Expect GovCon's compliance focus to only increase


The Defense Department's new CMMC cyber and supply chain standard is poised to disrupt the industry, one way or another.

A common refrain in the world of business goes like this: a Democratic administration ramps up the oversight and regulatory engines, while a Republican administration ramps them down.

Government contracting marches to a different rhythm on those fronts, of course, and the scrutiny has been turned up in recent weeks, especially with respect to certain kinds of consulting work.

The short-term focus on oversight also points to CMMC, the four-letter acronym representing the Defense Department’s new cyber and supply chain security standard for the industrial base. CMMC is in the midst of a phased rollout ahead of the rule’s inevitable finalization and addition to contracts this year.

Defense companies “have known for a really long period of time, that there's a target on their back on high levels of cybersecurity compliance,” said Jeffrey Noolas, chief executive of Jamis, a GovCon business management software provider. “It's not going away, it’s only going to get bigger and bigger.”

Noolas and Jeff Smedley, a former chief information officer at J&J Worldwide Services and now a CMMC consultant to the industry, both pointed to that initiative as a disruptor that will reshape the entire ecosystem one way or another.

Smedley said that in his role as an industry CIO, getting through CMMC was priority number one because of how important it was to the “nature of survival.”

“If you don’t do it, then you won’t be able to participate in the procurement process, so you might as well shut the doors if you’re 100% DOD and have no diversification,” Smedley added. “I see that being the main disruptor for military contractors.”

But as Smedley also pointed out, CMMC is also there to enforce what contractors should have been doing since 2016.

That was the year the Defense Department finalized a regulation that requires adequate protection and security of controlled unclassified information.

DOD based that regulation on the guidance, best practices and compliance framework laid out by the National Institute of Standards and Technology’s 800-171 publication. CMMC is structured around that very standard and includes the network of third-party assessment organizations to certify contractors as compliant.

The ongoing work to get those assessors approved and in place to do the assessment also coincides with workforce reductions across government, including at DOD. Many of those are on hold and remain in the midst of a legal fight, but Noolas indicated it is still something to watch.

“If you're trying to cut government agencies, government employees and so on, having them do five times as much with far fewer resources is an interesting equation,” Noolas said. “I’ll be curious to see how that one works.”