CMMC Compliance 101

Confident and timely CMMC compliance comes down to whether or not you have an informed strategy. Do you know the basics of CMMC compliance and what it means for you?

In October 2020, the DoD released their Interim Final Rule, which set a deadline for NIST compliance and a timeline for CMMC compliance. These new compliance standards not only put DoD contractors on the clock but also presented them with far more rigorous expectations than they’ve been subject to before.

Who Needs A CMMC Certification?

CMMC RPOIf you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DOD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI).

What Does CMMC Mean?

CMMC stands for Cybersecurity Maturity Model Certification. It is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and CUI shared within the supply chain.

What Is CMMC Compliance?

CMMC builds upon the requirements set out by Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).

The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.

The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.

As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI you must comply with NIST regulation 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.

If you don’t, you can’t bid on DOD contracts, and you may lose the ones you have. CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.

There are five key steps in attaining your CMMC certification:

  • Self-Assessment: You need to know where you stand. Have you evaluated how well you’re protecting FCI and CUI, in line with CMMC’s requirements?
  • Pre-Audit Support: This is where an expert third party like Orion Networks comes in. We can assess your current processes and determine where you may be vulnerable. We’ll provide you with a detailed assessment that pinpoints areas of concern that you’ll need to address prior to your audit.
  • Remediation: Using the information gathered in our assessment, we’ll address any potential vulnerabilities and transition your organization to a fully CMMC compliant state.
  • Audit: The next step is to hire a Certified Third-Party Audit Organization (C3PAO), providing them with the results of your self-assessment and the changes made with assistance from our team.
  • Certification: Congratulations — you now meet CMMC compliance standards.

What Happens If You’re Not Compliant?

The penalty for CMMC compliance is simple — if you’re not compliant, you can’t be awarded defense contracts. There are no fines or conventional penalties. You’re just unable to operate in the DoD contracting space any longer.

While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, it’s important to note the silver lining — compliance will likely reduce your competition.

As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.

That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.

How Much Does CMMC Certification Cost?

It’s difficult to narrow down an exact cost for CMMC compliance, as it will largely depend on your current state of compliance, and what you will have to do to remedy it. The larger the gap between your current state and a compliant state, the more it will cost.

That’s why you need to develop a budget for your CMMC compliance processes. Your CMMC budget needs to consider the following factors:

Plan Your Resources

To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant — particularly if you’re in the cloud.

Answer the following questions:

  1. Will your IT systems need updating within the next year?
  2. Are your systems on-premise or cloud-based?
  3. If on-premise, will you be planning on a cloud migration in the coming year?
  4. If cloud-based, are you using the provider’s compliant cloud solution?

With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration, or switching to a compliant cloud solution, it’s better to know now instead of later.

Developing Compliant Policies

A core component of Level 3 compliance with CMMC is to both possess and demonstrate documented policies.

Take stock of your current policies and associated practices by answering the following questions:

  1. Do you have documented policies?
  2. Has your team been trained to follow them, and are they tested on their knowledge?
  3. Have your policies been reviewed by a third party?
  4. Do you have a process for updating policies?

Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.

Cover Assessments, Audits & Testing 

There are two primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:

  1. Self-Assessments: Clause 7019 requires contractors to, at a minimum, conduct a Basic Assessment which is a self-assessment of NIST 800-171 compliance. Make sure you’ve allotted for that time and any expenses stemming from hiring outside support.
  2. CMMC Audits: Later on, you’ll also need to have an audit performed by C3PAO’s — unfortunately, the cost of this type of audit isn’t widely known right now, given how new the system is.
  3. Don’t Forget About Your Supply Chain: The Interim Final Rule is also intended to standardize cybersecurity through your supply chain too. Make sure that you consider the additional resources needed to ensure a maturity level commensurate with the information you are sharing with any third parties in your supply chain.

How Long Will Your CMMC Certification Last?

Unfortunately, the current version does not offer detail as to the duration of certification. However, DoD’s Katie Arrington, Chief Information Security Officer for the Assistant Secretary for Defense Acquisition and a key player in the rollout of CMMC, stated in a press briefing that a company’s certification will be “good” for three years.

Need Expert Assistance Implementing CMMC?

Don’t go into your CMMC Audit without the confidence that you’ll pass with flying colors.

Orion Networks will help — we have extensive experience helping contractors like you to maintain compliance with complex systems like DFARS and NIST. We will do the same for your upcoming CMMC audit.