
by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
Are you a small government contractor with an SPRS score in the negative numbers? Do you see the CMMC compliance deadline looming without the budget to make major changes?
Our client – a Richmond area aviation contractor – was in a similar situation. But this contractor is now well on the road to CMMC compliance – without killing their business with overwhelming IT costs. Here’s how they did it, and some lessons you can apply to your own compliance journey.
Why write about this client now when they have not yet achieved CMMC certification? For one thing, as of right now, nobody is CMMC certified. The final rule was only published late in 2024, and CMMC assessments aren’t expected to start until early 2025.
However, now is the time to be learning from small businesses who are ahead of you on this journey, a journey that can take two years or more.
For context, I’m the founder and president of E-N Computers, a regional IT managed services provider. I started it as a computer shop in my garage nearly 30 years ago. Our headquarters is in Waynesboro, Virginia, and we have satellite services in Washington, D.C. and serve clients in Richmond, Charlottesville, Roanoke and from coast to coast with our remote services. Because of where we are, our focus over the years has been on government organizations and government compliance.
QUICK ANSWER:
How can a small business achieve CMMC compliance?
Start now so you can spread out your costs, stay within the Microsoft ecosystem to simplify your compliance, and keep as much protected data as possible within a single system. Also, be prepared for a cultural change – IT compliance requires group effort and planning.
Taking care of general IT support
This particular government contractor (who also serves commercial clients) came to us about six years ago. At first, they were looking for a full-time IT person but then saw the value of our staff augmentation services. Not long after, they hired us as a managed IT services provider.
Six years may seem like an incredibly long time to be on the road to CMMC compliance, but we weren’t just working on CMMC over those years. A lot of what we’ve been doing is day-to-day user support that includes everything from onboarding to setting up conference room phone systems. During that time, we’ve also set up or supported:
- A new VoIP phone system
- A backup system that met FAA compliance standards for data retention
- SOLIDWORKS® 3D CAD
- Multi-factor authentication
- An up-to-date VPN to allow the team to work securely from remote locations
- A computer and server refresh
Progress toward CMMC compliance
As far as compliance is concerned, our client started off with a negative SPRS score, which is not unusual.
Your SPRS score represents how compliant you are with the security controls in NIST SP 800-171. SPRS stands for Supplier Performance Risk System, the web app the Department of Defense uses to track this data.
An SPRS score can range from -203 to 110. Under the current scoring system, you start at 110 and lose points for each unmet control. To achieve CMMC certification, you’ll have to reach a minimum score of 88 and have a Plan of Action and Milestones (POA&M) for the remaining items.
Our client is now in the 80s or 90s, and we’d like to reach 110. We’re still working on getting that number up. We’ve been staying on top of their System Security Plan and their Plan of Action & Milestones and preparing them for their audit.
We took a huge step last year when we moved this client into a Department of Defense approved cloud product. If your business works with any federal agency and handles federal data, your cloud services need to comply with FedRAMP. Defense contractors are required under DFARS 252.204-7012 to make sure the cloud services they use are FedRAMP Moderate authorized or equivalent. Under CMMC, they must prove that the services they use are compliant. See our article What federal contractors need to know about FedRAMP for details.
Someone who handles CUI will need Microsoft 365 Government Community Cloud (GCC), and someone who also has export-controlled information will need GCC High.
Moving to a FedRAMP-approved tenant like Microsoft GCC High reworks everything – your email and all your settings have to be redone, all of your devices need to be managed, and you have to build out more policies than before – and document them.
GCC High is a great product, but it’s not compliant out of the box. It can manage all of your devices, but it doesn’t do so automatically, and one of the requirements of CMMC is to have an inventory of all your devices. You have to enroll your devices and have the required policies applied to them.
Every time you change out a system, you’re going to have to revisit policies and procedures, so we are helping our client write those. It takes substantial time and effort. It’s just a big shift.
Lesson 1: Don’t drag your feet with CMMC
Here’s our first lesson from this client. Don’t delay. If you’re dragging your feet over upgrading to the right Microsoft tenant because it’s expensive, that’s going to delay your progress.
On the other hand, planning ahead for CMMC allowed our client to move toward compliance and still keep their business running. A small business only has capacity to do so much in a year. And you need to plan for and spread out your costs. For example, we did a server refresh one year and migrated the company to Microsoft GCC High the next year.
Lesson 2: Use Microsoft
The more you can do in Microsoft the better. It can allow you to run your business with one FedRAMP-approved client. You can retire out a lot of third-party systems because you can do multi-factor authentication, device management and so forth all in Microsoft. These days Microsoft Defender can even replace your third-party EDR solution.
Lesson 3: Keep your data in one place
This relates to the previous point about using Microsoft for everything. Compliance can be a faster process if your data is all in one place. If your data must reside in multiple systems, expect a multi-year implementation. And push back on your government program managers. If you fear your data is all CUI because you don’t know, get that nailed down. The fewer systems (which could be anything from email to a fax machine) you have to worry about, the easier it will be.
CUI is sensitive information related to the deliverables of a contract for any federal agency. You are required to protect all information you handle as part of a government contract, even if you are just a subcontractor. If the contract is with the Department of Defense, you must comply with CMMC Level 2. Microsoft GCC and GCC High will allow you to implement tags to label and track CUI tenant-wide. For more details on scoping and handling your CUI, see our related article What is CUI and do I need to worry about it?
Next Steps
In general, CMMC is a tremendous shift for most businesses. You can’t expect out-of-the-box solutions or quick fixes. And it’s a cultural change. It’s about getting away from some of the cowboy stuff that might have worked in the past.
Right now is the time to educate yourself and also talk to a CMMC Registered Practitioner (RP) to help you through the process.
Talk to a pro
Through our contact form, request a complimentary consultation with one of our senior engineers who is also an RP.
Learn more from our CMMC articles
You can learn more about CMMC in the following articles, all of which were written with small businesses in mind:
- The Ultimate Guide to CMMC
- The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
- What is FCI and should I worry about it?
- What is CUI and should I worry about it?
If you’re looking for CMMC tools and training:
- We found the best GRC tool for CMMC
- What is Microsoft GCC High and do I need it?
- Best CMMC training resources
- CMMC Level 1 guide as audio book
- CMMC Level 2 guide as audio book
If you’re looking for a CMMC consultant or Registered Practitioner Organization:
- Best CMMC consultants
- Best CMMC RPOs near Washington, DC
- Best Virginia Registered Practitioner Organizations