Self-Assessments. So we are off the hook. Right?
CMMC version 2.0 has arrived and the government has let us all off the hook, right? Well, not quite all of us.
Contractors who work on particularly sensitive programs will need CMMC Level 3 (Expert), which is a government-led assessment. If we have CUI deemed "critical to national security," we will still need a C3PAO-validated assessment. According to some estimates, that means between 30,000 and 50,000 companies will need third-party assessments.
Using DoD's numbers, that means 180,000 companies or more can simply self-assess their environments. DoD's "risk-based approach" sounds great, so those 180,000+ contractors are off the hook, right?
Not so fast.
Now, regardless of whether you handle CUI or FCI, senior management will have to sign off on a legal attestation and submit that attestation to SPRS. That signature creates a potential liability for the signer and the company. For starters, that signature states that you actually did a self-assessment. Further, the signature attests to the completeness and truthfulness of the self-assessment and any corresponding POA&Ms. If any of that isn't true and there is a breach, and maybe even if there isn't one, trouble will follow.
If you sign off every year and, where needed, submit a score to SPRS, you get to bid on DoD contracts. If you have all the major items done, they'll even give you more time on the minor ones.
Breaches happen. No matter how great anyone's cybersecurity program is, it is built to defend against the past efforts of ever-creative hackers. No one is impenetrable. This is true regardless of how many tools you have in place, or how compliant you are against the alphabet soup of standards.
In the fine print of your government contract are the FAR and DFARS regulations. They allow the government to come knocking on the door to validate your self-assessment. If you signed blindly or optimistically "fudged it," trouble will follow. At a minimum, you could lose your contract, your reputation, and the ability to win others.
Under the False Claims Act, companies face fines of three times the value of the contract plus $11,000 or more per government claim, and every time you ask the government for payment, that is considered a claim. And this is IT we are talking about: lots of details that, without a good governance program, are easy to miss. So, where there is one violation, there are likely many.
To make things even more challenging, whistleblowers can bring actions on behalf of the government and, if successful, stand to win 25% to 33% of the fines. This creates a significant incentive for employees to report misrepresentations. We're already seeing cases like this coming to court, and the Department of Justice's recent announcement about False Claims Act claims means we will likely see the number of cases skyrocket.
So, even without a breach, there may be jeopardy for the thoughtless signer.
CMMC v2.0 delivers more flexibility. Think before you act. Ensure your response to the requirements considers the full ROI picture.