Taking CMMC Seriously - What Is The Cost Of Compliance?

Taking CMMC Seriously:
What is the Cost of
Compliance?
September, 19, 2023

Welcome!
Bill Wootton
Chief Revenue Officer
C3 Integrated Solutions
bwootton@C3isit.com

© 2023 C3 Integrated Solutions. All Rights Reserved.
3
Today’s Topics
▸Overview: Major Components of the Cost of CMMC
▸Building a Strategy
▸Deployment
▸Management and Monitoring
▸Compliance
▸Data Enclaves: Options and Impact
▸Three Types of Companies

5
Building Your CMMC Strategy
Understanding
your business
Setting the
system
boundary
Determining the
organizational
impact
Determining
the expertise
you need

6
Understanding Your Business
External Factors Internal Factors
▸ Your Customers…
▸ Which agencies do you work with?
▸ Your Partners…
▸ Who are your primes and subs?
▸ What are THEIR requirements to continue
working with them?
▸ Your Contracts…
▸ What clauses are already in your contracts?
▸ Your Future…
▸ Where will your business be in 2-3 years?
▸ Your Data…
▸ Do you have CUI?
▸ Do you have export-controlled data?
▸ Can you segment it from the rest of the
organization?
▸ Your People…
▸ Who directly interacts with CUI
▸ Who indirectly interacts with CUI?
▸ Your Systems…
▸ Which systems store, process, or transit
data?
The better you know your business, the less you will need a consultant to answer these questions.

7
Company Examples: All 100-Person Firms
Research Firm
• Almost all commercial work
• Single DoD contract
• Team segmented from rest
of the firm
Manufacturing Firm
• Approximately 90% DoD
work
• Highly customized parts for
aircraft
• Large amounts of export-
controlled data
Professional Services
• Many distributed contracts
• Team members rotate
between DoD and civilian work
regularly
• Centralized admin supports all
contracts
Current systems are not compliant. No preexisting certifications (e.g. ISO
9001)

8
Employee Access to CUI (100-person
Company)
????????
90 People 10 people
90 People
10 people
Commercial
Within CUI Boundary
Company 1 – Research
Firm
Company 3 – Professional Services Firm
Company 2 – Manufacturing Firm

9
Determining System Boundaries: Enclave or
All-In?
ENCLAVE
Separate environment isolated
from the corporate environment
ALL-IN
Full configuration of corporate
environment to meet CMMC
requirements
Pros
▸ Reduced investment and scope
▸ Smaller attack surface
▸ More controlled system
boundary
▸ Limited (if any) data migration
Cons
▸ Swivel-seat user impact
▸ Illusion of cost savings
▸ Dual administration
▸ Unintended spillage
Pros
▸ Single, consolidated
environment
▸ Eliminates all technical debt
(fresh start)
Cons
▸ Data migration
▸ User impact
▸ Higher deployment costs
▸ Everyone is “locked down”
▸ Non-approved applications

10
Enclave or All-In?
????????
90 People 10 people
90 People
10 people
Commercial
Within CUI Boundary
Company 1 – Research
Firm
Company 3 – Professional
Services
Company 2 - Manufacturing
Enclave
????
All-in

11
Cost Drivers in Building a Strategy
Drivers Costs
▸ Knowledge of business
▸ Knowledge of data
▸ Current situation
▸ Technical debt
▸ Documentation
▸ Previous investment
▸ Internal resources
▸ Expertise/knowledge
▸ Availability
▸ Direct costs
▸ Outside consultant
▸ Internal effort
▸ Indirect costs
▸ Organization impact beyond IT
⁃ Business process changes
⁃ Segmenting and isolating data in an
enclave
▸ Impact of Strategy
⁃ Determines cost of the rest of the
process
▸ Confidence
▸ Risk of pursuing the wrong approach
Strategy costs are
not directly related to
the size of the
company. In most
cases, the scope of
effort drives the cost
profile.

13
Setting the System Boundary
System Boundary System Selection
• Communications
• E-mail
• Unified communications
• Collaboration
• Documents
• Other data
• CRM
• Financial
• Operational technology
• Access
• Virtual desktop
• Physical devices
• Mobile devices
• Cloud v. on-premises
• FedRAMP
• Export control
• US data residency
• US persons
Minimizing the
system boundary
reduces the services
that need to be fully
compliant

14
Technology Costs
▸System selection
criteria
▸Accreditations
▸Attestations
▸Export control
▸GovCloud is
typically at least
30% higher
Commercial GCC GCC High
Data Centers Worldwide US Only US only
Accreditation FedRAMP
Moderate*
FedRAMP
Moderate
FedRAMP High
DFARS 7012 No Yes Yes
ITAR/EAR No No Yes
CUI/CDI No Maybe Yes
Customer
Support
Worldwide/Commercial
Personnel
Directory/Nt
k Azure Commercial Azure Gov
M365 G5
($/yr) $684 $684 $1120
Source: Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings - Microsoft Community Hub
Microsoft 365 Example
Critical to choose the right systems that are accredited and can attest to requirements

15
Deployment Costs
▸Provisioning
▸Establish the tenant
▸Configure
▸Should align to NIST SP 800-171
▸Data migration
▸Proportional to the size of the company
▸Microsoft 365 examples
⁃ Mailboxes
⁃ Teams and SharePoint
• Complexity – Workflows, etc.

17
Management
Standard Services Compliant Services
▸ System administration
▸ Operational monitoring
▸ Patch management
▸ Support Desk
▸ Moves, adds, changes
▸ Documentation
▸ SLA
▸ SRM
▸ Standardized
procedures
▸ Configuration updates
▸ System reviews
▸ Support for GRC tool
▸ Assessment support
▸ U.S. based
If your corporate IT or
current MSP provider
cannot support
requirements (i.e. US
person only support),
an MSP specializing in
the DIB should be
considered.

18
Monitoring – What to look for
▸ Automation
▸ Export control
▸ 24x7
▸ Documentation
▸SLA
▸SRM
▸IR Plan
▸ Incident response
▸ Certifications
▸SOC-2
▸ Vulnerability scanning
Costs vary widely
depending on the
level of services and
the sophistication of
the solution.

20
Cost of Managing Compliance
Initial Costs Ongoing Costs
▸ Pre-assessment review
▸ Documentation
development
▸ System Security Plan (SSP)
▸ Policies
▸ Procedures
▸ Incident response plan
▸ Initial assessment
▸ Gap analysis
▸ POAM development
▸ Initial table-top
▸ Documentation
▸ Management and upkeep
▸ Integration with services?
▸ Annual validations
▸ Table-top
▸ GRC tool
▸ Licensing
▸ Information upkeep
▸ Ad hoc consulting
Compliance costs have a
minimum threshold where
certain activities (i.e.
assessment) are required
regardless of company
size.

Back to Our Examples…
Numbers provided are for illustration purposes only.

22
Cost Profile
Considerations
▸ Commercial v. GCCH M365
▸ IT support costs
▸ Monitoring costs
▸ Users swivel seat
▸ Double count users across both
environments
Not considered
▸ Additional applications
▸ Intangibles
▸User frustration
▸Overhead and administration of multiple
environments
Corporate Government
Microsoft
365
Commercial M365 G5
$57/month
GCC High M365
G5
$1120/year
IT Support
Internal
$150 month
equivalent
Outsourced
$200/month
Monitoring
Commercial Grade
$26/endpoint
Compliant
$35/endpoint
Strategy, deployment and cost of compliance
assumed comparable across examples unless noted.

23
Pre-CMMC Annual IT Budget
▸M365 Commercial
▸G5 license
▸100 users
▸IT Support
▸$150/user cost of operation
▸May be internal or external
▸Monitoring
▸“Commercial grade”
▸$26/endpoint
▸Assume 100 endpoints
▸Annual budget: $279,600
$68,400
$180,00
0
$31,200
$-
$50,000
$100,000
$150,000
$200,000
$250,000
$300,000
Corporate
M365 IT Support Monitoring

24
Company 1: Research Firm
▸GCC High enclave
▸10 users, M365 G5
▸Azure Virtual Desktop
▸User access
▸No additional applications
▸$2000/month usage
▸IT Support
▸$200/user, External vendor
▸Monitoring
▸$35/endpoint (virtual)
▸Total Budget: $343,700
$279,60
0
$64,100
$-
$50,000
$100,000
$150,000
$200,000
$250,000
$300,000
$350,000
$400,000
Annual Budget
Corporate Enclave

25
Company 2: Manufacturing Firm
▸All-In
▸Microsoft 365 GCC High
▸100 users
▸Azure Virtual Desktop
▸Not required
▸Endpoints converted
▸IT Support
▸$200/user
▸External vendor
▸Monitoring
▸$35/endpoint (virtual)
▸Migration costs not considered
▸Total Budget: $401,000
$119,00
0
$240,00
0
$42,000
$-
$50,000
$100,000
$150,000
$200,000
$250,000
$300,000
$350,000
$400,000
$450,000
All-In
M365 IT Support Monitoring

26
Company 3: Professional Services
▸ All-in or Enclave?
▸ Likely the most expensive from a
strategy development perspective
▸ Escalating commitment as users
are added
▸ Increased risk of unintended
spillage
▸ Increased user frustration and
confusion
▸ Break even to go all-in just under
30 users
* Does not consider other applications
nor strain of managing multiple
environments for both IT and users
$-
$100,000
$200,000
$300,000
$400,000
$500,000
$600,000
$700,000
$800,000
0 10 20 30 40 50 60 70 80 90 100
Commerical GCCH Enclave All-In

27
About C3 Integrated Solutions
Technology
Experience
11 years Microsoft partner
6+ years experience in GCC
High
Multiple Gold competencies
Co-Sell Authorized
Client Experience
450+ Microsoft 365 clients
200+ GCC High clients
Deep NIST, DFARS, ITAR
experience
Industry Leader
First to offer GCC High
backup and hosted voice
CMMC Registered
Practitioner Organization
Two successful C3PAO
clients

Get Started
Build the barriers that
protect your business,
not disrupt it.
Our mission is to protect sensitive data and prevent breaches by providing world-class
cybersecurity and compliance services to businesses of all sizes.
visit
c3isit.com

Taking CMMC Seriously - What Is The Cost Of Compliance?

Taking CMMC Seriously - What Is The Cost Of Compliance?

Recommended

More Related Content

Similar to Taking CMMC Seriously - What Is The Cost Of Compliance?

Similar to Taking CMMC Seriously - What Is The Cost Of Compliance? (20)

More from JSchaus & Associates

More from JSchaus & Associates(20)

Recently uploaded

Recently uploaded(20)

Taking CMMC Seriously - What Is The Cost Of Compliance?