August 27, 2024
Attrition, Opportunities, & Unintended Consequences
I've had many conversations with colleagues over the past few months about what exactly CMMC will mean to small businesses in the Defense Industrial Base (DIB). There seems to be a general consensus on a few things:
Attrition: some SMBs will leave the DIB rather than comply with CMMC L2. The first step for those that do only a small amount of DoD work, especially if it involves CUI, is to do the math. Do you make enough profit off your DoD work to cover the expense of implementing 800-171 and getting a CMMC L2 Certificate? If not, you have a decision to make. Or, if you don't handle CUI and only need L1, then sticking around may be the best thing to do. L1 isn't very difficult to achieve and it keeps you available for contracts that don't involve CUI.
Opportunities: those that stay in the DIB have an unexpected opportunity to grow. Think about the SMBs who are leaving the DIB -- who's going to take over those contracts? The ones who are prepared. The ones who have doubled down on becoming compliant, who have made the investment to be CMMC certified as early as possible. Whether you do only a small amount of DoD work now or a lot, the possibility of doing more is definitely out there.
Unintended Consequences: Primes will be requiring compliance of their subs well before the official rollout. I don't think DoD saw this coming, but I'm already seeing signs of this. If you have handled CUI in the past, the primes you work for will be pressing you to get certified ASAP. They need to know who their subs will be before they bid on contracts, and they can't count on you if you aren't already certified. This will be the biggest impetus to certification for most OSCs. The phased three-year rollout designed by DoD puts the CMMC clause in the original contract, but then it has to be flowed down to all subs that will receive CUI.
I think this one sentence from DELIVER UNCOMPROMISED: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, says it all:
"Risk-based security should be viewed as a profit center for the capture of new business rather than a “loss” or an expense harmful to the bottom line."
The choice is yours. Which direction will your business go?
If you decide to double down, I'm here -- email, call or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107