
June 20, 2025 31 mins

Submit any questions you would like answered on the podcast!

Why is CMMC compliance so expensive—especially for small businesses? 

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke from Justice IT Consulting break down what really drives up the cost of CMMC and NIST 800-171 compliance, and more importantly—how you can cut costs without cutting corners.

We cover:

  • The four stages of compliance cost: paperwork, project work, ongoing maintenance, and assessments
  • What assessors can and can’t help with
  • Enclave strategies that can save you thousands
  • Why smaller companies feel a heavier burden—and how to manage it
  • Smart scoping, VDI, and how not to overspend on your CMMC journey

If you’re trying to balance compliance with a tight budget, this episode is a must-listen.

👉 Need help or have questions? Contact us for free advice at CMMCComplianceGuide.com.

🔔 Don’t forget to like, subscribe, and share!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free, so

(00:20):
if you want to tackle it yourself, you're equipped to do so. If you're struggling to figure out how to afford compliance... you're not the only one. Small businesses across the country are asking the same thing. How can we do this right without draining our budget? In this episode, we're wanting to cut through the noise and show you how to stay compliant, secure and stay on a budget.

(00:42):
All right, Brooke, you ready to tackle today's episode? Always. All right. Well, this is probably our most frequently asked question, concern, complaint. I would probably label it as a complaint. Yeah. Sometimes it's a question that is concealed as a question, but it's actually a complaint.

(01:02):
Exactly. I'm going to tackle why CMMC or compliance to the NIST 800-171 standard is so expensive. Even for small businesses that try and follow the rules exactly.

SPEAKER_01 (01:15):
Yeah. You know, the compliance isn't really just about checking the box. It's not about going through all the complex things you have to go through. That complexity is not necessarily just what makes it expensive. That's definitely part of what makes it expensive. But, you know, it's about the ongoing mandated management and

(01:35):
monitoring that you have to do, which is documentation, which is part of that, too. So... But it's all that. It's the ongoing, mandated, ongoing things that you have to do that make it so expensive. So, you know, you can't just go through and put some things in place and check a bunch of boxes and say, I'm done. You can once you get assessed, you know, say, here's my score.

(01:57):
I passed. We're good for another three years. But guess what? During that three years, you still have to monitor and log. You still have to manage everything. You still have to update your documentation. And part of those are, you know, hire new employees. You have to document that you actually screen them and all that fun stuff. So that's what makes it expensive is all the things you

(02:18):
have to do on an ongoing basis. There are other things that make it expensive. One of those other things is going to be all these solutions that you're able to use. If you put CUI in the cloud, for instance, you're going to need to use a FedRAMP moderate authorized or equivalent provider. And so guess what? Those are not cheap because that is not a cheap process to go through and it costs companies generally a quarter million and

(02:41):
up to go through that. Those are the kind of things that make it expensive. The ongoing management and everything and the kind of services that you have to have.

SPEAKER_00 (02:48):
If we could kind of tie it into like a real life scenario that people might understand, it's like if you are mandated to do maintenance on your car, but all of the manufacturer recommended maintenance. So you got to replace your coolant fluid. You have to mark when it was done and document it. You have to do all your oil changes and do your oil filter

(03:11):
change and mark when that was documented. You have to keep track of everyone that worked on it and then make sure that they are kept track of as well. And so, but that's, it's all those equivalent things, but for like a computer network or... Right. Absolutely. All those things are much more expensive than coolant fluid or antifreeze or something,

SPEAKER_01 (03:31):
right? Going with your car analogy, you have to get the OEM parts. You can't get the third-party parts. They're a lot cheaper and probably made in China. You have to get the OEM parts. And if there's not an OEM part, you have to get the DEX fluid, the OEM fluid.

(03:52):
You can't go get whatever cut-rate stuff off the shelf that's a lot cheaper. You have to get what is okayed and blessed to be able to use it on that car. So yes, that's a good analogy.

SPEAKER_00 (04:03):
Segueing in on something you mentioned earlier, it's why you can't just... buy something and set it and forget it. There's all these things you have to do and prove that you've done on an ongoing basis that you don't necessarily see. Other compliance standards you've been held to in the past, I think the quality audits and certifications are something that our customers typically are familiar with.

(04:25):
I'm not saying they're not strict or stringent, but CMMC compliance just takes it a step further. It takes it a step further than most compliance standards, frankly.

SPEAKER_01 (04:37):
It takes it a few steps further,

SPEAKER_00 (04:38):
but yes, it does. And so it's familiar to you in that it's compliance that you have to adhere to, and it's similar to other standards, but it's just the cost of maintenance, the cost of ownership, if you will, for that car that really makes the price go up and why you can't just buy something off the shelf and be done with it.

SPEAKER_01 (04:57):
Yeah, I can't tell you how many times I've heard for our ITAR or our ISO 9001 or whatever it is, audit, you know, it's only like $5,000. Why is this one so expensive? Because they don't have nearly as much to go through and they don't have nearly as much of an assessment process that they have to follow verbatim, you know. It's not nearly as detailed.

SPEAKER_00 (05:16):
So another question that we get semi-frequently is about CAGE codes and combining businesses. Oftentimes, maybe some private equity or something that comes in and buys existing businesses with existing contracts. And then they're faced with trying to get the whole... entity compliant.

(05:38):
But with that, they have the problem of their sub-entities being separate CAGE codes and historically separate businesses. The question we get frequently is, can we combine or reduce compliance across those businesses to reduce costs, kind of get economies of scale?

SPEAKER_01 (05:52):
So you can. I mean, if you've got several companies, company one, two, three, and four, and they all have varying different amounts of government contract work that they do or subcontract work. Depends on how they're doing business. If they're doing business as individual entities, they have to be assessed as individual entities. They can share some services through the parent company as long as you configure it properly.

(06:13):
But when you start mixing and matching everything, then... That's when it gets a little complex, and you have to figure out where your boundary is. So you can share some services, say some VDI services or something like that, that the parent company is going to host. Then that's perfectly fine.

(06:33):
But you do have to configure it right, make sure it's segregated, and all that kind of fun stuff. Because if they're separate environments, they're separate environments. You can't just commingle them all. Unless you want them all to be assessed as one.

SPEAKER_00 (06:44):
Which might impact your contracts and your CAGE code. Yeah,

SPEAKER_01 (06:49):
you have to be assessed under the entity that you have the contract under. If you have the contract under each company, company one, two, three, and four, then you have to be assessed company one, two, three, and four. But like I said, the parent company can have some services that they share between those as long as it's configured

(07:09):
properly. Just doing that doesn't necessarily make them a cloud service, a CSP.

SPEAKER_00 (07:13):
And that's something that you'll want to make sure you get an assessor that understands that technical configuration, because that matters as well, picking your assessor when you're going to do something like that, because that's not something that everyone always understands. And so you might have one assessor, like I remember from

(07:35):
Seek West, he was explaining how he would think that's fine. And I've heard other people, not necessarily on stage, but have said that, no, that's CSP now, the cloud service provider, and you can't do it. So, you know, there's some of these things we're saying just should be, you know, cautioned with the fact that assessors are

(07:59):
where the buck stops, and you need to make sure you interview your assessor and pick them that are right. Make sure they're right for your business and they understand the type of technology. You know, obviously they can't do a lot of consulting. No, they can't. But they can

SPEAKER_01 (08:12):
answer questions. Right. You know, how they go about assessments and all that kind of fun stuff and what their experience is.

SPEAKER_00 (08:18):
So things you might want to ask is like, if you're a machine shop, have you certified machine shops before? You know, make sure they understand the business type. You know, like, uh, we're called an MSP. And so when we're interviewing our assessor, one of the things that assessors options, one of the things that we've asked is, have you done MSPs before?

(08:39):
You know, because it's quite

SPEAKER_01 (08:40):
different. 99.999% of them say no.

SPEAKER_00 (08:42):
Right. Yeah. So because you just don't want to hitch your wagon to, you know... Someone who's just not going to do any favors, not that they should shortcut or not hold you to the standards, but they need to be able to understand what they're assessing. Absolutely. So something we've addressed in the past is that the NIST

(09:04):
standard, NIST 800-171, is kind of written start from scratch, you know, a network. And so, especially if we're working with a customer or a potential customer that is pretty read in and spent a lot of time in their view, unfortunately, kind of dissecting and trying to understand this compliance, they ask, is it just easier to like start with a new network

(09:27):
from scratch and go that route, just build everything from the ground up to make it compliant and then just kind of put people in that compliant network fresh, you know, or can you use your existing computer network that you have, you know, 30 years of technical drawings and cobwebs and you

(09:48):
know who knows what else in there, and can you make that compliant? Which is smarter to do? Do you do both, or is there, you know, what would you suggest and how would you approach that?

SPEAKER_01 (10:00):
Well, in general, just from a 50,000 foot view, you say yes, it's a whole lot easier to put a nuisance in place and then put your CUI, your CMMC workflows in there in an enclave type of setup and just do that and make it fit. That is definitely easier than reengineering your corporate

(10:21):
network to make everything fit. However, that doesn't always work, and you also have to worry about your CUI that you already have on your systems. Really what you need to do is you need to do a gaps analysis, do a CUI data flow diagram, figure out where all your CUI comes from, where it goes, figure out what's currently happening, right? And like we said before, make sure you bring in people to talk

(10:42):
to that are actually performing the jobs, because you may think they're doing it one way and they may say, well, this is the way we do it. And you're like, oh, really? I didn't realize that. You don't want to create a workflow or be based on a workflow that's inaccurate. Once you understand how everything's currently working and what kind of data you have and you have a gaps analysis to know where you are and where you need to go, then you can look

(11:05):
and say, is it smart to redo? And it usually is. In some manner it's always smart to redo that data flow diagram and say, all right, this is where we want it to go. And maybe it's not a complete new enclave. Maybe you're making your current network work for this. A lot of time, if you can make an enclave work, an enclave really is the way to go. That's really hard for

(11:26):
a lot of people to wrap their minds around. It's hard for people to wrap their minds around the fact that I'm gonna have to change my workflow. It's better to do that. It's cleaner to do that. So the answer is yes, it's better to start from scratch, but you need to do your research, your gaps analysis and data flow diagram and everything, and figure out where you are and where you need to be and how you can work, how you're able to

SPEAKER_00 (11:45):
work. One thing that we see a lot is that enclaves are a little... I mean, they're great in theory, and that should probably be a goal whenever you're starting to design something, is like, well, can we, you know, put this in its own little segment and walled off garden and keep all our CUI there? Especially in a smaller manufacturing environment, as we

(12:06):
find it typically pretty hard to do. Really why I'm bringing that up is just to say that you had mentioned doing the gaps analysis first. It's really hard to address compliance without really seeing where you're at and really putting some effort into that. I think we've talked about it before, but people just want to download an SSP template and then implement it or get a quote from

(12:27):
somebody and then just buy compliance. And it just doesn't work that way. And you should really start with a gaps analysis, some sort of diagnostic to figure out where the heck you are. And truth be told, whatever preconceived notions you have, it's probably wrong, especially when you bring those people in, you know. Unless you're just Superman and you run your own business and know every single part of it, which I don't think

(12:50):
there's a lot of those out there, you probably have someone doing some function for you. Spoiler alert, they're probably not doing the job the way that you thought they were. Not that they're doing it wrong, but that they have some workflow that they're doing to get their job done on a daily basis that really affects your CUI and your compliance. If you buy something...

(13:10):
off the shelf and just buy compliance, you won't know that necessarily until the assessor comes in and then you get failed.

SPEAKER_01 (13:18):
You know, one of the things that us as an IT services provider or an MSP, managed services provider, one of the things that we do is we do, to really understand an environment, we do some sort of gaps assessment, some sort of assessment to figure out what all really is there, because every single time that you say, you know, just simple stuff.

(13:41):
How many computers do you have? How many servers do you have? What kind of cloud services do you have? You know, and they'll tell you. And it's not their fault. I'm not saying they're dumb or misleading or anything, but... they're always wrong. There's something they're missing. They've got more computers than they think they do. They forgot about the CAD workstations that they have.

(14:06):
Of course, I don't know how you could forget about that. But there's always something in that environment that they didn't take into consideration. So that's why you have to do a really good detailed gaps analysis, gaps assessment.

SPEAKER_00 (14:21):
And we actually... implement this in our daily business. So for example, like we manage backups for a lot of customers. And so we don't just install the backups and then, we've installed them. They're good. We just know it's happening. Or even the logs, whenever they show completed and successful,

(14:42):
we don't just go, cool, we're set. Even though we have all that technology, and we do have some pretty cool technology that will go in and test it automatically for us. It just doesn't require any human effort. And so we have a lot of error... handling and fail safes to make sure that it happens correctly, but still, at the end of the day, we go in and we have, you know,

(15:06):
frequent tickets to go actually check, manually check the backup with a human person and make sure it works, because despite all of that, what we think is happening sometimes isn't, you know. Some configuration somewhere messes it up and we have to go fix the backup, you know, or maybe it just got corrupted, you know. And so without that physical checking, this system and process

(15:29):
that we've designed that we thought was working turns out isn't. And we did that through what? An assessment. And that's all those are, right? Another popular question that we get asked is about the physical segmentation of devices. The question is, do we need to buy separate laptops or hardware for users handling CUI?

SPEAKER_01 (15:50):
I mean, if you want to make it easy, you can have a completely separate workstation in an enclave, and they have to use that workstation. And that way, this is one of the clean environments where we're talking about, you know, create an enclave, use that workstation in the enclave to deal with CUI, and the machine outside the enclave,

(16:11):
you don't. It doesn't touch it. It doesn't get anywhere near it. And so... sure, but it gets a little messier than that. Like I said, an enclave isn't always the best fit for everybody. So you can use things like virtual desktop infrastructure to help out, as long as you can use that, as long as it's configured right. You can't copy and paste, no drive mappings, no printing, no

(16:35):
screenshotting, stuff like that. That's configured right. You can use VDI. So you can use things like that to help you out to where you don't have to double up on all your equipment. But that said, again, it depends on your work environment. It depends on what you're doing. People really like to talk about, you know, just put an enclave in place and just put like four machines in there, you know, or 10 or 20 or however big your organization is, you know,

(16:57):
just whatever that smaller percentage of your machines are, you know, they go in that enclave and that's it. And that's great. It just doesn't work as cleanly for everybody.

SPEAKER_00 (17:05):
Which, not to say it again, but that's why, you know, your designing of your SSP and your processes and your systems and having all those stakeholders at the table really matters because, you know, when you implement that enclave, it's little details that throw the wrench in the system. And then if you poke some holes in your enclave, then it all

(17:28):
goes up in fire. That's the whole point of an enclave, right?

SPEAKER_01 (17:31):
If you poke a hole so you can get in and grab some data and bring it out, and guess what? You just brought that stuff in scope or expanded the enclave, however you want to phrase it, but you just brought that stuff into scope instead of keeping that enclave there. Scope

SPEAKER_00 (17:47):
right, so it's easier just to address it at the beginning of the process rather than implement all this stuff and then figure out later that you've got to redo a whole bunch of stuff.

SPEAKER_01 (17:58):
Yeah, and again, the larger the environment is, it's a lot easier to implement an enclave. It's a lot easier to do a lot of these things because you have people separated doing different things. You might have an HR person, you might have an accounting person, you might have the CEO who nobody lets touch

(18:18):
any data. I'm just kidding. Well, which may be accurate. But you have people that don't need to touch the CUI data, but when you get to a small organization, that HR and accounting person may do some other things, and they need to have access to a level one network, for instance. Or it might just be the owner who does the accounting, and

(18:41):
maybe they outsource the HR or whatever. And so that's not a concern, but they do some of the accounting, and they also need to touch the CUI. So the smaller the organization gets, the harder this is to implement and create an enclave and network. Separate everything out like

SPEAKER_00 (18:57):
that. Which all ultimately leads back to scoping. It does. And so I think that you and Stacey just did an episode over scoping, so that might be a good place to check. There you go. That's right. On whether you need physical separation devices and stuff like that. So it's all around your CUI flow and scoping. Right. On to the next question.

(19:18):
Can a C3PAO or assessor give you advice before their formal assessment to help them get ready?

SPEAKER_01 (19:27):
Well, the simple straight answer is no, they can't. The other answer that I'll give you is, yeah, absolutely they can do that, but then they can't assess you. So either way, you know, that advice is consulting. Giving you any kind of indication of how you can cover certain controls or whatever, that's consulting. The code of professional

(19:48):
conduct is very clear that you can't do an assessment and give any consulting. If they give you any consulting at any time before that, they can't do your assessment. It's not like, well, that was three months ago. So they just can't do it. They've said, no, you can't get consulting from the same person

(20:09):
you get an assessment from, the same person or the same company.

SPEAKER_00 (20:12):
Yeah, I think they do that because of ethics, and they're just trying to remove any possibility of a conflict of interest. So I completely understand that, but it does... It does.

(20:50):
Mm-hmm. Mm-hmm.

SPEAKER_01 (21:00):
Mm-hmm. Mm-hmm. But people are people and there's going to be.

SPEAKER_00 (21:16):
Which I think is why we try and lean on accepted practice, you know, generally accepted thoughts. And the CMMC, the town halls give a lot of guidance. There's nothing authoritative except for the authoritative documents, of course, but we really lean on best practice, if you will, for that reason, because it's the safest bet. And you can certainly take the documents to bat and argue with

(21:39):
an assessor, but sometimes it's easier to go the path that has least resistance. It is, but

SPEAKER_01 (21:45):
also along with that path of least resistance, you're going to have documentation to back it up. So you can say, here's my documentation. You know, this is how it works. If you disagree with an assessor, you're going to have to really know your stuff and say, look, here's all my documentation, here's all the supporting documents. It's based on NIST 800-171 and all of the other reference

(22:07):
documents in CMMC and all the reference documents that apply here. You could reference something, good standards like CIS or something like that, but if it's not government-backed and approved and in reference to NIST 800-171 and CMMC, then don't depend on it. It's got to be in those sets of documents. It can't be something outside of that.

(22:28):
Even if it's a better idea and more secure, it doesn't matter. I

SPEAKER_00 (22:33):
might not have been honest earlier when I said the most popular question we get asked is

SPEAKER_01 (22:38):
well, you know, it's kind of hard because we get, there's a few questions that always come up, so it's like which one was really, you know

SPEAKER_00 (22:46):
go ahead, sorry. No, you're good. Yeah, so it's not usually why is it so expensive. That's the second question, after the first one, which is how much does it cost, how expensive is it, right? So how much is it? Oh, you're asking me?

SPEAKER_01 (22:59):
Okay. Well, the answer is it depends. But really, you know, you've got to start at the beginning, just like we've said several times. You've got to start with a gaps assessment and figure out where you're at. Because if you don't do a gaps assessment and then the other things that go along with that, data flow diagram, you can guess, but you have no real clue where you're at.

(23:21):
Generally, a lot of people will do, like us, do a gaps assessment and work on your SSP and your POAM, your policies, and kind of bundle that, because they all kind of go together. You can do them separately in separate stages, but it just makes sense to bundle all those together. They

SPEAKER_00 (23:37):
always lead to the other, so you're not really saving any money by just doing it piecemeal. No, not really.

SPEAKER_01 (23:44):
You're going to have to spend the money anyway. You're going to have to do it anyway. Generally, that's going to start somewhere $15,000 to $25,000 or so, depending on the complexity of the environment, how many sites you have. You kind of start with that gaps assessment and SSP at that point to figure out where you're at. Then after that, you've got your POAM, and so you know what

(24:05):
you're lacking and what needs to be worked on. And so from that POAM, you can group those assessment objects or those controls or whatever. You can group those into different projects and figure out what those projects are. If you need to, of course, you can figure out however your data flow diagram looks now and what you want it to look like, and you can kind of design your environment and come up with

(24:26):
projects. It really depends. Those could be 40,000. They could be 100,000. They could be less, more. They're all over the place. It really just depends on what you've come up with on a POAM to have to do. It also depends on scope, how you've scoped it. Are you restricting yourself to an enclave? Are you able to do that? You may not be able to do that.

(24:46):
Are you encompassing more of your network? What is your scope? What does that look like? It depends on a lot of stuff. It's really hard to say what the projects are going to be for any particular size company. I would say if someone comes and gives you a quote, here's your quote, we'll put this in place and you can use that and you'll be compliant.

(25:07):
That's great, but does it really fit what you need and is it really going to accomplish everything? Is there going to be any, you know, you're liable for any of the data spillage, any of the CUI leakage, I guess I should say. So is it really going to fit? Is it really going to work for you? So you've got to take that into consideration. Then there comes the ongoing, after you've got everything

(25:29):
implemented, or actually probably during that time, you've got ongoing management costs. And it is a more complex environment. You're going to have to have somebody internal to manage all that or bring somebody on board to help with that or bring somebody on board to do that. One of those three options. It has to be managed. We talked about that a little earlier. That's how this is all built out.

(25:50):
It's ongoing management, management of the system that you create. The cost for the ongoing management, I'd like to tell you how much it would cost, but that's a big secret. I'm just kidding. It's not a big secret. It's just they're a huge range. But think thousands, don't think hundreds. Think thousands, ongoing, monthly. It'll be thousands whether you bring somebody on to do it

(26:10):
internally or whether you hire somebody in to do it. And if you're a smaller environment, it's almost always going to be less expensive to help you do it. They can do as much as they can for you, but there's always things that you have to do for this compliance. Then after that comes what you're really looking for. And what you're really looking for is the assessment. You want to get that level two assessment certification and say, I've got it. It's right here.

(26:32):
Give me some contracts. So that's what you're looking for. So those assessments, I was pretty confident in the price. I was pretty confident in the starting price. A little while back, now I'm a little less confident, it was somewhere between $40,000 and $60,000, erring on the side of caution and saying $60,000 for the assessment every three years.

(26:52):
So once every three years, you'd have to spend that much. But that was the floor of where it would start. For a simple organization, it would start there. I've heard that there's C3PAOs that are doing it for less than that. And again, you just need to do your due diligence and do your interviews and make sure you understand.

(27:13):
If you hire a service provider like us, you do need to do the same thing. But you need to interview your C3PAOs, make sure that they can do the job, understand the job. So you may be able to get one for less than the $40,000 to $60,000 floor. But I wouldn't bet on it and I wouldn't tell you to budget for that. I would tell you to budget at least $40,000 to $60,000. Along with that assessment, what you're going to have to remember

(27:36):
is that if you outsource any of it or if you insource all of it, there's going to be either time or money or both, and time is money. So even if it's time on your side, you're going to have to spend somewhere close to that $30,000 to $40,000 to $50,000, $60,000. It is very dependent on complexity and a

(28:00):
whole lot of other things. But you're going to have to spend quite a few thousand dollars prepping and making sure you have everything in order, making sure you have all your proof ready, because you really want to be ready for that assessment when it comes. You don't want to have to be gathering things and figuring out where they're at. Hey, I need screenshots of this. I need that. Oh, we need to update this document. You don't want to be doing that at the last minute.

(28:21):
You want to have all that ready. So there's going to be some project costs, either internally or externally with your service provider, helping out with that, prepping for that assessment.

SPEAKER_00 (28:31):
So if I hear it right, you basically have four categories of costs. Paperwork to get started, and then you have the project that is a result of the paperwork, all your to-do items. And then third, you've got kind of the cost of ownership, to go with the car theme we're talking about here, the maintenance, ongoing costs to stay compliant. And then fourth, you have the assessment-related costs, which is going to be labor internally or externally to prep your body

(28:54):
of evidence and everything for the assessor and then the assessor costs. Yes. Absolutely. If I'm a listener and I'm on a budget and I'm listening right now, what are my key takeaways from this episode?

SPEAKER_01 (29:05):
Expect some real effort. Compliance takes time. It takes documentation. It takes a lot of effort to do all these things. It takes ongoing management. So expect some real effort to go into this. Even for small teams, and really for small teams, it's going to seem like such a huge burden because you're a small team. If you can, start fresh. New enclave environment. If you can at all, really the best way to go if you can, it's

(29:28):
faster, it'll be a little cheaper, be cleaner because you're not trying to clean up 30 years of an existing network. Make sure you scope smartly. Make sure that you only include what needs to be included. We've talked about this before. Don't overscope. Only scope in what needs to be scoped in, which is what we're talking about with the enclave, right? If you can create that enclave, make that your scope.

(29:49):
Then do that. Make sure you try really hard to keep that scope as small as possible. You should also implement virtual desktop infrastructure. Smaller shops have a heavier burden than larger shops. I mean, larger shops have more complexity and more stuff, you know, but smaller shops, it's hard to do all this and not run the cost up. So if you...

(30:10):
say, cost per capita. It's going to be a lot higher for small shops than it is for larger. I can tell you that. But if you can do virtual desktop infrastructure or VDI, that's a way to help out. And configure it properly. Maybe that's another episode. I know we've talked about it before. And we actually, I think, talked about it earlier in this episode. Don't expect any help from assessors.

(30:31):
They can say, yeah, you failed here, here, and here. And you can say, well, why did we fail? Well, you failed because of this. Well, what can we do to fix that? They're going to go, I don't know. They probably do know or they have some idea, but they can't tell you. That crosses over into consulting. You need to also take into consideration the full life cycle of all four stages that you were talking about a while ago, all the way from doing a proper, good, full gaps

(30:53):
analysis, all the way through assessment.

SPEAKER_00 (30:56):
If you have any questions about what we covered, please feel free to reach out to us. We are here to help fast track your compliance journey. You can text, email, or call us, and we'll answer your questions for free here on the podcast. Find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode.

(31:17):
Until then, stay compliant and stay secure. Like, subscribe, and share.