CMMC4SMB.COM

When Small Business & CMMC Clash

10/18/2024


It was a normal enough day. I was pulled in about 10 different directions and a couple of those were urgent. It had been this way since I had bought this small manufacturing firm, but I found this much more satisfying than my prior corporate job.

My activity was interrupted by a call from Artie. He represented our largest customer, Ascendancy Dynamics, and I counted him as a friend. Today, he was calling to tell me that as a Defense contractor, they were required to meet a set of computer security standards called CMMC, but since they gave us government drawings, we were going to have to do this stuff too. He made it clear that this was a big deal and was legally required. He said he would email me detailed information. The way he spoke of this program made me a little uncomfortable.

After that call, I was dragged back into the shop to deal with a shipping problem. When I returned to my desk, Artie's email had arrived. I had a few more things to take care of, then I was able to spare a few minutes to look at what he had sent me. I opened up the standard and began to browse over the requirements. It quickly became obvious that this wasn't something to be figured out in a few minutes. I briefly considered taking this home over the weekend to digest it, but I quickly decided to delegate.

About a month ago, we hired a guy fresh out of college. Although I barely knew him, he appeared bright and tech-savvy. I went out to locate Riley, who had been hired to help with production scheduling. I found him and asked him to come around to my office when he was free. He said he wasn't in anything urgent, so he followed me back to my office.

I caught him up on what little I knew about this CMMC thing. I didn't think this was going to be too complicated. "Maybe you can go through it this afternoon, then in the morning we can figure out how we can do it to keep Ascendancy Dynamics happy." I told Riley we might need to bring our computer consultants in on some of the details. He sounded interested and enthusiastic about the project.

The next morning, Riley was at my office door. He said that the bulk of the requirement focused on Controlled Unclassified Information, which the standard called by the initials "CUI". As best as he could tell, this was the government drawings that we got from Ascendancy Dynamics, but it might include some other stuff, like specifications, but he wasn't sure. In fact, many aspects of CMMC weren't very clear to him. I suggested that he get in touch with our computer consultants over at TechDudes to see if they could help. Since he didn't have clarity about what CMMC required, I also suggested that we postpone our meeting to discuss our plan of attack for a couple more days. At this point, I had the first thought that this CMMC might be a true problem.

After 2 days, Riley came back and explained that the more he dug into CMMC, the more complicated it appeared. He explained that he did talk to TechDudes and while they knew of CMMC, they didn't sound like they knew much more about it than he did. However, they were helpful when Riley asked about the requirements around logging. Riley said, "When I had tried to research this, there were just too many choices and none of them looked simple enough and cheap enough for what we need. Since a huge number of companies are going to need to get CMMC, I was surprised that nobody is selling a product made specifically for small businesses needing to check the CMMC boxes."

"So how much is this going to cost?" I asked.

"I don't know yet, but this isn't the only thing you will have to buy. There are several requirements asking for something we don't have."

I wasn't impressed. This CMMC thing was becoming more of a headache every day. I asked Riley to dig into the costs.

"Speaking of costs," Riley said, "Did you realize that we have to have somebody come in from the outside to verify that we have done all this stuff?"

"Who is supposed to pay for that?" I asked.

He replied, "I guess we do."

The next day, Riley was at my office again. "I've discovered another complication to CMMC. In the documents you got from Ascendancy Dynamics, there was an 'Assessment Guide.' I didn't pay much attention to it since I wasn't trying to do an assessment, but I got curious. The document shows how an assessment will be conducted. It is worse than I thought."

"Uh-oh, how bad is it?" I said.

"Well, when they come out to look at us, they are going to go through everything and expect clear evidence that it has been completely done. They will look at records, test stuff, and interview users. So, it isn't enough to say that we have a policy that our folks are supposed to do this or that; they would want to see the policy, they might talk to people to see how they do it or look at records to see if our folks have been doing it correctly."

"Ugh."

Riley continued, "Then to make matters worse, they have a checklist of every clause in every requirement. So if a requirement says to implement something as it applies to X, Y, and Z, then we better have evidence of X, Y, and Z. When I initially looked at the requirements, I kinda slid over some of the aspects that were more challenging. Now I see that we can't do that. This assessment is going to be extremely thorough."

I had a sick feeling that we were in over our heads. "What have we gotten ourselves into?"

"I don't know. I haven't got the pricing information you asked me for. I am still waiting for some folks to get back to me."

I was beginning to wonder if I really wanted to see the cost. I sent Riley back to do his job. I sat for a moment slightly stunned. Then I decided to give Artie a call and see if this all was really necessary.

My call to Artie was disappointing. Apparently, Ascendancy Dynamics was struggling with some of the very same issues, so he had sympathy. He went on to explain that one of the clauses in their contracts makes it explicitly clear that they can't be giving CUI drawings to anybody who didn't have the security to protect them. He said, "The way the law reads, our partners must be CMMC certified. I hate it because I know what an expensive undertaking CMMC is, but it has to be done."

My call to Artie left me regretting the burrito I ate for lunch.

A few days later Riley showed up with a sheaf of papers. He said, "I think I have most of the costs estimated. There are a few more numbers that I am still waiting on, but I thought you should see where this is now."

He proceeded to show me the numbers he had collected. I was shocked.

I said, more aggressively than I intended, "We could buy another machine for that much money. At least a machine would make us some money!"

Riley looked slightly intimidated as he said, "At least the company would be safer from cyber attack…"

I apologized for my temper showing. It sure wasn't Riley's fault.

I went through the numbers and all the time I was wondering how we could pay for this. Business hadn't been very strong lately. We had money in the bank, but not a lot, certainly not enough. The idea that we might have to go into debt for something without a clear ROI was appalling. I knew that a huge chunk of our revenue, all our Ascendancy Dynamics business, was going to hinge on CMMC.

While I am typically decisive in choosing the path for the business, this time I was faced with 2 unpleasant options. Either one could result in the demise of our business.

It was Riley who helped me make up my mind. He said, "I was thinking about how tough doing CMMC will be. A lot of companies are going to refuse to jump through the hoops. The ones that do will have a competitive edge. If we get CMMC certified, we might just find ourselves with less competition and able to charge more for our parts."

This young man has some wisdom. I think he may have a bright future.
 

CMMC has significant challenges for small businesses. For information about how to achieve compliance with minimal cost, go to https://cmmc4smb.com


    Author

    Richard McInteer, a CMMC zealot. Author of DIY CMMC for Small Business.

Copyright 2024, Crossways Concepts, LLC