Realizing the Total Cost of Compliance

Companies in the defense industrial base (DIB) have less than a year before the Interim Rule is in effect. We’ve spoken to many small to medium businesses (SMBs) in the DIB and one concern comes up over and over again. The cost of CMMC 2.0 compliance seems out of reach.

Compliance with CMMC Level 2 requires a combination of technology and procedure to adequately protect CUI. Deploying the appropriate technologies alongside secure procedures can take a lot of time and a lot of money. That’s a lot of impact on your bottom line.

Fortunately, there are ways to mitigate the costs of CMMC compliance. Here are some practical ways to manage your compliance costs.

CMMC Cost Drivers


The bigger the project, the greater the cost. Costs will be proportionate to the number of people and technologies managing CUI. Every person and device that has access to CUI will need to be included in the scope of your CMMC compliance policies, procedures, and training.

Think carefully about which systems you use to manage CUI. For example, if you include CUI in your Enterprise Resource Planning (ERP) system, like Oracle, that ERP platform and everyone working on that system is included in the scope of your CMMC compliance project.

By contrast, you could store CUI in secure enclaves in your network and limit access to a subset of employees and devices. That would limit your scope correspondingly.


The more you’ve already done to secure your network per the NIST 800-171 standards, the less you have left to do. Less to do means lower costs.

How mature are you? For example:

  • Have you already worked on an ISO 27001-compliant project, or similar?
  • Do you have an incident response plan describing how your team should respond to a network outage?
  • Do you have robust documentation describing training and policies?

Answering yes to one or more of the above means you’re likely on a good path towards maturity. If you answered no to all questions, you should expect a significant investment of time and money to develop these plans and policies.

Technology Implementation

Your organization’s platform must support secure storage and sharing of CUI in compliance with NIST 800-171 and DFARS 7012 requirements. All devices in scope will also need to have appropriate endpoint protection, including antivirus protection and multi-factor authentication (MFA). Network-level devices, such as routers and firewalls, must also be protected with encryption meeting NIST 800-171 requirements.

The cost of licenses, deployment, and user training for these technologies will contribute to your overall CMMC compliance cost.

Consulting Fees

There’s no way to avoid consultants entirely. Consultants can be very helpful in guiding you towards potential flaws in your System Security Plan (SSP) and where you need remediation. However, they can be expensive. So, by planning carefully, you can ensure you are using their talents wisely.

How to Manage CMMC Compliance Costs

Self Assess

Don’t blunder through your CMMC journey. The very first thing you should do is conduct a self-assessment to see where you stand.

If you’re seeking CMMC Level 2 compliance, conducting a self-assessment is straightforward. You just need to determine how well you’re meeting the existing NIST 800-171 controls. Here are some questions to get you started.

  • Does your organization have a password complexity policy?
  • Do your networks have policies to limit access to only authorized users?
  • What types of policies do you have for reporting malicious cyber incidents?
  • Do you have artifacts to demonstrate the policies and procedures your team has in place for compliance with each of the 110 NIST 800-171 controls? Spreadsheets, files, and training schedules are examples of such artifacts.

If you know where you are, you can efficiently chart where you need to go.

Limit Scope

The more CUI you have in scope, the greater your cost of CMMC certification. Make sure you limit your scope to the extent possible.

For example, don’t include CUI in your ERP. Those systems multiply the places where CUI is touched. Every endpoint, printer, and server that touches CUI is in scope and must meet NIST 800-171 requirements.

Keep CUI contained in small enclaves in your network. Only those employees who must handle CUI should have access to CUI and to the systems and devices that manage CUI. This will keep your scope small and your costs down.

Elect a Leader

Appoint an IT point person within your organization to manage your compliance process. This ensures someone is keeping oversight, and that someone isn’t an expensive consultant.

Choose Affordable Technologies

When it comes to technologies to protect your CUI, expensive doesn’t always mean better. You can spend as little as $30/user per month to protect CUI in email and files, or you can spend upwards of 10x that much. Choose wisely.

Manage Consulting Time

Do as much as you can yourself. Bring consultants in to assist with policies you really need help implementing and/or to review your compliance package for assessment readiness.

Potential Gotchas – Caveat Emptor

Do it right the first time. Redoing steps only makes your total costs higher. Here are some common pitfalls to watch out for in your CMMC compliance process.


Any old encryption won’t do. Make sure any FIPS 140-2 encryption you use to manage CUI has been validated by NIST.


While using templates can save you time and money, make sure that your documentation is based on the way you work. Don’t just blindly copy.

Further, make sure that you have documentation to demonstrate how you are implementing each NIST control. If you create the documentation as you go, you won’t have to spend hours patching up the gaps later.


Keep your CUI access locked down. It’s easy to have people and technologies creep across the compliance boundary over time. Don’t let that happen. Scope creep raises your costs and can put you on the wrong side of compliance.

Implementation and Sustainability

Set up a solution that’s both easy to use and affordable. If your systems are difficult to use, your team won’t use them. If training is complex, new employees will fail to retain what they learned and won’t be able to implement the lessons. If licenses are prohibitively expensive, they won’t be purchased.

Make sure you can manage your system without excessive expense. The best security is the security you actually use.

PreVeil’s Cost Effective Path to Compliance

PreVeil is focused on making its CMMC compliance solution for file sharing and email affordable, easy to deploy and easy to use. Here’s how we do that for SMBs in the DIB.

Only Pay for What You Need

We help you minimize your scope. With PreVeil, you can easily form trusted communities within your networks where CUI lives. That way, only the employees and devices that need to access CUI are within scope.

DoD contracts often involve work with third parties. PreVeil provides free service for any third parties you’re working with.

Keep It Simple

PreVeil integrates with familiar GSuite and O365 platforms that you’re used to. This significantly cuts down on training, reducing costs and admin overhead. It also means your team will actually use the secure system, because it’s effortless.

CMMC Documentation Templates

Don’t spend hundreds of hours building documentation from scratch. PreVeil provides documentation that organizations can customize to match their unique policies and procedures.

PreVeil’s platform and documentation help support compliance with 102/110 controls of CMMC 2.0. For the remaining controls, our MSP and MSSP partners can take you the rest of the way.

Consulting Fee Minimization

We’ve proven our ability to take an SMB across the finish line to CMMC compliance quickly and affordably. By using PreVeil’s weapons-grade encryption and prefilled CMMC documentation, you can take your organization over 75% of the way to compliance. With the aid of a knowledgeable consultant, you can get to the finish line.


The best thing you can do for your CMMC compliance journey is get started right away. The Interim Rule deadline is less than a year away and failing to prepare is preparing to fail.

The cost of CMMC compliance doesn’t need to be overwhelming. Get your bearings, limit your scope, and work efficiently. Need a hand? We’re here to help.