Yes… You Can Afford Compliance!
If you are a Small Business and are part of the Defense Industrial Base (DIB), you may be a bit stressed out. A week doesn’t go by without a company telling me they can’t afford security. I have heard hundreds of stories as to why a company skimps on implementing good security controls.
“It’s too expensive”
“I don’t have a budget”
“Our margins are too thin”
“We are not a target”
“Nobody is checking our security”
“DFARS allows me to get away with just having a plan”
CMMC is changing the story. Bluntly, you don’t have a choice anymore – implement the required controls or get out of the DoD business. In short, the DoD isn’t messing around. The good news is they are willing to put money towards solving the problem.
The DoD knows they may have to help you get to compliance and stay there. Emagined Security, as an RPO with Provisional Assessors on staff, is ready to help you move quickly through the analysis and preparation and support you along the path to passing a CMMC assessment. This approach is in line with Emagined Security’s CMMC Clear Path, and if you are curious about the costs, you can check out our service pricing using the link at the bottom of the page. Follow this method with our support (or on your own) and you can manage the costs of compliance without going broke.
STEP 1: IDENTIFY CMMC CERTIFICATION LEVEL REQUIRED
This means you need to “Know Where You Need to Be”. Keep in mind good security brings compliance along with it but now is not the time to buy everything in sight. This chart gives you a better understanding of what is required to achieve each level and a lot of it does not require a capital expenditure:
STEP 2: CONDUCT READINESS ASSESSMENT
Now it’s time to “Know Where You Are”. With this information, you will be able to make decisions going forward.
Identify your CUI Scope:
What systems have access to CUI data?
What security controls are in place to limit your architectural scope?
Are any systems used for DoD contracts also used for non-DoD projects?
Do you have access to ITAR data?
Are your DoD projects limited to US persons and US locations?
Does your DoD business use any cloud systems?
Measure your compliance using the Level 1 approach (an interview-based review), but assess yourself against all 130 of the Level 3 requirements:
Be very critical as you review each requirement
Try to apply a “What would an auditor say” perspective to each requirement and your solution(s)
Ensure you can provide evidence of compliance
Gather Business Statistics:
Determine how much money you are bringing in from DoD Business
Determine how much money you are profiting from DoD Business
STEP 3: CALCULATE THE ROI OF CERTIFICATION (COST VS REVENUE)
Start to “Measure the Value” of the DoD revenue to the business.
Determine executive management’s commitment to remaining in the DoD Business
It may be cheaper to retool the business away from DoD if it’s not strategic
Find out how much money you have to work with:
Identify % of revenue management will commit to comply with CMMC
Identify % of revenue management will commit to maintaining compliance with CMMC
Perform a cost vs revenue analysis
Acquire agreement from management to fund the CMMC compliance project:
Do not stop until you have an actual dollar amount agreed upon
Or determine to get out of the DoD business
Determine if you can “Acquire Additional Funding”. The DoD has already stated they understand they may need to fund security programs to keep their supply chain in business and secure. Every dollar you can negotiate with your Prime Contractor or the DoD can be added to your CMMC budget. You should be getting close to having a pretty good budget to work from. You may be working on small margins, so each percent you increase can be a large sum of money. One client we work with takes in about $80 million in revenue from the DoD and has an average 7.5% profit margin. They make $6 million in profit each year. Every 1% they can raise their rates increases their security budget by $800 thousand. That can make a huge difference.
Use chargebacks to get additional funding
Negotiate new funding when security requirements are added
Re-evaluate your commitment to the DoD business before signing contracts, as you would be signing a contract with legal and financial implications
“Schedule Your Spending” to synchronize with budgets and new funding source payments.
When you start to create a spending schedule, work backward from your anticipated CMMC contract renegotiation dates
Build processes you can quickly implement after capital expenditures
STEP 4: UPDATE CONTROLS, POLICIES & PROCEDURES
“Evaluate Current Tools” to determine if they can meet the CMMC requirements.
Determine which existing tools can be enhanced or configured to comply with CMMC:
This is not the time to upgrade to enterprise-class tools
You will need the funds to comply with areas you are deficient
Create a list of tools to be replaced or purchased but don’t buy them yet:
Wait for funding to come in; see next section
Prepare for the tools by getting administration controls ready
Compile a needed additional funding amount:
Cost for developing policies and procedures
Cost for additional controls (hardware / software / licenses)
Cost for documentation and evidence
Cost for services/consultants
Cost for auditing
“Start Getting Healthy” by implementing CMMC enhancements and allow for improvements over time.
Start with administrative enhancements first using existing personnel
Get policies and procedures documented and in place
Then start enhancing current tools to meet requirements
Begin an effort to make bigger changes as funding comes up in the schedule
STEP 5: C3PAO ASSESSMENT
Be smart as you “Contract with a C3PAO”. We recommend contracting with auditors who understand your compliance goals and situation.
Contract with a C3PAO who allows for 10% reassessment deltas
Try to include a remediation window (e.g., 90 days) with the auditors
STEP 6: RESOLVE FINDINGS (IF ANY)
If you are getting close (>90%), “Schedule Your Audit”, but make sure you give yourself enough time to complete your enhancements. Take the following into account as well when you determine the audit dates.
The DoD has stated they will not delay awards while waiting for audits
Auditors will be busy, so build some audit delays into your schedule
Have a team ready to perform remediation quickly
STEP 7: C3PAO RE-ASSESSMENT
“Request Your Re-Assessment” once you feel you are ready.
Take advantage of the remediation window you got into the contract
Pass your audit
STEP 8: C3PAO SUBMITS ASSESSMENT TO CMMC AB
“Congratulate Yourself” for getting this far.
STEP 9: FORMAL CMMC REVIEW & APPROVAL
“Begin Maintaining and Enhancing Your Compliance” to ensure you have a long successful DoD business.
This approach can help you get to your CMMC goals and keep you in the DoD business. We are here to help and guide you through the entire process or you can do it on your own. Just remember, Emagined Security is just a phone call away.