Let's continue on prepping for C MMC now. And this is probably one of the most unpleasant areas of CMC for not only for the contractor, for D. O. D is the cost.
with the cost, what can you do in preparation for C MMC? Because there's
definitely, ah costs associated with that
some what's going to depend upon the structure of the contractors company? And as I mentioned before, they may have a managed services provider who's doing most of their infrastructure work.
So in that case for that company, they're gonna have to reach out to the managed services provider and get assistance from them in the preparation.
The other thing that is occurring is that there are other companies out there who will work with the contractors specifically
for this preparation or what in the industry they're calling pre assessors.
And what will be the cost of the preparation that's going to be variable because first,
consider the level that you know that you operate with the contracts that you have, So if you're a Level three,
um, contract provider,
then your costs will be less than a level five. Because of the dramatic amount of sensitive data. The level five deals with
doesn't mean that the Level three will have a much of a cost. No, it's just that it will be less so with that preparation.
If your infrastructure already is
security wise tight, then the amount of work that you'll have to do to be able to be comfortable when the assessor of the O. D comes walking in will be a lot less now.
We'll get into that later
where does this assessor come from? But the D. O. D has a C M M c A B A B being in accreditation body that is helping the d. O. D. And creating the framework for these assessments.
So when Ashley comes down to the actual cost of the assessment, you have two phases. You have a pre assessment phase two, where, as your company, you will want to be able to go over when Version one of C MMC comes out,
You want to make sure that your abiding by the practices within that version one framework
then the other thing that you look at is that when that assessor comes,
Do you have everything ready? The documentation that people everything ready. So when the assessor comes in, he only has to spend minimum time with you and doing his assessment.
So all these roll up into a cost to the contractor.
So where is D of D and all this
as faras Right now, the D. O. D has not put out a dollar amount
that they will help the contractor absorb.
the c M M C. A B accreditation body works with D of D,
the contractors will know what allowable costs will be able to be passed through with that certification.
So if you've already been self assessing yourself
I think the amount of work that you'll have to do in this pre assessment phase should be minimal. Probably the biggest effort you'll have is just making sure that you can prove
that you are complying with 801 71 coming up with version one,
which has a big basis on the 801 71.
So what does that mean again? Documentation,
policies, procedures? Can you show the assessor when he comes in that you have good cyber hygiene
granted at Level one. The amount that you have to prove is a lot less versus level five.
So really, look at the contracts that you are going to be bidding on. Know what that level is that the highest level you have to attain, and then when you can look a 0.7 framework right now to get an idea
off what you will be responsible for so that when version one does come out,
you'll be able to very quickly see what differences there are between 0.7 dot one and be able to walk and assess yourself if there's any additional documentation and work of your end that you have to do before the assessor comes in.