As the summer ends and the calendar turns to fall, most companies start the planning process for their annual budget. This is a key time to make the case for top priorities and necessary investments across the organization, including IT. Most years, we would talk about a hardware refresh, or maybe digital transformation, and of course cybersecurity in general.
However, this year is different. The recent DFARS Interim rule which implements the rollout of CMMC starting on November 30th as well as NIST 800-171 reporting will require companies to invest in the tools, policies, and assessments designed to ensure their baseline of security. Most importantly, and for the first time ever, these investments will be required for any contract to be awarded by any DoD agency.
Here’s why it’s important to your budget process
The DFARS Interim Rule that was issued on September 29th has several impacts on every DoD contractor. These include:
Clause 7012 is unchanged, meaning that all current contractual obligations remain in place.
Clause 7019 requires contractors to, at a minimum, perform a self-assessment on NIST 800-171 compliance and document that status to SPRS.
Clause 7020 ensures that every contractor throughout the supply chain is included in this rollout and clarifies the government’s right to access facilities, systems, and personnel in order to conduct assessments.
Clause 7021 embeds the CMMC program into the contractual obligations, featuring a five-year rollout and a phased approach to contract inclusion.
Regardless of where you are in your cyber maturity, you need to assume there will be some investment in CMMC readiness and compliance in the coming year. This will include technology, policy development, and preliminary assessments, all in order to prepare for audits (which will also cost money).
Contractors that have made good-faith efforts to meet the existing DFARS 7012 clause, as well as those that have achieved ISO status, will obviously have less incremental effort to meet the new requirements. Those that have so far under-invested in IT, much less cyber, should prepare for a shock to the system.
To plan appropriately for these requirements, companies must first prepare for the associated expense and plan accordingly during their budget process.
The old saying goes that resource planning is all about, “people, process, and technology.” And being a service provider, we naturally like to start with technology. Let’s start with some things to consider as you develop your plans:
In our experience, most contractors are accelerating their move to the cloud and in many cases, choosing the Microsoft Government Cloud to consolidate their core services and then layer in security capabilities on top. Microsoft 365 is the core of this approach, with the GCC High version gaining more mainstream adoption. Combined with Azure Government, this has the advantage of reducing vendors, eliminating service gaps and simplifying administrative obligations. Last but certainly not least, GCC High is Microsoft’s recommendation for CMMC Level 3 certification. If you are considering this approach, you need to plan for licensing, professional services, and ongoing administration.
Licensing within Microsoft 365 is very flexible, with many different choices and associated cost profiles. However, while Microsoft 365 in general, and GCC High in particular, provide a significant amount of capability, compliance ultimately is a shared responsibility. This means that you need to purchase the right license and configure the right features to meet your compliance requirements. As you might expect, the more you consolidate services on the Microsoft Cloud, the higher the level of license you will need. For clients pursuing a Microsoft-centric strategy, this usually will mean the Microsoft 365 Enterprise E5 license, complemented with Azure Sentinel for SIEM, and possibly other complementary services such as third-party backup.
Professional services include onboarding, data migration, and configuration. Generally speaking, data migration costs, and to a lesser extent configuration costs, will scale according to the size of the organization and the complexity of the legacy environment. A small company with a small data footprint and no customizations will be very different from a midmarket organization with terabytes of data and significant automation in place.
Ongoing administration has both an operational and a security component. First, your support services will need to be in alignment with the policy directives listed below. With respect to security, administration includes periodic review of reports and evaluation of whether your technology or policies need to change. Most importantly, someone needs to watch over everything and be able to respond if there is an event. These Security Operations Center (SOC) services can provide detection, response, and even remediation of potential events.
Maturity Level 3 compliance in CMMC requires contractors not just to have documented policies, but also to demonstrate that they are following them. This is a key component of the “maturity” portion of the program. Some things to consider as you evaluate the potential cost of developing policies:
“As organizations prepare for CMMC, it is important to understand that the technical implementation must align with documented artifacts that in turn corroborate the implemented practice,” says Soda Sultana, President and CEO of Kreative Corporation. “This is a unique element that demonstrates the institutionalization of organizational maturity while also driving an enterprise security posture consistent with its targeted maturity level.” Companies that do not use their policies and procedures to deploy and manage their environments are going to struggle when audits come around.
Technology-centric biases aside, we generally recommend you develop a technology strategy so that your policies are written for the solutions you are deploying. There are plenty of approaches to policies and many templates which can be downloaded from the Web and customized. If you have expertise in-house, then you might be able to grind through this. However, if this isn’t an internal capability, there are plenty of consultants who can work with you to develop a technology strategy. Our friends at Kreative Corporation are great at working with small and mid-market companies to put policies in place.
Whether you take an internal or external approach, there are costs associated with developing policies that need to be accounted for.
While CMMC is the goal, don’t ignore Clause 7019 in the new interim rule. This clause requires contractors to, at a minimum, conduct a Basic Assessment, which is a self-assessment of NIST 800-171 compliance. This is widely seen as a bridge to CMMC, which means that it needs to be prioritized and has more of a near-term impact. Resources, internal, external, or both, will need to be allocated to get through this requirement.
Even before this, many contractors were doing pre-assessments to identify gaps and develop Plans of Action and Milestones (POA&M). There are good consultants that can support this process and, as you might expect, costs typically scale with the size, scope and complexity of the environment.
Finally, there will also be costs associated with your CMMC audits performed by C3PAOs, although the pricing for these services will likely be set by the C3PAOs themselves and, as such, remains unknown for the time being.
A key goal of the interim rule is to formalize the cybersecurity requirements throughout the supply chain. Contractors will need to verify a subcontractor’s maturity before awarding contracts at every layer of the supply chain. From a budgeting perspective, you should consider the additional resources to ensure all of your teaming partners have a maturity level commensurate with the information you are sharing with them.
Budgeting for the cost of developing, executing and maintaining your compliance strategy will set aside resources and help your organization accelerate its plans. Remember, this will not be a one-time cost. CMMC is purposefully intended to embed a sustained culture of cybersecurity into contractors’ environments. Financially, this will have both an implementation component and ongoing costs.
We’re working with many of our clients to provide budgetary scenarios and support this exercise. To learn more about how C3 can help you plan for CMMC compliance, contact us at firstname.lastname@example.org
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.