The two misconceptions below are based on my personal interactions with DoD contractors.
“CMMC Will Prevent My Company From Competing on DoD Contracts”
I have heard this one many times from DoD contractors, and it genuinely breaks my heart. If every contractor had to meet level three or higher CMMC requirements, there would be justification for more concern. Thankfully, most contracts will carry either level one or level two CMMC requirements. This means that companies will only need to maintain basic or intermediate cyber hygiene, which is not particularly difficult or expensive to achieve. So if you are a small company or have a tight budget, don’t freak out about CMMC.
“I am Already CMMC Compliant”
As of August 2020, no company can be “CMMC compliant”. A company can only be “CMMC compliant” if it actually holds a Cybersecurity Maturity Model Certification, and as of August 2020 this certification cannot yet be earned. You can definitely undergo an internal or external assessment to help determine where you stand, but that in itself will not make you compliant, although it is something all DoD contractors should be doing now if they haven’t already. Many DoD contractors I have interacted with cited their “IT service provider” as the source for the claim that they are CMMC compliant. These reckless claims can put contractors at risk as they begin to bid on contracts with CMMC requirements.
The CMMC Community Needs to Step Up to the Plate
The above misconceptions show that the CMMC community needs to up its game in educating the defense industrial base. This responsibility doesn’t fall only on the CMMC Accreditation Board but also on the professionals and companies offering CMMC-related services to the defense industrial base.