CMMC Compliance Services
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… Until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
Ready to talk? Click here to schedule time with a CMMC expert
The DOD finalized V1 of this standard at the end of January 2020 and is slated to go into effect mid-2020.
Since the standard has only recently been finalized, it would be presumptuous for us (or anyone) to called CMMC “experts.” We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have also helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171 which covers 110 of the 131 controls required for CMMC Level 3 certification. So, while CMMC is a new certification scheme — the process of preparing for CMMC certification isn’t.
Ready to talk? Click here to schedule time with a CMMC expert
What Every DOD Contractor and Sub-Contractor is Facing
The BIG change with CMMC is self-attestation will be replaced with a requirement for every organization that does business with the DOD to undergo a third party audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
The good news is CMMC is a well-architected framework that will reduce your cyber risk—and the DOD’s. The bad news is that it is going to be a significant challenge to achieve certification for many of the small to medium sized businesses that will need to do so.
To understand the challenges, you need to understand the basic structure of CMMC:
- CMMC uses a 1–5 maturity level scale, which allows the standard to define “Appropriate Security” for different types of information with different risk levels.
- The number of information security “practices” you need to implement differs based on the maturity level that your contract requires (from 17 practices at Level 1 to 219 practices at Level 5).
CMMC is a very comprehensive standard. Based on current guidance it is reasonable to assume that most organizations will be required to achieve CMMC Level 3 (“Good Cyber Hygiene”), which requires the implementation of 131 practices. Having worked with a number of small to medium sized businesses on their NIST 800-171 compliance efforts, we have found that “downstream” engineering, manufacturing and sales organizations (e.g., sub-contractors to Boeing, Raytheon, McDonnel Douglas) have only have a fraction of the mandated controls in place, and the maturity of the processes that support their existing practices are usually Level 1.
As with a lot of NIST/FISMA guidance, an effort to simplify CMMC has instead made it more complicated. CMMC draws from and directly references several other standards, including: DFARS, CERT RMM, 800-171, AU ACSC Essential Eight, UK NCSC Cyber Essentials, ISO 27001, CIS Critical Security Controls, and the NIST Cyber Security Framework. Mixing that many information security paradigms make it very challenging to establish a clear target for each CMMC process.
CMMC’s complexity is further exacerbated by lack of available expertise. Most small to medium sized businesses in the DOD supply chain don’t have full-time information security personnel, and those that do may not have sufficient expertise to address the development of a CMMC certifiable information security program.
Moving to a certification level of CMMC Level 2 or greater will take many small to medium sized businesses a significant amount of time and effort. If you are using internal resources, it will significantly impact their ability to address “business as usual.” If you are using external resources, it will be challenging to find qualified people to support your efforts. Those that are qualified are going to have a long line at their doors with 300,000 companies needing to achieve CMMC certifiability in calendar year 2020.
It is probably no surprise given the comprehensiveness, complexity, expertise, and availability challenges that becoming CMMC compliant will be an expensive proposition and likely a financial challenge for many small to medium sized businesses.
Now for the good news: security is considered an allowable cost and reimbursable by the DOD. That means expenses to obtain and maintain CMMC certification can be specified in a DOD contract… this is huge.
Sooooo… Where to turn?
We get it: getting CMMC certified within a timeframe that allows you to maintain your current DOD contracts feels a bit overwhelming. Helping organizations overcome these types of “prove you’re secure” challenges so that they can grow their businesses is what we have done for thousands of SMB clients over the last 20+ years.
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
Beginning in mid-2020, CMMC certification will be an absolute requirement to bid on DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
CMMC Compliance Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.
When does CMMC go into effect?
V1.0 of the CMMC was released on January 31st 2020. The audit program is being developed and should be in full effect by fall of 2020. CMMC will appear in Requests for Information (RFI’s) and Requests for Proposal (RFP’s) as early as August 2020.
How many controls does CMMC require?
There are different controls totals for each level within CMMC:
- CMMC Level 1: 17 Controls
- CMMC Level 2: 72 Controls & 2 Processes
- CMMC Level 3: 130 Controls & 3 Processes (This is the 1st level that fully achieved NIST SP 800-171 coverage)
- CMMC Level 4: 156 Controls & 4 Processes
- CMMC Level 5: 171 Controls & 5 Processes
What is the minimum CMMC level you need to reach NIST SP 800-171?
CMMC Level 3 is the first target level fully addressing NIST 800-171 and it covers 20 controls beyond NIST SP 800-171 (a total of 130).
If I’m not CMMC certified what does that mean?
Starting as early as August 2020, you will no longer be able to submit proposals to provide services in the DoD supply chain.
What is the difference between CMMC and NIST?
CMMC is a certifiable standard that requires regular audits to obtain and maintain certification. NIST is a self-attestable standard that allows organizations to self-attest to their own security maturity.
If we have relatively immature security program, how long will it take to get CMMC certified?
A reasonable assumption for achieving Level 3 CMMC readiness is 6 – 10 months.
How much does CMMC certification cost?
Until teh auditor program is fully established the actual cost of the audit has not yet been established. A reasonable guess for the audit is $20 – 40K.
Establishing an information security program that is capable of being CMMC Level 3 certified can be a notable expense dependent upon the current maturity of your program. If you already have a mature NIST 800-171 compliant environment in place it may be $20K or less. If you are starting from scratch it could be $50 – 150K. See this blog for a better explanation on the price ranges.
What is the difference between CMMC and NIST 800-171?
CMMC is a certifiable standard that requires a third party audit to confirm that you are compliant with the standard, NIST-800-171 is (or was 😆) a self-attestable standard to protect the same CUI that CMMC does. All organizations that become CMMC certified (level 3 or higher) will still need to be 800-171 conforming and the CMMC certification will demonstrate that they have achieved 800-171 as well.
With the DoD’s more “limited roll out” I heard about should we get CMMC certified this year?
Many of the companies in the Defense Industrial Base we are speaking with believe that it will be a competitive advantage to do so. Our understanding is that larger Prime’s will either require or favor those that are as they are building “pursuit teams”.
Should we start preparing for CMMC with a Gap Assessment?
A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step. See this blog for additional detail on approach.