by annoyingnoob 1740 days ago
If you want to work in the DoD supply chain after 2024 then you'll have to implement NIST 800-171 and some level of CMMC. It's no longer a self-attestation and requires a 3rd party audit and certification. It's not trivial.

The compliance costs aren't what worry me. The part that worries me is ending up with FIPS but even worse everywhere. Just because of how slowly it evolves and how people are stuck on old things because of that.
I can't argue. I don't love all of the things we are required to do. I'm sure my current VPN is better than what I'll have to implement. The things I'm required to implement are major attack targets with histories of vulnerabilities - but they are certified.