In a larger company with limited resources, it could take upwards of 2 years to complete your get-well plan, and that could be too long for many DoD contractors. Depending on the layers of bureaucracy and the speed of your organization, this could be faster or it could be slower. How’s that for being obtuse? Let’s dive into the long-lead items and see what is going to drive your schedule.
After reviewing a few small clients’ preparedness for CMMC, we found some common themes among their get-well plans, and those themes can add significant time to the schedule. If you’ve already implemented these items then, of course, your schedule will look quite a bit shorter.
A few things take a while to complete. About 90 days of the schedule are dedicated to reviewing policy documents, and that doesn’t take into account the time it takes to create those policy documents. This assumes that your security team, or MSSP, is able to find and use policy templates to shrink that time. Our schedule above assumes that you will have inter-departmental reviews at the supervisor/worker level to determine the impact and feasibility of each policy. One sure way to kill user adoption is to force new security policies on people without buy-in or without understanding the unintended consequences of implementing those policies. We also assume that you will have a director/executive review of each of the policies so that you have ownership at the highest levels to ensure these policies are implemented. Each review takes 6 weeks: 4 weeks of review and 2 weeks of comment resolution.
The second driver of the schedule is Security Awareness Training. Standing up a Security Awareness Training program from scratch simply takes a lot of staff-hours. We assume that the person tasked with developing the training already has a day job that keeps them busy, so fitting this training development in is quite a task. We estimate about 3 months to create the content. And if you’re using a Learning Management System, you add time to create the training workflows, slides, and any other content; we estimate about 3 months of development in the LMS as well. Couple this with the finish-to-start relationship between each security awareness requirement in CMMC and you’re looking at a full year and a half of training development. One sure way to shrink this time is to outsource your Security Awareness Training to a company like Inspired eLearning; however, we haven’t fully evaluated their training content against the CMMC requirements yet.
The last significant critical-path item from our analysis is configuring each computer to comply with the requirements of CMMC. The most difficult of these is employing Whole Disk Encryption with technologies like BitLocker for Windows or FileVault for macOS. Although most of this can be automated using your Remote Management and Monitoring (RMM) tool or Microsoft Windows Active Directory tools, our analysis found that many computers in the field didn’t support this out of the box and required a BIOS upgrade to fully support the encryption. This means each computer may need to be touched by a technician to upgrade it. If your employees are engaged in remote work or have geographically separated offices, then you may need quite some time to work through the logistics of upgrading each computer.
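Before you plan those technician visits, it helps to know which Windows machines can be encrypted remotely and which cannot. The following readiness check is an added example (not from the original post or any vendor); it assumes Windows 10/11 endpoints with the built-in BitLocker and TPM cmdlets, run as Administrator, typically pushed through your RMM tool so the CSV rows can be collected fleet-wide.

```powershell
# Added example: classify a Windows endpoint's whole-disk-encryption readiness.
# Assumes Windows 10/11 with the BitLocker and TrustedPlatformModule modules present.
function Get-EncryptionReadiness {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    # TPM status; Get-Tpm fails where the TPM provider is absent, which we treat as "no TPM".
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # Confirm-SecureBootUEFI throws on legacy-BIOS firmware; its True/False return
    # (Secure Boot on or off) does not matter here, only whether the platform is UEFI.
    $uefi = $true
    try { $null = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $uefi = $false }

    # Current BitLocker state of the OS volume, if the module can read it.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue

    # Planning buckets:
    #   Encrypted       - protection already on; nothing to schedule
    #   Ready           - TPM ready and UEFI firmware; can be enabled remotely
    #   NeedsTechnician - no usable TPM or legacy firmware; the hands-on case
    $state = if ($vol -and $vol.ProtectionStatus -eq 'On') { 'Encrypted' }
             elseif ($tpmReady -and $uefi) { 'Ready' }
             else { 'NeedsTechnician' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = $tpmReady
        Uefi             = $uefi
        VolumeStatus     = if ($vol) { $vol.VolumeStatus } else { 'Unknown' }
        PercentEncrypted = if ($vol) { $vol.EncryptionPercentage } else { 0 }
        State            = $state
    }
}

# Usage: append this machine's row to a report your RMM can collect.
Get-EncryptionReadiness |
    Export-Csv -Path "$env:ProgramData\encryption-readiness.csv" -NoTypeInformation -Append
```

Machines reported as NeedsTechnician are the ones whose firmware or TPM state has to be sorted out in person, so that column is what drives the site-visit logistics described above.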