Cybersecurity Maturity Model Certification (CMMC) is a framework of various cybersecurity standards and best practices to safeguard sensitive national security information from increasingly frequent and complex attacks. CMMC 2.0 compliance is a requirement for all government contractors working with the Department of Defense (DoD).
In 2015, the DoD released the Defense Federal Acquisition Regulation Supplement (DFARS), a series of cybersecurity requirements that contractors and subcontractors in the Defense Industrial Base (DIB) must follow to protect Controlled Unclassified Information (CUI). As part of the certification process, contractors must comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 (NIST SP 800-171 R2).
Contractors will lose existing DoD contracts and won’t be able to bid for new ones until they can demonstrate compliance with the required level in the contract. The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients who falsely claim compliance.
What are the CMMC Requirements?
In 2020, the Department of Defense (DoD) began requiring defense contractors to prove compliance through a self-assessment using a points-based system, an honor system, if you will. After completing the self-assessment, contractors are required to submit their scores to the DoD’s Supplier Performance Risk System (SPRS). A System Security Plan (SSP) is also required, containing comprehensive details of the organization’s networks, systems, processes, policies and security controls, including how those controls are being implemented and improved over time. Contractors must currently have an SPRS score listed in the SPRS database in order to bid on and receive DoD contracts.
In a significant move, the DoD introduced the Plan of Actions and Milestones (POAM), through which organizations that have not yet fully implemented 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline. The POAM is submitted with the SPRS score and enables organizations to begin working for federal agencies while they simultaneously work towards full implementation of 800-171. Once CMMC is fully implemented, the timeline for completing a POAM is six months from submission of the SPRS score and POAM.
Companies that handle CUI must also submit to and pass an independent audit proving that they meet the 110 controls outlined in NIST 800-171 R2. This audit is at the company’s expense.
When will CMMC Certification be required?
Mandatory SPRS score reporting (including creation of an SSP and POAM) has already begun for those bidding on contracts. Voluntary audits of those who claim to be CMMC compliant began in August 2022. It is expected that all the requirements of CMMC will be finalized by the end of the first quarter of 2023.
Who needs CMMC Certification?
CMMC is required of any individual in the DoD supply chain, including contractors who interact exclusively with the Department of Defense and any and all subcontractors. According to the DoD, the CMMC requirements will affect over 300,000 organizations.
How will CMMC 2.0 be enforced?
Today, companies without an SPRS score cannot bid for new contracts. Those that must show compliance with CMMC Level 2 or 3 must submit to an audit by a third party. Failing the audit could result in loss of contracts or of the ability to bid for future contracts. Any company that falsifies its compliance could face a False Claims Act lawsuit from the Department of Justice. The DOJ has already begun pursuing and collecting millions in fines from cases of cybersecurity-related fraud by government contractors and grant recipients.
What will be the consequences of not completing CMMC Certification?
Non-compliant companies will lose the ability to bid for new DoD contracts.
What are the different CMMC Levels?
You may be asking yourself, “What CMMC level do I need?” Determining the CMMC level you need depends on the type of services and information that your company accesses and stores in your information systems.
CMMC requirements are based on the type of information a company handles. Companies that provide COTS (commercial off-the-shelf) services to the DoD and only handle Federal Contract Information (FCI) must comply with CMMC Level 1. All companies that handle CUI (Controlled Unclassified Information) must comply with Level 2 or 3, have implemented the 110 (or more) controls, and prove successful implementation through an audit by an independent agency. For more details:
- Level 1 (Foundational) only applies to companies that focus on the protection of FCI. Level 1 is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focuses on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users.
- Level 2 (Advanced) is for companies working with CUI. CMMC 2.0 Level 2 requirements mirror NIST SP 800-171 and align with that document’s 14 control families and 110 security controls, developed by the National Institute of Standards and Technology (NIST) to protect CUI.
- Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.
In addition, Levels 2 and 3 will require a third-party assessment. See the chart below for an overview.
Are the CMMC requirements for small businesses the same as those for larger businesses?
CMMC requirements are not based on the size of the business but the type of information to which the company has access in order to do business with the DoD. Companies that only handle FCI (Federal Contract Information) do not have as stringent requirements as those who handle CUI (Controlled Unclassified Information).
How do I complete a CMMC Audit?
CMMC requires all DoD contractors that meet the requirements for Level 2 or 3 to be audited and obtain certification from a trusted and approved third-party assessment organization (C3PAO). For Level 2 compliance, the CMMC Accreditation Body (CMMC-AB) is responsible for reviewing audits and issuing certificates; however, a C3PAO must perform the audit. For the small subset of contractors who must comply with Level 3, the federal government will conduct the audit.
The CMMC audit cost depends on the size of the organization. Companies should expect to incur the following types of costs in the CMMC audit process:
- Audit preparation costs: Also referred to as soft costs, audit preparation costs are the expenses for preparation and external consultancy.
- Hard costs: Hard costs are also incurred in audit preparation and the audit process and may involve investments in the processes needed to meet audit requirements. This also includes costs for implementing authentication mechanisms, endpoint security, and log monitoring.
What is the total cost to get CMMC Certified?
There is no set cost for CMMC compliance. In addition, CMMC is not a “one and done” milestone. It will require time, personnel and expense both to achieve initial compliance and to do the work necessary to maintain it. CMMC certification costs will vary by company depending on:
- what level of compliance needs to be achieved,
- where a company is in their current journey to CMMC compliance,
- the types of controls that need to be purchased, installed, configured and in place to achieve compliance,
- the cost of managed service providers (MSPs) and other vendors to perform installation and configuration of said controls,
- the cost of maintaining systems and controls, and
- the cost of additional employees to maintain, update and manage the risk management, policy and procedure, monitoring and audit aspects of NIST 800-171 required to keep the company in compliance.
A good rule of thumb is that it will take most companies six to 12 months of time, talent and information system upgrades to gain compliance.
How long does it take to become CMMC Certified?
General estimates are six to twelve months to achieve compliance and certification.
How does CMMC compare to NIST 800-171?
NIST SP 800-171 lays out the requirements for any non-federal agency that handles controlled unclassified information (CUI), or other sensitive federal information. It details how organizations should protect this information. First published in 2015, the goal is to strengthen the federal supply chain and ultimately protect national security as a whole.
The “800-171”, as it’s known, is made up of 110 controls divided into 14 control families, and takes around half a year to implement. It’s important to note that there is no certification to prove compliance with this framework. It was originally developed to provide guidance for the DFARS clause (the Defense Federal Acquisition Regulation Supplement), the original cybersecurity requirements from the DoD.
Since DFARS is still a listed requirement in most government contracts, if you are bidding on a contract or have been awarded the work, you’ll need to be compliant with all 110 NIST 800-171 controls in order to fulfill the DFARS clause.
Unfortunately, due to the lack of certification, the DoD found that contractors were claiming to uphold all of the NIST 800-171 standards when in reality they were not. The DoD decided that it was necessary to develop a certification process to ensure that contractors were compliant with a basic set of cybersecurity controls: thus the CMMC, built on NIST 800-171.
How can GaMEP help my company become CMMC Compliant?
GaMEP can perform a CMMC Gap Analysis and Readiness Assessment. The gap analysis and readiness assessment are foundational steps for companies to gain a detailed understanding of how close they are to meeting the requirements of their targeted CMMC level.
The Readiness Assessment will help uncover systems and processes that may not meet the standards outlined in NIST 800-171 by asking questions such as:
- How is data stored and access to information controlled?
- Are incident response plans in place, current, and effective?
- Are IT staff and other personnel adequately trained?
- How are security protocols implemented and maintained?
The resulting Gap Analysis will pinpoint risk areas for contractors and facilitate the creation and execution of a Remediation Plan, either by the MSP or using in-house resources. From the Gap Analysis, GaMEP can assist a company with creating the SPRS score, SSP and POAM necessary to begin the CMMC process and bid for DoD contracts.
Without an exhaustive Gap Analysis in hand, DoD contractors may find it impossible to identify risks, prioritize activities, and determine costs for any remedial steps required for CMMC certification.
What if I am not located in Georgia?
Check with your local state MEP to see if they can provide CMMC services.
Where can I complete CMMC training or learn more about CMMC requirements?
By: Michael Barker, GaMEP Cybersecurity Project Manager