Recent industry working groups have found that the time to comply with CMMC ranges from 6-18 months, and that it requires the classic initial assessment, implementation plan, budgeting, audit and accreditation, and long-term management.
What businesses really look at is the cyber value of the data relevant to their business, which is where CMMC runs into the financial realities of running a business. If the value (or harm) of a data release becomes greater than the cost of protecting the data (including the time value of an incident), then the ability to recoup those costs predicts whether it is a profitable endeavor, or whether businesses will instead look to hold the optimized level of data security that yields the best profits while conforming with cyber regulations.
How to comply therefore becomes a complicated calculation, since businesses need to evaluate when their contracts will come up for renewal and include a DFARS 252.204-7012 clause, weighed against how long compliance will take, and what the optimized value of the data is against future profits. The DFARS rule skews that calculation somewhat, because it’s no longer even the true value of the data, but the business and personal costs of being prosecuted for non-compliance. While more amorphous, this is a very real business risk that there’s no good way around. Cyber insurance is a great alternative for shifting risk in a consumer or commercial environment, but in the government contracting space, it’s an issue of compliance, black and white, and of ensuring that the certifications and “true and correct” attestations are actually supported by data assessments and implementations.
The bureaucracies that deal with cyber acquisition and compliance are getting better, however. There are multiple working groups developing and espousing best practices for communities of knowledge and experience, including for small and medium-sized businesses. That shared experience effectively yields economies of experience and efficiencies developed over time.
Given the state of cybersecurity implementation and the maturity of processes, the next 24 months are going to be an especially exciting and focused time for cyber compliance and CMMC. The window to implement is rapidly closing, but tools and processes to “right-spend” are also coming on-line. Hopefully the most critical areas of compliance will be secured during the next two years, raising the bar for security in our market. We need to protect our infrastructure, and the time to start … is now.