CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Breaking Down the Real Cost of CMMC Compliance for Small Businesses
Why is CMMC compliance so expensive—especially for small businesses?
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke from Justice IT Consulting break down what really drives up the cost of CMMC and NIST 800-171 compliance, and more importantly—how you can cut costs without cutting corners.
We cover:
- The four stages of compliance cost: paperwork, project work, ongoing maintenance, and assessments
- What assessors can and can’t help with
- Enclave strategies that can save you thousands
- Why smaller companies feel a heavier burden—and how to manage it
- Smart scoping, VDI, and how not to overspend on your CMMC journey
If you’re trying to balance compliance with a tight budget, this episode is a must-listen.
👉 Need help or have questions? Contact us for free advice at CMMCComplianceGuide.com.
🔔 Don’t forget to like, subscribe, and share!
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. If you're struggling to figure out how to afford compliance... you're not the only one. Small businesses across the country are asking the same thing. How can we do this right without draining our budget? In this episode, we're wanting to cut through the noise and show you how to stay compliant, secure and stay on a budget. All right, Brooke, you ready to tackle today's episode? Always. All right. Well, this is probably our most frequently asked question, concern, complaint. I would probably label it as a complaint. Yeah. Sometimes it's a question that is concealed as a question, but it's actually a complaint. Exactly. I'm going to tackle why CMMC or compliance to the NIST 800-171 standard is so expensive, even for small businesses that try to follow the rules exactly.
SPEAKER_01:Yeah. You know, the compliance isn't really just about checking the box. It's not about going through all the complex things you have to go through. That complexity is not necessarily just what makes it expensive. That's definitely part of what makes it expensive. But, you know, it's about the ongoing mandated management and monitoring that you have to do, which is documentation, which is part of that, too. So... But it's all that. It's the ongoing, mandated, ongoing things that you have to do that make it so expensive. So, you know, you can't just go through and put some things in place and check a bunch of boxes and say, I'm done. You can once you get assessed, you know, say, here's my score. I passed. We're good for another three years. But guess what? During that three years, you still have to monitor and log. You still have to manage everything. You still have to update your documentation. And part of those are, you know, hire new employees. You have to document that you actually screen them and all that fun stuff. So that's what makes it expensive is all the things you have to do on an ongoing basis. There are other things that make it expensive. One of those other things is going to be all these solutions that you're able to use. If you put CUI in the cloud, for instance, you're going to need to use a FedRAMP moderate authorized or equivalent provider. And so guess what? Those are not cheap because that is not a cheap process to go through and it costs companies generally a quarter million and up to go through that. Those are the kind of things that make it expensive. The ongoing management and everything and the kind of services that you have to have.
SPEAKER_00:If we could kind of tie it into like a real life scenario that people might understand, it's like if you are mandated to do maintenance on your car, but all of the manufacturer recommended maintenance. So you got to replace your coolant fluid. You have to mark when it was done and document it. You have to do all your oil changes and do your oil filter change and mark when that was documented. You have to keep track of everyone that worked on it and then make sure that they are kept track of as well. And so, but that's, it's all those equivalent things, but for like a computer network or... Right. Absolutely. All those things are much more expensive than coolant fluid or antifreeze or something,
SPEAKER_01:right? Going with your car analogy, you have to get the OEM parts. You can't get the third-party parts. They're a lot cheaper and probably made in China. You have to get the OEM parts. And if there's not an OEM part, you have to get the DEX fluid, the OEM fluid. You can't go get whatever cut-rate stuff off the shelf that's a lot cheaper. You have to get what is okayed and blessed to be able to use it on that car. So yes, that's a good analogy.
SPEAKER_00:Segueing in on something you mentioned earlier, it's why you can't just... buy something and set it and forget it. There's all these things you have to do and prove that you've done on an ongoing basis that you don't necessarily see. Other compliance standards you've been held to in the past, I think the quality audits and certifications are something that our customers typically are familiar with. I'm not saying they're not strict or stringent, but CMMC compliance just takes it a step further. It takes it a step further than most compliance standards, frankly.
SPEAKER_01:It takes it a few steps further,
SPEAKER_00:but yes, it does. And so it's familiar to you in that it's compliance that you have to adhere to, and it's similar to other standards, but it's just the cost of maintenance, the cost of ownership, if you will, for that car that really makes the price go up and why you can't just buy something off the shelf and be done with it.
SPEAKER_01:Yeah, I can't tell you how many times I've heard, for our ITAR or our ISO 9001 or whatever it is, audit, you know, it's only like $5,000. Why is this one so expensive? Because they don't have nearly as much to go through and they don't have nearly as much of an assessment process that they have to follow verbatim, you know. It's not nearly as detailed.
SPEAKER_00:So another question that we get semi-frequently is about cage codes and combining businesses. Oftentimes, maybe some private equity or something that comes in and buys existing businesses with existing contracts. And then they're faced with trying to get the whole... entity compliant. But with that, they have the problem of their sub-entities being separate cage codes and historically separate businesses. The question we get frequently is, can we combine or reduce compliance across those businesses to reduce costs, kind of get economies of scale?
SPEAKER_01:So you can. I mean, if you've got several companies, company one, two, three, and four, and they all have varying different amounts of government contract work that they do or subcontract work. Depends on how they're doing business. If they're doing business as individual entities, they have to be assessed as individual entities. They can share some services through the parent company as long as you configure it properly. But when you start mixing and matching everything, then... That's when it gets a little complex, and you have to figure out where your boundary is. So you can share some services, say some VDI services or something like that, that the parent company is going to host. Then that's perfectly fine. But you do have to configure it right, make sure it's segregated, and all that kind of fun stuff. Because if they're separate environments, they're separate environments. You can't just commingle them all. Unless you want them all to be assessed as one.
SPEAKER_00:Which might impact your contracts and your cage code. Yeah,
SPEAKER_01:you have to be assessed under the entity that you have the contract under. If you have the contract under each company, company one, two, three, and four, then you have to be assessed company one, two, three, and four. But like I said, the parent company can have some services that they share between those as long as it's configured properly. Just doing that doesn't necessarily make them a cloud service, a CSP.
SPEAKER_00:And that's something that you'll want to make sure you get an assessor that understands that technical configuration because that matters as well, picking your assessor when you're going to do something like that, because that's not something that everyone always understands. And so you might have one assessor, like I remember from Seek West, he was explaining how he would think that's fine. And I've heard other people, not necessarily on stage, but have said that, no, that's CSP now, the cloud service provider, and you can't do it. So, you know, there's some of these things we're saying just should be, you know, cautioned with the fact that assessors are where the buck stops and you need to make sure you interview your assessor and pick them that are right. Make sure they're right for your business and they understand the type of technology. You know, obviously they can't do a lot of consulting. No, they can't. But they can
SPEAKER_01:answer questions. Right. You know, how they go about assessments and all that kind of fun stuff and what their experience is.
SPEAKER_00:So things you might want to ask is like, if you're a machine shop, have you certified machine shops before? You know, make sure they understand the business type. You know, like, we're called an MSP. And so when we're interviewing our assessor options, one of the things that we've asked is, have you done MSPs before? You know, because it's quite
SPEAKER_01:different. 99.999% of them say no.
SPEAKER_00:Right. Yeah. So because you just don't want to hitch your wagon to, you know, someone who's just not going to do any favors. Not that they should shortcut or not hold you to the standards, but they need to be able to understand what they're assessing. Absolutely. So something we've addressed in the past is that the NIST standard, NIST 800-171, is kind of written start from scratch, you know, a network. And so, especially if we're working with a customer or a potential customer that is pretty read in and spent a lot of time in their view, unfortunately, kind of dissecting and trying to understand this compliance, they ask, is it just easier to, like, start with a new network from scratch and go that route, just build everything from the ground up to make it compliant and then just kind of put people in that compliant network fresh, you know? Or can you use your existing computer network that you've had, you know, 30 years of technical drawings and cobwebs and who knows what else in there, and can you make that compliant? Which is smarter to do? Do you do both? Or is there, you know, what would you suggest and how would you approach that?
SPEAKER_01:Well, in general, just from a 50,000-foot view, you say yes, it's a whole lot easier to put a nuisance in place and then put your CUI, your CMMC workflows in there in an enclave type of setup and just do that and make it fit. That is definitely easier than reengineering your corporate network to make everything fit. However, that doesn't always work, and you also have to worry about your CUI that you already have on your systems. Really what you need to do is you need to do a gaps analysis, do a CUI data flow diagram, figure out where all your CUI comes from, where it goes, figure out what's currently happening, right? And like we said before, make sure you bring in people to talk to that are actually performing the jobs, because you may think they're doing it one way and they may say, well, this is the way we do it. And you're like, oh, really? I didn't realize that. You don't want to create a workflow or be based on a workflow that's inaccurate. Once you understand how everything's currently working and what kind of data you have, and you have a gaps analysis to know where you are and where you need to go, then you can look and say, is it smart to redo? And it usually is, in some manner. It's always smart to redo that data flow diagram and say, all right, this is where we want it to go. And maybe it's not a complete new enclave; maybe you're making your current network work for this. A lot of time, if you can make an enclave work, an enclave really is the way to go. That's really hard for a lot of people to wrap their minds around. It's hard for people to wrap their minds around the fact that I'm gonna have to change my workflow. It's better to do that, it's cleaner to do that. So the answer is yes, it's better to start from scratch, but you need to do your research, your gaps analysis and data flow diagram and everything, and figure out where you are and where you need to be and how you can work, how you're able to
SPEAKER_00:work. One thing that we see a lot is that enclaves are a little, I mean, they're great in theory, and that should probably be a goal whenever you're starting to design something, is like, well, can we, you know, put this in its own little segment and walled-off garden and keep all our CUI there. Especially in a smaller manufacturing environment, we find it typically pretty hard to do. Really why I'm bringing that up is just to say that you had mentioned doing the gaps analysis first. It's really hard to address compliance without really seeing where you're at and really putting some effort into that. I think we've talked about it before, but people just want to download an SSP template and then implement it, or get a quote from somebody and then just buy compliance. And it just doesn't work that way. And you should really start with a gaps analysis, some sort of diagnostic to figure out where the heck you are. And truth be told, whatever preconceived notions you have, it's probably wrong, especially when you bring those people in, you know. Unless you're just Superman and you run your own business and know every single part of it, which I don't think there's a lot of those out there, you probably have someone doing some function for you. Spoiler alert, they're probably not doing the job the way that you thought they were. Not that they're doing it wrong, but that they have some workflow that they're doing to get their job done on a daily basis that really affects your CUI and your compliance. If you buy something... off the shelf and just buy compliance, you won't know that necessarily until the assessor comes in and then you get failed.
SPEAKER_01:You know, one of the things that us as an IT services provider or an MSP, managed services provider, one of the things that we do is we do, to really understand an environment, we do some sort of gaps assessment, some sort of assessment to figure out what all really is there because every single time that you say, you know, just simple stuff. How many computers do you have? How many servers do you have? What kind of cloud services do you have? You know, and they'll tell you. And it's not their fault. I'm not saying they're dumb or misleading or anything, but... they're always wrong. There's something they're missing. They've got more computers than they think they do. They forgot about the CAD workstations that they have. Of course, I don't know how you could forget about that. But there's always something in that environment that they didn't take into consideration. So that's why you have to do a really good detailed gaps analysis, gaps assessment.
SPEAKER_00:And we actually... implement this in our daily business. So for example, like we manage backups for a lot of customers. And so we don't just install the backups and then, we've installed them, they're good, we just know it's happening. Or even the logs, whenever they show completed and successful, we don't just go, cool, we're set. Even though we have all that technology, and we do have some pretty cool technology that will go in and test it automatically for us. It just doesn't require any human effort. And so we have a lot of error handling and fail-safes to make sure that it happens correctly. But still, at the end of the day, we go in and we have, you know, frequent tickets to go actually check, manually check the backup with a human person and make sure it works. Because despite all of that, what we think is happening sometimes isn't, you know. Some configuration somewhere messes it up and we have to go fix the backup, you know, or maybe it just got corrupted. And so without that physical checking, this system and process that we've designed that we thought was working turns out isn't. And we did that through what? An assessment. And that's all those are, right? Another popular question that we get asked is about the physical segmentation of devices. The question is, do we need to buy separate laptops or hardware for users handling CUI?
SPEAKER_01:I mean, if you want to make it easy, you can have a completely separate workstation in an enclave, and they have to use that workstation. And that way, this is one of the clean environments we're talking about, you know, create an enclave, use that workstation in the enclave to deal with CUI, and the machine outside the enclave, you don't. It doesn't touch it. It doesn't get anywhere near it. And so... sure, but it gets a little messier than that. Like I said, an enclave isn't always the best fit for everybody. So you can use things like virtual desktop infrastructure to help out, as long as it's configured right. You can't copy and paste, no drive mappings, no printing, no screenshotting, stuff like that. That's configured right. You can use VDI. So you can use things like that to help you out to where you don't have to double up on all your equipment. But that said, again, it depends on your work environment. It depends on what you're doing. People really like to talk about, you know, just put an enclave in place and just put like four machines in there, you know, or 10 or 20 or however big your organization is, you know, just whatever that smaller percentage of your machines are, you know, they go in that enclave and that's it. And that's great. It just doesn't work as cleanly for everybody.
SPEAKER_00:Which, not to say it again, but that's why, you know, your designing of your SSP and your processes and your systems and having all those stakeholders at the table really matters because, you know, it's, when you implement that enclave, it's little details that throw the wrench in the system. And then if you poke some holes in your enclave, then it all goes up in fire. That's the whole point of an enclave, right?
SPEAKER_01:If you poke a hole so you can get in and grab some data and bring it out, and guess what? You just brought that stuff in scope or expanded the enclave, however you want to phrase it, but you just brought that stuff into scope instead of keeping that enclave there. scope
SPEAKER_00:Right, so it's easier to just address it at the beginning of the process rather than implement all this stuff and then figure out later that you've got to redo a whole bunch of stuff.
SPEAKER_01:Yeah, and again, the larger the environment is, it's a lot easier to implement an enclave. It's a lot easier to do a lot of these things because you have people separated doing different things. You might have an HR person, you might have an accounting person, you might have the CEO who nobody lets touch any data. I'm just kidding. Well, which may be accurate. But you have people that don't need to touch the CUI data. But when you get to a small organization, that HR and accounting person may do some other things, and they need to have access to a level one network, for instance. Or it might just be the owner who does the accounting, and maybe they outsource the HR or whatever. And so that's not a concern, but they do some of the accounting, and they also need to touch the CUI. So the smaller the organization gets, the harder this is to implement and create an enclave and network. Separate everything out like
SPEAKER_00:that. Which it all ultimately leads back to scoping. It does. And so I think that you and Stacey just did an episode over scoping, so that might be a good place to check. There you go. That's right. On whether you need physical separation of devices and stuff like that. So it's all around your CUI flow and scoping. Right. On to the next question. Can a C3PAO or assessor give you advice before their formal assessment to help them get ready?
SPEAKER_01:Well, the simple straight answer is no, they can't. The other answer that I'll give you is yeah, absolutely they can do that, but then they can't assess you. So either way, you know, that advice is consulting. Giving you any kind of indication of how you can cover certain controls or whatever, that's consulting. The code of professional conduct is very clear that you can't do an assessment and give any consulting. If they give you any consulting at any time before that, they can't do your assessment. It's not like, well, that was three months ago. So they just can't do it. They've said, no, you can't get consulting from the same person you get an assessment from, the same person or the same company.
SPEAKER_00:Yeah, I think they do that because of ethics, and they're just trying to remove any possibility of a conflict of interest. So I completely understand that, but it does... It does. Mm-hmm. Mm-hmm.
SPEAKER_01:Mm-hmm. Mm-hmm. But people are people and there's going to be.
SPEAKER_00:Which I think is why we try and lean on accepted practice, you know, generally accepted thoughts. And the CMMC town halls give a lot of guidance. There's nothing authoritative except for the authoritative documents, of course, but we really lean on best practice, if you will, for that reason, because it's the safest bet. And you can certainly take the documents to bat and argue with an assessor, but sometimes it's easier to go the path that has least resistance. It is, but
SPEAKER_01:also along with that path of least resistance, you're going to have documentation to back it up. So you can say, here's my documentation. You know, this is how it works. If you disagree with an assessor, you're going to have to really know your stuff and say, look, here's all my documentation, here's all the supporting documents. It's based on NIST 800-171 and all of the other reference documents in CMMC and all the reference documents that apply here. You could reference something, good standards like CIS or something like that, but if it's not government-backed and approved and in reference to NIST 800-171 and CMMC, then don't depend on it. It's got to be in those sets of documents. It can't be something outside of that. Even if it's a better idea and more secure, it doesn't matter.
SPEAKER_00:I might not have been honest earlier when I said the most popular question we get asked is...
SPEAKER_01:Well, you know, it's kind of hard because there's a few questions that always come up, so it's like, which one was really, you know...
SPEAKER_00:Go ahead. Sorry. No, you're good. Yeah, so it's not usually "why is it so expensive?" That's the second question, after the first one, which is how much does it cost? How expensive is it? Right, so how much is it? Oh, you're asking me?
SPEAKER_01:Okay. Well, the answer is it depends. But really, you know, you've got to start at the beginning, just like we've said several times. You've got to start with a gaps assessment and figure out where you're at. Because if you don't do a gaps assessment and then the other things that go along with that, data flow diagram, you can guess, but you have no real clue where you're at. Generally, a lot of people will do, like us, do a gaps assessment and work on your SSP and your POAM, your policies, and kind of bundle that because they all kind of go together. You can do them separately in separate stages, but it just makes sense to bundle all those together. They
SPEAKER_00:always lead to the other, so you're not really saving any money by just doing it piecemeal. No, not really.
SPEAKER_01:You're going to have to spend the money anyway. You're going to have to do it anyway. Generally, that's going to start somewhere $15,000 to $25,000 or so, depending on the complexity of the environment, how many sites you have. You kind of start with that gaps assessment and SSP and POAM to figure out where you're at. Then after that, you've got your POAM, and so you know what you're lacking and what needs to be worked on. And so from that POAM, you can group those assessment objects or those controls or whatever. You can group those into different projects and figure out what those projects are. If you need to, of course, you can figure out however your data flow diagram looks now and what you want it to look like, and you can kind of design your environment and come up with projects. It really depends. Those could be 40,000. They could be 100,000. They could be less, more. They're all over the place. It really just depends on what you've come up with on a POAM to have to do. It also depends on scope, how you've scoped it. Are you restricting yourself to an enclave? Are you able to do that? You may not be able to do that. Are you encompassing more of your network? What is your scope? What does that look like? It depends on a lot of stuff. It's really hard to say what the projects are going to be for any particular size company. I would say if someone comes and gives you a quote, here's your quote, we'll put this in place and you can use that and you'll be compliant. That's great, but does it really fit what you need and is it really going to accomplish everything? Is there going to be any, you know, you're liable for any of the data spillage, any of the CUI leakage, I guess I should say. So is it really going to fit? Is it really going to work for you? So you've got to take that into consideration. Then there comes the ongoing. After you've got everything implemented, or actually probably during that time, you've got ongoing management costs.
And it is a more complex environment. You're going to have to have somebody internal to manage all that or bring somebody on board to help with that or bring somebody on board to do that. One of those three options. It has to be managed. We talked about that a little earlier. That's how this is all built out. It's ongoing management of the system that you create. For the ongoing management, I'd like to tell you how much it would cost, but that's a big secret. I'm just kidding. It's not a big secret. It's just that there's a huge range. But think thousands, don't think hundreds. Think thousands, ongoing, monthly. It'll be thousands whether you bring somebody on to do it internally or whether you hire somebody in to do it. And if you're a smaller environment, it's almost always going to be less expensive to help you do it. They can do as much as they can for you, but there's always things that you have to do for this compliance. Then after that comes what you're really looking for. And what you're really looking for is the assessment. You want to get that level two assessment certification and say, I've got it. It's right here. Give me some contracts. So that's what you're looking for. So those assessments, I was pretty confident in the price. I was pretty confident in the starting price. A little while back, now I'm a little less confident, it was somewhere between $40,000 and $60,000, erring on the side of caution and saying $60,000 for the assessment every three years. So once every three years, you'd have to spend that much. But that was the floor of where it would start. For a simple organization, it would start there. I've heard that there's C3PAOs that are doing it for less than that. And again, you just need to do your due diligence and do your interviews and make sure you understand. If you hire a service provider like us, you do need to do the same thing.
But you need to interview your C3PAOs, make sure that they can do the job, understand the job. So you may be able to get one for less than the $40,000 to $60,000 floor. But I wouldn't bet on it and I wouldn't tell you to budget for that. I would tell you to budget at least $40,000 to $60,000. Along with that assessment, what you're going to have to remember is that if you outsource any of it or if you insource all of it, there's going to be either time or money or both, and time is money. So even if it's time on your side, you're going to have to spend somewhere close to that $30,000 to $40,000 to $50,000, $60,000. It's very dependent on complexity and a whole lot of other things. But you're going to have to spend quite a few thousand dollars prepping and making sure you have everything in order, making sure you have all your proof ready, because you really want to be ready for that assessment when it comes. You don't want to have to be gathering things and figuring out where they're at. Hey, I need screenshots of this. I need that. Oh, we need to update this document. You don't want to be doing that at the last minute. You want to have all that ready. So there's going to be some project costs, either internally or externally with your service provider, helping out with that, prepping for that assessment.
SPEAKER_00:So if I hear it right, you basically have four categories of costs. Paperwork to get started, and then you have the project that is a result of the paperwork, all your to-do items. And then third, you've got kind of the cost of ownership to go with a car theme we're talking about here, the maintenance, ongoing costs to stay compliant. And then fourth, you have the assessment-related costs, which is going to be labor internally or externally to prep your body of evidence and everything for the assessor and then the assessor costs. Yes. Absolutely. If I'm a listener and I'm on a budget and I'm listening right now, what are my key takeaways from this episode?
SPEAKER_01:Expect some real effort. Compliance takes time. It takes documentation. It takes a lot of effort to do all these things. It takes ongoing management. So expect some real effort to go into this. Even for small teams, and really for small teams, it's going to seem like such a huge burden because you're a small team. If you can, start fresh. New enclave environment. If you can at all, really the best way to go if you can, it's faster, it'll be a little cheaper, be cleaner because you're not trying to clean up 30 years of an existing network. Make sure you scope smartly. Make sure that you only include what needs to be included. We've talked about this before. Don't overscope. Only scope in what needs to be scoped in, which is what we're talking about with the enclave, right? If you can create that enclave, make that your scope. Then do that. Make sure you try really hard to keep that scope as small as possible. You should also implement virtual desktop infrastructure. Smaller shops have a heavier burden than larger shops. I mean, larger shops have more complexity and more stuff, you know, but smaller shops, it's hard to do all this and not run the cost up. So if you... say, cost per capita, it's going to be a lot higher for small shops than it is for larger. I can tell you that. But if you can do virtual desktop infrastructure or VDI, that's a way to help out. And configure it properly. Maybe that's another episode. I know we've talked about it before. And we actually, I think, talked about it earlier in this episode. Don't expect any help from assessors. They can say, yeah, you failed here, here, and here. And you can say, well, why did we fail? Well, you failed because of this. Well, what can we do to fix that? They're going to go, I don't know. They probably do know, or they have some idea, but they can't tell you. That crosses over into consulting.
You need to also take into consideration the full life cycle of all four stages that you were talking about a while ago, all the way from doing a proper, good, full gaps analysis, all the way through assessment.
SPEAKER_00:If you have any questions about what we covered, please feel free to reach out to us. We are here to help fast track your compliance journey. You can text, email, or call us, and we'll answer your questions for free here on the podcast. Find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.