As I approach my first full year of working exclusively with the Defense Industrial Base and selling NIST 800-171 solutions, I wanted to blog about my experience. I have been in the IT industry for over a decade, but this last year has been one of the most interesting of my career.
Over the past year, I have watched:
As contractors and providers roll with the punches of DIB and DoD controls, it's tempting to get caught up in the latest industry news or seemingly urgent requirements. However, an effective compliance strategy requires a clear view of the current state of affairs, with a level-headed approach to in-flight developments and proposed changes.
I have spoken with hundreds of small and medium-sized businesses about how the DoD is ratcheting up the pressure to tighten compliance posture. While we think the 110 controls that exist today will eventually turn into 130 with CMMC L3, the rest — timelines, execution, and, ultimately, requirements from the DIB moving forward — are clear as mud. The overwhelming consensus from DoD and Government contractors is simple: the guidance from the DoD hasn’t been enough.
At Peerless, our mantra for years now has been “get ahead, stay ahead.” However, that doesn't mean contractors should skip over current controls in an attempt to fast-track future ones. For example, as more and more providers push CMMC Level 3 (even 4 and 5 in some cases), an ever-growing group of contractors is asking for “CMMC compliance” while brushing past the standards of NIST 800-171.
The reality is, NIST 800-171 is the current requirement and will be for the foreseeable future. The Interim Rule bolstered NIST 800-171, and the final rule, once released, will add even more weight to these already-critical controls.
Why are we focusing on a pre-beta (CMMC) framework that potentially won’t be in place until 2023? Instead, our focus should be on NIST 800-171 solutions.
And instead of worrying about the 'what ifs' of CMMC, contractors should focus on the state of compliance as it is today. Step one towards solving CMMC's 130 controls is solving the 110 controls associated with NIST 800-171 and the DFARS Interim Rule. That means NIST 800-171 in its current form will allow your business to achieve 85% of what Level 3 is asking for, which puts your organization well on its way to full CMMC compliance when the new rule goes into effect.
Speaking of NIST, DFARS, and CMMC, let's talk about this looming list of controls. We work with various prospects that are determined to charge ahead to CMMC L3 when they likely aren't anywhere near adherence to DFARS and/or NIST.
To help paint the complete picture here, I've pulled some high-level statistics based on the aggregate scores of the 30+ companies we have assessed since November 30th, 2020.
These assessments help identify an organization's “cyber score”, with 110 being the highest and -203 being the lowest.
At Peerless, the current average score, using the DoD scoring methodology, is -52. That's a far cry from achieving NIST compliance, much less CMMC L3 or above. Simply put, if DCMA or an auditing body executed a NIST 800-171 audit, most companies in the DIB wouldn’t pass.
I make this point to underscore that if we added those 20 additional controls for CMMC and raised the top score to 130, we’d see scores dip even further into the negative. It would make it even more daunting for our clients to prioritize remediation efforts.
Compliance is hard. Compliance is a journey – these numbers highlight those points. We shouldn’t be overly concerned about 130 controls when we, on average, are seeing companies with 30-40 deficient controls out of 110. Checking the CMMC “box” should begin with checking the NIST 800-171 “box”, which puts any business in a higher leverage position than most.
The true intentions of compliance are pure: to protect our country's data and, ultimately, the boots on the ground.
Peerless can help you identify the best approach for your business, from initial assessment to ongoing system maintenance. Our services are designed to help you stay ahead of the compliance curve and win high-value Defense contracts as new rules and regulations go into effect.
Let’s have a real conversation about the current requirements, including how those requirements may change, and start the journey together.