The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is an assessment standard designed to ensure that defense contractors are in compliance with current security requirements for protecting sensitive defense information. The program is expected to go into effect in late 2023, at which point, CMMC will begin showing up in contracts. Whether organizations handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), they will need to achieve CMMC compliance.
CMMC Compliance is defined by 3 main objectives:
- Protect sensitive defense information from cyber attacks and nation state actors
- Create a unifying cybersecurity standard for defense contractors
- Ensure accountability for defense companies that are responsible for protecting government data
This blog will introduce CMMC, explain its key components, and describe how defense contractors can meet its standards.
- What is CMMC?
- What are the CMMC Certification Levels?
- Who needs CMMC Certification?
- How CMMC differs from NIST 800-171
- CMMC Timeline – When will it be in contracts?
- Cost of CMMC Compliance
- How to Get Started with CMMC Compliance
What is CMMC?
CMMC is the DoD’s definitive program to standardize cybersecurity practices for protecting Controlled Unclassified Information (CUI) throughout the defense industrial base (DIB). It will substantiate many of the existing cybersecurity regulations, which have so far been met with spotty compliance. Depending on the sensitivity of the information a contractor handles, it will have to meet one of the 3 CMMC levels.
CMMC was designed to strengthen and unify standards for the implementation of cybersecurity controls throughout the DIB. DoD expects that mandating CMMC will quicken the pace at which defense contractors improve their cybersecurity.
CMMC focuses on protection of both Federal Contract Information (FCI) and CUI. FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies.
DoD released CMMC 2.0, a much-streamlined version of its original CMMC framework, in November 2021. The revised program reflects key DoD goals: first, to reduce costs, particularly for small to mid-size businesses (SMBs), and second, to clarify and align cybersecurity requirements with other federal requirements.
The CMMC compliance levels
CMMC 2.0 lowers the number of CMMC levels from five to three. It does this by cutting the old levels 2 and 4, which were originally developed as transition levels. The new CMMC 2.0 levels are based on the type of information DIB companies handle:
- Level 1 (Foundational) only applies to companies that focus on the protection of Federal Contract Information (FCI). It will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information. These controls look to protect covered contractor information systems and limit access to authorized users. See table below.
- Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3 and will mirror NIST SP 800-171. All practices and maturity processes that were unique to CMMC in CMMC 1.0 will be eliminated. Instead, Level 2 aligns with the 14 control families (listed below) and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect CUI.
- Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls, making for a total of 130 controls. These 130 controls will align with the same 14 control families in NIST 800-171, with the 20 additional controls coming from NIST 800-172.
[Table: the 6 FAR 52.204-21 families and the 14 NIST 800-171 families]
Who needs CMMC certification?
By 2026, most defense contractors conducting work for the DoD – other than those supplying only Commercial Off The Shelf (COTS) items – will need to achieve CMMC certification. The level of certification you need will depend on the requirements spelled out in your contract.
Companies that have FAR 52.204-21 (a subset of the DFARS requirements) in their contract and handle only FCI will need to achieve CMMC Level 1. This will not require third-party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in the FAR clause.
Companies that have a DFARS 7021 clause in their contract and handle CUI will need to achieve CMMC Level 2. This requires passing a third-party assessment every three years. The DoD has rolled back earlier statements that it would bifurcate Level 2 requirements and allow for limited self-attestation. Instead, all organizations seeking Level 2 will need to self-assess every year and undergo a formal assessment by an accredited C3PAO or certified CMMC Assessor once every 3 years.
Companies handling the most sensitive information will need to achieve CMMC Level 3 (Expert) compliance. These companies will have a DFARS 7021 clause in their contract. To achieve Level 3, they will need to meet the security requirements specified in NIST SP 800-171 plus a subset of the requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking Level 3 compliance will be assessed. However, those companies will require a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit to achieve compliance.
How does CMMC Differ from NIST 800-171?
CMMC and NIST 800-171 share the exact same 14 control families and 110 controls. As Stacy Bostjanick (DoD Chief of DIB Cybersecurity) stated in a recent PreVeil webinar, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”
NIST 800-171 has applied to all organizations handling CUI since 2017, so organizations should already have a good grasp of cybersecurity requirements under CMMC.
While CMMC doesn’t change cybersecurity requirements for organizations handling sensitive information, it steps up enforcement of those requirements. Companies were previously allowed to self-assess their compliance with NIST 800-171, but under CMMC they will be subject to third party assessments.
Assessment by C3PAOs will ensure that compliance scores are objective. Companies that are unable to meet all controls at the time of assessment may be granted strictly time-limited POAMs; however, these will be granted selectively and cannot be applied to the more challenging controls. All POAMs will also need to be closed out within a 180-day deadline. They are thus a tool to improve CMMC accessibility, not a CMMC solution in themselves.
CMMC Timeline – When will CMMC be in contracts?
CMMC’s timeline will move fast.
Any organization that works with the DoD and handles CUI has a contractual obligation to implement NIST 800-171’s 110 controls today, and that obligation dates all the way back to 2017. That means there won’t be a lot of extra time built in for companies to get up to code, and assessors won’t be forgiving. The CMMC interim rule is expected to go into effect in late 2023. CMMC will go into contracts 60 days later.
To protect your enterprise’s ability to remain in business with the DoD, you must move to meet NIST 800-171 controls swiftly.
Cost of CMMC compliance
CMMC costs depend on a number of factors, broken down below:
While the size of the organization seeking compliance can have a significant impact on overall project costs, the actual number of employees accessing CUI is the more significant driver in determining the overall cost of CMMC compliance. As such, organizations should limit the number of employees and technologies touching CUI in order to best manage the compliance boundary and cost.
If you’re starting from scratch, your compliance journey will likely cost more, and take longer, than for a company that is already further along. Things to consider include the overall maturity of your documentation, the state of your technology implementation, and which processes and procedures are already documented and in use.
Achieving CMMC compliance will require a combination of policy and technology. The more technologies your organization has to implement, though, the greater your costs. Some of the more expensive technologies include SIEM, vulnerability scanning tools and FIPS 140-2 validated technology tools.
For most organizations, consulting costs will make up the bulk of their budget. This includes policy, procedure and documentation creation, and gap analysis. Current industry figures put consulting costs for an SMB at between $5,000 and $25,000.
The industry standard for technology solutions, including managed services, is between $1,000 and $2,500 per month.
Your CUI technology solution will make up the rest of your budget. These solutions typically cost between $30-$80 per user per month.
*Note: The cost figures presented here are industry averages. Depending on your organization’s maturity, your costs may vary.
How to get started with CMMC compliance
If you’re just starting your CMMC compliance journey, you should prepare to meet the 110 controls in NIST 800-171. Don’t procrastinate; preparation to meet these controls can take up to 18 months.
One of the best next steps you can take is to contact PreVeil, since our solution supports over 90% of CMMC security controls. Our solution has 3 parts:
- Our PreVeil Drive and Email platform is end-to-end encrypted to protect CUI.
- From there you can use PreVeil’s compliance documentation package to save time, effort, and money in gathering the documentation needed to prove compliance.
- Finally, PreVeil’s Preferred Partner Network of Managed Service Providers (MSPs), consultants, and Cyber AB-certified individuals and organizations can further help you along your compliance journey. Coordinated access to this specialized partner community and PreVeil’s ongoing support will smooth your path to CMMC, NIST 800-171, DFARS 252.204-7012 and ITAR 120.54 compliance.
If you’re a defense contractor, or plan to seek DoD contracts that may include CUI, the time to get started with your NIST compliance path is now.
To learn more about how PreVeil’s state-of-the-art platforms can help your organization, please contact us at preveil.com/contact.