This is a great warning from Bobby Guerra that should be heeded!
In Phase 1 of CMMC, starting early to mid-next year, many companies will need to perform self-assessments. The temptation to simply "put the right score" in SPRS to stay eligible for contracts will be strong. It’s tempting to think, "Others have done it—why can’t I?" Listen closely: it’s a TRAP.

32 CFR explicitly states that companies are affirming and attesting to their self-assessment scores. The Department of Justice even requested that the DoD include a requirement for companies to keep documentation proving they conducted the assessment, with records maintained for seven years! This means the DOJ is preparing itself, if needed, for False Claims Act cases against any misleading claims.

Per 32 CFR, Section 170.22, the "Affirming Official" at each company must confirm in SPRS that the company’s CMMC status is accurate, with annual updates. Executives, don’t ignore pushback from your Affirming Official if they tell you, "We aren’t ready." Moving forward despite being unprepared might make that person more likely to report any violations—and, under the False Claims Act, they may even receive a portion of any awarded funds if a case is won.

There are at least two major pitfalls to consider if you don’t take your self-assessment seriously. First, when it’s time for your third-party C3PAO assessment, one of the initial questions will be to see your self-assessment score and evidence. If they see glaring inaccuracies, it won’t go well. Second, if your C3PAO finds a major gap in your compliance and submits a large delta to SPRS, it could have significant contractual implications. Per 32 CFR: "Within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status." In other words, major non-compliance may leave a company open to more than just fines—it could mean contract ineligibility.
In the DIB space, trying to “game” the CMMC system is a risky strategy that will likely backfire. Running a business is tough enough without taking unnecessary compliance risks. Instead, approach CMMC as a proactive, strategic advantage that strengthens your business. This doesn't have to go down a dark path, but the DoD/DoJ will most likely make some examples to help straighten the ranks. Don't be unlucky enough to be plucked out of the crowd.

Brian Hubbard, Amira Armond, Kaleigh Floyd, Adam Evans, CISSP, Shel Philips, PMP CCP RP, Vincent Scott, Koren Wise, Kyle Lai, Robert Metzger, Jonathan Weadon, Karen Stanford, Jacob Horne, Jason Sproesser, Joy Belinda Beland CMMC CCA, PI, QTE, CISM

#CMMC #DoDCompliance #Cybersecurity #CFR32 #FalseClaimsAct #SelfAssessment #MSPCommunity #RiskManagement #ComplianceJourney #DiBSpace