Author: V. Amira Armond (CISSP, CISA, PMP, MBA) is a CMMC Provisional Assessor and Instructor, computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.
Kieri Solutions LLC is an Authorized CMMC Third Party Assessment Organization providing CMMC assessment services. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.
Disclaimer: This is an opinion article. If you want official guidance, talk to your paid cybersecurity consultant or lawyer.
CMMC level 2 and DFARS 252.204-7012 are expensive.
For a 200-person company with little complexity, my workload calculations are that you will need one compliance officer (CISO) and three full-time IT staff to perform all the required activities of CMMC level 2 or DFARS 252.204-7012. For the DC region, this comes out to $500,000 – $700,000 per year just in labor costs. I’d add an additional $3,000 per employee for back-end information systems, and now your IT budget is at least $1.1 – $1.4 million per year before you add CMMC assessments.
The DoD justifies security requirements by saying that they will pay for cybersecurity as an allowable cost.
This will be true, but it isn’t true today. Not all bidders have a high quality cybersecurity program. The ones that don’t have good cybersecurity can reduce their price and win the contract. This means that if a contractor adds “allowable” cybersecurity costs to their bid today, they are disadvantaged compared to less secure competitors.
I’m hoping that the recent DFARS Interim Rule, which requires posting a summary score to SPRS, will make contracting officers choose more secure networks despite the increased cost, but that is yet to be seen. I also expect to see plenty of companies posting a perfect “110” just because they can, not because their network is secure. Will contracting officers make the playing field even more uneven by prioritizing the false 110s? There is no way for the government to win in this situation, except by enforcing the False Claims Act.
In order from easiest to hardest, how can a small/medium company comply with CMMC?
Note: from this point onward, I’m using CMMC to refer to CMMC level 2 as well as the DFARS 252.204-7012 and NIST SP 800-171 security requirements for CUI.
1. Nuclear option. Avoid DoD contracts that require CMMC Level 2 for now.
You don’t need to bid on contracts that require CMMC level 2 or DFARS 252.204-7012. Over the next few years, industry will probably develop a strategy to provide high-security networks at reduced cost. Keep your ear to the ground and jump back in when things are easier.
2. Avoid CMMC by not accepting CUI to your systems.
Many contractors have the DFARS 7012 clause in their contract, but actual performance doesn’t require dealing with CUI. Tell the government that they need to get permission from you before sending CUI and they MUST label all CUI. Ask for it in paper form rather than electronic. Make no exceptions.
Even if the contract requires CMMC level 2, your systems will not be “in scope” unless you have CUI on them. Fun note: This brings up a logic problem with the current CMMC implementation plans. I’ve seen official statements saying that CMMC certification and roll-down to subs will be required to win a contract. I’ve also seen statements that companies bidding on a contract can hold lower levels if they use (certified) partner systems for CUI. Will contract officers accept a bid when only one team member (such as the prime) holds a certification at the required level?
June 2022 update: If you are a prime, you will almost certainly need to have a CMMC certified information system even if you don’t currently handle CUI, because the contract might require you to handle CUI in the future. For subcontractors, you really need to discuss your work and need for CUI with your prime and see what they say.
3. Avoid CMMC by using government networks exclusively for CUI.
Many contractors provide full time employees to work inside government organizations. If some or all of your staff have been issued government computers, why in the world would you forward sensitive data to your corporate network? If you need to share data with other staff that don’t have government computers, consider options like asking the staff to join you in-person to view the data.
June 2022 update: Again, unfortunately, you will still probably need a CMMC certified system even if you don’t have CUI. This may be an argument for paying for a cheap enclave system and not using it for anything.
3. Avoid CMMC by using a partner network for your contract.
Go to your prime and ask if you can use their secure network and computers to work on the contract. By my calculations, even for larger networks with economy of scale, the cost for a CMMC level 2 information system is about $6-8k per user per year. Plan to pay your partner for this service.
In my opinion, the largest defense contractors should be offering this to their subs, rather than doing what is happening now, which is demanding their subs all become compliant with CMMC level 2 yesterday.
June 2022 update: To my knowledge, no one has attempted this tactic for a real contract yet. But it should work.
4. Lease a compliant network and oversight from a MSP.
Essentially, you’d use the Managed Service Provider’s (MSP) highly secure network. They’d send you laptops and grant you access to your own file share and email. They’d make sure that all the actions required by CMMC level 2 are performed, such as audit log reviews, incident reporting, personnel screening, patching, and vulnerability scans. Your team would be separated from other users on the network through role-based security groups.
Or the MSP will build a very secure CMMC level 2 compliant network in a reproducible manner: templates, scripts, standard images, etc. The MSP will provide staff and procedures to enforce all the manual activities relating to security. You will need a contract that specifies how the MSP will uphold compliance activities, and you will need to do some due diligence to verify that this is performed (such as having regular small audits performed). Any leased network will probably prevent your employees from installing software or using less common device types.
This concept doesn’t really exist right now, but I foresee it becoming more and more popular over time. Katie Arrington called for it during her first presentations of the CMMC model – she asked industry to create “tools” which offer easy CMMC compliance in a package. I’ve seen lots of tools that handle technical problems, but nothing that moves the oversight role from the contractor to a vendor.
June 2022 update: The C3PAO Stakeholder Forum published a paper which describes the process of assessing a provider’s network so that you can use it for certification later. A key part is the requirement for a Shared Responsibility Matrix. The paper can be found here: Evaluating inheritable practices by Service Providers.
There is a liability problem with using other networks.
This liability problem is faced by the MSP or by your partner if they host you on their information system.
Whoever is hosting the network needs to make sure that they can pass a CMMC assessment. There is a good chance that an assessor would fail the network on Access Control if multiple unrelated organizations are using the same system.
In my opinion, the only “safe” way to host other organizations without risk of a failed assessment is to do it in a formal partnership agreement. Both parties performing on the same DoD contract as prime and sub, or as multiple teaming partners on the same contract.
If you can’t be formal partners on the same DoD contracts, then you’d want to put each organization on their own completely separate network (not using the same Active Directory, for example). But at that point, you’d need separate assessments for each customer and duplicate setup and maintenance tasks, which returns us to the cost issue.
My challenge to the DoD and the CMMC-AB:
Please identify a path for MSPs to perform one assessment on a “model network” which can then be cloned for each client and renewed with a single assessment. Or state that it is acceptable (with major role-based restrictions and diligent access control) to host multiple organizations inside one highly secure information system. Or allow assessment of service providers with inheritable evidence as described in the C3PAO Stakeholder Forum’s paper.
We need precedent to show that hosting secure networks for other organizations is allowed. The risk of letting our customers down by failing an assessment is discouraging potential vendors from offering this solution.
Non-Easy-Mode Solution
4. Segment your organization and network to split out a Defense-oriented group.
If you can figure out a way for only a few employees or a few machines to need CUI, build out a network just for them.
I recommend also moving some support staff to this network, such as sales, accounting, and the chain of command (just the ones that deal with DoD contracts). This is because FCI needs to be contained as well.
Some international organizations choose to split their organization into different business units for each government they serve. While this is painful, it makes it very clear to the government that your United States-specific organization can be trusted.
A segmented network is still going to be incredibly expensive. If you only have 10 employees using it, expect costs of around $20,000 per employee per year to get it certified and maintain the required levels of process maturity for CMMC level 2. This assumes a part-time cybersecurity person and use of cloud solutions.
I’ve said my piece. What do you think?
Please comment!
If you know Ms. Katie Arrington, do me a favor and forward my challenge to her about hosting other organizations on a single assessed information system. I think this solution is what she wanted when she asked industry to develop solutions for the CMMC.
Please register for our newsletter for more timely articles and news!
Cheers! Amira
Very detailed and concise information. I am a beginner and find this article very insightful.
Well it’s now 2022 and where are the “CMMC in a Box” solutions?
I sure can’t find any.
Dear Editor, can a company register as both a C3PAO and an RPO so that we can do both functions under one company without mixing the Auditors and RPs?
Each will be separated in functionality.
We might also think of separating clients to avoid conflicts.
We have a client base of 65 contractors whom we certify (3rd Party Audits) to other standards such as ISO, CMMI and FedRAMP.
Please advise.
Thanks
Jag Kottha
Great article… I encourage all readers to review the public comments section to the DFARS Interim Rule. Many insights and facts. For example, the published CMMC rollout plan covers only the smaller 79% of the industry… yet the top 15 companies handle 91% of the DoD business. Also, the published plan shows capacity for 59% of those smaller companies to be CMMC certified. Hence, 41% of the currently qualified small businesses won’t be qualified to work on DoD contracts by 2025.
https://beta.regulations.gov/document/DARS-2020-0034-0001
I think the MSP solution in Option 4… call it “CMMC in a Box”… is a viable path forward for many small businesses. It wouldn’t be shrink-wrapped, but it would certainly address most of the too-hard-to-do items and allow the small business to have a predictable cost and professional-level support. This would certainly be a viable approach for those non-DoD businesses that need to meet FAR 52.204-21 (basically the same as CMMC Level 1 except self-certified).
I’m disturbed by the entire methodology of the CMMC roll out. They’ve essentially created a number of very expensive cottage industries that will be required to meet these requirements. The issues that they initially targeted dealt with security breaches caused by lack of oversight on the part of contractors, so, rather than bringing the solution in house and providing a clear way forward, they turned around and will now (still) require Industry to monitor the cybersecurity, but will also hand over the assessment of that certification – to Industry. The notion that this cost will be written into proposals on contracts is as you noted… unlikely to really work out that way. It, in fact, will give larger companies with big staffs and budgets an edge on almost any CMMC stamped contract, and will effectively (if they force the roll down) push small and medium sized companies out of fair competition even as sub-contractors. On top of all of that, regardless of how many different people break down the controls and the requirements, there is not a simple, plain English way forward to certification. It requires pre-assessments, re-assessments, an incredible amount of monitoring – probably the biggest cost we are facing as a company will be logging, monitoring, and auditing, which I believe will only be possible with a 3rd party add-on at a bare minimum, and likely not without a managed add-on. This is a great article, and puts a much clearer light on the expenses and challenges.
Wow – good stuff! I agree, MSPs could lead the charge in providing CMMC CaaS. I look forward to reading more about this from you!
Great article!
Outstanding article!
Thanks for your insights and “reality checks”.
Great questions as always Amira!