The Cybersecurity Maturity Model Certification (CMMC) program establishes assessment mechanisms to verify defense contractors’ compliance with Department of Defense security requirements for the protection of sensitive information. Those security requirements are already in effect, but self-assessment has been permitted until now and so compliance has been weak.
 
Under CMMC, any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need to achieve one of the three possible CMMC levels, as specified in its contract, to be eligible to do defense-related work. Organizations that handle FCI only will need to achieve Level 1; organizations that handle CUI will need to achieve at least CMMC Level 2. Level 2’s security requirements mirror the 110 security controls of NIST 800-171. Level 3 is for organizations working with CUI and subject to Advanced Persistent Threats (APTs), and requires the more advanced security controls of NIST 800-172.
 
CMMC rulemaking took a huge leap forward with publication of the CMMC Proposed Rule in the Federal Register in late 2023. The rulemaking process is expected to be finalized by late 2024, at which point CMMC requirements will start to appear in defense contracts.


This blog explains the basics you need to know about CMMC, shares the latest information about CMMC’s rollout and projected costs of compliance, and offers tips on how to get started on CMMC compliance.

What is CMMC

The CMMC program is designed to raise cybersecurity levels throughout the Defense Industrial Base (DIB) by better protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies.
Importantly, CMMC doesn’t change existing cybersecurity requirements for protecting FCI and CUI; rather, it steps up enforcement of security requirements already in effect. Until now, organizations have been permitted to self-assess their compliance with DoD security requirements, but under CMMC the vast majority of defense contractors will need to pass independent third-party assessments. Those will be conducted by CMMC Third Party Assessment Organizations (aka C3PAOs) that are trained and certified by the Cyber AB, CMMC’s official accreditation body.

The CMMC compliance levels

CMMC has three compliance levels, based on the type of information DIB organizations are working with:

  • Level 1 is for organizations working with FCI only and requires compliance with the basic safeguarding requirements and procedures specified in FAR 52.204-21.
  • Level 2 is for organizations working with CUI and requires compliance with the 110 security controls specified in NIST 800-171.
  • Level 3 is for organizations working with CUI and subject to Advanced Persistent Threats (APTs) and requires compliance with NIST 800-172.

Who needs CMMC certification?

If your organization handles FCI or CUI, then you’ll need to achieve CMMC certification at the level specified in your contract. Note that DFARS 7020 requires prime contractors to flow down security requirements to their subcontractors, including CMMC mandates. That means that even organizations far down the DIB supply chain are still subject to CMMC requirements. That’s because cybercriminals know that large, prime defense contractors are well protected, and so typically save themselves time and effort by going after their subcontractors. Raising cybersecurity levels throughout the entire supply chain is one of DoD’s key goals for the CMMC program.

CMMC Compliance Requirements

To be eligible to work on defense contracts, your organization will need to comply with the security controls required at its CMMC level, and undergo assessments as shown in the figure below.

[Figure: CMMC security and assessment requirements, based on the information being handled. Source: DoD Chief Information Officer website]

At Level 1, defense contractors handling FCI will be required to perform annual self-assessments. At Level 2, just 5% of contractors will be permitted to perform annual self-assessments. This subset includes contractors that, while handling CUI, are working on projects that do not involve sensitive national security information, i.e., non-prioritized acquisitions.
 
The overwhelming majority—over 95%—of Level 2 defense contractors handling CUI will be required to undergo third-party assessments once every three years. Those will need to be conducted by accredited C3PAOs, who will assess organizations’ compliance with the 110 NIST 800-171 security controls.
 
All Level 3 contractors—who by definition are working on the most critical defense programs—will be required to undergo triennial assessments conducted by teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s ultimate authority on compliance.

How does CMMC Differ from NIST 800-171?

CMMC Level 2 security controls exactly mirror the 110 NIST 800-171 security controls. Any organization that handles CUI has a DFARS 7012 clause in its contract that requires compliance with NIST 800-171. That’s been the case since 2017, so organizations should already be well on their way toward meeting CMMC Level 2 security controls.
 
The key difference is that to achieve CMMC Level 2, self-assessment of compliance with NIST 800-171 will no longer be permitted. Stacy Bostjanick (DoD Chief of DIB Cybersecurity) put it this way in a recent PreVeil webinar:

“CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

Organizations that don’t meet all 110 NIST 800-171 controls but score at least 88 (out of 110) on their initial C3PAO assessment will be permitted to create Plans of Action & Milestones (POA&Ms) indicating how and when the unmet controls will be met. Additionally, under CMMC—unlike with NIST 800-171—POA&Ms will be time-bound: to achieve CMMC Level 2 certification, organizations will need to address all the deficiencies outlined in their POA&M within 180 days.

Definition: POA&M

POA&M stands for Plan of Action and Milestones. A POA&M is a plan that indicates the specific measures that a DIB company will take to correct deficiencies found during a security control assessment. The POA&M should identify which tasks need to be done as well as the resources required to make the plan work.

Organizations that fail to achieve at least an 88 on their initial C3PAO assessment will need to spend more time closing the security gaps revealed by their unmet controls, and then start the C3PAO assessment process over.

CMMC Timeline – When will CMMC be in contracts?

The CMMC Proposed Rule was published in the Federal Register in late December 2023. That triggered a public comment period that ended in late February 2024—and the submission of nearly 800 comments. The DoD is currently adjudicating and working on responses to those comments, a process that could take 6-12 months, as shown below:

When the DoD finishes its adjudication process, the CMMC program will be codified in DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements. That will kick off Phase 1 of the CMMC rollout, which will occur in four phases over three-plus years.
 
It is important for contractors to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.
 
As Matt Travis, CEO of the Cyber AB, the CMMC accreditation body, said during PreVeil’s 2023 CMMC Summit: “If you’re one of those companies…hoping that the protracted [CMMC] rulemaking will save you, you’re misguided and that’s a reckless way to run your business.”

Cost of CMMC compliance

Costs associated with CMMC Level 2 certification will vary widely across organizations. Variables include current cybersecurity maturity level, scope of CUI enclave, number of employees that handle CUI, how much preparation organizations can do on their own for their C3PAO assessment, and how much outside expertise will be needed to achieve CMMC Level 2 certification.
 
On average, the Department of Defense estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, plus the cost of any technology needed to comply, as shown in the table below.

[Table: DoD CMMC Level 2 Certification and Cost Estimates for small defense contractors (with < 500 employees or revenue < $7.5 million). Source: Proposed Rule: Cybersecurity Maturity Model Certification Program]

These cost estimates include time spent by both in-house IT specialists and External Service Providers (ESPs)—such as Registered Practitioners (RPs), Certified CMMC Assessors (CCAs), and C3PAOs—that can help organizations achieve CMMC Level 2.
 
It’s important to note that these cost estimates start at the C3PAO assessment phase and do not include any costs prior to that point. That’s because defense contractors have been required to comply with NIST 800-171—which CMMC Level 2 requirements mirror—since 2017. Therefore, DoD doesn’t consider NIST 800-171 compliance technologies or documentation a new expense.
 
The good news is that technology solutions that reduce the time and costs to achieve NIST 800-171 compliance and CMMC Level 2 certification are available. PreVeil’s blog, 6 Ways to Save Money on CMMC Certification Costs, will help you better understand the costs involved, and provides tips on how to save money on each step of the CMMC certification process.

How to get started with CMMC compliance

If you’re just starting your CMMC Level 2 compliance journey, you should focus on meeting the 110 controls in NIST 800-171. PreVeil offers a three-step roadmap to NIST 800-171 compliance and CMMC Level 2 certification.

  1. Adopt a platform that securely stores, processes and transmits CUI.
    File sharing and email are how CUI is most frequently transmitted. You’ll need to assess platforms and choose one that enables compliance with NIST 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST 800-171 standards. Ask for documented evidence.
     
    PreVeil customers have achieved perfect 110 out of 110 NIST 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete. Moreover, PreVeil can be deployed in hours, uses your existing email addresses, and is easy for your team to use.
  2. Use prepared documentation to show compliance and save time and money.
    Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming, and costly task.
     
    PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for when you kick off your C3PAO Level 2 assessment).
  3. Identify certified consultants that are familiar with your technology.
    It’s understandable that many organizations lack the internal security expertise to conduct their NIST 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.
     
    To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants and organizations—all with expert knowledge of DFARS, NIST, CMMC and PreVeil.

Now is the time to get started on CMMC compliance. Informed estimates from C3PAOs who have done this work are that it takes typical small to midsize organizations anywhere from 12-18 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.
 

To learn more

PreVeil is trusted by more than 1,000 small and midsize defense contractors. Learn more about how PreVeil can help you achieve CMMC Level 2 certification faster and more affordably:

  • Get a custom quote for your organization
  • Sign up here for a free 15-minute consultation with our compliance team
  • Check out Achieving CMMC Compliance: A guide for small and midsize defense contractors, which has been downloaded by more than 4,000 defense contractors