If your company works with the US Department of Defense (DoD) as a contractor or subcontractor, you will need to prepare to meet CMMC requirements in order to successfully bid on and win contracts.
This recent development has been a significant adjustment for small organisations that wish to start working, or continue working, with the DoD. With the Appendices of Version 2.0 of the Cybersecurity Maturity Model Certification (published December 2021) running to more than 50 pages, it is very easy for business owners to get lost in the sheer amount of documentation associated with CMMC.
In this guide, we are covering some of the key facts that you need to know in order to prepare your business to meet these new cybersecurity regulations.
What Is CMMC Compliance?
CMMC compliance is a new standard developed by the United States Department of Defense (DoD). There are 17 maturity levels in the CMMC standard, each with its own requirements. For companies or organisations interested in contracting with the federal government, CMMC compliance has become a necessity. The guidelines must be followed, and certification needs to be renewed every three years.
Failure to comply with CMMC could result in the contractor losing valuable DoD contracts, as well as leaving them vulnerable to cyberattacks. A subcontractor may only be required to meet CMMC requirements at a lower level if the work it performs is classified as less sensitive and does not involve CUI (Controlled Unclassified Information).
Who Needs To Attain CMMC Certification?
If your organisation or company is part of the Department of Defense's supply chain (or plans to be in the near future) as either a contractor or subcontractor, then you will require CMMC certification.
Responsibility to uphold CMMC requirements also extends to managed service providers (MSPs) and managed security service providers (MSSPs). Providers that misrepresent themselves or their solutions as "CMMC-as-a-Service" offerings are liable under the False Claims Act (FCA).
If your client is part of the DoD supply chain and you have access to their data, systems or network infrastructure, then you will be in scope for CMMC and will likely be required to provide evidence of due diligence and care.
Those further down the supply chain may not need to reach the same CMMC level as the prime contractor. The level they need to comply with will likely be determined by how information flows down from the prime contractor to the third party in question.
By October 1st, 2025, all DoD contracts that exceed the micro-purchase threshold of $10,000 will require CMMC certification. It is estimated that by 2025 there will be at least 48,000 CMMC-certified contractors partnered with the DoD.
Contracts exclusively for COTS (commercial off-the-shelf) items are currently exempt from CMMC requirements.
Specialists in this field nonetheless advise COTS suppliers to make sure they have level 1 CMMC controls in place. Resellers and distributors come into contact with contract data that could be classified as sensitive, so it would be a logical move for the DoD to include COTS contracts in future guidance.
What CMMC Level Do I Need To Meet?
In order to start implementing the requirements for CMMC compliance, you will need to find out which level of compliance your business needs to meet. This level is usually defined by the amount of contact you have with controlled unclassified information (CUI).
Examples of controlled unclassified information include but are not limited to the following:
- Time Compliant Technical Orders (TCTO)
- Program Protection Plans (PPP)
- Weekly Status Reports
- Software Source Code
- Shipping Locations
- Technical Orders
- Test Reports
If you are unsure whether the data your organisation currently handles falls within the remit of CUI or FCI (or any of the additional sensitive data types such as PII, CHD, ACPI, PHI, IP or FERPA), you will benefit from reviewing this unified scoping guide to define the data you store, transmit and process.
Once you have attained your CMMC certification, this documentation will be valid for three years.
CMMC compliance doesn't have to extend to every part of your organisation; it only has to cover the information systems and networks where CUI is stored, processed, transferred or created.
It has been suggested that the CMMC could be expanded into a standard that covers not only Defense Industrial Base (DIB) contracts but all government contractors.
How Do I Get CMMC Certification?
For organisations seeking certification (OSC), the CMMC Accreditation Body recommends planning at least six months in advance of when you need to produce your certification for DoD bids.
Whilst companies are unable to self-certify, they are encouraged to complete a self-assessment of how they are meeting CMMC requirements before scheduling a formal CMMC assessment with a certified third-party assessment organization (C3PAO).
Your C3PAO will be able to provide advice, schedule assessments, train individuals within your organisation, and subsequently review your evidence with the CMMC Accreditation Body (AB) Quality Auditors.
The CMMC Accreditation Body recently published a press release warning of a rise in unauthorised training providers offering services they are not qualified to deliver.
Contractors trying to demonstrate compliance should only undertake training with CMMC Licensed Training Providers (LTPs), who use authorized training content provided by Licensed Partner Publishers (LPPs).
If your C3PAO identifies gaps in your compliance, you will have 90 days to resolve them. If your company achieves compliance, the fact that you hold CMMC certification will be made public, but the specific details of your compliance, including any gaps previously identified, will remain private.
Initial Self Preparation For CMMC:
- Determine the compliance level you need to meet
- Determine the information you handle
- Determine the scope of your assessment
- Review the assessment guide and other supporting documentation
- Perform a gap assessment
Helpful video content on this topic: https://www.youtube.com/watch?v=uquTousSGCA
How Much Is CMMC Certification?
CISO Katie Arrington previously estimated that companies looking to meet level 1 CMMC certification should expect to pay between $3,000 and $5,000, with each higher level increasing this cost. Bear in mind that certification costs are still being decided, so this initial figure may increase significantly.
Whilst many companies are concerned that CMMC compliance is a cost they can't afford, companies that win contracts will have their CMMC compliance costs treated as an allowable expense by the DoD.
According to this statement, if you do not win your contract you may not be eligible to write off these costs. In that scenario, it is wise to look at centralising your system data affordably if you don't want to risk incurring high fees without a chance of reimbursement.
Logit.io can work alongside your cybersecurity team by providing a platform compatible with varying levels of CMMC compliance, offering a central repository for the collection of audit data and logs.
What Happens If My Company Is Found In Breach Of CMMC?
Beyond the immediate loss of government funding, a breach of CUI or other sensitive data has many additional consequences for companies found guilty of negligence.
These range from exclusion from bidding on future government contracts, to negative brand awareness resulting from the publication of a breach, through to government hearings and fines.
To avoid breaches, best practices need to be upheld beyond your cybersecurity department. All employees who come into contact with CUI need to be trained on how to handle this data in compliance with CMMC.
Companies may find it helpful to create a standard internal reference template that sets out sensitive media examples, CUI element types, categories and designation indicator specifics.
It is important to understand that CMMC compliance is not a standard that can be fully outsourced to any single third-party solution or consultant to solve on your behalf.
By taking the time to understand and resolve the risks that stop your organisation from being the best possible supply chain partner it can be to the DoD, you can confidently provide solutions and services that play their part in upholding US national security.
If you enjoyed this article on CMMC certification why not check out our article on what is CMMC?