CMMC Compliance Guide

          Understanding the Cybersecurity Maturity Model Certification (CMMC 2.0) for Defense Contractors


          On October 15th, 2024, the CMMC Final Rule was published. We know this is a stressful time for many government contractors. We've provided a wealth of knowledge below, but if you need to speak with an expert now to get answers, fill out this form and we'll get in touch with you within 1-2 business days.

          Key Takeaways:

          • CMMC is the Department of Defense's method for ensuring that contractors have implemented adequate cybersecurity measures to protect sensitive data.
          • The CMMC Program Rule was published on October 15, 2024.
          • CMMC assessments will start in Q1 2025.
          • The phased rollout of CMMC in contracts will begin in Q3 2025.
          • Prime contractors will likely expect subs to be CMMC compliant well before the phased rollout period.
          • There are 3 levels of CMMC depending on the types of data you handle as a part of your DoD contracts.
          • For Level 2, which is the most common, it takes an average of 6-18 months to prepare for a CMMC assessment.
          • The CMMC rule is built on the assumption that contractors have already implemented NIST SP 800-171.
          • If you're in a time crunch, you can do a CMMC Enclave to ensure that your business doesn't lose contracts while you gradually move your company all-in over time.

          Watch the CMMC Final Rule Webinar On-Demand

          In this webinar, Jacob and Scott dedicate their efforts to distilling all the complexities and detailed nuances of 32 CFR CMMC.

          Their goal is to offer a thorough understanding of 32 CFR CMMC, making sure you are in the know.

          You'll gain:

          • Key highlights of the CMMC final rule
          • Clarity on what happens next
          • When CMMC will show up in contracts
          • The state of the CMMC ecosystem post-rule




          What Is CMMC?


          CMMC, which stands for Cybersecurity Maturity Model Certification, is the DoD's method for assessing the ability of organizations in the DoD supply chain to protect sensitive data such as FCI, CUI, and/or ITAR. There are three levels of CMMC. We will cover each of these in-depth in the How to Become CMMC Compliant section of this guide.

          Many Americans are unaware, but the United States is currently in a Cyber War. And we're losing.

          Every day, foreign adversaries attempt to steal information about the advanced technologies that drive our industrial and defensive dominance.

          The primary target is the U.S. Department of Defense (DoD) and its associated supply chain, known as the Defense Industrial Base (DIB).

          The magnitude of the problem is daunting:

          • By engaging in Intellectual Property theft, China now leads in 37 out of 44 critical technologies, including areas like Optics, Advanced RF, and Cybersecurity.
          • Former NSA Director General Keith Alexander has referred to this cybersecurity crisis and Intellectual Property theft as "the largest transfer of wealth in human history."

          Safeguarding sensitive data and Intellectual Property has never been more crucial for DoD contractors in the Defense Industrial Base. The CMMC program is the DoD's attempt at solving this problem.

          CMMC Program Explained

          CMMC (Cybersecurity Maturity Model Certification) is a framework created by the Department of Defense (DoD) to ensure contractors and companies handling sensitive government information, like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), meet strict cybersecurity standards.

          The CMMC certification process includes assessing a company’s cybersecurity practices, calculating a score, and submitting that score to the government’s Supplier Performance Risk System (SPRS). This helps the DoD verify that contractors are compliant and secure enough to handle important information.

          CMMC was introduced in 2020, building on existing DoD cybersecurity requirements that had been in place since 2016. The first iteration of CMMC (CMMC 1.0) was released in September 2020 and made effective on November 30, 2020.

          Prior to CMMC, contractors were expected to follow the security standards outlined in NIST SP 800-171, but compliance was largely self-reported. The introduction of CMMC formalized the process by creating certification levels and a requirement for assessments to ensure compliance.

          Over time, the framework has gone through revisions, leading to CMMC 2.0, which simplifies and streamlines the process while maintaining strong security requirements.

          In November 2021, CMMC 2.0 was announced as a response to the review of CMMC 1.0.


          CMMC 2.0 Levels

          CMMC 2.0 includes three certification levels based on the type of information a company handles and the level of cybersecurity required:

          1. Level 1: Foundational
            This level focuses on basic cyber hygiene and is intended for companies handling Federal Contract Information (FCI). It requires 17 security practices and an annual self-assessment.

          2. Level 2: Advanced
            Designed for companies that handle Controlled Unclassified Information (CUI), Level 2 includes 110 security practices based on NIST SP 800-171. Companies must conduct either self-assessments or third-party assessments, depending on the contract requirements.

          3. Level 3: Expert
            This is the highest level and is for companies managing the most sensitive data. It includes advanced cybersecurity practices based on NIST SP 800-172 and requires government-led assessments.

          Who does CMMC apply to?

          CMMC directly impacts organizations supporting the Department of Defense or higher education research institutions handling:

          • Federal Contract Information (FCI)
          • Controlled Unclassified Information (CUI)
          • Covered Defense Information (CDI)
          • Controlled Technical Information (CTI)
          • ITAR/export-controlled data

          According to the DoD, over 200,000 aerospace and defense suppliers are expected to meet CMMC compliance. Of those 200,000, DoD estimates that over 80,000 will need a CMMC Level 2 certification.

          Why should I become CMMC compliant?

          CMMC compliance is required if you plan to do business with the Department of Defense.

          Aside from that, there are also other advantages. Here are some key benefits of CMMC:

          CMMC enhances your cybersecurity and protects the American dream.

          By adhering to the framework's controls and practices, businesses significantly reduce their vulnerability to cyber threats and attacks. When American businesses are more secure in the handling of sensitive government information, our country is more secure from enemy attacks.

          CMMC creates business opportunities and a competitive edge.

          CMMC compliance opens the door to lucrative DoD contracts. As the government prioritizes cybersecurity, businesses that meet these stringent requirements are more likely to secure contracts and partnerships.

          With CMMC as a contractual requirement for DoD contracts, companies that attain certification gain a competitive edge in the Defense Industrial Base. Being able to demonstrate a commitment to robust cybersecurity practices can set them apart from non-compliant competitors. 

          CMMC creates long-term viability and supply chain resilience.

          As cybersecurity threats continue to evolve, compliance with CMMC ensures that businesses are better equipped to adapt to new challenges. The CMMC framework promotes an ongoing commitment to security, which is crucial in an ever-changing digital landscape.

          Also, by ensuring that suppliers and partners meet the necessary cybersecurity standards, the entire ecosystem becomes more secure.

          Safeguarding sensitive data and Intellectual Property has never been more crucial for DoD contractors in the Defense Industrial Base.

          Section 2:

          When Will CMMC 2.0 Appear In Contracts?


          Here's what you need to know about when CMMC will be in contracts: 

          • The CMMC Program Rule was published on October 15, 2024.
          • It takes an average of 6-18 months to prepare for a CMMC Level 2 assessment.
          • CMMC assessments will be available in Q1 2025.
          • The phased rollout of CMMC as a contractual requirement will begin around Q3 of 2025.
          • Remember: CMMC checks compliance with DFARS 7012 and other requirements in NIST SP 800-171 that are already in contracts for DoD contractors handling sensitive information (i.e., the government assumes these requirements are already met).


          For detailed information on the CMMC compliance deadline, refer to our post here.

          Why not just wait until CMMC phased rollouts begin in 2025?

          There are a few reasons to not wait until phased rollouts in contracts begin.

          Reason #1 to not wait: Primes will expect it sooner.

          Prime contractors' certification requirements flow down to their subcontractors. Primes will be asking their subs to become CMMC certified as soon as possible to keep their competitive edge.

          Here's the question Prime contractors are likely asking themselves:

          "Who's more proactively secure and which organization creates less supply chain risk?"

          Reason #2 to not wait: The longer you wait, the more of your competitive edge you lose.

          According to the CMMC rule, organizations "may elect to complete a self-assessment or pursue a certification assessment at any time after issuance of the rule, in an effort to distinguish themselves as competitive for efforts that require an ability to adequately protect CUI." CMMC compliance will be a significant competitive edge when it comes to bidding on new contracts.

          That means your competition will be picking the earliest possible moment to become compliant (Q1 of 2025), trying to edge you out.

          Reason #3 to not wait: Waiting puts you further back in the assessment queue.

          Lastly, there are more organizations that need CMMC certification than there are CMMC assessors, causing a bottleneck effect. If you wait until the DoD phased rollout starts in 2025, you will already be behind because of the inevitable backlog.

          With these factors in mind, most organizations are looking to Q1 of 2025 to be assessment ready. 

          Most organizations underestimate how long becoming assessment-ready will take.

          The average time it takes to implement NIST SP 800-171 (6-18 months for a 50-500 person company starting from an average compliance posture) extends beyond the estimated final rule publish date. 

          So, if you want a shot at staying competitive, your best chance is to start NIST SP 800-171 implementation today.

          If you wait, you will be behind your competition.

          Section 3:

          What You Should Know About the Published CMMC 2.0 Rule

          If you're wondering what the key takeaways are from the published CMMC rule, here's what you should know:

          The first 150 pages of the rule are basically a summary of "how we got here" and "what to expect". 

          The crucial details fall in the last 70 pages. This is where you find out all the specifics around what is required for each CMMC level.

          • Level 1 is for Federal Contract Information (FCI) 
          • Level 2 is for Controlled Unclassified Information (CUI). CUI is an umbrella term that includes common data types such as Controlled Technical Information (CTI), and ITAR data.  
          • Level 3 is for Critical CUI

          Since most organizations seeking compliance will be at CMMC Level 2 (roughly 80,000 companies, over a third of the Defense Industrial Base, according to the DoD) we'll focus on takeaways for Level 2.

          Key takeaways for CMMC Level 2 include: 

          • CMMC assesses NIST SP 800-171 Revision 2, not Revision 3.
          • All 320 Assessment Objectives in NIST SP 800-171A must be met. 
          • Once third-party assessments become available, you must self-attest to 100% implementation before you can be assessed by a Certified 3rd Party Assessment Organization (C3PAO).
          • In order for you to receive a CMMC certification through a C3PAO, the C3PAO will attest that you have fully implemented all 320 assessment objectives.
          • Every year a senior company official must re-affirm that all 320 assessment objectives are still being met.
          • Every 3 years a C3PAO must re-certify the organization.
          • CMMC is incredibly thorough in assessing NIST SP 800-171 implementation. There are no loopholes.

           

          Section 4:

          The cost of CMMC compliance varies a good bit, but broadly speaking, CMMC is a six-figure investment.

          It's very important to understand that CMMC compliance is an investment in the future of your organization. It is NOT a box to check.

          CMMC is intended to spark a complete overhaul of the way the American defense supply chain handles sensitive data – so foreign adversaries can't steal the most valuable assets we have as an international superpower.

          That will not and should not be cheap or easy if it's done right.

          Having said that, the cost to become CMMC certified will vary a great deal depending on the size and complexity of your organization. However, there are some general costs that you can expect to incur.

          When thinking about how to budget for CMMC – there are six major buckets to consider:

          • Scoping: auditing your systems to locate all of your sensitive data (CUI, ITAR, etc.)
          • Licensing: for a CMMC-ready cloud provider like Microsoft Government Cloud
          • Implementation: costs associated with implementing CMMC controls
          • Migration: moving your current environment into your new, secure cloud provider
          • Support: getting the right people/team to meet CMMC's monitoring and threat detection requirements
          • Assessment: paying for the actual CMMC assessment (every 3 years)

          Total Cost = Scoping + Licensing + Implementation + Migration + Support + Assessment

          Each one of these buckets can vary widely depending on your need, organization size, current state of your cybersecurity, etc.

          But we can work our way backwards through these budgeting buckets to estimate the cost as best we can without factoring in the details of your organization:

          Assessment Costs

          As a reminder, these assessment costs are based on the assumption that you have already implemented NIST SP 800-171.

          The CMMC rule gives some estimates for how much an assessment could cost and how much support should cost:

          For a Level 2 CMMC assessment, the cost will include Assessment Costs (initial and every three years after), and Affirmation Costs (annually). DoD estimates that the cost of assessment and affirmation will be around $104,670.

          Remember, that's just the cost of the assessment itself.


          Support Costs

          Support costs will include hiring additional staff and/or an External Service Provider (MSP/MSSP) to support your CMMC compliance program on an ongoing basis. To remain CMMC compliant, you'll need active monitoring, threat detection, and incident reporting that will consume a moderate amount of time between your CMMC assessments.

          According to DoD, getting an experienced IT professional capable of supporting such an effort would cost somewhere around $86/hour.


          Implementation, Migration, and Scoping Costs

          If you do actually find a unicorn IT person who also has the bandwidth to support CMMC compliance, you could, in theory, use this person for the implementation, migration, and scoping as well.

          Implementation costs will include all the technical changes required to meet the standards that CMMC is intended to check (such as NIST SP 800-171), as well as migration to a compliant platform.

          Based on the estimated number of hours it could take for a CMMC project, implementation alone could easily consume at least one person's full time job for 12-18 months.

          The annual full-time salary of an employee being paid $86.24 per hour would be around $179,000. So keep that in mind when considering first-year implementation, migration, and scoping cost if you were to hire in-house (which you can avoid by outsourcing to a trusted partner).

          Licensing Costs

          When it comes to licensing, we recommend Microsoft GCC or GCC High. The cost of licensing for your organization is strongly dependent on your approach to CMMC compliance.

          Here's why we recommend GCC High:

          • Microsoft 365 GCC High is built on Azure Government within dedicated US data centers.
          • GCC High is the only Microsoft offering besides the DoD-dedicated Microsoft 365 that ensures all data resides in U.S. data centers.
          • GCC High is also supported by background-checked U.S. persons.

          Those attributes make GCC High suitable for ITAR and EAR data.

          Microsoft 365 GCC High is also a suitable cloud platform to house CUI corporately and on behalf of the Government, which requires DISA IL 4 or greater. GCC High is rated at DISA IL 5 and is FedRAMP High equivalent.

          If you want a quote, reach out below. Someone from our team will get you the answers you need within one business day:

          Section 5:

          What's the Fastest Way to Become CMMC Compliant?

          A Managed Controlled Unclassified Information (CUI) Enclave is the fastest way to achieve CMMC compliance, potentially within just two months*. A Managed CUI Enclave creates a controlled environment for sensitive data, simplifying compliance and reducing your cybersecurity risks. Plus, it allows you to start small and expand into an All-In approach later if needed.

          To find out if a Managed CUI Enclave is right for your organization, check out our blog on Managed CUI Enclaves here, and our featured video below:

          *Timelines will vary for each organization according to scope and complexity. This is the fastest that Summit 7 is currently seeing Enclaves set up for organizations, and while we guarantee efficiency, we cannot accurately provide an estimated timeline until learning more about your goals and environment.

          7 Steps to CMMC Compliance

          Aerospace and defense contractors in the Defense Industrial Base looking to achieve CMMC compliance should be taking the following steps:

          1. Define Your Required CMMC Level
          2. Identify Assets for CMMC
          3. Choose a Technical Design For CMMC
          4. Implement Microsoft Government For CMMC
          5. Find a Managed Service Provider for CMMC
          6. Prepare and Document for CMMC
          7. Complete a CMMC Assessment


          Get the Downloadable Version of 7 Steps to CMMC Compliance for free.
