Building a CMMC Strategy for C-Suites
- Jill Lawson
- Jun 12
- 2 min read
Updated: Jun 24
"Strategic planning is worthless -- unless there is first a strategic vision." – John Naisbitt.
A clear vision is the foundation upon which strategic planning can be built effectively.

Consider the possibility that a defense contractor’s CMMC vision is to achieve a decisive competitive edge and differentiator. C-Suites can frame a strategy based on contractual obligations, the available budget, the company's current compliance status, the contract’s supply chain compliance status, and its associated costs, before initiating the expenses of a CMMC journey.
Below are high-level considerations for framing a strategy.
Cost Considerations
Costs depend on various factors including the size of the organization, the complexity of IT systems, and the level of cybersecurity maturity. Consider the following cost components:
1. Stand-alone vs. connected IT systems
2. Organic vs. outsourced costs
3. Impact of bundled supply chain compliance costs
Schedule Considerations
The timeline for achieving CMMC compliance varies based on the organization's readiness, existing policies, and the complexity of its IT systems. Typical timelines include:
1. Initial assessment and gap analysis: Three Days - Two Weeks
2. Implementation of required controls: Six Months - Two Years
3. Third-party assessment: One Week - One Month
4. Upon certification, continuous monitoring and reassessment: One Month - Three Months Annually
5. Supply chain compliance validation: One Week - Three Months
Risk Considerations
Risks associated with CMMC compliance include potential delays, increased costs, and the need for ongoing cybersecurity improvements. Mitigation strategies include:
1. Conducting thorough risk assessments and incident response exercises
2. Implementing robust operational and information technology cybersecurity controls
3. Engaging experienced CyberAB credentialed consultants
4. Regularly reviewing and updating NIST SP 800-171A compliance policies and procedures
5. Including conditions of compliance transparency in supply chain contracts
Reimbursement Considerations
Defense contractors may seek reimbursement for costs associated with NIST SP 800-171 implementation and with CMMC consulting and assessments. To maximize reimbursement, follow these steps:
1. Document all compliance-related expenses
2. Develop an indirect and wrap rates pricing strategy early
3. Provide detailed supply chain compliance cost breakdowns
4. Engage with contracting officers for guidance
For more insights on building a strategy for your company or an entire contract supply chain, don’t hesitate to get in touch with Reach’s CMMC Director.
Jill Lawson
Retired DAWIA LVL 3 PM, RP, CCP, CCA
Book a meeting with me: https://calendly.com/jill-reach-networks/30min