Though there is currently significant focus on defense sectors under CMMC, it seems clear that emerging frameworks are moving toward a similar regulatory regime. While the DoD has set the stage for this transformation, industry experts predict that CUI and CMMC-like expectations will soon extend beyond DoD contracts.
Case in point: many other federal agencies are starting to treat certain data as CUI, which will likely extend CMMC-style compliance beyond the defense sector.
Should this come to pass (it’s really a matter of when, not if), CMMC assessor shortages will extend outside of DoD supply chains, turning the bottleneck into a full-on logjam.
At Essendis, we’ve been predicting this movement for some time now, and we stand firm in the belief that the whole country will likely have to become CMMC-compliant within the next five years.
Do we have data to support this? Not yet. But the writing is on the wall, and we can see the direction we’re headed.
Data is sorely lacking. Currently, there are no longitudinal, cross-sector studies or media investigations tracking how CMMC (or CUI governance) evolves beyond DoD subcontractors, and precious little even for the defense sector.
Sectors that could see the most immediate impact include academia, research, healthcare, commercial enterprises, and other non-defense federal contractors.
Bottom line: any firm that handles sensitive data should consider whether it is, or could become, CUI. If there is any inkling that this is the case, preparing for CUI-driven compliance should be part of their five-year cybersecurity strategy.
The cumulative effect will be most evident where compliance intersects across sectors.
The increased regulatory burden is a given: affected organizations will be tasked with compliance measures scaled to the level of CUI they handle or can access through their contractual relationships.
Audits will overlap, specifically regarding export controls, FedRAMP, and other cybersecurity frameworks, but there is little clarity on how firms should navigate this hurdle. Many firms will likely underestimate the risks, putting their continuity at risk.
CMMC compliance mandates, and the effort to meet them, often reveal hidden obstacles as international stakeholders work out how to securely handle sensitive or restricted information within the evolving compliance framework. It’s already an issue, given how the threat environment has advanced, so one can imagine how much more complicated it will become when CMMC alignment becomes standard.
Ultimately, it’s a positive step in the right direction. However, organizations that have thus far resisted will find themselves at a disadvantage.
Among the concerns that represent the greatest amount of risk:
Obviously, we need history to identify patterns and draw conclusions about what the shifts may bring. Looking beyond the defense environment could forecast larger shifts in how U.S. companies handle data governance and cybersecurity, with significant implications for regulators, contractors, and auditors across every sector.
We’ve touched on many points today, but we’re just scratching the surface on what we predict will be a hot topic in the years to come.
How will your organization meet the compliance challenge? Connect with an expert today, and let’s talk about it.