Brennan Egan

CMMC AND THE SMB

Yes… You Can Afford Compliance!


If you are a small business that is part of the Defense Industrial Base (DIB), you may be a bit stressed out. A week doesn’t go by without a company telling me it can’t afford security. I have heard hundreds of reasons why a company skimps on implementing good security controls:

  • “It’s too expensive”

  • “I don’t have a budget”

  • “Our margins are too thin”

  • “We are not a target”

  • “Nobody is checking our security”

  • “DFARS allows me to get away with just having a plan”

CMMC is changing the story. Bluntly, you don’t have a choice anymore: implement the required controls or get out of the DoD business. In short, the DoD isn’t messing around. The good news is that they are willing to put money towards solving the problem.


CMMC Clear Path

The DoD knows it may have to help you get to compliance and stay there. Emagined Security, as an RPO with Provisional Assessors on staff, is ready to help you move quickly through the analysis and preparation and to support you along the path to passing a CMMC assessment. This approach is in line with Emagined Security’s CMMC Clear Path; if you are curious about the costs, you can check out our service pricing using the link at the bottom of the page. Follow this method with our support (or on your own) and you can manage the costs of compliance without going broke.

STEP 1: IDENTIFY CMMC CERTIFICATION LEVEL REQUIRED

This means you need to “Know Where You Need to Be”. Keep in mind that good security brings compliance along with it, but now is not the time to buy everything in sight. This chart gives you a better understanding of what is required to achieve each level; a lot of it does not require a capital expenditure:


[Chart: CMMC level and steps to audit]

STEP 2: CONDUCT READINESS ASSESSMENT

Now it’s time to “Know Where You Are”. With this information, you will be able to make decisions going forward.


  • Identify your CUI Scope:

    • What systems have access to CUI data?

    • What security controls are in place to limit your architectural scope?

    • Are any systems shared by DoD contracts but are also used for non-DoD projects?

    • Do you have access to ITAR data?

    • Are your DoD projects limited to US persons and US locations?

    • Does your DoD business use any cloud systems?


  • Measure your compliance using the Level 1 “Interview-Based Review” approach, but assess yourself against all 130 of the Level 3 requirements:

    • Be very critical as you review each requirement

    • Try to apply a “What would an auditor say” perspective to each requirement and your solution(s)

    • Ensure you can provide evidence of compliance


  • Gather Business Statistics:

    • Determine how much money you are bringing in from DoD Business

    • Determine how much money you are profiting from DoD Business


STEP 3: CALCULATE THE ROI OF CERTIFICATION (COST VS REVENUE)

Start to “Measure the Value” of the DoD revenue to the business.

  • Determine executive management’s commitment to remaining in the DoD Business

    • It may be cheaper to retool the business away from DoD if it’s not strategic


  • Find out how much money you have to work with:

    • Identify % of revenue management will commit to comply with CMMC

    • Identify % of revenue management will commit to maintaining compliance with CMMC

    • Perform a cost vs revenue analysis


  • Acquire agreement from management to fund the CMMC compliance project:

    • Do not stop until you have an actual dollar amount agreed upon

    • Or determine to get out of the DoD business


Determine whether you can “Acquire Additional Funding”. The DoD has already stated that it may need to fund security programs to keep its supply chain in business and secure. Every dollar you can negotiate with your Prime Contractor or the DoD can be added to your CMMC budget. At this point you should be getting close to having a pretty good budget to work from. You may be working on small margins, so each percentage point you gain can be a large sum of money. One client we work with takes in about $80 million in revenue from the DoD and has an average profit margin of 7.5%; they make $6 million in profit each year. Every 1% they can raise their rates increases their security budget by $800 thousand. That can make a huge difference.

  • Use chargebacks to get additional funding

  • Negotiate new funding when security requirements are added

  • Re-evaluate your commitment to the DoD business before signing contracts, as you would be signing a contract with legal and financial implications

[Image: CMMC Compliance simplified]

“Schedule Your Spending” to synchronize with budgets and new funding source payments.

  • When you start to create a spending schedule, work backward from your anticipated CMMC contract renegotiation dates

  • Build processes you can quickly implement after capital expenditures


STEP 4: UPDATE CONTROLS, POLICIES & PROCEDURES

“Evaluate Current Tools” to determine if they can meet the CMMC requirements.

  • Determine which existing tools can be enhanced or configured to comply with CMMC:

    • This is not the time to enhance to enterprise-class

    • You will need the funds to comply in the areas where you are deficient


  • Create a list of tools to be replaced or purchased but don’t buy them yet:

    • Wait for funding to come in; see next section

    • Prepare for the tools by getting administration controls ready


  • Compile a needed additional funding amount:

    • Cost for developing policies and procedures

    • Cost for additional controls (hardware / software / licenses)

    • Cost for documentation and evidence

    • Cost for services/consultants

    • Cost for auditing


“Start Getting Healthy” by implementing CMMC enhancements and allowing for improvements over time.

  • Start with administrative enhancements first, using existing personnel

  • Get policies and procedures documented and in place

  • Then start enhancing current tools to meet requirements

  • Begin an effort to make bigger changes as funding comes up in the schedule


STEP 5: C3PAO ASSESSMENT

Be smart as you “Contract with a C3PAO”. We recommend contracting with auditors who understand your compliance goals and situation.

  • Contract with a C3PAO who allows for 10% reassessment deltas

  • Try to include a remediation window (e.g., 90 days) with the auditors


STEP 6: RESOLVE FINDINGS (IF ANY)

If you are getting close (>90%), “Schedule Your Audit”, but make sure you give yourself enough time to complete your enhancements. Take the following into account as well when you determine the audit dates.

  • The DoD has stated they will not delay awards while waiting for audits

  • Auditors will be busy, so include some audit delays in your schedule

  • Have a team ready to perform remediation quickly


STEP 7: C3PAO RE-ASSESSMENT

“Request Your Re-Assessment” once you feel you are ready.

  • Take advantage of the remediation window you negotiated into the contract

  • Pass your audit


STEP 8: C3PAO SUBMITS ASSESSMENT TO CMMC AB

“Congratulate Yourself” for getting this far.

STEP 9: FORMAL CMMC REVIEW & APPROVAL

“Begin Maintaining and Enhancing Your Compliance” to ensure you have a long successful DoD business.

This approach can help you reach your CMMC goals and keep you in the DoD business. We are here to help and guide you through the entire process, or you can do it on your own. Just remember, Emagined Security is just a phone call away.


[Image: CMMC compliance levels]