Last Updated on October 23, 2022
Episode 101: Your Top CMMC Questions Answered
As the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program moves closer to “going live” and appearing in contracts, questions and concerns loom larger across the defense industrial base (DIB).
To ease stress and provide clarity on a wide range of CMMC topics, this episode of The Virtual CISO Podcast features George Perezdiaz, CMMC/NIST Security Consultant with Pivot Point Security and one of the top CMMC experts out there. Along with host John Verry, Pivot Point Security CISO and Managing Partner, George addresses the most frequently asked questions we’re hearing on CMMC.
This episode covers too many topics, but several common themes echo throughout.
Pay close attention to what the DoD, your contract officer and prime contractors are telling you
Does CMMC become effective for my org as of May 2023 when the rulemaking is predicted to be complete? Do we need to be CMMC certified by then? Do we still need a score in the DoD’s SPRS database at that point?
These are all good questions. But as CMMC is phased in, a lot of the specifics on what your business needs to do will come in the form of direct guidance from the DoD and primes. Read contracts and correspondence carefully, and stay on top of news from the DoD about CMMC. For example, posting a score in SPRS is only mandatory if your contract has a DFARS 7019 clause. But if your contract officer and/or prime contractor is requesting that you post a score, failure to do so could hurt your competitiveness.
“Generally speaking, look at the contract and what you have agreed to do on behalf of the DoD or the DoD client.” — George Perezdiaz
Precisely when you need to be CMMC Level 2 certified depends on multiple factors
When exactly does your org need to be CMMC Level 2 certified? The short answer is, when a CMMC Level 2 requirement appears in a contract you want to bid on. When that will happen depends on factors like when the CMMC rulemaking is finalized, whether the DoD provides any lead time between the rulemaking and when CMMC language appears in contracts, the criticality of the services that you provide, and the priorities and availability of C3PAO and/or DIBCAC assessors once you’re ready for your audit.
The bottom line is that if your business is serious about participating in DoD contracts, the sooner you’re ready for a CMMC Level 2 audit, the better off you will be. What is the benefit of waiting to take steps you know you need to take very soon?
There are various factors that will dictate how quickly you can actually get to CMMC Level 2. — George Perezdias.
If you think CMMC Level 2 is too expensive for you to stay in the DIB, think again
Many SMBs in the DIB are concerned that meeting the requirements for CMMC Level 2 will be too financially onerous. Should they simply exit the DIB?
In a word, no. The key is to look more closely at your options and opportunities. There is most likely a path that will allow your business to continue to grow in the DIB space.
For example, be sure the investments you’re contemplating are “right-sized” to the correct project scope, with the right amount of effort. Also keep in mind that the DoD has been saying all along that “security is an allowable cost.” Look for ways to recover your security investment.
Never think about exiting the DIB. Look for your options and opportunities there and find a motivation or a path that will allow you to continue to grow in this space. — George Perezdiaz
How much will CMMC Level 2 certification cost and how long will it take? It depends, but…
Obviously, the lift to get your org to CMMC Level 2 compliance depends on how big you are, how many locations you have, how close you are now to meeting the requirements, how receptive your company culture is to new technology, how committed your senior leaders are to CMMC certification, and so on.
But as George points out, he’s rarely seen any org prepare for CMMC in less than 9 months. As for costs, careful planning and a clear roadmap can help ensure you spend only what you really need. As a guideline, John sees most efforts falling within the $50,000 to $150,000 range. Within that, most companies will incur C3PAO assessment “hard costs”—which are likely to go up as demand escalates. And John suggests figuring a 1.5 FTE cost to drive implementation and then manage and maintain the environment.
The key is to be ready. The key is to start generating your evidence today for each one of those requirements, for each one of those objectives. Document it; log it. — George Perezdiaz