Defense contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must strictly adhere to the security requirements spelled out in DoD’s Cybersecurity Maturity Model Certification (CMMC) program. FCI and CUI must be handled according to specific requirements outlined in the contract. Failure to do so can disqualify contractors from defense-related work.

This blog explains the basic requirements of CMMC, latest timeline, projected costs of compliance, and tips on how to get started on CMMC compliance.

Quick guide to Get Started with CMMC

The CMMC program is designed to raise cybersecurity levels throughout the Defense Industrial Base (DIB) by better protecting FCI and CUI.

Importantly, CMMC doesn’t change existing cybersecurity requirements for protecting FCI and CUI; rather, it steps up enforcement of security requirements already in effect. Until now, organizations have been permitted to self-assess their compliance with DoD security requirements, but under CMMC the vast majority of defense contractors will need to pass independent third-party assessments. Those will be conducted by CMMC Third Party Assessment Organizations (C3PAOs) that are trained and certified by the Cyber AB, CMMC’s official accreditation body.

Who needs CMMC Certification

If your organization handles FCI or CUI, then you’ll need to achieve CMMC certification at one of the three CMMC levels specified in your contract. So even if your organization is far down the DIB supply chain, you are still subject to CMMC requirements. That’s because cyber criminals know that large, prime defense contractors are well protected, and so they save themselves time and effort by going after their subcontractors. Raising cybersecurity levels throughout the entire supply chain is one of DoD’s key goals for the CMMC program.

CMMC Compliance Requirements For Level 1, Level 2 and Level 3

CMMC has three compliance levels, based on the type of information your defense organization is working with.

To be eligible to work on defense contracts as Prime or Subcontractor, your organization will need to comply with the security controls required at its CMMC level, and undergo assessments as shown in the figure below.

CMMC security and assessment requirements—based on information being handled

CMMC security assessment requirements

Source: DoD Chief Information Officer website

  • Level 1 is for organizations working with FCI only and requires compliance with the basic safeguarding requirements and procedures specified in FAR 52.204-21. These organizations will be required to perform annual self-assessments. 
  • Level 2 is for organizations working with CUI and requires compliance with the 110 security controls specified in NIST 800-171.95% of defense contractors handling CUI will be required to undergo 3rd-party assessments every three years. These 3rd-party assessments will need to be conducted by accredited C3PAOs, who will assess organizations’ compliance with the 110 NIST 800-171 security controls.
  • Level 3 is for organizations working with CUI and subject to Advanced Persistent Threats (APTs) and requires compliance with NIST 800-172. These defense contractors—who by definition are working on the most critical defense programs—will be required to undergo triennial assessments conducted by teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s ultimate authority on compliance.

On 9/13/2024, the CMMC Final Rule (CFR 32) was released from OIRA, meaning no more changes can be made. Multiple industry experts including the CEO of the CyberAB, Matt Travis, expect CMMC to be published in Oct 2024, become effective in Dec 2024, and enter contracts by early 2025. See our CMMC timeline blog for more details.

It is important to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.

As Matt Travis, CEO of the Cyber-AB, the CMMC accreditation body, said during PreVeil’s CMMC Summit:

If you’re one of those companies…hoping that the protracted CMMC rulemaking will save you, you’re misguided and that’s a reckless way to run your business.

Costs associated with CMMC Level 2 certification will vary widely across organizations. Variables include current cybersecurity maturity level, scope of CUI enclave, number of employees that handle CUI, how much preparation organizations can do on their own for their C3PAO assessment, and how much outside expertise will be needed to achieve CMMC Level 2 certification.

On average, the Department of Defense estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, plus the cost of any technology needed to comply, as shown in the table below.

DoD CMMC Level 2 Certification and Cost Estimates for small defense contractors (with < 500 employees or revenue < $7.5 million)

Source: Proposed Rule: Cybersecurity Maturity Model Certification Program

These cost estimates include time spent by both in-house IT specialists and External Service Providers —such as Registered Practitioners (RPs) and C3PAOs—that can help organizations achieve CMMC Level 2.

It’s important to note that these cost estimates start at the C3PAO assessment phase and do not include any costs prior to that point. That’s because defense contractors have been required to comply with NIST 800-171—which CMMC Level 2 requirements mirror—since 2017. Therefore, DoD doesn’t consider NIST 800-171 compliance technologies or documentation a new expense.

The good news is that technology solutions are available that reduce the time and costs to achieve NIST 800-171 and CMMC compliance. PreVeil’s blog, 6 Ways to Save Money on CMMC, will help you better understand the costs involved, and provides ways to save money on each step of the process.

If you’re just starting your CMMC Level 2 compliance journey, you should focus on meeting the 110 controls in NIST 800-171. PreVeil offers a three-step roadmap to NIST 800-171 compliance and CMMC Level 2 certification.

You’ll need to choose an email and file sharing platform that complies with DFARS 7012. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support DFARS 7012 and CMMC; Ask for documented evidence and ask for customers who have undergone successful assessments.

Multiple PreVeil customers have achieved perfect 110 NIST 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete. Moreover, PreVeil can be deployed in hours, uses your existing email addresses, and is easy for your team to use.

Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming, and costly task. PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates and more.

It’s understandable that many organizations lack the internal security expertise to conduct their NIST 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money. To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants—all with expert knowledge of DFARS, NIST, CMMC and PreVeil.

Now is the time to get started on CMMC compliance. Informed estimates from C3PAOs who have done this work are that it takes typical small to midsize organizations around 12 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.

PreVeil is trusted by more than 1,200 small and midsize defense contractors. Learn more about how PreVeil can help you achieve CMMC Level 2 certification faster and more affordably: