CMMC Compliance: DIY or Outsource?

As companies approach the new Cybersecurity Maturity Model Certification (CMMC) requirements they’re exploring options of whether they should do it themselves or outsource all or part of it to a managed security service provider (MSSP). A conservative estimate to meet CMMC level 3 requirements is around $300,000, the items you need to budget for are:

• Consultant for Pre-Assessment $ 25,000

• Fix identified gaps $ 30,000

• Recurring/nonrecurring engineering $ 67,886*

• Documentation of plans and polices $ 10,000

• Cybersecurity/SysAdmin to maintain $ 110,000

• C3PAO Assessment $ 51,095*

*DoD estimates taken from the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)

If you chose to tackle it yourself, you’re going to need the right people, enough experience, proper documentation, the right mixture of tools and technology and above all else…time.

The right people. If you don’t have a cybersecurity expert on staff, you should start looking for one. Not only to decipher and implement CMMC practices but to monitor and maintain them. Keep in mind that Certified Third-Party Assessment Organizations (C3PAO) that have undergone the certification process and achieved level 3 certification have stated that the undertaking was a whole of company endeavor from the CEO on down, to include all department heads and their staffs. Also factor in that there is an estimated shortage of 359,000 of cybersecurity professionals nationwide.

Enough experience. You may not need to become cybersecurity experts, but you’ll need an adequate understanding of what all the 130 security practices require, how to implement them, how to manage and maintain them, and how to ensure they’re performing as expected. Not only will you need an experienced cybersecurity engineer, or at least someone with some cybersecurity background, you’re going to need experience with implementing National Institute of Standards and Technology (NIST) controls and policy/plan writing. Which brings us to documentation.

Proper documentation. As you work through the CMMC requirements the first time, a good exercise is to list the policies you’ll need to create. When you’re done if your count isn’t somewhere around fifty you weren’t paying attention. All the current C3PAOs have stated publicly that one of the more challenging aspects of their certification was proving to the assessor that they were meeting practices and processes through proper documentation. Not shelf-ware, but detailed living documents that a third-party could pick up and without help manage the tools and technology that make up your environment.

Right mixture of tools and technology. To successfully implement all the level 3 technical practices, you need to be able to effectively stich together a multitude of security tools, applications and services. To include multifactor authentication, FIPS encryption, access control management, security operations centers, and telemetry. Once implemented, all these tools require constant monitoring, management and updating. All this requires the dedicated attention and time of a cybersecurity specialist.

Time. The well prepared and experienced C3PAOs have stated that their journey to certification took them all well over a year. These are companies focused on cybersecurity that have been in the cybersecurity assessment business for years. If you haven’t already started in earnest, you’re too late. Implementing the practices, documenting how they’ve been implemented, managing their implementation and monitoring their effectiveness requires a dedicated full-time staff resource.

After reviewing the DIY option perhaps you’ve concluded that your existing staff and IT environment are up to the task. Larger, more experienced teams will find CMMC challenging, but not impossible. If, however you realize that your staff is not up to the task, the solution may lie in outsourcing to an MSSP. Keep in mind that the nature of the CMMC requirements do not lend themselves to a complete 100% outsourcing. No matter how thorough your MSSP may be, a solid 20% of the requirements must still be met by you and your employees.

The advantages of outsourcing to an MSSP are that they will have the people, the experience, the tools and technology and save you time. The disadvantages are that you’ll have less control and flexibility, and you must trust a third-party. MSSPs offer varying degrees of support from consulting and technical expertise to help you with your existing infrastructure to providing separate enclaves. Whichever you decide, CMMC is not an easy undertaking. Best to get started preparing now.