One of the most common questions we get from DoD / Federal contractors is "Should we wait to start getting compliant?"
This could be waiting for upcoming regulations like CMMC 2.0 and the DFARS Final Rule, waiting for the Government to provide more clarity on requirements, waiting for a time you're less busy, or waiting for compliance to become an absolute necessity to win or keep a big contract.
The Answer We Give
Never wait to start or get more compliant, and let us help you choose short-term and long-term compliance goals that make sense for your business.
- Time. Fixing compliance issues takes time, whether you are doing it yourself or leveraging the expertise of Peerless. Time can vary from weeks to months to fiscal years, and the funds need to be budgeted. Compliance often requires making significant changes to your IT environment and operations, making it something you want to plan for and give enough time. Using migration to Government cloud as an example, many vendors require 3-6 months before the project even starts (though Peerless can start such a project for you within weeks). Waiting for compliance to be an absolute necessity is already too late, so it's important to start planning and implementing it now.
- Cybersecurity Risk. Compliance is not just about protecting the Government's data, it is also critical to your organization's overall Cybersecurity, protecting your system and data. Ransomware, phishing, and hacking are all threats to your business that can be defended against with the Cybersecurity measures that come with compliance. With continually increasing cyber threats, there is never a better time than now to begin improving your organization's cybersecurity.
- Business Risk. When a contract is on the line, it's probably already too late to start planning for compliance! Delaying compliance is going to increase the risk of losing contracts and partnership opportunities. Prime contractors, teaming partners, and customers are using compliance to decide which contractors to work with now and in the future. Enforcement of compliance is also coming, both from Government and through Primes.
- Competitive Advantage. Getting compliant in advance of your competitors puts you at an advantage. Not only will you be ahead of the curve, it also makes your organization more marketable to customers and teaming partners. Not to mention, it demonstrates the maturity and trustworthiness of your business.
- Right Solutions. Choosing the wrong IT solutions for your compliance can mean over-spending and/or unnecessary investments. This means re-doing or replacing solutions at great time and expense. For example, companies have come to Peerless after modernizing to a Commercial cloud, only to discover that they need to be in a Government cloud. We hope to reach DoD / Federal contractors before they make such an expensive mistake, but Peerless specializes in cost-efficient Government cloud migration to make it right.
- Increased Demand. Contractor demand for compliance continues to grow and will peak every time regulations are updated. This happened with DFARS 252.204-7012 and the DFARS Interim Rule. It will peak again with CMMC 2.0 (expected March 2023) and its associated DFARS Final Rule (expected Fall 2024). Demand will increase even further as Prime contractors and the Government step up enforcement. Companies with the best expertise (like Peerless) may have limited availability due to the surge in demand. The impact to contractors will be: compliance help will be harder to get, compliance solutions will be more expensive, and projects will take longer to implement.
- Increased Costs. With software and cloud licensing prices increasing [1, 2] due to inflation and rising energy costs, locking in contracts at current rates will result in significant savings over time. At Peerless, we leverage bundled licenses and services to significantly reduce the cost (and complexity) of solutions, while often increasing their effectiveness.
- Already Required. Compliance is already a requirement of DoD and Federal contracts. Waiting for updated regulations only puts you further behind the curve. Contractors not meeting compliance requirements should already consider their contracts to be at risk. Misrepresentation of compliance, and security violations that reveal non-compliance, can lead to adverse actions [3], such as: False Claims Act (FCA) [4] criminal and civil penalties, loss of contracts, fines, and/or suspension of the ability to continue doing business with the U.S. Government. Partnering with experts in the industry like Peerless can demonstrate due diligence and proper care in meeting your obligations.
  - Federal contracts: FAR 52.204-21 [5] already mandated that you be compliant with 15 requirements, represented by 17 NIST SP 800-171 controls (CMMC 2.0 Level 1).
  - DoD contracts: Per the DFARS Interim Rule, the DFARS 252.204-7012/7019/7020 [6, 7] clauses have been added to most new contracts, contract extensions, and orders since November 2020. These already mandate that you become compliant with the 110 NIST SP 800-171 controls (CMMC 2.0 Level 2). Additionally, cloud requirements often necessitate a Government Cloud offering like Microsoft GCC, Microsoft GCC High, or AWS GovCloud. Contracts with the DFARS 7012 clause cannot be awarded until all contractors, vendors, and suppliers on the contract have a System Security Plan (SSP) and have submitted an SPRS Score.
  - Export Control contracts (e.g., ITAR / EAR, U.S. Sovereignty, U.S. Citizenship, NOFORN): These often necessitate a Government Cloud offering like Microsoft GCC High or AWS GovCloud.
- Future Requirements. Be proactive, not reactive. Government has repeatedly signaled that current compliance requirements for contractors are just the beginning. Regular updates to multiple regulations are phasing in more stringent requirements and more aggressive enforcement. New compliance initiatives are also forming that will impact DoD / Federal contractors. Executive Order 14028 [8] is driving additional compliance requirements for the Federal Acquisition Regulations (FAR), Cyber Supply Chain Risk Management (C-SCRM), Software Bill of Materials (SBOM), and Zero Trust Architecture.
How We Can Help
- Creating a Plan for Compliance. No time is better than now to start getting your compliance ducks in a row. Peerless will conduct an expert Gap Assessment / Gap Analysis of your business to plan your compliance efforts. This will affordably provide you with: an accurate SPRS Score, a custom System Security Plan (SSP) and Plan of Action & Milestones (POA&M); thorough Policy documents for the 110 controls and their 320 control objectives; recommendations to prioritize short-term and long-term compliance goals based upon risk; and additional findings to improve Cybersecurity to further protect your business.
- Consulting for Compliance. Whether or not you have an IT team, Cybersecurity team, or Compliance team... there is no substitute for experience and expertise in DoD / Federal compliance. This ensures required methodology is followed and security requirements are properly interpreted. Peerless will provide you with expert, flexible guidance customized to your organization, in order to support you, your staff, and your business requirements.
- Implementing Solutions for Compliance. Leverage an expert Engineering Team and/or Managed Service Provider (MSP) that specializes in compliance like Peerless to determine and implement the most effective and cost-efficient solutions for your business. Peerless will partner with you from the first steps, starting with obtaining an accurate SPRS Score to improving your score and getting compliant with ITAR / EAR, DFARS 7012, NIST SP 800-171, CMMC 2.0, and beyond. As compliance requirements evolve, Peerless will continue to partner with you to provide reliable, compliant, and trusted solutions.