April 19, 2023
Are you a small or midsize business that’s part of the Defense Industrial Base? Then you need to comply with CMMC (the Cybersecurity Maturity Model Certification), plain and simple. To put it bluntly, there isn’t a choice anymore: you either obtain it, or you no longer work in defense.
The biggest hurdle for most companies, however, is the cost.
But there is good news: The cost of compliance can be managed without going broke. How? Just follow these simple steps.
Identify which CMMC level you require.
Each CMMC level has progressively more stringent requirements: Level 1 covers the basic safeguarding practices for Federal Contract Information, Level 2 adds the full set of NIST SP 800-171 controls for handling Controlled Unclassified Information (CUI), and Level 3 goes further still for the most sensitive programs. Most businesses that handle CUI will need at least Level 2, and some will need to aim higher. Unfortunately, each level also comes with additional implementation costs. So if you’re trying to budget, the first thing to do is know exactly where your organization needs to be. To start, review a rundown of each CMMC level to determine where you stand and which level you should be going for.
Identify which CMMC guidelines you’re already following.
Some more good news about CMMC is that most businesses are (hopefully) already following many of the practices required at Level 1 and some of those required at Level 2. Level 1 is basic cyber hygiene; Level 2 adds the intermediate controls of NIST SP 800-171. Examples include simple things like using strong passwords and locking your office door at the end of the day. Every control you can already show evidence for is one you don’t have to pay to implement, so document what you have before you buy anything.
Conduct a CUI and CMMC Readiness Assessment.
Now it’s time to scope your Controlled Unclassified Information (CUI). The assessment boundary follows the data: the fewer systems that store, process or transmit CUI, the less you have to protect and the less you have to pay to assess.
- Which systems store, process or transmit CUI?
- What security controls (network segmentation, a separate enclave, access restrictions) are in place to limit your architectural scope?
- Are any systems used on DoD contracts also used for non-DoD projects?
- Do you have access to ITAR (International Traffic in Arms Regulations) data?
- Are your DoD projects limited to US persons and US locations?
- Does your DoD business use any cloud systems? If CUI lives in a cloud service, DFARS 252.204-7012 expects that service to meet the FedRAMP Moderate baseline or an equivalent.
For each item and security solution, think to yourself: “What would an auditor say?”
Apply for DoD funding.
The Department of Defense has already acknowledged that it may need to fund security programs to keep its supply chain in business and secure. Every dollar you can negotiate with your prime contractor or with the DoD can be added to your CMMC budget. Where your contract allows it, use chargebacks: bill compliance work to the contract instead of absorbing it as overhead. Negotiate new funding whenever new security requirements are added.
Request a C3PAO Assessment.
At Rimstorm, we can help you define which level you need to reach and what you require to get there, and we can also perform your C3PAO (CMMC Third-Party Assessment Organization) assessment. We are a third-party organization that has been accredited by the CMMC Accreditation Body. This puts us in a unique position to act as your “one stop shop” for all things related to CMMC. That saves you real money, since we guide you at every step. One caveat worth knowing before you engage anyone: the accreditation body’s conflict-of-interest rules keep consulting separate from certification assessment, so ask any C3PAO how it keeps those two engagements distinct for your organization. We do this because we firmly believe that maintaining a secure ecosystem is in everyone’s best interest, especially now.
We want you to be secure, and we want you to be able to maintain said security in the most cost-effective way possible. When we have each other’s backs, we all win.