
CMMC is not Rocket Surgery!
8 Consulting, LLC
Shenandoah, VA 22849
Phone: (703) 307-3559
Fax: (703) 894-2788
As a small business owner in the government contracting sector, our inbox is filled every day with business requests just this side of predatory: businesses trying to sell me on freely available government contracts, if I just pay them to get me on the GSA schedule; offers of support in proposal development, often in poorly proofread emails; offers to submit my business to the SBA as an 8(a), which we could never qualify for.
And one or two to teach my grandmother how to suck eggs.
And now, the latest set of snake oil salesmen, the RPOs and MSPs that offer to get me through the Oh So Very Scary (TM) CMMC process. If only I give them a few hundred thousand dollars. And commit to an annual maintenance plan in the tens of thousands.
So, here is the dirty truth… CMMC is not scary, it is not rocket surgery, and it should not be a significant economic or effort barrier to continuing to participate in DoD contract opportunities.
There have been evolving policies, DFARS regulations, CMMC 1.0, CMMC 2.0, FAR proposed rules. This left us with a sour taste in our mouths, so we decided to see if we could take a little pain out of the world.
Here are five truths we would like to share about CMMC:
1) If you use M365 and Windows computers, you will likely not have to buy more software, though, depending on the data you are safeguarding, you may need a GCC or GCC High environment.
2) It is not yet clear what implementation is going to look like in terms of proposal and contract requirements. No one knows what CMMC level is going to be required for specific contracts. While the levels are well defined, the level required for any particular effort will be left to KOs (contracting officers).
3) You should do a make/buy analysis before buying MSP, MSSP, or RPO services. If you have personnel already versed in DoD cybersecurity compliance, this will be a cakewalk for them. It may take money out of my pockets to say this, but there is always more work to do. If you already have IT staff on board, they may be able to fill the required roles without considerable extra effort.
4) They are going to charge you too much. RPOs are looking to get top dollar, hoping you are ignorant of what a compliance package should cost. MSSPs are going to provide fractional resources, but charge you for full time. It may be most economical to use current resources, or to add resources you receive the full benefit of.
5) The main benefit of hiring CMMC expertise is to keep you in your best and highest ROI for as much of your time as is possible. If you are working on CMMC you are not winning contracts, forming strategy, meeting partners and expanding your offerings. We are focused on this work because it wasn’t that much of a stretch from work we already do (very efficiently) for the DoD.
6) It is easy to buy wrong or unnecessary products. In the broader world of enterprise cybersecurity, there are thousands of tools covering dozens of specialties and data domains. CMMC is 14 control families and only 110 controls at level 2. You probably already have processes, tools or practices that cover most of them.