The Cost of Taking on CMMC In-House
Discover the challenges and costs of implementing CMMC compliance in-house and see why partnering with an MSP might be a smarter choice for your business.
“NIST 800-171 compliance is a full-time gig,” Jacob Hill says. “It’s not something that can be done in your downtime.”
Jacob Hill took on implementing NIST SP 800-171 for CMMC as a one-man team for a small business and lived to tell the tale. We interviewed Jacob to hear how he did it, and what he learned along the way.
In our interview, Jacob shared his tales from the trenches, explaining the cost of taking CMMC on in-house rather than partnering with an MSP/MSSP, and what he would do differently if he could start all over.
How Much Does CMMC Compliance Cost to Do In-House?
Jacob was given the green light by his leadership to make their whole company compliant with a budget of $100k for licensing and some light services – a number that he said was sufficient to do the initial job of buying products and migrating to GCC High. However, this does not include the full-time employee salaries dedicated to the project (average annual Cyber Security lead: $89k/yr).
Jacob says the total time it took from start to finish was 12-18 months, but that includes juggling non-compliance projects. So, how many hours of full-time work did it cost the company?
Jacob says it took at least a year's worth of 100% dedicated full-time employee hours (approximately 2,080 hours).
Using the national averages for a Cyber Security role, that means Jacob's total cost (licenses + services + employees) of implementing NIST SP 800-171 was (at least) $167k-$219k.
This lines up well with the numbers our Sum IT Up Podcast team, Jacob Horne and Jason Sproesser, landed on when they took on the challenge of calculating a ballpark cost to implement NIST SP 800-171. That estimate was confirmed when the proposed FAR CUI rule, for the first time ever, included an official government estimate of the cost of implementing NIST SP 800-171.
Has Your Company Hired the Right People to Do CMMC?
Having successfully implemented NIST SP 800-171 in-house, Jacob has a crystal-clear view of what's needed to make it happen.
His recommendation? Hire the right people:
1. Hire a senior-level cybersecurity person dedicated to the task. This person should preferably have past compliance experience and not be burdened with IT system administration responsibilities as well. An inexperienced person could recommend incorrect or overly expensive solutions that could cost thousands of dollars to correct. Jacob had past RMF compliance and IT experience and was well equipped for the task.
2. Either hire a dedicated IT system administrator OR outsource the management of your IT to a CMMC-focused MSP. You cannot expect one person to analyze and monitor the controls and then also implement them. After you derive system requirements to satisfy the NIST controls, someone has to implement them in the systems. There is also overhead running a NIST compliance program: annual reviews, patch management, documentation updates, and much more. The more systems that are in your scope, the larger the overhead.
If He Could Start All Over…
Hindsight is 20/20. Here’s what Jacob wishes he had done out of the gate:
1. Integrate Compliance into Business Processes Sooner
First off, having leadership buy-in on the front end is crucial. The cost, time, and effort needed to become compliant are high, so working against the grain with leadership isn't going to be an option.
From the start, realize that this is going to shift things organizationally for your company. There will be disruptions. You need to work toward alignment with current business processes and make sure new processes are well documented.
“This is going to take a lot up front, and a lot to keep up,” Jacob says. Long term success requires integration into the business, because once you become certified, you have to maintain your certification: “This can’t be fire and forget.”
2. Prioritize Determining Compliance of Partners
How is the CUI you are managing handled across your partnerships? How do you verify their compliance level, especially if your DFARS clause makes their flowed-down compliance your problem? Jacob found that phone calls were often not the solution: he would get stuck talking to the wrong person, someone without the right credentials to speak to the issue.
His solution? A thorough security questionnaire emailed to the person responsible for compliance. Bonus tip: asking for their SPRS score should be just one of many questions asked, since self-attestation can be slippery. CMMC C3PAO assessments will make this situation easier, but it will take time for small subcontractors to achieve CMMC Level 2 certification. Whatever you decide, due diligence is your best friend: be specific, and consistently remind them that this is required.
3. Start with CUI, Not the Controls
Jacob explains that taking a CUI-focused approach to starting your NIST SP 800-171 journey will save you time and effort. NIST SP 800-171 is a data-centric framework. If you don't know where your CUI is, or how far its tendrils have stretched across your organization, you won't know the scope of the project you are taking on. In other words, you will be reading an instruction manual without first gathering the pieces it describes.
As Jacob notes: CUI data is often sprawling.
The scope of your project may not be the whole company. If that's the case, you might be a good fit for an enclave: a cyber-insulated area of your workspace that is CUI-secure and compliant. An enclave can be built in-house or through partnering with an MSP as a Managed Enclave, where a third party is delegated to oversee this CUI-secure space. This would include migrating your company's in-scope systems and team into a compliant cloud platform like Microsoft GCC High and compliant cloud hosting like Azure.
Can Your Company Afford to Do CMMC In-house?
If you are struggling to figure out whether your company can afford to take CMMC on in-house, or whether partnering with an MSP/MSSP is the wiser choice, we created this Cost-Benefit Analysis as a tool to help you make that decision.
Want to learn more about Summit 7's managed services?