Many companies are currently evaluating how they might fund initiatives necessary to move their businesses towards compliance with the Cybersecurity Maturity Model Certification (CMMC). There are a few ways to fund these initiatives, but many key items have the potential to impact the amount of funding needed to prepare your organization for certification. So, where do you start to appropriately scope the project, and how do you know how much it will actually cost?
Whether your company plans to meet the CMMC objectives or to stop doing business with the Federal Government, keep in mind that cybersecurity is an important part of maintaining your business health and ensuring resiliency in the future. When businesses suffer a cyberattack and cannot afford the cost to recover, they often go bankrupt. In addition to the new federal regulations being pushed out by the Defense Federal Acquisition Regulations (DFARS), many states have laws requiring levels of protection for different types of information. Other federal governments have also enacted cybersecurity protection measures for their citizens (such as GDPR). Not doing so can also leave you open to lawsuits in the event of a breach or incident.
5 Phases for Cybersecurity Compliance
- Scope: You must understand the Scope that the compliance requirements apply to. This can include activities such as mapping data flows or user workflows, controlling their Scope wherever possible.
- Gap Assessment: Perform a Gap Assessment to measure your current compliance posture for the Scope identified in comparison to your compliance requirements. The results of unmet compliance requirements will be entered into a Plan of Actions and Milestones (POA&M).
- Compliance Cross Walk: Perform a Compliance Crosswalk during the Gap Assessment to see what controls, policies, processes, procedures, and practices you have already implemented from other compliance requirements for your Scope.
- Remediation: Implementation of identified remediation strategies identified during the Gap Assessment and Cross Walk that was entered into the POA&M.
- Formal Assessment: Receiving the Formal Assessment from an authorized assessment team for the certification you are applying for.
How Much Will It Cost?
Estimating is a way to anticipate costs for a project. If your company is unsure of whether they will continue to do business with the DoD, or prime contractors that levy the FAR and DFARS requirements on your organization, you should run through some of the exercises Critical Prism Defense has created to provide a medium to high level of confidence about the possible costs associated with continuing that line of business. If you need to know the complete costs for a project, you will likely need to spend more money up front to get a true estimate of the work.
If you receive estimates from third parties to assist in CMMC in one capacity or another, use their estimates to question yourself:
- Did we properly Scope the requirement?
- Does the third party really understand what we need?
- Is the third party knowledgeable, and do they have trained/certified staff to support CMMC for the technology we need it applied to?
- Will the third party support me through the CMMC assessment?
- Will the third party cover any expenses for objectives not met?
- Does the third party have professional liability insurance to cover my loss of business if they misguided my organization?
I encourage you to download the white paper “Funding and Scoping for CMMC 2.0,” by Critical Prism Defense. It’s a 29-page paper authored along with some trusted experts that dives into more detail on the 5 phases of compliance. It can be used as a guide to walk you through the steps to begin estimating costs. You will have CMMC assessments every 3 years (at least), and your hardware and software have a lifecycle as well. Many of the costs identified will become recurring costs in some sort of cycle. These guidelines are not a one-size-fits-all method, but they are a great place to get started.
Download the “Funding and Scoping for CMMC 2.0” white paper here.
