What is this CMMC?  The latest activity for Baere is our introduction to "CMMC".  First, we discovered that Baere, as a government contractor, was expected, nay required, to be compliant with "CMMC".  That meant we needed to find out what that was.  Turns out that means Cybersecurity Maturity Model Certification, a set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks.  This sounded reasonable, and legitimate.  After all, we have seen the aftereffects of an aggressive ransomware attack.  Ask Colonial Pipeline.  We at Baere have always taken ALL of our security seriously, so this seemed like the new page in an existing book.

Then we attended a webinar on the topic.  And we discovered if you are a small company like Baere, this is a more than daunting endeavor.  After scribbling down an endless array of acronyms, "Start with getting your SPRS filled out."  My what?  "Supplier Performance Risk System".  Oh.  Just assess your status on these 110 items.  After the second webinar, we here at Baere came to the realization that this is not going to be trivial.  It is something that is likely to take a professional IT person two or three months to go through.  Do you have your POA&Ms written up?  Are you working on them?  Have you written your SSP?  Are you following it?  Have you controlled your access to your enclave?

To do business with the DoD as either a prime contractor or a subcontractor to a prime, you are required to be in compliance with specified DFARs (Defense Federal Acquisition Regulations), one of which is about your cybersecurity.  In the past, we have agreed that should a contract be awarded, the company will provide the necessary documentation to demonstrate compliance to the specified DFARs.  Ah, yeah, here comes the rub.  Compliance with this new DFAR will take MONTHS to achieve.  So demonstrating it at the time of a contract is really not an option.  Okay, Baere is nothing if not dedicated to compliance.  Then we discover, not only do you have to "do" all these things and tell people you have, "say what you do, do what you say", you must have a third party assessment group come and certify your company.  But these C3PAOs are not certified yet, so they don't exist.  And like anything else, supply and demand.  When demand is high and supply is low, the cost goes up.  In the webinars, the expected cost for an average company was provided.  And it was more than nearly two years of Baere's current income.  Not profit, INCOME.

At this point we were terrified, defeated, and ready to close our doors.  We don't have an IT department, we cannot begin to understand the jargon, it is obvious it requires an IT professional full time for months, and getting certified is probably not attainable just by cost.  Then we talked to some people in the field.  And we are interviewing IT companies who specifically want to help small businesses like Baere perform CMMC activities.  And we have been given some pointers to get us to the minimums for today.  We are by no means out of the woods, but we are more calm.  There is a lot that has to happen, but Baere is not alone.  We'll take it one step at a time. 

In the meantime, we will continue to provide you fuels and lubricants consulting to the same high quality we have always done.  We will continue to protect your data as we have always done.  And if you are a small business doing business with the DoD and are as harried as we are, I would recommend contacting John Libby at Exostar for help.  Attend their webinars.  Ask questions.  And most importantly, don't wait!