Compliance

CMMC Compliance Challenges for Small Businesses

11/2024

5 min read

Introduction

When it comes to complying with NIST 800-171, DFARS 7012, and CMMC, the size of a company often dictates its approach. Large aerospace and defense companies like Boeing or Lockheed Martin have the resources to assign entire teams to handle these complex requirements, and they can afford to divide the responsibilities across every aspect of them.

On the other hand, small businesses—those with fewer than 300 employees—face the same strict standards but without the luxury of large, dedicated teams. For them, compliance can feel overwhelming. Many lack the internal resources to meet these demands, often needing to outsource help or re-task employees. In this blog, we’ll explore how small and large companies approach compliance differently and the unique challenges smaller businesses face.

Smaller Businesses are Focusing More on NIST 800-171, DFARS 7012 & CMMC

Here at Atomus, we talk to hundreds of small aerospace and defense companies. From our conversations, we hear that businesses with fewer than 300 employees are focusing more on complying with NIST 800-171, DFARS 7012, and the upcoming CMMC 2.0 requirements. Many of these companies are being asked by customers about the cybersecurity requirements in their contracts and realize that compliance is essential to maintaining those relationships.

The challenge, however, is that most small companies can’t manage these requirements on their own. The conclusion most come to is that outside help will be needed, as handling everything in-house is often impractical for businesses of this size.

Jobs that Need to be Done for NIST 800-171, DFARS 7012 & CMMC

Complying with NIST 800-171, DFARS 7012, and CMMC takes a lot of work. Big companies usually approach these requirements by assigning individual team members or entire teams to each job. While that might work for companies with over 300 employees, or for the Boeings and Lockheed Martins of the world, most small businesses cannot apply this big-company playbook to these requirements, and that's why many of them are unsure of what to do.

The jobs required to comply with these requirements include the following:

1. Configure & Manage IT Systems: Someone must configure and manage a company’s IT systems, which is usually the IT manager's responsibility.
2. Create, Manage and Update 300+ Pages of Documentation + Artifacts: Someone should be dedicated to creating, managing, and updating the 300+ pages of documentation and artifacts required to demonstrate compliance with NIST 800-171 and CMMC assessment requirements. This process can be extremely time-consuming and is a full-time job in itself.
3. Report & Track Compliance of Systems: Someone must report and track system compliance. This means ensuring that all the systems in a company’s IT environment are up to compliance and then tracking deviations and drift.
4. Provide Compliance Advice and Implementation to End Users and Administrators: Someone must provide compliance advice and implementation guidance to end users and administrators. Companies need consultation whenever a new compliant system, software, or server gets set up.
5. Monitor Systems for Cyberattacks and Respond to Incidents: Someone must monitor a company’s systems for cyberattacks and respond to incidents. It's important to invest in tools and set them up, but having someone to monitor them is crucial for responding effectively to any issues.
6. Create & Implement Internal Company Policies and Procedures: Someone must create and implement a company’s internal policies and procedures for handling data and contracts subject to these requirements.

For small businesses, NIST 800-171, DFARS 7012, and CMMC can be an intimidating task. Unlike large companies with dedicated teams and big budgets, smaller companies often struggle to handle these requirements with limited resources. This is why many small businesses find it challenging to meet these requirements and realize that trying to apply the big company approach just isn't feasible for them.

How Does a Company Under 300 Employees Comply with NIST 800-171, DFARS 7012 & CMMC?

After talking to numerous aerospace and defense companies with fewer than 300 employees, we find that solutions typically fall into one of three buckets:

  • Outsource - Usually to an IT Managed Service Provider or consulting firm
  • Internal - Usually hiring someone or re-tasking a current employee
  • GRC tool - Using a governance, risk and compliance tool, typically operated by an internal employee

Each of these approaches has its advantages and disadvantages. Most IT Managed Service Providers and consulting firms don’t know how to deal with these compliance requirements and don’t use the FedRAMP products needed for them. An in-house solution is typically not feasible for companies under 300 employees, and it is generally not a good use of resources to custom-build a compliance program manually. GRC tools are a good template but don’t help implement, monitor, and maintain a company’s IT systems or generate the evidence needed to pass an assessment. As a result, approaching these compliance requirements internally still requires a significant amount of in-house work even after buying expensive GRC tools.

Conclusion

The path to complying with NIST 800-171, DFARS 7012, and CMMC looks very different for large and small companies. Large organizations can assign teams to meet these requirements, while small businesses must follow the same strict standards with fewer resources. For small aerospace and defense companies, CMMC can be overwhelming. See how Atomus can help simplify your CMMC compliance journey today!
