CMMC COMPLIANCE

Everything You Need to Know

CMMC OVERVIEW

What is CMMC?

CMMC is a standard for the implementation of cybersecurity at Defense Industrial Base (DIB) companies. Mandated by the Department of Defense (DoD), the CMMC framework consists of comprehensive assessments and scalable certifications that verify the implementation of the processes and policies associated with achieving a given cybersecurity maturity level.

A DIB company's cybersecurity maturity is demonstrated by the level of CMMC certification it achieves.

What does CMMC stand for?

Why was CMMC created? What is the purpose of obtaining CMMC certification?

The CMMC framework is designed to provide increased levels of assurance to the DoD that DIB companies are adequately equipped to protect controlled unclassified information (CUI).

This certification verifies that contractors or C3PAOs have adequate cybersecurity controls and compliance policies in place to meet the DoD’s security standards. 

The Department of Defense (DoD) has released the Cybersecurity Maturity Model Certification (CMMC) Version 1.0, a new framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. CMMC is an evolution of DFARS 252.204-7012 (NIST SP 800-171), but now requires third-party attestation.

Why is CMMC important?

In short, the CMMC provides clients with reassurance about a contractor’s security protocols. 

Serving as a verification mechanism, CMMC is designed to ensure that an organization's cybersecurity controls and processes are adequate to protect all data and information. Achieving a high-level CMMC accreditation signals that the Defense Industrial Base (DIB) company meets the DoD's core cybersecurity objectives.

Who needs CMMC Certification? Who does CMMC apply to?

Although CMMC Version 1.0 was only recently released, all organizations that provide services to the DoD will eventually need to be CMMC certified in order to bid on future DoD solicitations. That said, CMMC is not expected to be applied retroactively to existing contracts or their option years until at least 2026.

Even small businesses that provide a service or product and work indirectly with the DoD will need CMMC.

Will CMMC ever be required outside of the DoD? 

It’s hard to definitively determine at this point. That said, at a recent ISSA Webinar, Katie Arrington, Chief of Information Security for Acquisition, Department of Defense discussed adoption of CMMC at the larger federal level. She stated, “I think that this (CMMC) is definitely going to go outside DoD. I know it is.” 

CMMC - PLAYERS, PROCESS, + TIMELINE

Who issues CMMC certification?

Certification is issued under the authority of a non-government body, the CMMC Accreditation Board (CMMC-AB), made up of industry professionals, government officials and others who understand what the DoD needs and how private industry can meet those needs.

Several CMMC-related certifications are available to private industry. The CMMC-AB authorizes and accredits C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements.

Types + Levels of 3rd Party CMMC Certifications

What are C3PAOs?

CMMC Third Party Assessment Organizations (C3PAOs) are certified CMMC assessors responsible for conducting CMMC assessments on behalf of the DoD. Once the assessment is completed, the C3PAO can appropriately issue CMMC certificates. 

C3PAOs are authorized to:

  • Schedule, perform, and manage assessments 
  • Provide advisory services
  • Hire and train individual assessors 
  • Review results with the CMMC Accreditation Board (CMMC-AB) Quality Auditors
 

What are RPOs?

The role of Registered Provider Organizations (RPOs) is largely consultative. RPOs are well-versed in CMMC and help Organizations Seeking Certification (OSC) within the Defense Industrial Base (DIB) navigate the CMMC process.  

As part of the RPO certification process, each organizational applicant must have at least one Registered Practitioner (RP) "associated" with it (as an employee or contractor) at all times. An RP is someone trained and authorized by the CMMC-AB to deliver "non-certified advisory services informed by basic training on the CMMC standard".

At this point, RPOs looking to achieve C3PAO status may offer assistance around setting up the initial self-assessment and management of the action items that come out of the self-assessment in preparation for CMMC.

What role does a CMMC Audit play within the certification process?

CMMC Certifications are achieved through passing an external audit. Otherwise known as a CMMC Audit, it is an assessment of your organization’s cybersecurity by an accredited CMMC third-party assessment organization (C3PAO).

When will CMMC be required? When will CMMC audits begin?

The Department of Defense (DoD) is implementing CMMC through a phased rollout. Organizations have until September 30, 2025 to become CMMC certified; until then, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation. Keep in mind that these dates depend on several moving parts:

  • Q1 January 2020: DoD released Version 1.0 of the CMMC
  • Q1 March 2020: The Memorandum of Understanding (MOU) between the DoD and the Accreditation Board (AB) was signed
  • Q2 2020: The DoD developed the assessment guide and training to certify C3PAOs and individual assessors 
  • FY 2021 – 2026: Implementation of the CMMC through a phased rollout 
  • FY 2026: CMMC certification a requirement for all companies doing business with the DoD 

How much does CMMC cost? Is CMMC pay-to-play?

Since the CMMC certification is a new requirement, concrete costs are yet to be determined. What we do know is that there will be a varying range of costs depending on the level of CMMC achieved, along with preparation and audit costs. 

To determine the variables that affect the cost, start by asking the following questions:

  • Which level of CMMC are you looking to pursue? (Note that the higher the level, the greater the cost.)
  • What level of maturity does your current IT and cybersecurity infrastructure have? What changes need to be made in order to reach your desired level of CMMC compliance?
  • How big is your organization? How complex are the systems, processes, etc.?
  • What volume of CUI can you and your team handle? What scope of CUI does your team handle? How much CUI do you exchange with other DIB companies or government agencies? How many databases store CUI?
  • If your team does not have the bandwidth to take the necessary steps, how much will you have to rely on outside help (consulting or outsourced cybersecurity services) to prepare for the CMMC assessment?
  • What are the expenses associated with protecting the infrastructure that protects day-to-day tasks like email, file sharing systems, or cloud storage? 
  • How much does it cost to engage a Certified Assessor? How much supply or demand exists in the market for Certified Assessors? 

To give a well-informed estimate, not including preparation and audit expenses, it could cost an organization pursuing a CMMC Level 1 certification from $3000 to $5000. As the levels go up, the cost increases. 


Achieving CMMC Requirements for Small Businesses + SMBs

While market forces will ultimately dictate the audit costs, the DoD has considered the financial burden that CMMC poses to SMBs.

At the end of the day, the cost depends on your cybersecurity maturity and can be anywhere from $20,000 to $100,000. Companies with less mature environments (think noncompliance with comparable regulations like NIST 800-171) will need to contend with consulting fees, increased CAPEX (on things like multifactor authentication, mobile device management and log monitoring) and increased OPEX (on things like security awareness training, additional personnel, etc.).

Are there penalties for noncompliance with CMMC?

Because the CMMC certification is a prerequisite for working with the DoD and is awarded by levels, the DoD anticipates that it will not impose penalties for CMMC noncompliance. However, failure to qualify for a required certification level will prevent a contractor from working with the DoD.

CMMC CONTROLS, LEVELS, + REQUIREMENTS

What are the levels of CMMC?

Level 1 | Total Controls: 17

CMMC Processes: Practices are performed

CMMC Practices / Requirements: The minimum CMMC certification level requires basic cybersecurity measures and only requires that the practices are performed, at least in an ad hoc manner. The 17 controls, or practice requirements, are equivalent to the 15 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 and to 17 practices drawn from NIST SP 800-171 Rev 1.

Level 2 | Total Controls: 72

CMMC Processes: Practices are documented

CMMC Practices / Requirements: A Level 2 CMMC certification requires intermediate cybersecurity measures and documented information on all CMMC practices and policies. On top of having everything documented, third-party assessors will also require the organization to have a policy in place that encompasses all activities.

In addition to the 17 controls required at CMMC Level 1, Level 2 adds 55 new practices, for a total of 72 controls. These new practices include policies on account access privilege levels, incident response and remediation plans, and other mid-level cybersecurity measures.

Level 3 | Total Controls: 130

CMMC Processes: Practices are maintained and followed

CMMC Practices / Requirements: A level 3 CMMC certification combines everything from the previous 2 levels and requires that an organization must maintain and resource a plan encompassing all activities.

There are a total of 130 controls at level 3, which includes the coverage of all practices from NIST SP 800-171 Rev 1, and 20 additional practices protecting controlled unclassified information (CUI) and ensuring cyber security methodologies are moderately resilient and comprehensive.

Level 4 | Total Controls: 156

CMMC Processes: Practices are regularly reviewed and improved across the enterprise

CMMC Practices / Requirements: A level 4 CMMC certification incorporates proactive practices to continually improve and enhance an organization’s cyber security capabilities in detection, response, remediation, and further protection.

There are 156 total controls at Level 4. In addition to the controls from Levels 1 to 3, Level 4 adds 26 new practices, 11 of which come from Draft NIST SP 800-171B. A Level 4 certified organization must also be able to detect and address the changing TTPs used by Advanced Persistent Threats (APTs).

Level 5 | Total Controls: 171

CMMC Processes: Practices show continuous enterprise improvement

CMMC Practices / Requirements: At the highest CMMC certification level, level 5, an organization is seen as highly advanced in their cyber security practices with continuous and optimized enterprise improvement.

Encompassing all controls of Levels 1 through 4, Level 5 organizations must have an improved, standardized and documented approach across the enterprise. Level 5 introduces 15 new practices, 4 of which come from Draft NIST SP 800-171B and 11 of which concern advanced cybersecurity measures, for a total of 171 controls. This strengthens CUI protection, creating a more sophisticated cybersecurity program.

How many CMMC controls are there for each level?

While CMMC is still in version 1.0, we do know a few things about the five levels of CMMC and the associated set of controls in scope for a CMMC audit. As a rule of thumb, each level of CMMC maturity has increasing expectations. 

  • CMMC Level 1: 17 Controls
  • CMMC Level 2: 72 Controls (includes Level 1 controls)
  • CMMC Level 3: 130 Controls (includes Level 2 controls)
  • CMMC Level 4: 156 Controls (includes Level 3 controls)
  • CMMC Level 5: 171 Controls (includes Level 4 controls)

Avertium CMMC Levels

CMMC Domains: The CMMC maps controls and processes across five certification levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced”. 

ACHIEVING CMMC COMPLIANCE / CMMC IMPLEMENTATION

How to become CMMC certified?

To become CMMC certified and achieve compliance, Defense Industrial Base (DIB) companies must be audited and assessed by a certified third-party assessment organization (C3PAO) or an accredited individual assessor. 

If you’re seeking to become CMMC compliant, here are a few steps to consider before getting audited:

  1. Identify the desired maturity level you want to be certified for
  2. Find an available C3PAO or an accredited individual assessor
  3. Allow a timeline of up to 90 days to resolve and fill any gaps identified with the C3PAO


Note that specific findings audited by the C3PAO will be confidential. Any level achieved will be made public knowledge. 

Steps to CMMC Certification

The CMMC Interim Rule's overall objectives are to establish CMMC as the new cybersecurity framework for DoD contracts and to instruct contractors to perform a self-assessment based on NIST 800-171 and report their score to the DoD.

The Interim Rule defines the self-assessment levels as follows:

Basic Assessment: This is a self-assessment done by contractors using the DoD Assessment Methodology. It can go two ways: (1) if an organization has implemented all 110 controls outlined in NIST SP 800-171, then the score received and recorded in the SPRS Basic Assessment is 110; (2) if an organization has not implemented all 110 controls, then the Assessment Methodology is used to derive the score. Each unimplemented control is assigned a specific value within the Assessment Methodology, which is subtracted from the total score of 110. Within 30 days of completing the assessment, contractors must post their score, and the date by which they will achieve full compliance, in SPRS. Until then, the assessment's resulting score carries a confidence level of "Low".

Medium Assessment: At this level the assessment is conducted by the Government, and the contractor must provide access to all systems and personnel needed to perform it. The assessment includes a review of the contractor's Basic Assessment, a thorough document review, and discussions with the contractor for additional information as needed. The resulting score carries a confidence level of "Medium".

High Assessment: The assessment at the highest level combines the Basic and Medium Assessments and also includes verification, examination and demonstration of the contractor's system security plan, validating the implementation of the NIST SP 800-171 security requirements. The resulting score carries a confidence level of "High".
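As an added worked example (not code from this page or from Avertium), the Python below implements the Basic Assessment scoring described above: start at 110, subtract the value assigned to each unimplemented control, record the confidence level for the assessment type, and compute the 30-day SPRS posting deadline. The control identifiers and point values are constructed placeholders, because the page does not list the real Assessment Methodology values, and the code assumes the methodology does not floor the score at zero, so a long list of heavily weighted gaps produces a negative score.

```python
"""Worked SPRS-style scoring for a NIST SP 800-171 Basic (self) Assessment."""
from __future__ import annotations

from datetime import date, timedelta

PERFECT_SCORE = 110       # score when all 110 NIST SP 800-171 controls are implemented
POSTING_WINDOW_DAYS = 30  # contractors must post the score to SPRS within 30 days

# Constructed weight table for illustration only. The page says each control
# "is assigned a specific value" in the DoD Assessment Methodology but does not
# list the values, so these ids and weights are placeholders, not the real ones.
CONSTRUCTED_WEIGHTS: dict[str, int] = {f"CTRL-{i:03d}": 1 for i in range(1, 111)}
CONSTRUCTED_WEIGHTS.update({f"CTRL-{i:03d}": 5 for i in range(1, 11)})   # 10 heavily weighted
CONSTRUCTED_WEIGHTS.update({f"CTRL-{i:03d}": 3 for i in range(11, 21)})  # 10 medium weighted


def sprs_score(weights: dict[str, int], unimplemented: set[str]) -> int:
    """Return 110 minus the weight of every unimplemented control.

    Rejects a weight table that does not cover exactly 110 controls and any
    gap id that is not in scope, so a typo in the gap list cannot silently
    inflate the score.
    """
    if len(weights) != PERFECT_SCORE:
        raise ValueError(f"expected {PERFECT_SCORE} in-scope controls, got {len(weights)}")
    unknown = set(unimplemented) - weights.keys()
    if unknown:
        raise ValueError(f"gap ids not in scope: {sorted(unknown)}")
    # Assumption: the methodology does not floor the result at zero, so many
    # heavily weighted gaps can drive the score negative.
    return PERFECT_SCORE - sum(weights[c] for c in unimplemented)


def confidence_level(assessment_type: str) -> str:
    """Map the Interim Rule assessment type to the confidence level it yields."""
    levels = {"basic": "Low", "medium": "Medium", "high": "High"}
    key = assessment_type.strip().lower()
    if key not in levels:
        raise ValueError(f"unknown assessment type: {assessment_type!r}")
    return levels[key]


def posting_deadline(completed_on: str) -> str:
    """Last day (ISO date) to post the score to SPRS for an assessment completed on `completed_on`."""
    completed = date.fromisoformat(completed_on)
    return (completed + timedelta(days=POSTING_WINDOW_DAYS)).isoformat()


def assessment_record(weights: dict[str, int], unimplemented: set[str],
                      completed_on: str, assessment_type: str = "basic") -> dict:
    """Bundle what the page says gets posted: score, confidence level and posting deadline."""
    return {
        "score": sprs_score(weights, unimplemented),
        "confidence": confidence_level(assessment_type),
        "post_by": posting_deadline(completed_on),
        "open_gaps": sorted(unimplemented),
    }


if __name__ == "__main__":
    # Constructed scenario: three controls not yet implemented (weights 5 + 3 + 1).
    gaps = {"CTRL-001", "CTRL-011", "CTRL-050"}
    print(assessment_record(CONSTRUCTED_WEIGHTS, gaps, "2021-01-04"))
```

The in-scope check matters in practice: a gap list that references a control id outside the 110 is rejected rather than silently ignored, which is the failure mode that would otherwise overstate the posted score.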

CMMC RESOURCES

HOW AVERTIUM CAN HELP

Avertium, a CMMC Registered Provider Organization (RPO), is an expert in CMMC assessment, readiness and program creation. Avertium will get to know your organization, set a baseline maturity index, and work with you to tailor a path to compliance and security program improvement that fits the way you do business.