizational failure. Picture cost-cutting to the tune of laying off 50% of your employees.

Financial statements as scorecards are the “true north” for an organization’s fiscal fitness. CFOs are truly remarkable at making financial statements tell a compelling story with a symphony of numbers. “Numbers don’t lie”. In a world of digital distrust, CFOs deliver true magic to stakeholders through numbers.


The Risk of Landing New Contracts

Regardless, many CFOs see this as an opportunity to secure financial fitness and win over the competition. They know that this will be a veritable feeding frenzy of new contracts. Think of it as a simple acquisition, but of the lucrative contracts that sales has not been able to win. What they are doing is paying close attention to risks and prepping for what many know is a minimum of 18 months of hard work to meet the deadline, if they started last fall.

The Department of Defense (DoD) has been rolling out significant updates for a proposed rule related to the Cybersecurity Maturity Model Certification (CMMC). This isn’t just a procedural shift; it’s a clarion call indicating that the CMMC framework is set to become a linchpin in our future government engagements.

Consider the recent legal repercussions faced by Penn State University under the False Claims Act (FCA) as a stark reminder of the high stakes involved in non-compliance and false attestations. Picture this – falsified documents, misleading attestations, and intentional mishandling of sensitive information. These allegations expose organizations to heightened legal risks, substantial financial penalties, and even the specter of incarceration under the FCA.

CFOs understand that these risks aren’t just monetary; they extend to the very fabric of an organization’s reputation and long-term success in government contracting. Proactively comprehending and addressing these challenges isn’t just about compliance; it’s about safeguarding financial resilience, protecting reputation, and ensuring continued success in the competitive government contracting arena. It underscores the critical need for accurate, honest, well-documented, and demonstrable representations to the Government – a strategic imperative for financial stability and enduring success.


The Update

In December 2023, the DoD entered a 60-day comment period for a proposed rule related to the Cybersecurity Maturity Model Certification (CMMC). The implications of these changes are profound and expansive. Understanding the intricacies and proactively preparing for these proposed alterations is paramount for maintaining a competitive edge and ensuring compliance in an environment that is becoming increasingly regulated. Being proactive in comprehending and preparing for the impending CMMC requirements is crucial for the long-term success and security of your business in government contracting.

Cost Implications. There is potential for reduced program costs through provisions like self-assessments and streamlined assessments for specific levels, which affect your budgeting and planning.

The long pole is that maturity takes time. Cultural change takes time. Organizations will need practice. Excuses will not be accepted in the case of a data breach or mishandling of the information you have taken responsibility for as an organization.


Who Does the CMMC Ruling Affect?

This development significantly influences Federal Contracting, particularly for organizations involved with NASA SEWP, GSA, DoD, and other government entities. The proposed rule introduces streamlined requirements and levels of compliance tailored to the sensitivity of the information handled and the nature of the threats faced. Surprisingly, this affects a lot more organizations than you would expect.

What Should Organizations Be Aware Of? Let’s face it. Threat actors are multiplying. Daily we hear of hacks. In the case of Target, it was an HVAC subcontractor whose access led to the exposure of protected information. CUI, while seemingly simple, will have far-reaching repercussions. What organizations should be aware of is the need to start now. This is not rocket science.

Threat actors are ahead of the game. By the time CMMC 2.0 is enacted, those in strategy already know they are behind on cybercrime. Regardless of when the final rule is released, the best outcome is a proactive one, whether you are securing government contracts or otherwise. Furthermore, a follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC is anticipated in 2024 as well, with potential modifications aligning with the 32 CFR rule for CMMC. This proposed DFARS rule will modify the existing 48 CFR rule to align with the CMMC’s new structure, impacting how contracts are awarded and managed.


What’s Next?

Be Prepared. Grasping the proposed changes allows for a more strategic approach to becoming compliant by any deadline, let alone the proposed 2025 deadline. The changes provide a more precise roadmap for achieving compliance, allowing for a more strategic and informed approach to meeting CMMC requirements.

Resource Allocation. Get a head start on where to begin. Managing risk for financial health needs a digestible scorecard and continual management of the “proof” necessary to get and stay compliant with all new regulatory arms. Those who succeed have moved away from spreadsheets and old file management and replaced them with a governance (oversight), risk, and compliance (GRC) tool. However, tools are just the beginning. The most successful govern continually, as a living organism.


ROI is key to the CFO role. Those managing risks need a GRC platform that is managed and administered by RPOs prepping for C3PAO audits. They need visibility, and therefore governance, through a GRC platform, along with the knowledge not only to deploy the platform but also to map requirements in a streamlined way. They also need an understanding of enclaves and of ways to outsource output at a fraction of the cost of a full-time equivalent employee, so that proof is provided incrementally instead of as a wildfire at the end of the year or fiscal period.

Omnistruct checks all the boxes. In addition, we are the only Governance as a Service (GaaS) organization that is also an RPO, one that treats risk and passing audits as financial health and ensures your audit readiness when it is needed. Not just once and done, but continual compliance and governance. We do this at a fraction of the cost of a full-time equivalent in-house team while offering SaaS and contract payment models to fit all budgets.
