How Do You Get CMMC Certification?

Federal contractors that want to do business with the Department of Defense (DoD) must become Cybersecurity Maturity Model Certification (CMMC)-certified. There is ample guidance online and in webinars on what CMMC is, but little advice on how to actually achieve certification.

Under the current CMMC 2.0 rules, the type of assessment depends on the level. Level 1 requires an annual self-assessment. Level 2 requires either a self-assessment (permitted only for select programs) or a triennial assessment by an independent CMMC Third-Party Assessment Organization (C3PAO). Level 3 requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Independent assessment is therefore not required at every level; it is required where the contract says so.

What is CMMC Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a framework of cybersecurity requirements, based largely on NIST SP 800-171, that the Department of Defense (DoD) imposes on its contractors. Its primary goal is to verify that contractors actually protect the DoD information they handle against cyber threats, rather than merely attesting that they do.

DoD contracts that carry a CMMC requirement can be awarded only to contractors holding the level the contract specifies. DoD has made clear, however, that certification should be the start of a change in an organization's internal security culture, not the end of it: contractors are expected to keep adapting to emerging threats rather than treating the assessment as a one-time event.

CMMC applies to any company in the defense supply chain that handles DoD information, regardless of its size or whether it is a prime contractor or a subcontractor. The requirements cover the protection of both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on the contractor's own systems and in its own facilities, together with the policies, processes, and staff roles and responsibilities needed to sustain that protection.

What is the CMMC Assessment Process?

Step one is to determine which CMMC level your company needs. The level is set by the contracts you hold or pursue: Level 1 if you handle only FCI, Level 2 if you handle CUI, and Level 3 only for the highest-priority programs. Then compare your current security posture against the requirements of that level (for Level 2, the 110 requirements of NIST SP 800-171) to identify the gaps.

After this initial self-assessment, close the gaps, using a Registered Provider Organization (RPO) or another consultant if needed, and select a C3PAO. Be aware of the conflict-of-interest (COI) rules: the C3PAO that certifies you may not also have designed or implemented the controls it is assessing, so decide early which firm will advise you and which will assess you.

Once your gap analysis is complete and the gaps are closed, engage a Cyber AB-authorized C3PAO and schedule the official CMMC assessment. Lead time can be up to 90 days, and becoming certified usually requires extensive preparation (writing policies and the System Security Plan, deploying technical controls, creating new processes, and collecting evidence that the controls operate), so preparation should begin immediately.
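A worked example of the self-assessment and gap-analysis step described above, added here and not part of the original article or of any DoD or Cyber AB tool: the script scores a NIST SP 800-171 self-assessment the way the DoD Assessment Methodology does (start at 110 and subtract a weight of 5, 3 or 1 for each requirement that is not implemented, with partial credit only for the two requirements the methodology allows it for) and produces a POA&M-style gap list sorted by points lost. Only a handful of the 110 requirements are included, the status data is constructed, and the weights are the editor's reading of the methodology, so check them against the published table before relying on the score. A requirement you have not assessed is scored as not implemented, which is the conservative reading an assessor will take.

```python
"""Gap analysis for a NIST SP 800-171 self-assessment using DoD Assessment
Methodology style scoring. Added example: the requirement subset and the
sample statuses are constructed, and the weights must be verified against
the published DoD Assessment Methodology table."""

from dataclasses import dataclass

MAX_SCORE = 110  # one point per NIST SP 800-171 Rev 2 requirement before weighting


@dataclass(frozen=True)
class Requirement:
    ident: str
    title: str
    weight: int        # points deducted when the requirement is not implemented (5, 3 or 1)
    partial: int = 0   # smaller deduction allowed for a partial implementation; 0 = no partial credit


# Constructed subset of the 110 requirements. Weights follow the DoD Assessment
# Methodology as the editor recalls them; confirm against the official table.
REQUIREMENTS = {
    "3.1.1": Requirement("3.1.1", "Limit system access to authorized users", 5),
    "3.1.2": Requirement("3.1.2", "Limit access to permitted transactions and functions", 5),
    "3.1.5": Requirement("3.1.5", "Employ the principle of least privilege", 3),
    "3.1.20": Requirement("3.1.20", "Verify and control connections to external systems", 1),
    "3.3.1": Requirement("3.3.1", "Create and retain system audit logs", 5),
    "3.5.3": Requirement("3.5.3", "Multifactor authentication", 5, partial=3),
    "3.13.11": Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, partial=3),
    "3.14.1": Requirement("3.14.1", "Identify, report and correct system flaws", 5),
}

VALID_STATUSES = ("met", "partial", "not_met")


def deduction(req, status):
    """Points lost for one requirement. Partial credit exists only where the
    methodology grants it; elsewhere 'partial' is scored as not implemented."""
    if status == "met":
        return 0
    if status == "partial" and req.partial:
        return req.partial
    return req.weight


def assess(statuses):
    """Return (score, gaps). `statuses` maps requirement id -> status string.
    A requirement absent from `statuses` is treated as not implemented, since an
    unassessed control cannot be claimed as met. `gaps` is a POA&M-style list of
    (id, title, status, points_lost) sorted by points lost, largest first."""
    for ident, status in statuses.items():
        if ident not in REQUIREMENTS:
            raise ValueError(f"unknown requirement id {ident}")
        if status not in VALID_STATUSES:
            raise ValueError(f"bad status {status!r} for {ident}")
    total = MAX_SCORE
    gaps = []
    for ident, req in REQUIREMENTS.items():
        status = statuses.get(ident, "not_met")
        lost = deduction(req, status)
        if lost:
            total -= lost
            gaps.append((ident, req.title, status, lost))
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return total, gaps


def poam_report(statuses):
    """Human-readable gap list for the Plan of Action and Milestones."""
    score, gaps = assess(statuses)
    lines = [f"Score: {score} / {MAX_SCORE}  ({len(gaps)} open item(s))"]
    for ident, title, status, lost in gaps:
        lines.append(f"  {ident:<8} -{lost}  [{status}] {title}")
    return "\n".join(lines)


# Constructed statuses for a hypothetical small contractor; not real assessment data.
SAMPLE_STATUS = {
    "3.1.1": "met",
    "3.1.2": "met",
    "3.1.5": "not_met",
    "3.1.20": "met",
    "3.3.1": "not_met",
    "3.5.3": "partial",    # MFA on remote and privileged access only
    "3.13.11": "partial",  # encryption in use but not FIPS-validated modules
    "3.14.1": "met",
}

if __name__ == "__main__":
    print(poam_report(SAMPLE_STATUS))
```

The useful design choice is that an unassessed requirement and a "partial" status on a requirement without partial credit both count as fully unimplemented; inflating the score by leaving rows blank is exactly the kind of gap a C3PAO will find.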

What is the CMMC Assessment Fee?

Once certified, your company must maintain compliance. Level 1 self-assessments are repeated annually, and a Level 2 certification is valid for three years with an annual affirmation of continued compliance in between. Keep the evidence behind the assessment current, so that a reassessment and the response to any security incident can both be handled from the same records.

As the CMMC level you need rises, so do the assessment costs. Level 1 requires no external audit, only an annual self-assessment; Level 2 for most CUI programs requires an assessment by a Cyber AB-authorized C3PAO, which you pay for; Level 3 adds a government-led assessment on top of that.

Note that CMMC requirements apply not only to large defense contractors: every business that handles FCI or CUI under a DoD contract, including small subcontractors that work on only part of a contract, must meet the level flowed down to it.

What is the CMMC Certification Timeline?

DoD contractors already must comply with DFARS clause 252.204-7012, which requires implementing NIST SP 800-171, and must report a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS). By taking proactive steps now (completing that self-assessment honestly, remediating the gaps, and engaging a C3PAO early), contractors will be well positioned to move quickly to full CMMC certification. DIBCAC assessments are conducted by DoD, not arranged by the contractor, so the part you control is being ready for one.

America's adversaries know that, while DoD itself has rigorous cyber protections, its contractors and subcontractors often lack sufficient safeguards, and that information exfiltrated from several firms can be pieced together into entire designs or plans. With the CMMC rollout set to start in 2023, DoD contractors need repeatable, scalable, evidence-driven processes to assess their practices, write their System Security Plans (SSPs), and get certified, whether by self-assessment, by a C3PAO, or through a government-led assessment.

What is the CMMC Certification Cost?

Costs of CMMC certification have both hard and soft components. Hard costs include program development, technology implementation, and audit and certification services. Soft costs depend on your company's current maturity, its size, and the amount of Controlled Unclassified Information (CUI) it handles: the more systems and people that touch CUI, the larger the boundary you must protect and have assessed. Reducing that boundary, for example by handling CUI in a dedicated enclave rather than across the whole enterprise, is the most effective lever on cost.

Complex networks and commercial cloud services also affect cost significantly. Moving from a commercial Google Workspace or Office 365 tenant to one that meets the CMMC and DFARS requirements for CUI (for example Microsoft 365 GCC High) can double or even triple your current licensing costs, and you will also need security configuration changes such as multifactor authentication, centralized logging, and FIPS-validated encryption, which are costly and time consuming. Plan your certification goals and budget carefully in advance.