A parable for the Defense Industrial Base: It’s time to face the music

NOTE: Expressions here are mine, not my employer's.

Imagine you’ve been given a life-changing opportunity: the chance to perform on a world stage, but only if you learn to play an instrument.

You were told about this years ago. At first, it didn’t feel urgent—maybe you doubted the performance would ever happen. Or perhaps the costs of lessons, the complexity of mastering an instrument, or competing priorities got in the way.

Fast forward to today, and the concert date is fast approaching. The stakes are higher than you ever imagined. Without the skills, you won’t just miss this performance—you’ll lose credibility and access to future opportunities.

This is where many defense contractors find themselves today.

For years, the Department of Defense has required compliance with NIST SP 800-171 and DFARS 252.204-7012. These are the essential “skills” for protecting Controlled Unclassified Information (CUI). However, the implementation process has proven complex, costly, and disruptive to productivity. Faced with competing operational investments, many organizations delayed action, some even hoping the CMMC requirements would never truly take effect.

But here we are. The music is playing, and you must be ready to perform.

The Federal CMMC Program (32 CFR 170) was introduced precisely because too many organizations failed to fully implement the existing requirements. And the urgency is only growing: by mid-2025, under new 48 CFR rules, contractors will need to either self-attest or obtain third-party certification to prove full implementation of NIST SP 800-171. Without this certification, you will no longer qualify for DoD or DoD-funded contracts involving CUI.

Understanding the criticism

Well-meaning thought leaders often point out that these requirements have been in place since 2016, with a compliance deadline of December 31, 2017. While some organizations rose to the challenge, many others took a different path. Plans of Action and Milestones (POAMs) were created but left incomplete. Others implemented partial solutions, then failed to maintain or update them.

As practitioners working within the Defense Industrial Base, it’s easy to feel like this criticism is aimed directly at us. After all, many of us have spent years trying to convince our organizations to allocate the necessary resources and prioritize compliance.

The reality, however, is that the criticism isn’t about us—it’s about urging leadership to commit. These conversations serve as tools to help us advocate for what’s needed to succeed: sufficient budgets, clear timelines, and active support.

This isn’t about blame. It’s about action.

Here’s the good news: It’s not too late.

Even if you’re behind, there are practical steps you can take to accelerate your compliance journey. And with the right focus, you can minimize disruption to your operations while meeting these critical requirements.

Seven steps to get back on track

1. Acknowledge the reality

Denial isn’t a strategy. Leadership must understand that failure to comply with CMMC/NIST SP 800-171 puts contracts and the organization’s reputation at risk. Use real-world examples, such as lost contract opportunities or penalties imposed on non-compliant contractors, to emphasize the urgency.

2. Engage external expertise

Don’t navigate this journey alone. Partnering with specialists like a CMMC Registered Practitioner Organization (RPO) or a Certified Third-Party Assessor Organization (C3PAO) can save valuable time. These experts—armed with Certified CMMC Professionals (CCPs) and Certified Assessors (CCAs)—can provide:

• Tailored compliance roadmaps.
• Readiness assessments to pinpoint gaps.
• Guidance on how to avoid common pitfalls.

3. Conduct a thorough gap analysis

Identify exactly where you stand versus where you need to be. Break this down into three categories:

• Fully compliant controls: Document and maintain them.
• Partially implemented controls: Determine the minimal actions needed for compliance.
• Non-existent controls: Develop a phased approach to address these gaps.

4. Prioritize quick wins

Start with the low-hanging fruit:

• Enabling multi-factor authentication (MFA) for all users.
• Encrypting CUI at rest and in transit.
• Documenting existing security practices and formalizing them into policies. Quick wins not only build momentum but also demonstrate progress to stakeholders and assessors.

5. Invest in tools and training

Compliance tools can streamline your journey:

• Use software to track POAMs, document evidence, and automate reporting.
• Train staff on cybersecurity best practices and their specific roles in safeguarding CUI. Building a security-first culture reduces human error and strengthens compliance.

6. Adopt a sprint roadmap

Tackle compliance in manageable phases:

• Phase 1: Address urgent gaps that are critical for certification.
• Phase 2: Implement mid-level tasks that require team collaboration.
• Phase 3: Focus on creating sustainable, long-term processes for compliance monitoring and improvement.

7. Commit to the long term

Compliance isn’t a one-and-done effort. It’s an ongoing requirement that needs to be woven into the fabric of your organization. Establish:

• Regular internal audits.
• A plan to update and close POAMs proactively.
• A team or role dedicated to monitoring updates to DoD regulations.

Turning hesitation into action

The journey to compliance may seem overwhelming, but every step you take now reduces the risks and pressures ahead. By investing in expert guidance, leveraging the right tools, and focusing on achievable milestones, you can still cross the finish line—successfully.

Compliance isn’t just about maintaining contracts. It’s about protecting your organization’s reputation and securing its place in the Defense Industrial Base.