We’re a small business (~20 employees) with 4 corporate computers potentially handling CUI, while 95% of our government work is done on GFE. Based on our assessment, we identified the need for a SIEM solution, a move from Google to Microsoft 365 GCC High, local computer MFA implementation, advanced antivirus with centralized reporting, group policies for local computers, and a firewall device.
However, the quotes for implementation and ongoing costs feel like overkill, seeming to require a full SOC for just 4 computers. For those who’ve successfully navigated the CMMC Level 2 process, what are your insights? Any strategies to balance compliance with practicality?