top of page

What will CMMC mean for the rest of us?

This guest post was contributed by Edward Tuorinsky, Managing Principal and Founder, DTS

Ed Tuorinsky, DTS

Mark my words: This is the start of something big. 

When the Department of Defense released a Proposed Rule for the Cybersecurity Maturity Model Certification (CMMC) program, it intended to shore up the Defense Industrial Base (DIB) by asking contractors to prove that their cybersecurity was up to standards. A much bigger impact, however, will be felt throughout American business. 

In essence, it’s a brand-new era for cybersecurity. What might it mean for you? And when?

The Proposed CMMC Rule is expected to be implemented over 30 months, starting sometime later this year, and encompass 500,000 DoD contract awards annually. But it won’t stop there. The CMMC rule will fundamentally change how we view cybersecurity, nearly making it a requirement to do business in the United States. 

Protecting American innovation

Bad actors and sophisticated cyber schemes have outpaced cybersecurity protections. Daily, American companies fight off hacks, data breaches, and fraud. According to global statistics from AAG, nearly 1 billion emails were exposed in a year, and in 2022, data breaches cost businesses an average of $4.35 million.

These aren’t victimless crimes. Stolen data leads to identity fraud. Ransomed data forces companies to close their doors. Phishing schemes let viruses and bad actors in where they quickly use connections to other systems and companies to wreak havoc.

Although standards, techniques, tools, and procedures are available to defend against cyber-attacks, the cost and commitment mean many small and mid-sized companies have already denied their risk or delayed their spending. 

Now that the DoD is requiring robust cybersecurity, contractors will need to tidy their supply chain by demanding that all subcontractors, suppliers, vendors, and service providers also meet CMMC standards. And those companies will certainly ask their networks to do the same.

The flow of cybersecurity

You might think, “This doesn’t apply to my company—we’re not in manufacturing or defense.” But you might be surprised just how close your connection is to government funding. By supplying a supplier. By supporting an organization that gets federal grant money. By working with those who also work with a government contractor, you are connected.

Within the next 3-5 years, your company could be asked to provide proof of your cybersecurity posture as the requirements trickle down. While advanced cybersecurity might not be needed for a local ice cream stand, an artist who sells their work, or a small lawnmowing company, savvy customers will ask even the smallest mom-and-pop businesses about their security before providing personal or financial information.

By my estimate, 80 percent or more of all U.S. businesses will need cybersecurity because of their (distant but related) connection to the federal government. Based on the latest GDP numbers, economists suggest that government spending has an even greater impact on the economy.

Faced with the prospect of implementing cybersecurity or losing business, companies that cannot (or will not) take the steps to meet cybersecurity standards may find themselves fading into history, following in the footsteps of other dinosaurs who failed to keep up with technology evolution.

I’ll repeat my prediction: This will be big! We are witnessing a moment in American business history that will propel cybersecurity forward, permanently embedding it in everyday operations. Only one question remains: Will your company take the necessary steps to achieve CMMC-compliance and enhanced cybersecurity? 

Edward Tuorinsky, Founder and Managing Principal of DTS, a government and commercial consulting business, brings more than two decades of experience in compliance and management consulting, information technology and cybersecurity services. 


bottom of page