IN THIS LESSON

In the final episode of the CMMC Basics series, Mark Hatman and Amir Armand from Kieri Solutions focus on one of the most pressing topics for defense contractors: how to manage and reduce the cost of achieving CMMC Level 2 compliance without sacrificing functionality, security, or long-term sustainability.

🔹 Key Topics Covered:

1. Cost Drivers: Labor and Technology

  • Labor is the largest cost factor, particularly due to the people-driven nature of CMMC controls (e.g., documentation, reviews, authorizations).

  • Technology expenses include purchasing enterprise-grade systems, endpoint protection, and cloud or on-premises infrastructure capable of supporting compliance.

2. The Myth of “Buy This and Be Compliant”

  • Beware of tools or vendors promising instant compliance. Technology alone is never enough, because an assessor evaluates how a control is implemented and operated, not which product was bought.

  • Compliance requires defined policies, processes, and consistent documentation. Roughly two-thirds of the 320 assessment objectives in NIST SP 800-171A require manual or procedural action rather than a technical setting.

3. Functional Use Cases Drive Design Choices

  • Organizations must tailor their cybersecurity architecture to how they handle Controlled Unclassified Information (CUI):

      • Full-function networks (complex, typically on-prem, with the whole environment in scope)

      • Limited-use enclaves (segmented environments that confine CUI and narrow the assessment boundary)

      • Virtual Desktop Infrastructure (VDI) (low-cost, cloud-based, limited functionality)

  • Considerations include whether you need to print, transfer files, hold meetings, or support manufacturing systems with CUI access.

4. Future-Proofing for Export Controlled Data (e.g., ITAR)

  • If you plan to handle export-controlled data, your architecture must restrict access by non-U.S. persons and keep the data under U.S. jurisdiction. Cloud services then need to meet both the DFARS 252.204-7012 baseline (FedRAMP Moderate or equivalent) and ITAR's data-location and access restrictions; otherwise the data belongs on on-prem systems.

5. Design and Support Options

  • Do-It-Yourself (DIY): Build and maintain your own CMMC-compliant system. Labor-intensive but highly flexible.

  • Managed Service Providers (MSPs): Outsource IT management, but ensure your MSP understands its CMMC responsibilities and documents them in a shared responsibility matrix, since an MSP with access to CUI or to in-scope systems is part of your assessment. An MSP that does not understand this puts your assessment at risk.

  • Reference Architectures: Purchase a proven blueprint (e.g., from Kieri Solutions) to reduce setup complexity.

  • Managed Enclaves: Subscribe to a fully managed secure environment built for CMMC. Offers simplicity, but vet providers carefully.

6. Documentation Matters

  • Policies, System Security Plans (SSPs), procedures, and inventories are all essential, and all are time-consuming to develop from scratch.

  • Using a high-quality, plain-language template set can save time and cost (versus writing everything yourself or hiring consultants).

✅ Key Takeaways:

  • Compliance is not a one-time investment—it requires ongoing maintenance and mature IT processes.

  • Choose a solution based on how your organization uses CUI, and plan for future scalability.

  • Engage CMMC-trained professionals, assess your MSP’s capabilities, and consider using prebuilt architectures to save money and reduce risk.