
By: Tyler Thepsiri on December 02, 2022


4 Ways To Achieve CMMC 2.0 Compliance (Pros & Cons of Each Approach)


We've been hearing about Cybersecurity Maturity Model Certification (CMMC) for years. With CMMC 2.0 on the horizon, you likely have an understanding of what the requirements will look like, but what's the best way for you to implement the 14 control families and achieve the level of certification your contracts require?

In this article, we’ll go beyond the requirements and cover all of your options for achieving compliance. After reading this, you’ll understand your choices and will be confident in deciding the best approach for your organization.

At Kelser Corporation, we are committed to providing the IT information business leaders like you need, whether we work together or not. 

Reading this article will provide you with the understanding you need to evaluate your options when it comes to CMMC certification. 

What Is CMMC 2.0?

Just to ensure we are all operating from the same understanding, here’s a very brief explanation of CMMC 2.0.

CMMC 2.0 is the latest iteration of a cybersecurity framework outlined by the U.S. Department of Defense. It is expected to be fully implemented by 2025 (with indications that it may be operational to some degree before then, possibly as early as 2023). Here are 5 actions you can take to prepare for CMMC 2.0.

From its inception, the goal of CMMC has always been to protect information shared within the U.S. Defense Industrial Base (DIB) and the contract information necessary to produce the parts, systems, and components needed for national defense.


Related article: What's In The CMMC 2.0 Framework? 14 Control Families & 3 Certification Levels


What Does CMMC 2.0 Require? 

CMMC 2.0 provides a framework for assessing the compliance of government contractors and subcontractors to the requirements outlined and the preparedness and ability of those organizations to handle cyber threats.

The assessments will also evaluate how well organizations integrate cybersecurity into their culture.

There are 3 levels of certification outlined in CMMC 2.0. Government contracts will require certain levels of certification for organizations looking to bid.


Related article: CMMC 2.0: What We Know So Far About Certification


What Are My Options For Achieving CMMC 2.0 Compliance? 4 Options

When it comes to figuring out what you need and how to achieve compliance, you have four options. Each one has advantages and disadvantages.

Option 1: Dedicate An Existing Staff Member 

You may have a full complement of IT professionals on staff and have the luxury of assigning a current staff member the task of facilitating and monitoring your organization's CMMC 2.0 compliance.

If you have someone who is really up on cybersecurity and government regulations, that is a natural choice.

Pros

    • Known Commodity

You already know the people on staff. You can select the one that is best suited to this task with confidence because you already know their work ethic, skills, and background. 

And, other people in your organization will have the comfort of working with someone they know has the organization’s best interests in mind. 

    • Experience

When dedicating a current staff member to this assignment, you have the advantage that they already understand your business and IT infrastructure, so the learning curve will be less and they can hit the ground running. 

    • Budget

There may be no additional hit to your budget since you are simply reallocating existing internal resources. 

Cons

    • Fewer Resources

When you take one person from your existing staff and dedicate them to CMMC, your everyday resources are effectively diminished. You’ll have the same workload, but one less person available to handle the daily tasks. 

    • Training

Even if the person has cybersecurity experience, there may be some training required to bring them up to speed on everything involved with CMMC 2.0. 

    • Burnout

If you choose to dedicate one person to CMMC 2.0, you’ll need to make sure that other people understand this person’s new role and don’t fall into the habit of expecting them to also handle the workload they had previously.

Option 2: Hire An Internal Specialist

Another option would be to add a new person to your team to handle your CMMC compliance journey. 

Pros

    • Dedicated Staff Member

With this approach, you’d still have a full staff to handle the daily activities and a new team member to handle the CMMC 2.0 requirements.

    • Continuous Attention

With a dedicated staff member, there will always be someone monitoring for the latest requirements and tweaking your cybersecurity infrastructure to include the latest technology developments.

Cons

    • Learning Curve

As with any new employee, it will take time for this new hire to come up to speed and understand your business and your IT infrastructure.

    • Limited Reach

Depending on the size of your organization, the complexity of your infrastructure and the volume of your government contracts, one person may not be enough to handle the entire workload. 

Option 3: Hire An External IT Organization That Specializes In CMMC

Many businesses seek out external IT providers that specialize in CMMC compliance. 

Pros

    • Specialists

With this approach, you ensure that you get someone who is on top of everything CMMC compliance entails. They know the ins and outs of what you need to do, the control families, and the certification levels. 

    • Other IT Skills

Some external IT organizations that specialize in CMMC may also offer other skills such as infrastructure or project work that you can use. Don’t assume though. Make sure you do your homework and talk to current customers to be sure that they can truly do everything you need. 

    • Experience 

In the same way that a mechanic can perform an oil change in less time than it would likely take you, an experienced CMMC professional has the skills, certifications, and experience to provide what you need in a timely and effective way.

Cons

    • Narrow Focus

Organizations that focus on one element of IT are often so focused on that one service that other services either aren’t available or may get lost in the weeds.

    • Cost

Many IT organizations that specialize in NIST and CMMC compliance are expensive. They have the expertise you need, they know you need it, and they charge accordingly. 

Option 4: Hire An External Managed IT Support Services Provider

Some organizations prefer to hire an external managed IT support organization so that they can not only enhance their cybersecurity and CMMC efforts, but also benefit from the other services a managed IT support provider offers.

Every IT infrastructure needs the same elements of care, whether the business is large or small.

Pros

    • Variety Of IT Service Offerings

Managed IT services provide a range of offerings from service desk support to disaster recovery, monitoring to firewalls, and email support to employee security training.

All of these things work together to help keep your environment safe, available, and efficient. 

    • Cost

Because you are effectively sharing the cost of the IT expertise with other customers, you get the skills you need without the cost of hiring staff.  

And, most managed IT support providers provide proactive service and charge a consistent monthly fee, so you always know what to expect and won’t be surprised. 

    • Skills

Managed IT providers offer numerous services, so they have the experienced, certified professionals to help with all of your IT needs from daily monitoring and patching updates to complex, long-term project work. 

    • Continuity

With a managed IT provider you are always covered. You never have to worry that your IT person will quit or be out for an extended period of time. The provider is responsible for providing continuous service no matter what and personnel transitions are seamless.

Cons

    • Cost

Two things can be true. Yes, we mentioned cost as an advantage, but many people have the impression that managed IT is expensive, so we want to address it. 

When you truly roll up all of the expenses of traditional break/fix IT solutions compared with managed IT, you’ll find that the cost is not substantially greater.

And, the additional advantages of proactive IT and strategic guidance gained with managed IT support more than compensate for the cost. 

Read this article to learn the cost of managed IT and what's included.

    • Skills

Make sure to ask the right questions to ensure that the provider has the skills and experience to back up their service offerings.


Related article: Managed IT Support: The Pros & Cons


What’s The Best Way To Achieve CMMC Compliance? 

Here’s the thing: the best way to achieve CMMC compliance depends on your organization.

There is no one right way to approach CMMC. The important thing is that you get moving in a direction that works for you. 

Whether you opt to dedicate an existing member of your staff, add an internal specialist to your staff, hire an external organization that specializes in CMMC, or work with a managed IT support provider, you can achieve success.

As with any other IT decision, we encourage you to consider several options and determine the best solution for your organization. 

Learn more about CMMC compliance, who is affected, what the certification levels mean and more! The truth is CMMC can be complicated, but it doesn’t have to be difficult. 

Is your organization’s data protected from the latest cyber threats? If you have any doubt, click on the button below and download the free eBook to learn 10 actions you can take today to secure your data and be confident that you have all the necessary protections you need.


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
