In the last decade, there has been an increase in the number and severity of cyberattacks. Contrary to what many would think, even large corporations and state agencies are susceptible to such threats. According to a report by the Center for Strategic & International Studies (CSIS), a think tank, there have been hundreds of attacks on U.S. state agencies, including the Department of Defense (DoD). Previously, contractors servicing the DoD were allowed to conduct self-certification and assessment. However, in light of the increasing threats, companies must now meet the Cybersecurity Maturity Model Certification (CMMC) requirements to bid on contracts.

As CMMC is gradually rolled out in the coming years, all 350,000+ DoD contractors will have to be accredited accordingly. Such accreditations can only be earned after passing audits issued by a Certified 3rd-Party Assessment Organization (C3PAO).

For DoD contractors, the biggest concern at this time is what exactly CMMC entails going forward and how costly it will be. Read on to learn everything you need to know about CMMC and how much it will cost your company.

What Is the Cybersecurity Maturity Model Certification?

The primary objective of the Department of Defense is to safeguard the security of the nation. In addition to carrying out its military mission, the department also collects a great deal of data. With over 300,000 companies servicing the DoD, many third parties handle sensitive data.

To prevent cybersecurity breaches, the DoD developed the Cybersecurity Maturity Model Certification. It’s a standardized method of implementing cybersecurity that all DoD contractors are required to comply with.

Before the introduction of CMMC, monitoring, implementing, and certifying the security of data held within systems, including sensitive DoD information, was the contractor’s responsibility. CMMC has altered this setup. It is still the contractor’s responsibility to implement the cybersecurity measures outlined by the CMMC. However, assessments and certifications can only be conducted by independent third-party organizations.

On January 31, 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) version 1.0. Along with the DoD, the new certification was also drafted with the support of Federally Funded Research and Development Centers and University Affiliated Research Centers.

As CMMC implementation was intended to occur over an extended period, the milestones and timeline are as follows.

  • January 2020: Requirements for CMMC levels 1–5 made public
  • January 2020: Assessments by third-party organizations on DoD contractors begin
  • June 2020: Requests for Information (RFIs), including CMMC requirements, begin
  • September 2020: CMMC requirements included in all DoD requests for proposals

As of September 2020, any contractor that wants to continue servicing the DoD must attain at least level 1 certification.

CMMC Framework

As outlined in the CMMC framework, there are five levels that demonstrate a company’s cybersecurity infrastructure maturity and reliability. The levels run from 1 to 5, with each building on the previous level’s requirements.

Before advancing to level 2, a company must satisfy the requirements of level 1 in full. Achieving a level 5 certification indicates that a company has met all the CMMC requirements.

Level 1: Implementing Basic Cybersecurity Practices

In level 1, the first phase of CMMC compliance, companies should put in place basic cybersecurity protocols to protect Federal Contract Information (FCI). Federal Contract Information includes data generated by the government that should not be released to the public.

Steps that should be taken at this level include using and regularly updating antivirus as well as changing employee passwords frequently.

Level 2: Documenting Cybersecurity Practices

After adopting basic cybersecurity measures, DoD contractors should implement additional cybersecurity practices. As per NIST Special Publication 800-171, published by the U.S. Department of Commerce’s National Institute of Standards and Technology, these protocols aim to protect Controlled Unclassified Information (CUI).

NIST 800-171 requires businesses to create and document policies that will aid employees in executing cybersecurity practices.

Level 3: Managing Cybersecurity Protocols

At level 3, it’s not just about having cybersecurity protocols but also ensuring that they are practiced accordingly. Contractors should have an institution-wide plan for managing and implementing protocols to safeguard CUI. Other requirements and standards to be followed include NIST 800-172 r2.

Information such as company cybersecurity goals and data on employee training can also be included in the cybersecurity management plan.

Level 4: Reviewing

To ensure the effectiveness of cybersecurity protocols is not compromised, companies should have a clear process for reviewing and measuring them. This includes putting in place measures to detect and address the evolving strategies used in advanced persistent threats (APTs).

APTs are threats that use significant resources, advanced expertise, and multiple attack vectors to breach systems.

Level 5: Optimizing Cybersecurity Protocols

At level 5, cybersecurity protocols must be implemented in all the networks and systems in the organization. Additional advanced measures to help detect and respond to APTs might also be required.

Which Companies Should Comply with CMMC?

Any contractor that actively bids on DoD contracts and plans on continuing must eventually have CMMC. This group includes players within the DoD supply chain, such as small businesses, foreign players, and commercial item contractors.

Though CMMC involves a lot of things, the key things to take away include:

  • Businesses advance gradually from level 1 as the levels build on each other.
  • Level requirements must be observed both in practice and process to gain certification.
  • Meeting level 5 requirements is not mandatory. However, stopping at a lower level may limit which projects you can bid on.

How to Proceed

To ensure you can continue bidding on DoD contracts, you must comply with CMMC requirements and attain at least level 1 certification. Here’s how to go about it to make the process smooth:

  1. Start Preparing Immediately

With over 300,000 DoD contractors in need of accreditation and limited third-party organizations, some companies may be delayed. Preparing early will afford you time to take necessary measures and allow you to gain certification early. Some of the steps you should take include:

  • Ensure that all the practices and procedures that comply with CMMC requirements are well documented
  • Implement additional cybersecurity protocols to gain higher certification levels

If you are a prime contractor, work with all the subcontractors within your supply chain to ensure they have the necessary protocols and measures to review compliance.

  2. Coordinate With Agencies

The certification requirements for various DoD contracts will differ. To ensure you qualify for your respective level, work with agencies to review RFIs and RFPs to ensure that the assessment only assesses elements crucial to your level.

  3. Work Toward Achieving Agility

There are numerous cyber threats that are continuously evolving. Attaining CMMC certification may allow you to bid on DoD contracts, but it does not mean your cybersecurity efforts are enough. According to the DoD, CMMC is the bare minimum for their contractors. To avoid being compromised with emerging threats, you must create a cybersecurity culture that’s proactive and agile.

How Much Will Certification Cost?

Along with how to attain certification, the biggest concern for DoD contractors is the cost that will come with compliance. In this regard, most companies will incur three types of costs.

  1. Soft Costs

Soft costs are the expenses you will incur as you prepare for the audit. They will depend on factors such as the size of your organization, the level of external support required, the maturity of your existing NIST SP 800-171 implementation, the level of CMMC you’re targeting, the number of offices, and the types of federal information you handle.

  2. Hard Costs for Preparing for CMMC Audit

In preparation for the audit, contractors could incur expenses in implementing standards that are not already in place. Those costs could be for consultants, additional employee resources, systems, or other software/hardware expenses. For companies that have been investing in cybersecurity in previous years, the costs incurred at this stage may not be significant.

  3. Hard Costs for the Audit

The final costs associated with attaining CMMC certification involve expenses for the audit. The process may involve questionnaires, testing, sampling rates, and artifacts to gather. Currently, assessment costs start at $2,500 per day plus expenses for the assessor.

CMMC Reimbursement

Attaining CMMC certification can be expensive and could present a significant obstacle, especially for small businesses. Appreciative of the need for heightened cybersecurity protocols across the board and the plight of such businesses, the DoD has offered to allow businesses to bill these costs as an allowable expense on their DoD contract.

This step is designed to act as a cushion from the expenses and an incentive to begin compliance as soon as possible.

The Cost of Non-Compliance

Unlike the cost of complying, the costs of non-compliance are easy to determine. The Defense Federal Acquisition Regulation Supplement (DFARS) and NIST standards are incorporated within the CMMC guidelines. Therefore, the penalties for failing to comply with those standards also apply under CMMC.

In addition to fines, the contract may be terminated if Controlled Unclassified Information is breached. Your business may also be restricted from bidding on DoD contracts in the future, as well as face criminal and civil litigation.

Other effects and penalties include:

  • Damaged reputation
  • Loss of federal funding

Are You Ready for the Cybersecurity Maturity Model Certification?

As a DoD supplier, complying with CMMC should be high on your list of priorities. Considering that the costs incurred will be reimbursable and that delays are likely as businesses scramble to get audited, it’s best to get started early.

Xodyak is an IT consulting and systems integration firm that helps DoD contractors achieve CMMC compliance. Reach out to us today to schedule a free consultation.