It’s not that the pricing regulations are made up. They are just set in a different reality. DFARS 252.204-7012 gave companies until Dec. 2017 to be compliant with NIST 800-171.
Therefore your #DFARS interim assessments should not be too cost-prohibitive. You aren’t breaking the law and fibbing a bit on your SRP and POA&M, are you?
…no, nobody would do that. Thus the day rate set in that reality.
Yet if that reality existed, then 7019, 7020, and 7021 and the #cmmc would not exist.
I see the DOD perspective, “Why would we include covering your past fraud in our pricing models?”
Still, in the reality we live in, many DIB who currently touch CUI have work to do for 7019, 7020, and 7021 compliance.
The math scares me, and this is why I think we look to states (kinda bad time, I know) to cover this important economic development cost.
(I am no cybersecurity expert, my opinions do not reflect those of the CMMC-AB or the CMMC Training working group. You need to consult with real cybersecurity SMEs and lawyers. I am just a dude with a blog).