In this week’s episode, Brooke Justice and guest cohost Stacey break down one of the most crucial topics for DoD contractors: how CMMC compliance directly impacts your ability to win and keep defense contracts.
From understanding compliance levels to avoiding costly mistakes, we’ll walk you through everything you need to know to stay competitive and avoid compliance pitfalls. You’ll learn:
✅ Why CMMC is becoming a non-negotiable requirement for DoD contracts
✅ How being CMMC compliant gives you a competitive edge
✅ What compliance level you should aim for to secure future opportunities
✅ The biggest mistakes companies make that put their contracts at risk
✅ How to ensure your supply chain isn’t a weak link
Whether you’re a prime contractor, subcontractor, or just starting your CMMC journey, this episode is packed with actionable insights to help you navigate the compliance landscape.
💡 Have questions? We want to hear from you! Send us your questions at cmmccomplianceguide.com and we’ll answer them in a future episode—for free!
Stacey: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.
Brooke: And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.
Stacey: Today we're diving into one of the most critical topics for DoD contractors: how CMMC compliance affects your ability to win and keep defense contracts. So, Brooke, why does CMMC matter when it comes to DoD contracts?
Brooke: Well, if you're in the DoD sector now, manufacturing or related, then you already know that cybersecurity compliance is kind of a huge deal. There's been no shortage of talk about it, and no shortage of communications coming from primes to their subcontractors: hey, you need to meet this compliance, you need to do this, you need to do that. So that's no secret, and it's been out there. So today we'll talk a little bit about why it's important, what it means for those contracts, and how to keep those contracts.
Stacey: Do you have to have a CMMC certification to get DoD contracts, or can you just do it retroactively?
Brooke: Currently, no. You don't have to have a CMMC certification. In fact, CMMC Level 2 certifications just became available to go through that process recently, just towards the end of the year. So those are just now available, and they're not required on contracts yet. Compliance is, but not those CMMC certifications. However, whenever the next 48 CFR rule comes into place, goes final and then into effect, then you will absolutely have to have your certification, if that's a level you're told you have to have, in place before you can have that contract.
Stacey: Are you seeing that companies that are CMMC compliant win more than their competitors?
Brooke: So of course this is kind of third hand, if you would, because we're not on the winning-contract side necessarily, but we help our customers meet that compliance. And what we see is that the ones that are compliant are getting more contracts. It's easier for them to get contracts because they're green in the primes' system, or they already meet those requirements for direct government contracts. So yes.
Stacey: So based off of what you've been seeing, how strict is the DoD getting with these requirements, and what should businesses expect in the coming years?
Brooke: You know, as I just alluded to, coming up here we're expecting maybe Q1 of '25 for the 48 CFR rule to go final. And when it does, not if, but when it does, that's going to make CMMC and certifications required on contracts. It won't be all contracts all at once. There are going to be four phases, but it is coming. The train is coming. You ought to be able to see that big headlight in the tunnel, because it's big and bright and shining. But it is coming. It is going to start. That 48 CFR rule should go final, should come out, Q1. Of course, that's a guesstimate. The government could surprise us. The DoD could surprise us. But anyway, it should go final sometime soon, and then have 60 days for it to go into effect. And then phase one is going to be self-attestation. Basically what you're doing right now, with a few changes because of the 32 CFR rule that was finalized. But self-attestation for the first year; each of these phases is a year long. The second phase is really where it starts, and that second phase is where they are going to start requiring CMMC Level 2 certifications on contracts. Like I said, it won't be all at once. They did leave wiggle room in the wording. If you look, they can say, hey, on this contract it's not going to be mandatory in the first year, but on option years it may be; or maybe, here's a special contract and it's not quite time yet, but we're going to go ahead and require it on this one. So they did leave themselves a little wiggle room, but basically a year after that 48 CFR goes into effect, that is going to start being required on contracts.
Stacey: So I know there are certain levels of compliance, and each company may have a different level of compliance they need to adhere to. Can you get into that a little bit further?
Brooke: There's Level 1, Level 2, and Level 3. Level 1 is going to be your basic COTS, off-the-shelf things. Level 2 is going to be most everybody we deal with. In fact, I don't think we have any clients that have actually been told they're just going to be Level 1. Likewise, we have not had any clients that have been told they're going to have to be Level 3 either. But there is Level 1, Level 2, Level 3. Level 2 is the basic NIST 800-171 controls with CMMC wrapped around it, of course, that we have to be compliant with and get certifications on. Level 3 follows NIST 800-172, and like I said, it is a lot more stringent. We don't have any clients yet who have been told they have to be Level 3 compliant, but there are different levels.
Stacey: Would it make sense for someone to get CMMC compliant even if they're not asked to or required?
Brooke: You know, it's funny you asked that question. I actually talked to somebody on the phone the other day. They were curious about what we did and this whole CMMC stuff and the compliance: what in the world is that? And of course, since he asked that question, I realized that he probably wasn't in the DIB, the defense industrial base, right? So I basically told him what we do, of course, but also what this means to companies. And the fact is real that the government and primes are going to be looking for companies who are already certified when this comes out, when everything goes final. They're also looking now; right now, I can tell you that the primes are really rewarding, I guess is a good phrase anyway, their subcontractors that are green in their system, which means they're fully compliant. So if you're fully compliant, that's an easy call for them. And if you want to go get certified, that's a good way to get in and have a marketing tactic to say, here's my certification, I'm ready to go. That's a really good marketing tactic. Like I said, contractors are looking for that; main prime contractors are. So that would be a really good thing to do. And the person I talked to was very interested in doing this and doing what he does currently, but getting more into DoD contracts can be a good thing. We also have other clients that are already in the DIB that, at this point, want to get their certification now, so they can be ahead of the curve and ahead of the game and go ahead and get those contracts rolling in and make it easy. But, you know, the whole process is not easy. That's kind of an irony there, but so, yes.
Stacey: What is your take on businesses preparing for CMMC Level 2 versus Level 3? Should they go beyond the minimum requirements?
Brooke: So that's a very good question. Level 3 is pretty intense, and a lot of people tell you Level 2 is intense and there's a lot to it, and there is. But Level 3 is another giant step to take. So if all you need is Level 2, I would say stick with Level 2. If you really need to go Level 3, or there's some business you want to win that may be Level 3, then I would say definitely go for it. But Level 2 is going to cover the basics of everything else.
Stacey: What can business owners do to prevent the loss of their hard-earned contracts?
Brooke: Really, I mean, don't wait to get certified, don't wait to start the process. It's a long, hard process. Not only that, the process to get compliant is a long process, and the process to get certified, because that's different, is a long process. And right now I can tell you, I think I talked about it in the last podcast we had, but the assessors, the C3PAOs, are a few months out before they can even start right now. And then, if you're ready and you think you're compliant, ready to go, it's probably at least a two-month process. So you're talking six months, maybe a little longer, if you decide to pull the trigger today, before you can get that certification. So if you have a contract you want to bid on, you need to plan to have that certification in hand by the time you win that contract. Don't wait.
Stacey: You mentioned that compliance and being certified are different. Could you quickly go over what the key difference is?
Brooke: Yeah, sure. So compliance, really, is that you are compliant with all the controls and all the CMMC standards that you have to be compliant with. Getting certified is another step where, and this is what we're talking about, you hire the C3PAO to come in and do the certification assessment. That is certification. They look over everything and go, yep, you are compliant, here, you're going to get a certification. I wish it were that easy, but that's basically the difference.
Stacey: So if a business owner wants to be compliant, how would they go about handling the paperwork?
Brooke: So as far as handling the paperwork goes, there are a couple of pieces to that. Basically, I've said this before in other podcasts, so if you've watched the podcast, you know: documentation, documentation, and more documentation. You need to have good, clear policies, to where if you give me the policies, I need to be able to read them and go, I understand that. So good, clear, detailed policies. You need to have all your documentation in one spot, which could be one folder on your network, or a protected folder, of course, but one folder on your network. But really, a GRC platform, a governance, risk, and compliance platform, some software, is really the best thing to do, because you can have basically a living, breathing SSP, POA&M, all your policies, everything else right there in one spot. So that would be a great way: first make sure you have all that documentation, make sure it's clear, concise, well detailed, I should say, and then make sure it's in one place, easy to get to, easy to manage, which would be a good GRC platform.
Stacey: If business owners don't want to do this themselves, is there someone else they can put in charge of this?
Brooke: Well, there absolutely is. You could hire an external consultant to come in and help you out. Another form of an external consultant would be an IT services provider like us. But of course, with either an external consultant or an IT services provider, you want to make sure that they know what they're talking about, that they do this. So you can look for people that are Registered Practitioners, registered with a Registered Practitioner Organization. You can find that on the Cyber AB marketplace. You could find CMMC Certified Professionals, CCPs. We, for instance, have RPs and CCPs on staff because we wanted to go get trained and understand and really know what the assessor is going to be looking for and how to implement all these controls. So it's good to look for those kinds of people who have those certifications.
Stacey: In your experience, what's the biggest mistake businesses make when it comes to staying compliant?
Brooke: One of the biggest failures, I guess, in people staying compliant is that they make a change in their network and don't change any of their paperwork: they don't change their policies, they don't change their procedures, they don't even change their network diagram. So changes should result in changes in all your documentation. You've got to remember that, because if you've had network changes, then you're not compliant until you've documented it. The other big thing I'd say right now that's going on, and I probably would have said this first because I've seen it a lot, is there is a lot of M&A activity, a lot of mergers and acquisitions. So when a company comes in and buys up a company that's already got their SSP, they've got all their policies, their CAGE code, they're doing business with the federal government or primes, that larger entity, or that other entity, it doesn't have to be larger, comes in and buys them. That's a structural change to that company. Now, they could actually keep everything the same and have that as a wholly owned subsidiary, however you want to do that, but that is a change in that business and you're no longer compliant. Like I said, it kind of depends on how you do business, but a lot of times what happens is they come in and then they start integrating their IT infrastructure, or maybe even people and processes. So that is the biggest thing I really see that happens that people don't address right away.
Stacey: So for the business owners that do have those existing contracts, is there a way that they could lose those lucrative contracts?
Brooke: Yeah, I mean, there are a couple of ways they could do that. If you currently have contracts and you said, hey, I made all these certifications, we're at 110, we're good, our SPRS score is 110, and then you get ready and come in and have a certification and you fail that certification, then I would probably get a little worried that I might lose some contracts. So it's very important to make sure you're on top of the game. Of course, the other thing is, if you have some sort of breach or anything like that that exposes a problem you weren't addressing properly, and maybe you didn't tell the whole truth or you stretched the truth a little bit, you could be liable under the False Claims Act, which would be a big deal. Just ask, I think it's Georgia Tech, and I can't remember the other one, but ask them and they can tell you.
Stacey: Let's say a business owner failed an assessment. Could they get more assessments in the future, or are they stuck with that failed assessment?
Brooke: Yeah, so if you fail an assessment, you can absolutely get another assessment. Now, timing is a thing. Like we were just talking about a minute ago, the assessors, the C3PAOs, are booked several months out, a few months out right now, three months, four months, something like that. So getting the assessment might take some time. Going through the assessment will take at least a couple of months, probably. So you're talking about, at the very least, another five months before you could possibly get that certification. But you also have to address what it was that caused the problem. Is that something you can address in a week? Is that something you could address in two or three months? So you have to add that time to it as well. So absolutely you can go through and get another assessment. Timing is the deal; it won't be immediate, it won't be quick, it'll be relatively slow. But the other part of that is the question of your current contracts: what happens with those? If they say, hey, you told us you were at 110 and you've been that way for three years, and now you fail an assessment, what's the deal? That's basically a lack of trust now. Is there something that changed that caused it? What's the deal? So now you have a loss of trust and you have to build that trust again. Even if everything turns out fine and it's just something minor and you got it fixed within a week, and they don't have to wait several months to go back through it, you've still got to build that trust back and make sure they know that everything's good. And sometimes that's the gray area, because they're like, hey, can we even trust you now? We've seen that happen with some other incidents, email incidents where people didn't necessarily want to turn on something simple like MFA. That's a really good story; buy me a beer sometime and I'll tell you about it. But yeah, the reputational thing is a big thing.
Stacey: What are the legal consequences of not being compliant if you're required to be?
Brooke: Well, the legal consequences: first of all, if you're not compliant and you don't get that certification, you just won't get a contract. But second of all, if you're supposed to be compliant and you said you were, and it's found out you're not, then you could be held liable under the False Claims Act. And that is a big deal. That is a very big deal. That has some teeth in it, and it can cost you contracts, it can cost you millions of dollars, or it may even cost you some jail time. But it's a big deal. They are, arguably, I guess, making examples of a couple of entities right now. Georgia Tech is one of those, I believe. Off the top of my head, I can't remember who the other one is. But they said they were doing all these things, and they were pretty egregious from what it looks like. They said they were doing these things and they just completely weren't. It wasn't a difference of opinion, of, yeah, we're doing this and it meets that control, and the government says, well, it doesn't really meet that control. It wasn't like that. They just weren't doing those things. So it was pretty egregious. So if it's pretty egregious, I would expect to be hit with the False Claims Act. And that is nothing that I would want to have happen to me or my company, I can tell you that.
Stacey: What is the worst-case scenario for a business that assumes they can just wing it with compliance?
Brooke: Well, like a lot of things in life, if you're going to wing it, then it may not turn out well for you. We just talked about the False Claims Act; that could come into play there. Winging it with something this complex and this strict, as far as this compliance goes, is asking for trouble. It's asking to have to recover and spend a whole lot more money, a lot more time, have to recover your reputation. There are a lot of things winging it can damage. And there are several things winging it is not a big deal in. I went to the rodeo last night, and I'm sure some of those guys winged it when they came out of the chute. But winging it does not have a place in CMMC compliance, I can tell you that much.
Stacey: So for the subcontractors out there, would they have to make sure their suppliers are compliant?
Brooke: Yes, they do. And this is nothing new, but it was specifically called out in the last CFR rule. Like I said, nothing new, but you're supposed to make sure that your subcontractors, anybody that you use that is going to be handling the data in question, so the CUI or the FCI, meet the appropriate compliance. So if you're Level 2, they're likely going to need to be Level 2 as well, unless all you're giving them is contract information, and then I guess at that point they may just need to be Level 1. I would make darn sure that's the case, though, before you make that decision to think it's okay. But it is up to you to make sure that your subcontractors are compliant, just like you are, and that is exactly what these primes are doing and what they've been required to do. Lockheed, Bell, Raytheon, all those, they're saying, we have to be compliant; now our subcontractors that get business from us have to be compliant. That's what they've been doing all along. Those subcontractors don't necessarily realize that they were supposed to be doing the same thing all along, but it's spelled out and you have to do that. I'm not saying you have to do that now; you've been having to do it all along, but you really need to start now, I guess, if you hadn't been doing it.
Stacey: How can they hold their vendors accountable?
Brooke: That's a good question. I would just take a page out of the primes' playbook, really. I don't know the exact answer an assessor is necessarily going to want, but they're going to want some sort of proof that you tried to make sure that your subs are compliant. So it could be a simple questionnaire, it could be some contract language, just like they do to you: you are subject to DFARS 252.204-7012, or whatever it may be. And when they sign that contract, they just said yes to that. So I would probably go a little bit further and clarify: hey, here's a separate questionnaire, please fill this out so we can verify that you are CMMC Level 1, 2, or 3 compliant.
Stacey: What are the best ways to ensure vendors don't become a weak link in your compliance efforts?
Brooke: Really, it goes back to what I was just talking about. Especially if you're looking for some new suppliers, that would be one of the questionnaires I give them: are you compliant with CMMC Level whatever? It could even be a more detailed questionnaire that they have to fill out. If you have to be certified, the question would be: are you certified? Do you hold a Level 2 certification? Please provide me some proof of that. So those are the kinds of things you want to vet your new vendors with. Same thing with your current vendors. You want to say, hey, we've been doing business for 150 years, but now I need you to sign this for me.
Stacey: So that wraps up our episode on CMMC compliance and how to maintain and win those lucrative DoD contracts. If you have any questions about what we covered, please reach out to us. We're here to help you. You can text, email, or call in your questions, and we'll answer them here for free on the podcast. Just reach out to us at cmmccomplianceguide.com.