No Penalty for SolarWinds Hack Victims Working Toward CMMC Certification


A massive SolarWinds hack was exposed recently, at around the same time the Pentagon started to roll out a new approach to cybersecurity. The CMMC, or Cybersecurity Maturity Model Certification, was designed to make sure that businesses in the defense supply chain are kept as safe and secure as possible.

The CMMC is designed with the safety and security of any contractor bidding on contracts in mind, and it is also there to reward the businesses that meet the required expectations. CMMC certification allows companies to include security as part of the cost when they are making a bid. This makes sure that any business that restricts or cuts out areas of protection won’t win the bids. But what does the SolarWinds hack mean for contractors who were working toward CMMC certification?

The SolarWinds Attack and What It Means for Contractors

The whole process has been designed to protect against negligence, not to punish a business for being unable to predict what is going to happen in its future.

CMMC does involve a lot of strict compliance measures. But what happened with the SolarWinds hack wasn’t something normal or expected, so organizations that were working toward CMMC compliance won’t be penalized as a result of the SolarWinds attack if they were affected by it.

The scale of the attack was not one that could have been anticipated. As an example, the military was not prepared for it, so there won’t be punishments for companies that were not able to anticipate what happened and weren’t able to plan accordingly. That is why IT services for defense contractors can help you improve what you do and make sure that, going forward, you have the defenses in place that you need in order to comply with CMMC.

CMMC Certification and Penalties Moving Forward

Because what happened was unprecedented and unexpected, those working toward CMMC certification get a little leeway. But if you experience a cyber incident at your business, and the attack happened because you did not deploy multi-factor authentication or take the other steps that you need to take, then you are putting your business at risk.

CMMC has several maturity levels, each with its own set of required practices, and each organization’s required level is based on the kind of CUI (Controlled Unclassified Information) it handles. Whatever level of CMMC a business holds, it gives a base to work on and improve on, which is an asset for the future when it comes to bidding on contracts.

However, if the company were audited and it was found that the company wasn’t doing something that it should have been doing, then that is negligence, and that would involve penalties. At the end of the day, the system is one built on verification rather than on trust. Doing your due diligence and being prepared is the best way to avoid any penalty.