Issue link: https://iconnect007.uberflip.com/i/1496178
42 SMT007 MAGAZINE I APRIL 2023 and processes may take years to achieve a Maturity Level 2 or 3 certification. It's important for businesses to conduct a thorough self- assessment to identify any gaps in their cybersecurity measures and work with experienced cybersecurity professionals to develop and implement a plan to achieve compliance. How much will the certification cost businesses? Takanti: Companies should plan on substantial costs to acquire their CMMC accreditations. Several factors serve as cost drivers. First, regardless of the Maturity Level they pursue, members of the DIB should perform a self-assessment against the relevant CMMC practices. The self-assessment will either be sufficient for accreditation or help prepare for a third-party assessment. Many organizations, particularly small- and medium-sized businesses (SMBs), lack the expertise, resources, and time to conduct an assessment properly. Instead, they must rely on outside consultants or tools, and each comes with a price tag. S e c o n d , a u d i t s a l r e a d y c o n d u c te d b y DIBCAC have shown that most companies, even large enterprises, find themselves much further from meeting the relevant requirements than they think. Achieving the necessary full compliance takes signif icant remediation and implementation activities, which means incurring overhead costs and possibly capital expenditures. Finally, most organizations at Maturity Level 2, and all at Maturity Level 3, will need to be assessed by an approved outside party to receive their accreditation. The size of the organization and the depth and breadth of CUI throughout its infrastructure impact the scope of a C3PAO's audit, which can span days or weeks and thus become expensive. Add it all up, and the numbers can become quite large. Expect a minimum of five figures, and perhaps six, of hard and soft costs to successfully acquire CMMC accreditation. What if my company doesn't contract directly with the DoD, or even with a prime contractor? Does CMMC still apply? Anderson: While CMMC may not directly apply to a sub- contractor or supplier not contracting with the DoD or even a prime contractor, it will eventually be the cost of doing business in the defense sector and reach the subcontractor or supplier through mandated contractual flowdowns. Moreover, one can absolutely expect similar or identical requirements for those in the government contracting chain, as similar standards are now being mandated by GSA, NASA, and other civilian agencies. Where can a business find the resources to get started? Takanti: CMMC can be daunting, in terms of compliance and cost. Fortunately, members of the DIB have access to a variety of resources to help on both fronts. The DoD Office of Small Business Programs initiated Project Spectrum to provide companies with a comprehensive platform that includes the tools and training needed to increase cybersecurity awareness and maintain compliance in accordance with DoD contracting requirements. The federal Small Business Administration, along with locally based Manufacturing Extension Partnerships and Pro c urement Technical A s s i stance Centers, offer training, counseling, and even grants to improve cybersecurity readiness and maturity in preparation for CMMC and similar mandates. Allen Anderson