by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
If you are looking to achieve CMMC compliance, you’re probably about to face the challenge of tracking an overwhelming number of components across business and IT.
If you don’t want to juggle dozens of Excel spreadsheets and data stored in a hundred places, you’ll need to find a GRC tool before you start drowning.
But which GRC tools actually help and which ones just create more headaches?
In our role as a managed IT services provider and CMMC consultant, we found that a lot of time was wasted on document management with our CMMC engagements. We’ve had a chance to try out several GRC tools, and we’ve found many to be clunky or overly broad. Here is our in-depth review of the one we think works the best. We’ll also give you some tips on what to look for in your own search for a good GRC tool.
Why you can trust us
ENC has helped hundreds of companies to implement new technologies and processes in a way that advances their goals and reduces risk. We’re also a Registered Practitioner Organization that is actively working with defense contractors preparing for CMMC.
QUICK ANSWER:
What should I look for in a GRC app, and what is the best GRC app for CMMC?
Key features of GRC tools include document management, risk analysis, workflow management, and compliance tracking. We think FutureFeed is the best GRC app for CMMC because it engages business leaders first. It also has solid tracking and reporting tools and decent templates for policies and procedures. E-N Computers includes FutureFeed access with each CMMC consulting engagement.
What is GRC?
GRC stands for Governance, Risk, and Compliance. It is a unified strategy for corporate governance, risk management, and regulatory compliance that can be used in any size of organization.
Governance refers to how your business is run. Policies and procedures define your goals and strategy and the responsibilities of key stakeholders, and they make sure that the company acts ethically while fulfilling its obligations.
Risk management seeks to identify potential problems and mitigate them. Although CMMC is a security framework, your risk management program should also address other risks your business faces.
Compliance is adherence to rules and regulations — in this case, NIST 800-171 and CMMC. It includes the policies and procedures you follow to maintain and check for compliance.
GRC tools aim to provide a unified dashboard and document repository for these three functions.
Do you need a GRC tool?
If you are seeking to become CMMC compliant, you should use a GRC tool. In our experience, many organizations underestimate the complexity of CMMC implementation. A good GRC tool provides so many benefits that it’s well worth the price.
The primary benefit of a GRC tool is that it centralizes information on your governance, risk, and compliance efforts, providing a single source of truth for monitoring and reporting. This allows you to spend less time chasing down data and making it agree. Instead, you can take a more proactive approach to your implementation program.
What to look for in a GRC app
GRC tools are expensive, so we think it’s fair to expect them to make your job easier. Here are some of the key functions you should look for in a GRC app.
Document management. You’ll be generating an avalanche of reports and policies. Don’t underestimate the importance of a solid document management system. That means it should help you create, track, and securely store policies, procedures, and compliance reports in an organized, accessible way.
Risk analysis. Based on information you provide, the tool should calculate your risk and provide insights on your risk and compliance posture. For CMMC, this function is closely related to your gap assessment and SPRS score.
Workflow management and automation. The tool should encourage an effective workflow for designing, implementing, and executing your compliance program. When you enter data for the first time or update it, that should automatically update your scores, POA&M, and usable reports.
Compliance tracking and reporting. Without too much digging, you should have a clear view of your compliance and be able to see the status of any compliance initiatives. It should also provide reminders regarding deadlines and regular inspections. Reports should be useful and accurate.
After evaluating several GRC tools for CMMC, we decided that the best one out there for us and for our clients is FutureFeed. Here’s why.
FutureFeed GRC tool review
FutureFeed is the only GRC tool we have encountered that takes a truly comprehensive approach to governance, risk, and compliance. Where other GRC tools seem built around a high-intensity, sprint-like engagement, FutureFeed is designed to guide you through CMMC implementation the right way.
Features
Clean, visually effective interface. As you might expect, many GRC tools are clunky and unintuitive. In contrast, FutureFeed presents all the information you need in a visually pleasing and data-heavy way.
Step-by-step guidance. This is where FutureFeed really shines. From the layout to the included explanations, FutureFeed makes it clear that their software is meant to help you work through every part of implementation rather than take shortcuts. It starts by engaging your business team first. Leaders put in their CAGE codes, the types of CUI they have, and other company data. At the top of the page, you get a “subway map” of stops along the way to your compliance destination:
- Big picture: assessment scope, data locations, and budget
- Tech and docs: technology overview, working docs, reference docs, reviews
- Assess: NIST 800-171 controls
- SSP: SSP scope, system environment, and detailed plan
- Your FutureFeed (POA&M): project builder and project portfolio manager
Each of these stops shows a completion rate—or in the case of POA&M, how many items there are—so you have a quick idea of your progress and what still needs to be done. From this high-level view, you can drill down into the nitty-gritty details of your compliance program.
Automated workflows and reporting. FutureFeed is carefully designed so that when you enter information, it flows everywhere it needs to be. For example, changes you make in your company profile, tech, assess, and FutureFeed (POA&M) sections are immediately reflected in your SSP. This allows you to spend less time on data collection, analysis, and reporting, and more time on getting things done.
Document templates. FutureFeed has an extensive library of templates that are good, but not great. You’ll still have to put work into making the documents your own, but these templates are a solid starting point. For example, we often use the “Email Retention Policy” template as a basis for a more comprehensive Data Retention Policy.
Secure storage. FutureFeed uses AWS GovCloud to provide FedRAMP High-compliant storage.
Automatic regulatory updates. When NIST revisions happen, FutureFeed automatically pulls in those changes. You’ll always be aware and ready to act. For example, look at the FutureFeed blog post “Don’t Panic! NIST 800-171r3 and FutureFeed”. The post explains the timeline for rule finalization, how customers can prepare, and what software adjustments will be released within a few weeks of the final rule.
FutureFeed GRC Pricing
FutureFeed pricing is based on:
1) the size of your organization
2) the feature set you choose
3) how often you want to pay
If you are seeking CMMC Level 2, you will need the DoD Contractor CUI Bundle. If you have fewer than 20 full-time equivalent employees (FTEs), this is $183/month. For companies with 20-199 FTEs, it’s $333/month. Those prices are billed yearly; you’ll pay about double if you want to pay monthly.
We include FutureFeed as part of our CMMC consulting services, which usually costs $1,250 to $1,500 per month if you need to reach CMMC Level 2. That cost is based on your company size and current IT environment. CMMC consulting is a long-term engagement — it will take 12 to 18 months for most companies to be ready for a CMMC assessment.
Other popular GRC tools for CMMC
The Cyber AB CMMC Readiness Tool (CRT) is the default for many Registered Practitioner Organizations because it is available through the Cyber AB, our accreditation body. It’s rather unusual—and a violation of international standards—for an accreditation body to provide a tool or service that could make it seem biased. Yet, this tool is a white-labeled version of Cyturus, commercial software developed by a cybersecurity consulting firm. Beyond these concerns, the tool itself is fairly clunky.
We also have some experience with IntelliGRC. The State of Virginia contracted with a consulting firm to evaluate Registered Practitioner Organizations like us. The firm used IntelliGRC to generate generic, overly broad reports that we found to be fairly useless.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.