Does Your 2021 Budget Include CMMC Planning?

As we move further into 2021, have you developed a plan for CMMC compliance?

Thanks to the recently released DFARS Interim Final Rule that went into effect Nov. 30 2020, all DoD contractors and subcontractors are now required to submit scored self-assessments against NIST 800-171 requirements. Furthermore, over the course of 2021 and the following years all DoD contractors will need to meet CMMC requirements.

All of this will cost money — have you budgeted for it?

Interim Final Rule 101

In case you didn’t already know, the DFARS Interim Final Rule adds new clauses:

DFARS 252.204-7019

This clause requires a scored self-assessment of a company’s status with existing NIST 800-171 controls from Nov. 30, 2020, onward. Assessments fall into three categories:

Basic (self-assessment)
Medium (conducted by DCMA)
High (conducted by DCMA)

The results of these assessments are to be uploaded to the Supplier Performance Risk System (SPRS).

DFARS 252-204-7020

This clause lays out two requirements:

Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
“Subcontractors have results of a current assessment in SPRS prior to contract award.”

These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.

DFARS 252-204-7021

This clause requires CMMC to be included in all contracts moving forward from the deadline. The details of CMMC compliance align with previous versions released by the DoD.

No matter how secure your organization is, it’s wise to plan for some degree of investment in CMMC readiness and compliance for 2021 and beyond. New technology tools, the time spent to develop and implement new policies, perform assessments, and prepare for audits could all be required to fully meet CMMC requirements.

4 Considerations For Your CMMC Budgeting

Resource Planning: To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant with existing NIST 800-171 controls and CMMC practices.
Mature & Compliant Policy Development: A core component of CMMC Level 3 compliance is to both possess and demonstrate documented policies.

Take stock of your current policies and associated practices by answering the following questions:

Do you have documented policies?
Has your team been trained to follow them, and are they tested on their knowledge?
Have your policies been reviewed by a third party?
Do you have a process for updating policies?

Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.

Assessments And Audits: There are two primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:
1. Self-Assessments: Clause 7019 requires contractors to, at a minimum, conduct a Basic Assessment which is a self-assessment of NIST 800-171 compliance. Make sure you’ve allotted for that time and any expenses stemming from hiring outside support.
2. CMMC Audits: Later on, you’ll also need to have an audit performed by C3PAO’s — unfortunately, the cost of this type of audit isn’t widely known right now, given how new the system is.
Supply Chain Management: The Interim Final Rule is also intended to standardize cybersecurity through your supply chain too. Make sure that you consider the additional resources needed to ensure a maturity level commensurate with the information you are sharing with any third parties in your supply chain, including your existing IT provider or MSP!

Need Expert Assistance Planning for CMMC in 2021?

CMMC compliance will not be a one-time cost, as it is not a one-time snapshot. It is an ongoing state and requires ongoing practices, policies, and support to maintain compliance.

SSE has been recognized as a Registered Provider Organization (RPO) by the CMMC- Accreditation Body (CMMC-AB), and our team is available to help you analyze your current compliance with NIST 800-171 and identify what is needed to meet the new standards required for CMMC certification.

Contact our team and book your Readiness Assessment at a time that fits your schedule
Our team will assess your environment and IT tools to determine your current state and challenges
Our team will lay out the necessary steps for your company to meet NIST 800-171 and CMMC requirements

Learn More About CMMC and NIST Compliance

Check out some of our technology and DOD cybersecurity articles.

Does Your 2021 Budget Include CMMC Planning?