CMMC Compliance – A Quick Overview

What Is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework and accompanying certification by the US Department of Defense (DoD). The goal of the new CMMC compliance requirement is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

This new umbrella standard includes requirements from NIST 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond. There are five levels of CMMC certification. Each level requires more practices and controls than the previous. Most organizations will have to comply with either Level 1 or Level 3. The certification is valid for three years.

Starting this year, contracts offered by the DoD might specify a level of the CMMC required to be awarded the contract. By the end of 2025 all contracts will require a CMMC certification. Unlike the current NIST 800-171 requirements, no self-assessment will be accepted. Instead, the certification audit will be performed by Certified 3rd Party Assessor Organizations (C3PAO).

Who Needs CMMC Certification?

Only contracts for Commercial off-the-shelf (COTS) products will be exempt from CMMC compliance requirements.

Any company and its subcontractors that bid on a DoD contract that contains Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to be CMMC compliant.

Which Level of CMMC Will We Need?

The CMMC level mandated will be stated in the contract information. The majority of contracts will require a Level 1 or Level 3 certification.

As a general rule:

  • If your company will receive exclusively FCI under the contract, then you will need CMMC Level 1 implementation and certification.
  • However, if your organization will also receive CUI, then CMMC Level 3 will be required as a minimum.

When Will This Be Required?

The DoD started rolling out CMMC compliance requirements for new contracts at the beginning of 2021. The expectation is that by the end of 2025 every active contract will have a CMMC level requirement in place. Approximately 15 prime contractors and 1500 sub-contractors will have CMMC requirements in 2021. Some of our partners fall into this category.

Although not every contract will require CMMC compliance right away, we highly recommend that companies who plan to bid on DoD contracts start preparations for their CMMC certification now. The early adopters of CMMC will have a clear competitive advantage – especially considering that implementation and certification will take several months and certification is required at the time of contract award. The sooner your organization meets CMMC compliance, the less competition it will face when bidding on new DoD contracts that require CMMC.

How Long Does It Take to Implement CMMC?

The implementation timeframe depends on these main factors:

  • The level of certification you are required to comply with
  • The current state of your NIST 800-171 implementation
  • The size and scope of your system

For example, after an initial Gap Analysis, we expect a CMMC Level 3 implementation to take approximately 6-12 months. CMMC Level 1 compliance can be accomplished in a much shorter time-frame. For an overview of the preparation and certification process including some time estimates see CMMC Certification Process and Timeline.

What Is the CMMC Cost?

The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:

  • Support by companies like Kloud9 for help with implementation
  • CMMC Assessment by a CMMC Third-Party Assessor Organization (C3PAO)
  • CMMC certificate awarded by the CMMC Advisory Board (CMMC-AB), which is a fixed cost based on certification level

The DoD stated that CMMC related costs will be considered an allowable cost, but the details remain unclear.

We advise companies wishing to work with the DoD in the future to expect some ongoing expenses in addition to the initial cost of certification.

How We Are Prepared To Help You

Kloud9 has been receiving CMMC Registered Professional training from the CMMC Accreditation Body to be among the first companies qualified to help you become CMMC compliant. Due to our status as a CMMC Registered Provider Organization™ (CMMC-RPO), Kloud9 specializes in services designed to take you from your current status to full CMMC compliance in the most efficient way. We do not conduct the final Certification Assessments.

Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from several weeks to a few months. Starting now will save you valuable time and will get you ahead of the competition.

We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:

  1. CMMC Gap Analysis / CMMC Gap Assessment
    See where your organization stands and what it takes to achieve compliance
  2. CMMC Implementation Help
    Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
  3. Pre-Assessment Readiness Review
    Think of it as a mock audit. We will verify that everything is in place and can be proven to an auditor. If we find issues, we will help you fix them. Once we are confident that you are ready for the CMMC Assessment, we will recommend scheduling the actual audit.
  4. CMMC Assessment Support
    We help you prepare for the certification audit and gather and organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.