TrustedSec works with clients of all sizes on Cybersecurity Maturity Model Certification (CMMC) readiness engagements, but recently we’ve received a few questions on how smaller organizations can help to offset some of the costs related to CMMC compliance.
There are three (3) typical paths for small organizations to obtain financial assistance regarding CMMC activities. We typically refer to these as Grants, Expenses, and Other Resources.
Not limited to assistance regarding the CMMC, small businesses should look into Small Business Administration (SBA) grants and awards, as these can help offset costs associated with CMMC activity. Additionally, manufacturing organizations should explore Manufacturing Extension Partnership (MEP) programs for grants.
Per the CMMC FAQ, activities related to CMMC compliance, such as implementing CMMC requirements and contracting with a C3PAO to perform a certification audit, are “allowable costs” in Department of Defense (DoD) contracts that have CMMC requirements. Allowable costs are essentially expenses that are noted up-front in the contract.
Organizations currently within the defense supply chain have generally already self-attested to the DoD that they have the 110 NIST SP 800-171 controls in place. These 110 controls plus an additional 20 controls make up CMMC Level 3. Because of this, the DoD may not allow expenses associated with the 110 controls that should already be in place for existing vendors.
Furthermore, using this mechanism essentially increases the contract price, and those price increases could result in an organization losing a bid. Because compliance preparation costs associated with a lost bid cannot be reimbursed, attempting to recoup CMMC expenses via ‘allowable cost’ mechanics could be risky. Ultimately, most organizations will likely avoid billing back most expenses related to the implementation of the CMMC to avoid the risk of losing out on revenue.
Local Procurement Technical Assistance Centers (PTACs) and DoD Small Business Offices (SBOs) may also be able to help connect small businesses with resources to aid in CMMC implementation. Typically, these programs provide education or preferred status on bids, but connecting with your PTAC can help ensure that you are taking advantage of all available resources, including any free resources that could help operationalize CMMC requirements or offset CMMC costs.
Don’t Go It Alone
While the costs associated with getting CMMC compliant may seem daunting, the above resources may be able to help offset some of those costs. Additionally, as a Registered Provider Organization (RPO), TrustedSec is equipped to help your organization understand its compliance gaps and to offer efficient solutions for solving them.