CMMC/NIST Compliance Services

What is CMMC?

The Department of Defense (DoD) has tried to simplify the application requirements while maintaining high levels of cybersecurity for its potential contractors with the Cybersecurity Maturity Model Certification (CMMC). While this has made the application process more straightforward, it has also become a mandatory requirement for contractors to shift to this standard.

CMMC is a more unified standard that takes requirements from earlier compliance models such as NIST SP 800-171 and Federal Acquisition Requirements (FAR) document 52.204-21. This new standard is focused on protecting two sets of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The latest iteration, CMMC 2.0, which was announced on November 4th, 2021, features three levels of CMMC compliance. Each level requires more practices and controls than the previous one. Most organizations will have to comply with either Level 1 or Level 2.


Who needs to apply for CMMC?

Any company, together with its subcontractors, that bids on a DoD contract containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) needs to be CMMC compliant. Contracts for commercial off-the-shelf (COTS) products will be exempt from CMMC requirements.

Which Level of CMMC do we need?

You need the CMMC Level that is mandated in the contract. The majority of contracts will require Level 1 or Level 2 compliance.

As a general rule:

  • If your company will exclusively receive FCI under the contract, then you will need CMMC Level 1 implementation and certification.
  • However, if your organization will receive CUI in addition, then CMMC Level 2 will be required as a minimum.

To learn more about the different CMMC Levels and assessment requirements, check our page on CMMC Compliance Levels in CMMC 2.0.

CMMC Assessments

The assessment body depends on the CMMC Level you are applying for. Depending on the level, the assessment is performed as a verified self-assessment that must be submitted to the SPRS, by a Certified 3rd-Party Assessor Organization (C3PAO), or by DoD officials. Assessments done by external auditors are valid for three years, but self-assessments must take place annually and must be accompanied by an annual affirmation from a senior company official that the company is meeting requirements.

What is the deadline for complying with CMMC?

The DoD started rolling out CMMC 1.02 requirements for a few pilot contracts at the beginning of 2021. However, due to the significant changes in the latest CMMC 2.0 iteration, the DoD suspended any CMMC requirements for new contracts until the rulemaking process for CMMC 2.0 is completed. In April 2022, CMMC director Stacy Bostjanick announced that the Pentagon plans to publish the CMMC ‘interim rule’ by May 2023, with initial requirements showing up in DoD contracts 60 days after the rule publication.

In the meantime, DFARS 252.204-7012 and -7019 are still in effect and require each organization to have a NIST SP 800-171 Assessment performed, the resulting score submitted to the SPRS, and a System Security Plan (SSP) as well as a Plan of Actions & Milestones (PoA&M) document in place. New DoD contracts might have minimum requirements for the organization’s NIST SP 800-171 assessment score.

Although the CMMC compliance requirements are still several months away, we highly recommend that companies that plan to bid on DoD contracts start preparing for their CMMC assessment now. The early adopters of CMMC will have a clear competitive advantage, especially considering that implementation will take several months and compliance is required at the time of contract award. Currently, the DoD is discussing different incentives for companies that become compliant before CMMC is mandatory. Considering the upcoming July 2023 date for CMMC contract requirements, we expect a rush, with the availability of the C3PAOs becoming a bottleneck. In other words, it’s time to get ready sooner rather than later.

How long does it take to implement CMMC?

Implementation of CMMC depends on these major factors:

  • The level of certification you are required to comply with
  • The current state of your NIST SP 800-171 implementation
  • The size and scope of your system

For example, after a CMMC Gap Assessment, it will take most organizations 6-12 months to achieve CMMC Level 2 compliance and get ready for the certification assessment. CMMC Level 1 compliance can be accomplished in a much shorter time frame. For an overview of the preparation and certification process including some time estimates, see CMMC Compliance Process and Timeline.


How much does CMMC compliance cost?

The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:

  • CMMC Consulting and Assessment services by companies such as Kloud9 IT
  • CMMC implementation costs
  • CMMC Assessment by a CMMC Third-Party Assessor Organization (C3PAO) if you are required to do so (CMMC Level 2 and Level 3)