Cybersecurity Blog | Ingalls Information Security

Why You Should Budget for CMMC & ATO Before Submitting a SBIR Proposal

Written by Brandi Pickett | Aug 8, 2022 4:00:00 AM

Are you gearing up to submit a SBIR proposal? Here’s what you need to know about budgeting for CMMC and ATO so you don’t run into any issues or delays. 

The memo released by the DoD last month increased pressure on contractors when it comes to cybersecurity. Check out our recent blog post that breaks down what these DoD requirements mean for government contractors because it’s important to understand how failure to have or to make progress on NIST SP 800-171 requirements may be considered a material breach of contract requirements.

How to Budget for CMMC and ATO

One way to get ahead of any potential problems is to budget for Cybersecurity Maturity Model Certification (CMMC) and Authorization to Operate (ATO) costs before you submit a SBIR proposal. CMMC’s key objective is to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain. Because you are likely to handle both of these information types as a DIB supplier, CMMC outlines specific safeguarding requirements to keep them secure. CMMC reviews and combines various cybersecurity standards and best practices, making it a comprehensive verification mechanism for effective security.

To ensure you adhere to the DoD’s requirements correctly, you need an expert who understands how to navigate the CMMC process effectively. At Ingalls, our staff of experienced CMMC Registered Practitioners provides a wide range of CMMC services, including:

  • FutureFeed, a Governance, Risk, & Compliance (GRC) tool that integrates tracking mechanisms and empowers your team to stay on course
  • Performing assessments against NIST SP 800-171 and helping you submit your score in the Supplier Performance Risk System (SPRS)
  • Creating a “Plan”, also known as a Plan of Action and Milestones (POA&M)
  • Consultation on and maintenance of your cyber program

Also, if you are developing a product or technology for the DoD, your contract may have a clause that requires the product to obtain an ATO. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a 7-step process that organizations can use to manage information security and privacy risk for themselves and their systems. All DoD information systems must undergo the RMF process to achieve an ATO.

Navigating the RMF/ATO process is exhaustive and resource-intensive, and it is often not considered until the system or application is ready to deploy, which significantly delays timely delivery. Ingalls partners with you to provide ATO support throughout the RMF lifecycle with a tailored approach for services including:

  • Dedicated support throughout the RMF lifecycle
  • IAM Level III and II Certified Information System Security Manager (ISSM)
  • IAT Level II and III Certified Information System Security Officer (ISSO)
  • eMASS data entry and control responses
  • RMF expert to liaise with Authorizing Official (AO) staff or the Security Control Assessor (SCA)
  • Development of core documentation and evidence
  • Development of RMF/ATO tasks with Project Schedule


If you are not sure how to get started with a budget, or want to know more about your responsibilities for CMMC and ATO, reach out for a free consultation to learn how Ingalls can help.