April 14, 2021
Good afternoon, everyone!
It’s a Marathon, Not a Sprint
This recent Tweet by @MalwareJake really kicked my brain into gear:
Nobody undoes years of technical debt overnight. Remember: it's a marathon, not a sprint.
Invariably, when I am speaking with a defense contractor contemplating its CMMC compliance program, there are two questions that come up. Every. Single. Time: “How long is this going to take?” and “How much is this going to cost?” The answer to both questions, of course, is “It depends.” Largely it depends on where you are now. The destination is the same for all, but the journey will vary widely for each organization, based on what it has done over the past five years.
The Past Five Years
What is the significance of the past five years? Technical debt. What is technical debt? Put simply, it’s skipping things, postponing things, taking shortcuts. The problem with technical debt is that it builds up over time, and when you suddenly have to play catch-up, it can get very expensive. It’s like not doing preventive maintenance on your car … ever … and ending up with engine or transmission failure.
So what happened five years ago? The DFARS 252.204-7012 clause (Safeguarding Covered Defense Information and Cyber Incident Reporting), requiring all contractors who handle CUI to implement the NIST 800-171 controls, was first published on November 18, 2013. It was getting lots of attention in 2014 and 2015, while undergoing revision, and became an official rule in October 2016. Full implementation was due by December 31, 2017. So, at least five years ago, DoD contractors who handle CUI should have started working on implementation of the 110 controls of NIST 800-171 (plus some other stuff in the 7012 clause).
How much you have done towards this end over the past five years determines the path (including time and cost) of your CMMC journey. Remember, too, that the CMMC is about People, Policies & Processes, and Technology. If you don’t have written policies, repeatable (documented) processes and an employee training program, your “technical debt” is greater than just the technology you haven’t upgraded or even put into place.
Calculating the time and cost required to achieve CMMC
I’m afraid I don’t have any easy answers for you, but I do have some things for you to think about.
- Which CMMC Maturity Level is your goal?
There is an absolute chasm between the requirements of ML1 and ML3. ML1 should be easily achieved by most organizations in a few months, while ML3 may take 1-3 years. The cost scales accordingly. If you really don’t need ML3, set your cap for ML1. You can always go for ML3 later, if you want to start going after contracts involving CUI.
- What is your DoD Self-Assessment Score?
If you have a double-digit positive score, you have some work to do, but you’ve already done quite a bit. Good for you. If you have a negative score, you have quite a ways to go. I’ve heard lots of “talking heads” on webinars throw out 12-18 months to achieve CMMC ML3 for organizations that are already working on NIST 800-171 compliance, so your DoD Self-Assessment Score should help you calculate an approximate timeline. (Possible scores range from a perfect 110 down to -203.)
- Do you have a CUI enclave?
Scoping is a key element of your CMMC preparation. The DoD highly recommends developing a secure enclave for CUI, thus greatly reducing your compliance burden. Reducing the scope will impact time to some extent, and cost to a great extent.
- What is your technical debt level?
This is a biggie, so I’ll break it up into two parts:
(1) People, Policies & Processes
This is where I find small businesses are lacking the most in their CMMC preparation. No written documentation, no policies (or policies that aren’t enforced), no security processes, no employee training. Take a hard look at your organization. If you have none of these things in place, it may be because you don’t have anyone in-house who can manage these tasks, and you will most likely need to engage outside help.
(2) Technology
What is your tech spend? There are lots of references, but this one is pretty easy to read. If you have spent less than industry average on IT for the past five years (since the 7012 rule became final), then you have a lot of catch-up to do. If you have invested in IT, following NIST 800-171, and have been marking items “Fully Implemented” that were previously on your POAM, you will need to focus only on the 20 additional “delta” practices in the CMMC.
Hopefully all this helps you get a better perspective on your organization’s journey to CMMC compliance. The most difficult part is getting started, and my two upcoming workshops are designed to get you on the path. Hope to “see” you there!
P.S. – Need help? I’m just an email or phone call away!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!