CMMC Compliance Mid-Size Contractors Can Afford

November 19, 2024

I recently participated in a webinar titled “CMMC Compliance Mid-Sized Contractors Can Afford”, alongside our friends at Carahsoft and Hypori, Google, and ATX Defense. If you would like to watch the webinar in its entirety, you can find it here.


Now, on to the key takeaways.


The webinar focused on a variety of factors that impact the cost of compliance for CMMC. The reality is that CMMC compliance will cost more than non-compliance, and as a result we can expect those costs to be transferred to the customer, the Department of Defense (DoD).


The wrinkle to this is that the DoD is not keen on having to pay more for compliance that has been a contractual obligation for years. CMMC implements NIST SP 800-171, and 171 has been on contract for years. I can somewhat understand their position: “Since I’m sure you’ve been compliant since 171 was put on your contract, there really is no justification for increasing your prices due to CMMC.”


The realities are that CMMC will cost more, if nothing else for the additional paperwork and the external auditors involved. The DoD includes some estimates in the CMMC public regulations, but they intentionally avoid estimating the cost to come into compliance if you are not today (although I'd hate to have to make that estimate).


This comes back to our webinar. I think we did a good job of looking at how a small or medium business can at least manage the costs related to CMMC. I think the changes regarding managed service providers are huge in this respect. The new rules will allow you to keep your existing managed service provider (MSP) or managed security service provider (MSSP), as long as they don’t handle either Federal Contract Information or Controlled Unclassified Information. This should significantly reduce the cost of CMMC implementation, and if nothing else, keep any company from having to maintain multiple MSSP providers just due to CMMC.


Also discussed in some detail was the use of cloud services such as Google Workspace or Microsoft O365. The discussion was focused on the need to really understand whether your preferred vendor can meet your CMMC requirements. It was clear that there is some confusion out there, so before you assume you must move to a new provider, ask some very pointed questions, including whether it is possible to reconfigure your existing solution to be compliant. I think this is an important point: don’t give up on your preferred solution until you have certainty that you must migrate. I’m sure there will be many that will have a hard requirement to migrate. Hopefully, the majority of companies can simply reconfigure their existing solutions to be compliant.


In the webinar a question was asked about what we thought the future would bring to CMMC. We ran out of time to really address that, but I will share my thoughts here. I believe that the DoD made the changes from the final draft to final rules primarily to increase the success of the launch of CMMC. I would bet that they want it out, and to start building up a compliant Defense Industrial Base (DIB). Launch it, grow it, and stabilize it. Perhaps in a year or two, we will start hearing about lessons learned from the DoD, and depending on where we are as a community, we will either see CMMC 2.1 or CMMC 3.0.


I think CMMC 2.1 will update the controls to NIST SP 800-171 Revision 3 (CMMC is currently based on Revision 2), and I think they will start selectively walking back the loosened restrictions on external service providers. I wouldn’t be surprised if the whole concept of Level 2 self-assessment will go away.


If CMMC 2.0 suffers the same fate as CMMC 1.0, then I think we will see the DoD go back to the drawing board and we’ll see CMMC 3.0. I can’t imagine the requirement to protect government data (the FCI and CUI) will ever go away, but I can imagine another major change to CMMC like the one we saw from 1.0 to 2.0. It is too early in this process to declare either success or failure of CMMC 2.0, and I have no clue at this point what I’d even want CMMC 3.0 to look like if I had the ability to decide.


The key is that CMMC is now real, and is really happening. The DoD made some changes to lessen the burden, particularly on small and medium companies, but that burden still exists. I did enjoy engaging with the other panelists, and I hope to participate in more webinars in the future.

John Allison
Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.


Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.