Do You Have CMMC Expenses In Your 2021 Budget?
You’re running out of time to plan your budget for next year.
Beyond the pandemic-related considerations that will affect the process, you’ll also need to incorporate costs associated with CMMC compliance.
The Department of Defense (DoD) recently issued their much-anticipated interim rule, which has put all contractors on the clock — by November 30, 2020, you will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology. From that date on, your DoD contracts will contain DFARS clause 252.204-7012, requiring you to be fully NIST compliant. And after that, you’ll have to get started on CMMC compliance.
All of this will cost money — have you budgeted for it?
What You Need To Know About CMMC & The Interim Final Rule
While the Interim Final Rule was largely concerned with NIST and CMMC, the document does include some other important details to take note of.
In particular, it adds three new DFARS clauses:
This clause sets a requirement for an assessment of NIST 800-171 in new contracts from Nov. 30, 2020 onward. Building off the DCMA program, it will act as the bridge to CMMC over the coming years.
Assessments fall into three categories:
- Basic (self-assessment)
- Medium (conducted by DCMA)
- High (conducted by DCMA)
The results of any such assessments are required to be uploaded to the Supplier Performance Risk System (SPRS). The SPRS will act as the central database, holding results of NIST assessments and the CMMC certifications for DoD review.
This clause lays out two requirements:
- Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
- “Subcontractors have results of a current assessment in SPRS prior to contract award.”
These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.
This clause requires CMMC to be included in all contracts moving forward from the deadline. The details of CMMC compliance are in line with previous versions released by the DoD.
Furthermore, it’s important to note that DFARS 252.204-7012 hasn’t been modified. This means the underlying requirements for FedRAMP Moderate, NIST 800-171, and clauses (c) through (g) will continue unchanged.
Regardless of how secure your organization is, you should assume you will have to make some investment in CMMC readiness and compliance throughout 2021. You will need to budget for new technology, the time spent to develop and implement new policies, perform assessments, and prepare for audits.
4 CMMC Items You Need To Cover In Your Budget Planning
Plan Your Resources
To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant — particularly if you’re in the cloud.
Answer the following questions:
- Will your IT systems need updating within the next year?
- Are your systems on-premise or cloud-based?
- If on-premise, will you be planning on a cloud migration in the coming year?
- If cloud-based, are you using the provider’s compliant cloud solution?
With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration, or switching to a compliant cloud solution, it’s better to know now instead of later.
Developing Compliant Policies
A core component of Level 3 compliance with CMMC is to both possess and demonstrate documented policies.
Take stock of your current policies and associated practices by answering the following questions:
- Do you have documented policies?
- Has your team been trained to follow them, and are they tested on their knowledge?
- Have your policies been reviewed by a third party?
- Do you have a process for updating policies?
Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.
Cover Assessments, Audits & Testing
There are two primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:
- Self-Assessments: Clause 7019 requires contractors to, at a minimum, conduct a Basic Assessment which is a self-assessment of NIST 800-171 compliance. Make sure you’ve allotted for that time and any expenses stemming from hiring outside support.
- CMMC Audits: Later on, you’ll also need to have an audit performed by C3PAO’s — unfortunately, the cost of this type of audit isn’t widely known right now, given how new the system is.
Don’t Forget About Your Supply Chain
The Interim Final Rule is also intended to standardize cybersecurity through your supply chain too. Make sure that you consider the additional resources needed to ensure a maturity level commensurate with the information you are sharing with any third parties in your supply chain.
Need Help Budgeting For CMMC & NIST Compliance?
LaScala IT prepares DoD contractors, manufacturing companies, and other organizations for CMMC. We get to work to make sure you’re ready for an assessment which reduces your cost and effort by you to reach certification.
Let’s get started:
- Schedule Your CMMC Pre-Assessment Readiness Evaluation
- LaScala IT Conducts CMMC Pre-Assessment Evaluation
- Win More Government Contracts