CMMC AND THE SMB
Yes… You Can Afford Compliance!
If you are a Small Business and are part of the Defense Industrial Base (DIB), you may be a bit stressed out. A week doesn’t go by without a company telling me they can’t afford security. I have heard hundreds of stories as to why a company skimps on implementing good security controls.
“It’s too expensive”
“I don’t have a budget”
“Our margins are too thin”
“We are not a target”
“Nobody is checking our security”
“DFARS allows me to get away with just having a plan”
CMMC is changing the story. Bluntly, you don’t have a choice anymore – implement the required controls or get out of the DoD business. In short, the DoD isn’t messing around. The good news is they are willing to put money towards solving the problem.

The DoD knows they may have to help you get to compliance and stay there. Emagined Security, as a Registered Provider Organization (RPO) with Provisional Assessors on staff, is ready to help you move quickly through the analysis and preparation and to support you along the path to passing a CMMC assessment. This approach is in line with Emagined Security’s CMMC Clear Path, and if you are curious about the costs, you can check out our service pricing using the link at the bottom of the page. Follow this method with our support (or on your own) and you can manage the costs of compliance without going broke.
STEP 1: IDENTIFY CMMC CERTIFICATION LEVEL REQUIRED
This means you need to “Know Where You Need to Be”. Keep in mind good security brings compliance along with it but now is not the time to buy everything in sight. This chart gives you a better understanding of what is required to achieve each level and a lot of it does not require a capital expenditure:

STEP 2: CONDUCT READINESS ASSESSMENT
Now it’s time to “Know Where You Are”. With this information, you will be able to make decisions going forward.
Identify your CUI Scope:
What systems have access to CUI data?
What security controls are in place to limit your architectural scope?
Are any systems used for DoD contracts also used for non-DoD projects?
Do you have access to ITAR data?
Are your DoD projects limited to US persons and US locations?
Does your DoD business use any cloud systems?
Measure your compliance using the Level 1 approach (an interview-based review), but assess yourself against all 130 of the Level 3 requirements:
Be very critical as you review each requirement
Try to apply a “What would an auditor say” perspective to each requirement and your solution(s)
Ensure you can provide evidence of compliance
Gather Business Statistics:
Determine how much money you are bringing in from DoD Business
Determine how much money you are profiting from DoD Business
STEP 3: CALCULATE THE ROI OF CERTIFICATION (COST VS REVENUE)
Start to “Measure the Value” of the DoD revenue to the business.
Determine executive management’s commitment to remaining in the DoD Business
It may be cheaper to retool the business away from DoD if it