Preparing for CMMC 2.0: Build New or Fix Old?

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

As the Defense Industrial Base (DIB) awaits the finalization and rollout of proposed changes to the Cybersecurity Maturity Model Certification (CMMC) program, there are still plenty of ways to begin preparing for CMMC 2.0 now.  Some aspects of the revised model are more streamlined; for instance, CMMC 2.0 will only have three levels of certification, ranging from basic cyber hygiene to advanced practices. However, other proposed changes reflect tighter standards for supply chain cybersecurity. Depending on the type and scope of the contracts they pursue, defense contractors – and even the external service providers in their security stack – will now need to achieve a certain level of CMMC compliance by 2025.


When preparing their IT environments for CMMC compliance, defense contractors have two choices: build a new environment or try to fix their current one. Both options have pros and cons, and the decision will depend on several factors, such as the current state of the environment, the budget, the timeline, and the desired level of CMMC certification.


Build New or Fix Old: A Car Analogy

To illustrate the difference between building new and fixing old, let's use a car analogy. Imagine you have an old car that has been serving you well for many years, but it has some problems. It consumes a lot of gas, it breaks down frequently, it has outdated features, and it doesn't meet the latest safety standards. You know it’s time to upgrade your car, but that leaves you with two options: buy a new car or repair the old one.


Buying a new car would give you many benefits. You would get a more efficient, reliable, modern, and safe car that meets your needs and preferences. You would also save money and time in the long run, as you would avoid costly and frequent repairs. However, buying a new car also has some drawbacks. You would have to pay a large upfront cost, you would have to learn how to use the new features, and you would have to deal with the hassle of selling or disposing of the old car.


Repairing the old car would also have some advantages. You would avoid the upfront cost of buying a new car, you would keep the familiarity and comfort of the old car, and you would extend its lifespan. However, repairing the old car also has some disadvantages. You would still have to pay for the repairs, which could be expensive and frequent. You would also have to compromise on the performance, features, and safety of the car, as you would be trying to make it work with older technologies. Moreover, you would risk not meeting the latest standards and regulations, which could affect your eligibility for certain benefits or opportunities.


How Does This Apply to CMMC?

The car analogy can help us understand the trade-offs between building new and fixing old IT environments for CMMC. Building new environments would mean creating a separate and secure network for handling controlled unclassified information (CUI) and other sensitive data. This would allow defense contractors to design and implement the best practices and technologies for CMMC compliance, such as encryption, segmentation, monitoring, and backup. Building new environments would also reduce the risk of cyberattacks, data breaches, and non-compliance penalties. However, building new environments would also require a significant investment of time, money, and resources. Defense contractors would have to plan, procure, deploy, and test the new environments, as well as train their staff and migrate their data and applications.


Fixing old environments would mean trying to retrofit the existing network with the necessary security controls and processes for CMMC compliance. This would allow defense contractors to leverage their current infrastructure and avoid the disruption of building new environments. Fixing old environments would also enable defense contractors to maintain their business continuity and operations. However, fixing old environments would also pose many challenges and risks. Defense contractors would have to identify and remediate the gaps and vulnerabilities in their network, which could be complex and time-consuming. They would also have to deal with the compatibility and integration issues of adding new security solutions to their old systems. Moreover, they would risk not achieving the desired level of CMMC compliance, as they would be trying to make their old environments meet the new standards.


Considering Costs: Build New or Fix Old

The CMMC program is designed to assess an organization’s entire IT environment, and in the case of prime contractors, may soon include flow down requirements to attest to the security posture of their subcontractors’ environments as well. That means that many organizations will need to assess their CMMC readiness against a mix of cloud, hybrid, and on-premise environments.


When considering whether it's better to build a new or fix an existing environment, the most important factor to consider is cost. The cost of preparing for CMMC will vary depending on the size, complexity, and maturity of the IT environment, as well as the level of CMMC certification required. Here are the typical types of costs contractors should consider when preparing their IT environment for CMMC compliance:


  • Hardware: Includes the purchase of new servers, switches, routers, firewalls, and other devices for the new environment, or the upgrade of the existing devices for the old environment.
  • Software: Includes the purchase of new licenses, subscriptions, or updates for the security solutions, such as antivirus, firewall, encryption, backup, and monitoring software.
  • Services: Includes the fees of external consultants, auditors, or contractors that help with the planning, implementation, testing, and certification of the new or old environment.
  • Training: Includes the expenses of educating the staff on how to use, manage, and maintain the new or old environment.
  • Maintenance: Includes the ongoing costs of keeping the new or old environment operational, such as power, cooling, support, and updates.
  • Repairs: Includes the occasional costs of fixing the problems or issues that arise in the new or old environment, such as hardware failures, software bugs, or security incidents.


While specific costs vary by technology and service provider, most organizations can expect to see a higher upfront cost to build a new environment, but lower ongoing costs for its maintenance and repairs. For organizations that decide to only focus on upgrading or migrating certain parts of their IT environment, it’s also important to consider the potential cost benefits and risks to the environment’s overall performance, reliability, security, and compliance. Here are some questions to help guide that decision-making process:


  • Do we have the financial and technical staff resources to achieve compliance with our current environment?
  • Is it more cost-effective to migrate our CUI workloads to a separate government-compliant cloud enclave?

Are we better prepared to meet any other future compliance requirements with our current environment?

Where to Start?

While the path to CMMC compliance may not be simple, there are some scenarios where the decision to build new or fix old becomes quite clear. Organizations that are significantly behind on compliance standards -- and lack the internal resources to address those gaps -- may opt to build new right away. On the other hand, organizations that are already heavily resourced for compliance management may only need to make small adjustments to ensure new requirements are met.


Still wondering where to begin? BlueVoyant's CMMC compliance decision tree should help get you started. 



Build New or Fix Old: CMMC Compliance Decision Tree




Please keep in mind that GCC and GCCH are Microsoft environment that can meet FedRAMP requirements. For more information on the difference between different O365 environments please visit Richard Wakeman's article on "Understanding Compliance Between Commercial, Government and DoD Offerings"


No matter which path your organization decides to take, there are several activities that every defense contractor can do now to effectively reduce cybersecurity risk and increase resilience in the long term:


  • Understand your FCI/CUI dataflow and prepare for CMMC readiness. 
  • Verify compliance of cloud services used to handle CUI.
  • Gain deeper visibility of your supply chain. 
  • Create scalable risk mitigation plans to address ongoing threats. 
  • Regularly validate technical controls with continuous monitoring tools.
  • Establish processes to collaborate with subtractors on cyber remediation.


Preparing for CMMC is a critical and urgent task for defense contractors that want to stay competitive and compliant in the defense industry. They have two choices: build new environments for the or try to fix their current environment. Both options have pros and cons, and the decision will depend on several factors, such as the current state of the environment, the budget, the timeline, and the desired level of CMMC certification. Defense contractors need to evaluate their options carefully and choose the one that best meets their needs and expectations.


Interested in learning more about CMMC compliance? Check out BlueVoyant’s recent webinar here.




Here are additional blog articles from CMMC Acceleration: 



Blog Title 

Aka Link 

Sharing Lessons Learned from Microsoft’s Joint Surveillance Audit

Get Started with Microsoft Learn for CMMC

New! Microsoft Collaboration Framework 

New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base 

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government 

Gold Standard!Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings 

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In 

Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants 

Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants 

Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring 

Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty 

Microsoft expands qualification of contractors for government cloud offerings 


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.