CMMC Compliance Services

There are different controls totals for each level within CMMC 2.0:

• CMMC Level 1: 17 Practices (same as CMMC V1 Level 1)
• CMMC Level 2: 110 Practices (This is the level that fully achieves NIST SP 800-171 coverage)
• CMMC Level 3: This level is not yet fully defined, and the number of practices is still to be determined. Since Level 3 (equivalent to CMMC V1 Level 5) will be based on NIST SP 800-172, “Enhanced Security Controls,” which defines 35 controls beyond NIST SP 800-171, it will define somewhere between 110 and 145 practices.

You may no longer be able to win proposals to provide services in the DoD supply chain.

A reasonable assumption for achieving Level 2 CMMC 2.0 readiness is 6 to 10 months. It will ultimately depend on organizational knowledge and how soon you can get your “new normal” baked into your company culture and day-to-day processes.

Significant cost reduction, especially for SMBs, was a key goal of CMMC 2.0. The DoD has stated its intention to “publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking.” If your business needs to undergo a third-party assessment, costs will vary based on factors like the complexity of your unclassified network for the certification scope, how close you are today to meeting the requirements for the CMMC level in your contract, as well as market forces. Of course, your overall CMMC 2.0 certification costs will be lower if you can self-attest to compliance.

Some ballpark cost estimates include:

• For a CMMC Level 2 C3PAO assessment, you could expect approximately 30 person-days of effort and a cost of $60,000 to $90,000.
• If you are starting from scratch to build a NIST 800-171 conforming cybersecurity program, your costs could be $50,000 to $150,000. If you already have a mature cybersecurity program, costs to provably establish NIST 800-171 compliance could be $20,000 or less.
• If you have cost estimates for CMMC v1, your CMMC 2.0 costs should be lower since the maturity requirements are no longer part of the program.

Both CMMC 2.0 Level 2 and NIST 800-171 are intended to protect Controlled Unclassified Information (CUI), and CMMC 2.0 is based on the 110 controls specified by NIST 800-171.  Further, CMMC 2.0 is a certifiable standard that requires either a third-party audit or a self-assessment with executive sign-off to confirm that you are compliant. All organizations that become CMMC 2.0 certified at Level 2 or higher will still need to be DFARS 7012 and NIST 800-171 conforming, while those at Level 1 need only implement 17 of the 110 NIST 800-171 controls.

CMMC 2.0 will not be a contractual requirement until the DoD completes the rulemaking needed to implement the program. However, available information on CMMC 2.0 make it clear that the DoD will require DIB firms that handle CUI to have robust security postures that are “provably compliant” with NIST 800-171. Therefore, while you cannot currently undergo a CMMC 2.0 Level 2 or Level 3 audit, you should move quickly to close any gaps in your program relative to NIST 800-171. This is vitally important if you have a DFARS 7012 clause in any current contract, as this obligates you to NIST 800-171 compliance now.

A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step.