Written by: Anna London, Executive Contributor
Executive Contributors at Brainz Magazine are handpicked and invited to contribute because of their knowledge and valuable insight within their area of expertise.
What Is the CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework by the US Department of Defense (DoD) for the DoD supply chain and its contractors. The goal of the new CMMC compliance requirement is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
This new umbrella standard includes requirements from NIST SP 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond. The latest iteration CMMC 2.0 was announced on November 4th, 2021 and includes three levels of compliance. Each level requires more practices and controls than the previous. Most organizations will have to comply with either Level 1 or Level 2.
Who Needs CMMC Certification?
Any company and its subcontractors that bid on a DoD contract that contains Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) will be required to be CMMC compliant.
Which Level of CMMC Will You Need?
The CMMC level mandated will be stated in the contract information. The majority of contracts will require a Level 1 or Level 2 compliance. As a general rule:
If your company will receive exclusively FCI under the contract, then your will need CMMC Level 1 implementation and certification.
However, if your organization will receive CUI in addition, then CMMC Level 2 will be required as a minimum.
CMMC Assessments
Depending on the CMMC levels you will need to comply with, the implementation and compliance status will be verified via a self-assessment that needs to be submitted to the SPRS, a Certified 3rd Party Assessment Organization (C3PAO), or DOD officials. While the outside assessments will be valid for three years, any self-assessments will have to be conducted annually and need to be accompanied by an annual affirmation from a senior company official that the company is meeting requirements.
When Will This Be Required?
Due to the significant changes in the latest CMMC 2.0 iteration the DoD suspended any CMMC requirements for new contracts until the rulemaking process for CMMC 2.0 is completed. In May 2022 CMMC director Stacy Bostjanick announced that the Pentagon plans to publish the CMMC ‘interim rule’ in early 2023, with initial requirements showing up in DoD contracts starting in May 2023. In the meantime, DFARS 252.204-7012 and -7019 are still in effect and require each organization to have a NIST SP 800-171 Assessment performed, the resulting score submitted to the SPRS, and a System Security Plan (SSP) as well as a Plan of Actions & Milestones (PoA&M) document in place. New DoD contracts might have minimum requirements for the organization’s NIST SP 800-171 assessment score. Although the CMMC compliance requirements are still several months away, we highly recommend that companies who plan to bid on DoD contracts start preparations for their CMMC assessment now. The early adopters of CMMC will have a clear competitive advantage – especially considering that implementation will take several months and compliance is required at the time of contract award. After years of delays, the CMMC rulemaking process seems to be on track and the latest update by CMMC director Stacy Bostjanick indicated that it is progressing faster than initially announced. Considering the upcoming May 2023 date (revised from July 2023) for CMMC contract requirements we expect a rush with availability of the C3PAOsbecoming a bottleneck. In other words– it’s time to get ready sooner than later. Currently, the DoD is discussing different incentives for those companies that become compliant before CMMC is mandatory. Assessments on a voluntary basis started late August 2022. How Long Does It Take to Implement CMMC?
The implementation time-frame depends on these main factors:
The level of certification you are required to comply with
The current state of your NIST SP 800-171 implementation
The size and scope of your system and architecture (e.g., multi-site, small, medium or large organization, et al.)
For example, after an initial Gap Analysis, it will take most organizations 6-12 months to achieve CMMC Level 2 compliance and to be ready for the certification assessment. CMMC Level 1 compliance can be accomplished in a much shorter time-frame.
What Is the CMMC Cost?
The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:
Support by companies like Chrysallis.AI for help with implementation and training
CMMC implementation cost
CMMC Assessment by a CMMC Third-Party Assessment Organization (C3PAO)if you are required to do so (CMMC Level 2 and Level 3)
We advise companies wishing to work with the DoD in the future to expect some ongoing expenses in addition to the initial cost of becoming compliant.
CMMC Compliance & Existing Cybersecurity Requirements
While there is a lot of buzz about CMMC, the reality is that it adds hardly any new requirements. We thought it would be helpful to take a step back and summarize all the existing cybersecurity requirements for contractors in the DoD supply chain. Our latest report gives a high-level overview of these existing FAR & DFARS requirements, how they relate to each other and to CMMC 2.0.
How We Are Prepared To Help You
Chrysallis.AI is a Licensed TrainingProvider vetted by the Cyber AB (formerly called the CMMC Accreditation Body) to be among the first companies qualified to help you to become CMMC compliant. Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from several weeks to a few months. Starting now will save you valuable time and will get you ahead of the competition.
We offer CMMC Consulting Services to get you CMMC compliant through training and compliance support.
CMMC Organization and Individual Training and Certification: We will work around your schedule on weekdays, weekends and/or evenings to accommodate your schedule.
CMMC Gap Analysis & Pre-Assessment Consulting Services: Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. If your company needs to be assessed by a C3PAO or DoD official we will recommend to schedule the actual audit once we are confident that you are ready for the CMMC Assessment.
CMMC Post-Assessment Support (Findings Remediation and Sustainment Planning) f your company needs to be assessed by a C3PAO or DoD official we help you prepare for the audit, gather & organize evidence for a smooth assessment. We will be at your side throughout the process a and through post-assessment activities.
To discuss your CMMC requirements and schedule a complimentary 15 min consultation, email us at info@chrysallis.ai or give us a call at 703-576-0791.
Anna London, Executive Contributor Brainz Magazine
Anna London is an US Army Veteran, Colon Cancer Survivor, Educator, Cyber Security Expert, Entrepreneur.