With the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) has tried to simplify the cybersecurity requirements its prospective contractors must meet while keeping the required level of protection high. While this has made the process more straightforward, it also makes adopting the standard mandatory for contractors.
CMMC is a unified standard that draws its requirements from existing frameworks, chiefly NIST SP 800-171 and Federal Acquisition Regulation (FAR) clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). It is focused on protecting two categories of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The latest iteration, CMMC 2.0, announced on November 4, 2021, has three levels of compliance. Each level requires more practices and controls than the one below it. Most organizations will have to comply with either Level 1 or Level 2.
Any company, and any of its subcontractors, that bids on a DoD contract involving Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must be CMMC compliant. Contracts for commercial off-the-shelf (COTS) items are exempt from CMMC requirements.
You need the CMMC Level mandated in the contract information of the specific solicitation. The majority of contracts will require Level 1 or Level 2 compliance.
To learn more about the different CMMC Levels and assessment requirements, check our page on CMMC Compliance Levels in CMMC 2.0.
The assessment body depends on the CMMC Level you are applying for. Depending on the level, the assessment is either a self-assessment whose results are submitted to the Supplier Performance Risk System (SPRS), an assessment by a Certified Third-Party Assessor Organization (C3PAO), or an assessment led by DoD officials. Assessments performed by external assessors are valid for three years, whereas self-assessments must be repeated annually and accompanied by an annual affirmation from a senior company official that the company continues to meet the requirements.
The DoD started rolling out CMMC 1.02 requirements for a few pilot contracts at the beginning of 2021. However, because of the significant changes in the CMMC 2.0 iteration, the DoD suspended CMMC requirements for new contracts until the rulemaking process for CMMC 2.0 is completed. In April 2022, CMMC director Stacy Bostjanick announced that the Pentagon plans to publish the CMMC interim rule by May 2023, with the first requirements appearing in DoD contracts 60 days after the rule is published.
In the meantime, DFARS 252.204-7012 and 252.204-7019 remain in effect. They require each organization to have a NIST SP 800-171 assessment performed, to submit the resulting score to the SPRS, and to maintain a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). New DoD contracts may also set a minimum NIST SP 800-171 assessment score for the organization.
Although the CMMC requirements are still several months away, we strongly recommend that companies planning to bid on DoD contracts start preparing for their CMMC assessment now. Early adopters of CMMC will have a clear competitive advantage, especially because implementation takes several months and compliance is required at the time of contract award. The DoD is currently discussing incentives for companies that become compliant before CMMC is mandatory. Given the expected July 2023 date for CMMC contract requirements, we anticipate a rush, with the availability of C3PAOs becoming a bottleneck. In other words, it is time to get ready sooner rather than later.
Implementation of CMMC depends on these major factors:
For example, after a CMMC gap assessment it takes most organizations 6 to 12 months to achieve CMMC Level 2 compliance and be ready for the certification assessment. CMMC Level 1 compliance can usually be reached in a much shorter time frame. For an overview of the preparation and certification process, including time estimates, see CMMC Compliance Process and Timeline.
The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps: