
Compliance Isn’t Optional—But Overspending Is. Here’s How to Avoid It

Compliance with FAR 52.204-21 and DFARS 252.204-7012, 7019, 7020, and 7021 (and ultimately with CMMC), is non-negotiable for contractors. But what often gets overlooked is the price tag. From gap assessments to security tool implementation, the cost of compliance can be significant. This post outlines the key budget areas and offers practical ways to control costs without cutting corners.

Key Compliance-Related Expenses

The direct costs of compliance with FAR and DFARS cybersecurity requirements are often the easiest to identify and plan for. Even so, you should make sure you take all these costs into account.

  • Security measures: Depending on your current security capabilities, you may need to upgrade or even replace some of your systems and software to meet the cybersecurity requirements for compliance. You might also need to make physical security enhancements to the facilities where your systems are housed.
  • Audits, assessments, and consultations: As you prepare for compliance, consider working with a C3PAO or an RPO. These experts can audit your systems, evaluate your current compliance posture, and highlight gaps that need to be addressed. Once the CMMC rule is finalized, if your contract requires a third-party assessment, you'll be required to hire an authorized C3PAO to conduct it.
  • Employee training and commitment to change: Compliance is not just an IT concern. Everyone in your organization needs to be aware of compliance requirements and take responsibility. You will need to train your employees to understand their roles and responsibilities for compliance and follow any new procedures that you implement. If this represents a cultural change for your company, use frequent and ongoing communication to reinforce your commitment.

A common pitfall many contractors and subcontractors face is failing to recognize and plan for the indirect costs of compliance. These include:

  • Time and effort: Internal time and effort spent by your employees on compliance activities can add up. Such activities include internal audits, implementing new or additional security controls, creating and documenting policies and procedures, and planning sessions.
  • Procedural changes: New security procedures might require you to change your normal operations, resulting in additional time and effort to learn the new procedures until they become routine.
  • Ongoing expenses: Be sure to budget for ongoing expenses such as continuous monitoring and regular reporting, downtime during implementation and maintenance periods, and the cost of periodic expenses such as cybersecurity insurance premiums.
  • Compliance throughout the supply chain: Any subcontractors or other third parties who handle government data for you are subject to the same compliance requirements (except for Cloud Service Providers, who must meet FedRAMP moderate standards or higher). You will need to ensure your contracts contain the appropriate requirements, and you will need to spend some time and effort managing risk and coordinating incident response throughout your supply chain.

Keep in mind that while the cost of compliance may be more than expected, the cost of noncompliance is much steeper.

  • Contractual penalties and reputational damage: Failure to comply with regulations as per the terms of your contract may result in fines, revenue losses, and even termination of your contract. It may also damage your reputation, making it harder to obtain future contracts.
  • Loss of opportunities: Once CMMC takes effect, your company will not be considered for any DoD contracts unless you are certified at the appropriate level. In other words, your ability to garner DoD prime or subcontract business is at risk. The sooner you are in full compliance and get in queue for certification, the better, as C3PAO backlogs are expected to be greater than six months on average.

Cost Mitigation Strategies

Fortunately, there are numerous strategies to help you keep compliance costs under control. While many of these strategies involve an initial financial and time outlay, they can reduce your overall costs in the long run.

  • Leveraging internal resources
    • Proactive compliance: As with any other contract requirement, ensure you fully understand the applicable FAR and DFARS clauses and related NIST requirements, particularly those related to handling government FCI and CUI. The earlier you can assess your risks relative to those requirements and implement appropriate security controls, the more efficient you will be in becoming compliant.
    • Continuous monitoring and improvement: Conduct periodic internal audits to proactively identify and address any gaps in compliance or security. Also stay current on FAR and DFARS regulations and any changes (check out this e-book for more detail about these regulations). Keep your employees trained in these standards and in security best practices.
    • Streamlined processes: Look for ways to streamline and automate. Align your business processes with FAR and DFARS requirements to organically enforce compliance.
    • Dedicated compliance personnel: If your resources allow, consider dedicating a team to oversee compliance within your organization on an ongoing basis. Make sure the leader of this team is someone with authority who has the respect of your C-level management. This helps ensure that all areas within the organization are on board with compliance and coordinating their efforts, and that all projects are in compliance and managed consistently.
    • Cost management and reimbursement: Make sure you identify and track direct and indirect compliance costs applicable to specific contracts and projects. Maintain clear records so you know how and where compliance-related funds are being spent. The DoD recognizes that compliance can be costly, especially to small businesses, and will reimburse what it considers allowable expenses. FAR 31.201-2 provides the basis for determining allowable costs for reimbursement that may be included in DoD contracts. In general, the costs leading up to your assessment will not be allowed; this includes security personnel salaries, employee training, internal assessments, and implementation of new security systems or procedures. Allowable costs include the assessment itself and the remediation of issues found during the assessment. Allowable costs can be billed directly in the contract and clearly presented as such. Cost reimbursement is somewhat of a tightrope, however. The DoD also considers compliance to be a cost of doing business and will not necessarily expect to cover your full cost of compliance in a single contract. You must also remember that you will likely be bidding against other contractors, and you need to keep your bids competitive in order to win the business.
  • Engaging cost-effective third parties
    • Consulting services: Engaging the expertise of an authorized C3PAO or RPO can help you achieve compliance in the most cost-effective way possible. Before beginning your search, make sure you fully understand your cybersecurity requirements and what you are looking for in a consultant. Use the Cyber AB Marketplace to find accredited experts with expertise in your industry who charge affordable fees. Compare quotes from multiple organizations and be sure to ask for references.
    • External Service Providers (ESPs): Rather than creating your solutions from scratch, consider using the services of an ESP, such as a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP), who has expertise in CMMC or DFARS compliance. These providers often offer ready-made or easily customizable solutions that will meet your company’s needs at a competitive price. (See this e-book for more information on choosing MSPs and MSSPs).
    • Supply chain management: Ensure that FAR and DFARS requirements flow down in your contracts with subcontractors and other third parties who handle government FCI or CUI on your behalf. Engaging compliant vendors reduces your risk and thus your overall cost.

CyberNINES has the expertise to help you keep your overall compliance costs in check. Contact us at this link to see how we can help you cost-effectively navigate your compliance journey.