A Different Perspective
I’ve got an analogy for you…
Let’s say you cherish your old homestead ranch (in this case, it’s your company doing DoD contracts), and the county (the DoD) wants to pay you good money to lease it for public events.
They’ve been leasing it from you fairly often, and you’ve come to rely on the income, but now there’s a catch. Some time ago you were told that you must bring what they lease—house, barn, shed and all—up to code or else they’ll stop leasing it (work with me here… this is analogous to your company losing its DoD contracts if it is not CMMC/NIST compliant—when a significant part of your business is working on DoD contracts).
The first question you ask yourself is, “are they really going to stop leasing my ranch for all those fun events (will they really stop renewing my DoD contracts)?”
The answer is, Yes.
But you also know that there aren’t a lot of ranches (companies) that can get to code, and if you get to code soon, then you have an advantage.
The next question is, “I know they’ve been talking about this for years, but if they are really going to stop leasing, when?”
Indeed, the can’s been kicked down the road for years now (CMMC became an official thing in January 2020, and its enforcement has since been delayed more than once, plus the requirements have changed, and they’re still changing, without the official requirements being finalized yet), but the county is starting to show they’re serious. They’re even giving a likely date they’ll require the ranch be up to code (a date when CMMC will be enforced).
Maybe you still don’t believe it. They could just kick the can down the road again.
Maybe you think it’ll be easy to fix. Maybe you’ve tried to fix a few things: had the ranch hand fix the flooring, put in new pipes under the sink, re-roofed the house. But there’s still that sinking feeling that maybe, just maybe, it isn’t quite right.
Could it be there’s something you’re missing?
You’ve read all the requirements, but they’re in Greek and you only speak Latin (okay, just kidding, CMMC isn’t quite written in a completely different language, but it can seem that way). More accurately, the requirements are written in your language, but the terminology and what exactly is required are still very hard to understand.
Because of that, there’s a chance you brought in a consultant, or paid for a solution.
But things are not yet complete. You have that underlying suspicion that, if you were assessed, you might not pass.
Why Ask Why?
With that analogy of the ranch behind us…
Questions often arise as to why the DoD needs CMMC.
The fact is, US DoD contractors have been leaking data to adversaries. Plus, many (not all, of course) DoD contractors have been signing contracts promising to protect data, and they simply haven’t followed the NIST framework that’s required. The NIST framework and the upcoming CMMC assessments are here to slow that transfer of sensitive data to those who might do us harm.
The DoD has determined that maintaining information security using the NIST 800-171 framework reduces leakage of important data and supports the US’s technological overmatch in military conflicts. This ultimately safeguards the warfighter, and thus the citizens the military is bound to protect. To us, this is a strong motivator.
CMMC will soon be enforced as the assessment protocol that ensures the NIST framework is actually being implemented.
That’s why.
NIST/CMMC Pain Points
Nobody likes pain.
Facing the challenges of meeting the NIST requirements and being responsible for future CMMC assessments is definitely a cold prickly and not a warm fuzzy.
Implementing and adopting NIST 800-171 is far from easy.
And it’s expensive.
Our belief is that defining the pain points, and then understanding the specific solutions, is the best way to solve most problems.
In that vein, here is a list of CMMC Pain Points as we see them, a solution summary, and an approximate cost range for small to mid-sized businesses. This list and the definitions just scratch the surface of what to be aware of, but they do offer a basis for further research and for more informed questions.
The numbers stated are very general, and should only be used as rough estimates for companies ranging from just a few people to a couple hundred people (low end to high end). Cost ranges come from DoD sources and from FNI’s own direct experience in working with scores of defense manufacturers and service providers.
As an aside, FNI has a full enclave solution at a surprisingly low cost for its installation, including training. FNI’s enclave solution starts at a cost far less than the aggregate of even the lowest combined costs below.
Pain Points, Solutions, Value
- Understanding CMMC Requirements
  Pain Point: Many organizations struggle to understand the specific requirements of CMMC, especially with the different levels of certification.
  Solution: Engage a qualified consultant to help interpret the requirements and create a roadmap for compliance.
  Value: This gives a snapshot of where you are, and can save time and reduce the risk of implementing unnecessary or non-compliant solutions. Estimated cost: $15,000 - $50,000.
- Resource Allocation
  Pain Point: Allocating sufficient resources (time, money, personnel) to achieve and maintain compliance can be difficult.
  Solution: Develop a detailed project plan that includes budgeting for necessary tools, training, and personnel. Consider obtaining qualified consulting services and outsourcing certain tasks to managed security service providers (MSSPs) qualified to provide NIST/CMMC solutions.
  Value: Efficient resource allocation can lead to more effective compliance efforts and reduce overall costs by avoiding redundant or unnecessary expenditures. Estimated cost: $7,500 - $100,000.
- Technical Implementation
  Pain Point: Implementing compliant technical controls and ensuring they are properly configured can be complex.
  Solution: Vet hardware, software and cloud services to meet the specific compliance requirements, including Export Controlled CUI (ITAR, EAR) if such data is accessed, transmitted, stored or processed. Use automated compliance tools and platforms that can help manage and monitor security controls. Regularly update and patch systems to maintain security. Have your internal IT department provide this service, or have a qualified MSSP provide it.
  Value: Proper technical implementation can enhance security posture, reduce vulnerabilities, and ensure continuous compliance. Estimated cost: $25,000 - $200,000+.
- Employee Training and Awareness
  Pain Point: Ensuring all employees are aware of and adhere to cybersecurity policies and procedures is challenging.
  Solution: Conduct regular training sessions and awareness programs to educate employees about cybersecurity best practices and CMMC requirements. This can be done in-house, with possible software support, or by an outsourced training company, consultant, or your qualified MSSP.
  Value: A well-informed workforce can significantly reduce the risk of security breaches and improve overall compliance. Estimated cost: $4,000 - $20,000.
- Documentation and Reporting
  Pain Point: Maintaining thorough documentation and reporting for compliance purposes can be time-consuming and prone to errors.
  Solution: Implement a centralized documentation system that automates the collection and reporting of compliance data. Make sure policies, procedures, plans, and other required documentation are fully accessible, regularly reviewed, and updated as needed.
  Value: Streamlined documentation processes can save time, reduce errors, and provide clear evidence of compliance during audits. Estimated cost: $5,000 - $50,000.
- Continuous Monitoring and Improvement
  Pain Point: Achieving compliance is not a one-time effort; it requires ongoing monitoring and improvement.
  Solution: Establish a continuous monitoring program that includes regular audits, vulnerability assessments, penetration testing, and updates to security policies and controls.
  Value: Continuous monitoring ensures sustained compliance and helps identify and mitigate risks promptly. Estimated cost: $5,000 - $100,000.
Bottom Line Summary
Adding up the low ends of the ranges above comes to $61.5k, and adding up the high ends comes to over $490k. If done piecemeal, this is reasonably accurate for very small companies on up to 200 employees or so. Costs vary depending on the scale of implementation, the types and quantity of solutions that are implemented, the knowledge and activities of those within the company itself, and the expertise of the service providers that are hired.
FNI achieves cost savings through its comprehensive and well-integrated solutions.
Make an appointment with FNI if you’re serious about NIST and CMMC.