How Are You Budgeting For CMMC Expenses In 2021?
You’re running out of time to plan your budget for next year. Beyond the pandemic-related considerations that will affect the process, you’ll also need to incorporate costs associated with CMMC compliance.
The Department of Defense (DoD) recently issued their much-anticipated interim rule, which has put all contractors on the clock — by November 30, 2020, you will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology. From that date on, your DoD contracts will contain DFARS clause 252.204-7012, requiring you to be fully NIST compliant. And after that, you’ll have to get started on CMMC compliance
All of this will cost money — have you budgeted for it?
What Clauses Have Been Added To DFARS?
While the Interim Final Rule was largely concerned with NIST and CMMC, the document does include some other important details to take note of.
In particular, it adds three new DFARS clauses:
This clause sets a requirement for an assessment of NIST 800-171 in new contracts from Nov. 30, 2020 onward. Building off the DCMA program, it will act as the bridge to CMMC over the coming years.
Assessments fall into three categories:
- Basic (self-assessment)
- Medium (conducted by DCMA)
- High (conducted by DCMA)
The results of any such assessments are required to be uploaded to the Supplier Performance Risk System (SPRS). The SPRS will act as the central database, holding results of NIST assessments and the CMMC certifications for DoD review.
This clause lays out two requirements:
- Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
- Subcontractors have results of a current assessment in SPRS prior to contract award.”
These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.
This clause requires CMMC to be included in all contracts moving forward from the deadline. The details of CMMC compliance are in line with previous versions released by the DoD.
Furthermore, it’s important to note that DFARS 252.204-7012 hasn’t been modified. This means the underlying requirements for FedRAMP Moderate, NIST 800-171, and clauses (c) through (g) will continue unchanged.
Regardless of how secure your organization is, you should assume you will have to make some investment in CMMC readiness and compliance throughout 2021. You will need to budget for new technology, the time spent to develop and implement new policies, perform assessments, and prepare for audits.
CMMC Considerations For Your 2021 Budget
To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant — particularly if you’re in the cloud.
Answer the following questions:
- Will your IT systems need updating within the next year?
- Are your systems on-premise or cloud-based?
- If on-premise, will you be planning on a cloud migration in the coming year?
- If cloud-based, are you using the provider’s compliant cloud solution?
With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration, or switching to a compliant cloud solution, it’s better to know now instead of later.
Mature & Compliant Policy Development
A core component of Level 3 compliance with CMMC is to both possess and demonstrate documented policies.
Take stock of your current policies and associated practices by answering the following questions:
- Do you have documented policies?
- Has your team been trained to follow them, and are they tested on their knowledge?
- Have your policies been reviewed by a third party?
- Do you have a process for updating policies?
- Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.
- Assessments And Audits: There are two primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:
Clause 7019 requires contractors to, at a minimum, conduct a Basic Assessment which is a self-assessment of NIST 800-171 compliance. Make sure you’ve allotted for that time and any expenses stemming from hiring outside support.
- CMMC Audits: Later on, you’ll also need to have an audit performed by C3PAO’s — unfortunately, the cost of this type of audit isn’t widely known right now, given how new the system is.
- Supply Chain Management: The Interim Final Rule is also intended to standardize cybersecurity through your supply chain too. Make sure that you consider the additional resources needed to ensure a maturity level commensurate with the information you are sharing with any third parties in your supply chain.
Need Expert Assistance Budgeting For CMMC In 2021?
The Advantage team can help you prepare your budget and business as a whole for CMMC compliance. Let’s get started right away.
If you do, you’ll receive a FREE Dark Web scan, and furthermore, 4 out of 5 businesses that Schedule a meeting with us can also qualify for a FREE network security scan. This scan will give you valuable information on the state of your network and the scale of remediation you can expect.
Put simply, this is the best way to start your NIST compliance process ahead of the deadline at the end of November.