CMMC4SMB.COM
  • Home
  • Author Info
  • Book Sample
  • Contact
  • Where to Buy
  • Articles
  • CMMC Flowdown
  • CMMC Visual Planner Poster
  • CMMC Gear

Making Sense of Small Business CMMC

10/18/2024


What is CMMC and Why Should Small Businesses Care?
The Cybersecurity Maturity Model Certification (CMMC) will soon be mandatory for many businesses. These organizations may look very different from one another, but they have one thing in common: they all deal with what the Government calls Controlled Unclassified Information (CUI). This CUI may be drawings, specifications, digital data or other information owned by the Government.
The U.S. Government has long taken care of the information it determined to be classified. More recently, it has come to recognize that just because some information does not meet the criteria for "classified" doesn't mean that protection isn't required. There is a lot of valuable information that is not classified but still needs to be controlled. While the Government has many protections that apply to this information internally, CMMC is its effort to apply equivalent controls to non-government organizations that handle CUI.
So, CMMC is a set of protections that a company must apply to help assure that the CUI it holds doesn't get out to unauthorized parties. At Level 2, the level that applies to companies handling CUI, it has 110 specific requirements (drawn from NIST SP 800-171) that address everything from limiting computer access to physical security. After a company has everything in place and documented, it will all be verified by an outside assessor. The company is certified to CMMC when it successfully completes this assessment.
Who does CMMC apply to?
CMMC is being rolled out to DoD contractors. Beyond that, each certified company must ensure that any suppliers it shares CUI with are also certified under CMMC. This "flowdown" means that a company that is not itself a Government contractor may still have its customers require that it get certified.
Why is CMMC harder for smaller companies?
Many of these companies with CMMC hanging over their heads are small, and some are very small. The big companies are finding it a challenge to get compliant with all of the requirements of CMMC, but in the smaller organizations, the challenges are even more significant. Some of the challenges are the same, but many are unique to smaller organizations.
1. One size doesn't fit all. The authors of the CMMC standard came primarily from the Government or large Defense contractors. There was little input on how difficult, or even nonsensical, some of the requirements would be in a company with a handful of employees.
2. Technical expertise gap. CMMC is a technical standard. Implementing many of the requirements demands a depth of technical knowledge that is rare in small businesses.
3. Reliance on outside IT support. Many small businesses get their IT support from an outside provider. This means they have no employee who understands what CMMC requires, which leaves the company at risk of inaction, distraction, or falling for CMMC scams. When an employee is accountable for CMMC, the likelihood of success improves.
4. Financial strain. While a small business might willingly stretch to buy something that will directly earn it money, CMMC is a different matter. For a small business, the required cost is a much larger percentage of its annual capital. Spending this money allows the company to continue its Government-related business, but otherwise provides few visible benefits to non-technical management.
5. Cybersecurity awareness. Hand in hand with the lack of technical expertise comes a naiveté about cyber risks. It is this same risk blindness that makes small businesses a favorite target for attackers. Without understanding the risks that CMMC is trying to address, it is easy to make costly errors.
Is CMMC realistic for small businesses?
CMMC is not an impossibility for small businesses, but it is much harder without some help. CMMC is complex and involves many moving pieces, and a small business benefits from the experience of others who have already worked out how to address that complexity within a small organization. Yet that assistance comes at a price: implementation help is expensive, so care must be taken to assure that your dollars are being spent well.
How can CMMC costs be minimized?
Because of the high cost of having a consultant perform a company's implementation, it is better if the company can do the work itself. Even if it is unable to do everything, each requirement it can take care of in-house removes the need to pay a high-priced consultant for that task.
So how does a small company know where to start? DIY CMMC for Small Business is a practical guide with least-cost approaches to successful implementation of CMMC Level 2. The book is written by a security professional with decades of small-business experience. It makes sense of each of the 110 requirements within the context of a small business and shows how you can use tools you already own in a Windows domain environment to reduce implementation cost. It is written for individuals with basic technical skills, providing them with step-by-step instructions to move their organization toward certification readiness.
DIY CMMC for Small Business, by Richard McInteer, is available from Amazon or other booksellers. Go to https://cmmc4smb.com for more information.


    Author

    Richard McInteer, a CMMC zealot. Author of DIY CMMC for Small Business.


See our partner site https://cmmcgear.com for CMMC promotional goods to motivate and celebrate CMMC!
Copyright 2024, Crossways Concepts, LLC