Budgeting For CMMC In 2021: What Do You Need To Know?
With winter here, it’s time once again to start planning out your budget for the coming year. And while the pandemic will undoubtedly make it a unique fiscal plan, there’s something else you’ll have to consider as well: how much will you need to budget for CMMC compliance?
CMMC & The Interim Final Rule
The Department of Defense (DoD) has issued their much-anticipated interim rule, which has put all contractors on the clock — by November 30, 2020, you will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology.
From that date on, your DoD contracts will contain DFARS clause 252.204-7012, requiring you to be fully NIST compliant. Are you ready?
Whereas NIST 800-171 used to be a series of guidelines to help contractors like you maintain the security of Controlled Unclassified Information (CUI), it is now becoming a contractual requirement. If you haven't been actively managing and planning your compliance so far, you've got a lot of work to do.
No matter how secure your organization is, it's wise to assume some degree of investment in CMMC readiness and compliance throughout 2021. You will need to budget for new technology, the time spent developing and implementing new policies, performing assessments, and preparing for audits.
4 CMMC-Related Items To Add To Your 2021 Budget
To start, take stock of the state of your systems and how they may need updating. Additionally, you'll want to consider whether your systems are compliant as they stand, particularly if you're in the cloud.
Answer the following questions:
- Will your IT systems need updating within the next year?
- Are your systems on-premises or cloud-based?
- If on-premises, are you planning a cloud migration in the coming year?
- If cloud-based, are you using the provider’s compliant cloud solution?
With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration or switching to a compliant cloud solution, it’s better to know now instead of later.
Mature & Compliant Policy Development
A core component of Level 3 compliance with CMMC is to both possess and demonstrate documented policies.
Take stock of your current policies and associated practices by answering the following questions:
- Do you have documented policies?
- Has your team been trained to follow them, and are they tested on their knowledge?
- Have your policies been reviewed by a third party?
- Do you have a process for updating policies?
Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.
Assessments And Audits
There are two primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:
- Self-Assessments: DFARS clause 252.204-7019 requires contractors to, at a minimum, conduct a Basic Assessment, which is a self-assessment of NIST 800-171 compliance. Make sure you've allotted time for that, plus any expenses stemming from hiring outside support.
- CMMC Audits: Later on, you'll also need to have an audit performed by a C3PAO (CMMC Third Party Assessment Organization). Unfortunately, the cost of this type of audit isn't widely known right now, given how new the system is.
Supply Chain Management
The Interim Final Rule is also intended to standardize cybersecurity throughout your supply chain. Consider the additional resources needed to reach a maturity level commensurate with the information you are sharing with any third parties in your supply chain.
Need Expert Assistance Budgeting For CMMC & NIST Compliance?
If you're looking for expert guidance, Intelice Solutions is here to help. We work with DoD contractors throughout the Washington, DC metro area and can help you attain confident CMMC & NIST compliance, all within a carefully developed budget.