If you do business with the Department of Defense (DoD), then the Cybersecurity Maturity Model Certification (CMMC) is known to you. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company to become a certified assessor in May 2021. Since then, three additional companies have been approved. That's it. Four companies have been approved as Certified Third-Party Assessment Organizations (C3PAOs) to assess DoD contractors' cybersecurity compliance with the CMMC.

Approximately 300,000 suppliers to the DoD will be impacted by the implementation of the CMMC.

Only 100 CMMC assessors available, 5,000 needed

In an interview with Federal News Network, Chris Goldman, a founding member of the CMMC accreditation body and director of information security at Horizon Blue Cross Blue Shield of New Jersey, described some of CMMC's shortcomings. He detailed how the DoD plans to roll out the process with 500 pilot contracts requiring assessments. With roughly 100 provisional assessors currently available, that works out to five assessments per provisional assessor. Goldman noted, "we're certainly going to need to scale to over 5,000 assessors in the ecosystem to do more than 100,000 assessments per year."

One potential downside of the DoD's CMMC effort affects small and medium-sized businesses (SMBs). The cost of adhering to the CMMC process may cause many entities to self-select out, concluding, in Goldman's words, "It's too expensive, I can't participate in the ecosystem anymore." Companies providing goods and services the DoD needs then become unavailable as they look for more profitable customers.

What this means, according to Don Kulp, director of business development at Saalex, is that the government is using the CMMC process to push good cyber hygiene into the private-sector ecosystem, including educational institutions.
The DoD will have the "maturity level of bidders contained in the actual bid and include the entire supply chain associated with the contract." He continues that the implementation will include waivers, with the ultimate goal of ensuring "the level of maturity that all bidders must be certified to as well as the entire supply chain associated with those contracts." That isn't to say it will be smooth sailing; he notes that contracting communities may make execution of contracts difficult for those doing business with the government.

Navy submarines not audited due to lack of auditors

One need only look to the US Navy to see the potential effect of not having timely audits of cybersecurity postures. The Navy Times obtained an internal audit of the US Naval Submarine Force Pacific that revealed its 41 submarines and their support ships didn't have their required "internal and external cybersecurity inspections" conducted from 2016 to 2018.

The checks and balances built into the system to ensure known vulnerabilities are mitigated weren't taking place. The Navy Times went on to report that the Navy lacked the personnel and bandwidth to conduct the inspections. The publication obtained a more precise answer via an FOIA request: "Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks."

The rationale was that "the boats disconnect from the network" while at sea. And the risk to the DoD's information network? The auditors opined, "Excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk."

The submarine example demonstrates what happens when triage is forced by a lack of resources.
The US Navy's cyber auditors had only so many cycles in their days and thus had to choose between two bad options: audit all entities quickly (and perhaps superficially), or skip one entity and make the security of the others as good as it can be.

With thousands of companies needing certification and approximately 100 provisional assessors approved to conduct C3PAO assessments, one can do the math. A shortage of assessment organizations is a reality, which makes the 2023 deadline look a bit like the Sword of Damocles hanging over DoD contracting processes. There is going to be a bottleneck. The CMMC accreditation body and DIBCAC will need to double down and invest heavily in efficient training of assessors, in a world where cybersecurity-savvy personnel at all levels are a much sought-after commodity.