What You Need to Know About the Cybersecurity Maturity Model Certification (CMMC)

CMMC is a certification that a company can earn to demonstrate that it is capable of protecting “federal contract information” (CUI) or “controlled unclassified information” (CUI). This certification will soon become a contract requirement on many U.S. Department of Defense contracts and will eventually apply to all U.S. Department of Defense contracts.

The DoD created the CMMC program to protect federal contract information (FCI) and controlled unclassified information (CUI) residing on contractor systems. The DoD hopes that by requiring and verifying that companies are in fact protecting their systems it can reduce the theft of intellectual property and sensitive information from the defense sector.

The cybersecurity maturity model certification requirement will be rolled out over the next seven years. It will already be applying to many companies in 2021. It estimated that over the next five years 129,810 companies will pursue the cybersecurity maturity model certification (CMMC).

By October 1, 2025, all entities receiving DoD contracts and orders, other than contracts or orders exclusively for commercially available off-the-shelf items or those valued at or below the micro-purchase threshold, will be required to have the CMMC Level identified in the solicitation, but which at minimum will be a CMMC Level 1 certification.

Companies that process “federal contract information” (FCI) or “controlled unclassified information” (CUI) will need to eventually earn a cybersecurity maturity model certification (CMMC).

The DoD is prescribing Cybersecurity Maturity Model Certification Requirements, for use in solicitations and contracts, including solicitations and contracts, excluding acquisitions exclusively for COTS items. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. As a result not all DoD contracts will have CMMC requirements.

A company can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.

In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level. CMMC assessments will be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs). Upon completion of a CMMC assessment, a company is awarded a certification by an independent CMMC Accreditation Body (AB) at the appropriate CMMC level (as described in the CMMC model). The certification level is documented in SPRS to enable the verification of an offeror's certification level and currency (i.e. not more than three years old) prior to contract award.

If you currently process, store, or transmit “federal contract information” (FCI) and or have FAR clause 52.204-21 in any of your current contracts you will likely have to earn a Level 1 Cybersecurity Maturity Model Certification (CMMC). To start preparing you should conduct a gap analysis of your current cybersecurity program against CMMC level 1 requirements. Then remediate any of the identified gaps.

If you currently process, store, or transmit “controlled unclassified information” (CUI) and or have DFARS clause 252.204-7012 in any of your current contracts you will likely have to earn a Level 3 Cybersecurity Maturity Model Certification (CMMC). To start preparing you should conduct a gap analysis of your current cybersecurity program against CMMC level 3 requirements. Then remediate any of the identified gaps.

The CMMC will encompass five cybersecurity maturity levels. They range from “Basic Cybersecurity Hygiene” (level 1) to “Advanced” (level 5). A contractor's required CMMC level will be specified in their contract.

CMMC Level 1: Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.

CMMC Level 2: Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.

CMMC Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.

CMMC Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.

CMMC Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.

The below estimates are from the U.S. Department of Defense:

DoD estimates that the cost for a small entity to support a CMMC Level 1 Assessment or recertification is $2,999.56.

DoD estimates that the cost for a small entity to support a CMMC Level 2 Assessment or recertification is $22,466.88.

DoD estimates that the cost for a small entity to support a CMMC Level 3 assessment or recertification is $51,095.60.

DoD estimates that the cost for a small entity to support a CMMC Level 4 Assessment or recertification is $70,065.04.

DoD estimates that the cost for a small entity to support a CMMC Level 5 Assessment or recertification is $110,090.80.

The duration of a CMMC certification is still under consideration. Katie Arrington (the head of the CMMC program) eluded that companies with a level 1 or 2 maturity requirement will be audited every three years. Level 3 companies every 2 years, and level 4 or 5 companies every year.

We developed a web application to help contractors meet their CMMC requirements. Through the app, we conduct a Gap Analysis of your current cybersecurity controls to determine where you stand in relation to your CMMC requirements. After conducting the gap analysis we create a project plan with specific tasks for meeting your CMMC requirements. You can then either choose to implement the tasks using your own IT team or have us do it for you.