June 24, 2022

Last Updated on January 12, 2024

To invest in CMMC or to not invest in CMMC – that is the question.

Cybersecurity Maturity Model Certification, or CMMC, is a potentially lofty yet necessary investment for the Defense Industrial Base. While all signs point to May 2023 as the date to expect CMMC to enter into contracts, it’d be wise to implement it beforehand.

Any business that is considering CMMC should achieve certification sooner rather than later, as implementing any comprehensive cyber security program could take a company 9 to 12 months.

The most recent CMMC Day conference was held in Washington, DC on May 9, 2022. The event was full of essential clarifications and rich information about coming changes and requirements.

The Early Adopter Program and why it may be crucial to join

CMMC is expected to begin appearing in contracts as early as May 2023. While this is still approximately a year out, it is worth considering whether organizations interested in adopting CMMC should join the Early Adopter Program.

Early adoption will be beneficial for many reasons. First, becoming CMMC certified can offer organizations the upper hand when competing for government and other contracts.

“The Early Adopter Program has been approved, which means that you will soon start to see organizations touting the fact that they are CMMC certified.” — John Verry

Being CMMC certified could provide an advantage for those who adopt it before it appears in contracts. Prime contractors competing for awards may regard certified organizations as ahead of the curve and stronger in cyber security.

Additionally, with impending CMMC requirements, it’s better to be prepared. Awarded contracts could be put at risk if your organization cannot achieve certification within the announced 180-day grace period. The effort could take as long as 12 months, with potential waiting periods if assessors and/or other third-party partners are busy helping other DIB orgs.

With an estimated 80,000 organizations that will need a level 2 certification and assessment, and a current shortage of assessors, participants in the Early Adopter Program are more likely to achieve accreditation without an extended waiting period.

Differences in requirements between CMMC levels 2 and 3

CMMC V2 certification requirements for level 2 remain relatively unchanged, and no major changes have been announced.

“Realistically, CMMC hasn’t changed once we roll back to CMMC v2 because CMMC is effectively 800-171.” — John Verry

Therefore, the vast majority of what is currently expected for a level 2 certification relies upon compliance with the controls specified in NIST 800-171, which have been the requirement for DIB orgs handling CUI since December of 2017. The same 110 controls will be assessed and relied upon for certification, with the only significant difference being that compliance must now be formally validated through a third-party (C3PAO) assessment process.

What about CMMC Level 3? Recent announcements indicate that Level 3 will require a full Level 2 assessment by a C3PAO, plus adherence to additional controls not yet specified from among the approximately 35 additional controls in NIST 800-172. Compliance assessment against the additional controls will be performed by Defense Contract Management Agency (DCMA) assessors, i.e., the DIBCAC.

While some details remain undecided, the discussion at CMMC Day did reveal that CMMC would be a three-year certification. But instead of requiring surveillance audits (like ISO 27001), CMMC will require “affirmation from a senior company official” that the compliance program remains on track (like Sarbanes-Oxley).

The False Claims Act and the hefty price it carries for violators

The False Claims Act could prove to be a crucial avenue of enforcement regarding CMMC adherence.

“A false claim act can be triggered in a lot of different ways. The most likely way would be a whistleblower, or, this is the scary part, some form of a cyber incident.” — John Verry

If a false claims suit is filed, it is usually either because of actions taken by a whistleblower or following a government investigation into a cyber incident. If a DIB org is found to have misrepresented its CMMC compliance posture, the penalties can be stiff.

An actual cyber incident raises the question of how it took place, given that the organization claims to adhere to the 110 CMMC level 2 controls. While cyber incidents can still occur with full CMMC compliance, they are much less likely. In this case, an organization can suffer the consequences of not conforming to CMMC guidelines while touting the certification.

Is the investment in CMMC worth it?

The choice of whether or not to pursue CMMC compliance depends on the costs and benefits to your organization. Gaining certification to CMMC level 2 or 3 can be a costly and time-consuming process if you’re starting from scratch or have major gaps in your controls. However, if you want to do business with the DoD there is no way around making the investment.

Weighing the pros and cons of CMMC is something that organizations should do carefully.

While many organizations are leaving the Defense Industrial Base (DIB) to avoid impending CMMC requirements, others are jumping on board to take market share and maximize overall return.

If you ultimately decide that the benefits of CMMC compliance outweigh the costs, the benefits will likely be greater—and the risks lower—for those firms that receive certification promptly.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.