CMMC certification: How to get your organization certified
From September 2020, the Department of Defense (DoD) began to incorporate the requirement for Cybersecurity Maturity Model Certification (CMMC) compliance into its requests for information (RFI). Following on from this, a phased inclusion of CMMC in all DoD tenders is now ongoing to 2026, when all DoD vendors will be required to meet some level of CMMC compliance.
The result is that the more than 300,000 suppliers in the DoD’s Defense Industrial Base (DIB) will each be required to meet CMMC compliance to supply the DoD.
CMMC certification is the process that a DoD supplier must go through to meet those compliance obligations. This process is not self-certified. Instead, an Organization Seeking Certification (OSC) must use the skills of third-party accredited vendors chosen from a specialist portal, the CMMC-AB Marketplace, to achieve CMMC certification.
What is Cybersecurity Maturity Model Certification (CMMC)?
First, an understanding of what the Cybersecurity Maturity Model Certification (CMMC) consists of is fundamental in achieving compliance. The CMMC FAQ advises on the Cybersecurity Maturity Model Certification process and what it delivers. Notably, the types of information that require protection are:
Controlled Unclassified Information (CUI): “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls…” and,
Federal Contract Information (FCI): Information not intended for public release.
The CMMC consists of five increasingly mature levels of cybersecurity based on the principles contained within NIST’s cybersecurity maturity model. Each group outlines best practice cybersecurity, and each level is dependent on the previous level.
Level 1: performed, basic cyber hygiene
Level 2: documented, intermediate cyber hygiene
Level 3: managed, good cyber hygiene
Level 4: reviews, proactive
Level 5: optimizing, advanced/progressive
Who needs to be CMMC certified?
Any supplier that is part of the Defense Industrial Base (DIB) and bids on DoD tenders will be required to comply with at least one of the levels of maturity of the CMMC. Which level depends on the type of contracts you bid on. In terms of sub-contractors, the CMMC advice is that if the DoD contract requires CMMC compliance and your company does not solely produce COTS products, and you will need to obtain a CMMC certificate. The level is dependent on the type of data shared with the main contractor.
When do I need to get CMMC certified?
The DoD is phasing CMMC regulation across all contracts to Sept. 30, 2025, when the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in RFIs/RFPs.
The first CMMC pilot program inclusion in contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). In subsequent years, the Department will incorporate CMMC Levels 4 and 5 on a small number of contracts. By 2025, 475 prime acquisitions will contain CMMC requirements. As certification takes, on average, six months to go through, any organization wishing to bid on DoD tenders should begin to look at starting the process in advance of any expected bids.
How do I get CMMC certified?
An Organization Seeking Certification (OSC) must use Authorized or Accredited C3PAOs (CMMC 3rd Party Assessment Organization) found using the CMMC-AB Marketplace website. The C3PAO and other marketplace vendors, such as a Registered Provider Organization (RPO), will take the OSC through a process to final certification. The CMMC-AB suggests beginning the process by completing a self-assessment based on CMMC Assessment Guides before scheduling a CMMC assessment.
The process steps to CMMC certification at a chosen level typically cover:
- Identify the CMMC level required by your organization to bid on DoD contracts.
- Choose a professional CMMC-AB Marketplace vendor to guide your organization through the process and run a pre-assessment exercise. Typically an RPO can help carry this out. Any gaps found can be rectified before the formal assessment process.
- Find an accredited C3PAO using the CMMC-AB Marketplace.
- The C3PAO then takes your organization through an assessment process in line with the chosen CMMC maturity level requirements.
- The CMMC-AB reviews the assessment made by the C3PAO using a Quality Auditor.
- Your organization has 90 days to rectify any gaps found during the formal assessment.
- Once the assessment meets the criteria for the chosen CMMC level, the CMMC-AB will issue your organization a CMMC certificate of compliance. This certification lasts for three years
How much does CMMC certification cost?
CMMC assessment costs vary and depend upon:
- CMMC level
- The complexity of the OSC’s network
- CMMC-AB Marketplace vendor costs may change as market forces dictate
The DoD has stated that the cost of certification must be affordable by an SMB. However, the market forces will determine actual costs. The Department does point out that any costs associated with implementing CMMC compliance, along with the CMMC assessment, and the cost of engaging a C3PAO, are considered an “allowed cost.”
If your organization has already done work to comply with NIST 800-171, preparation contains many of the elements of CMMC and will reduce costs of CMMC compliance. Other OSCs who are less mature in their cybersecurity posture will likely require more third-party assistance, and, therefore, prices will increase.
Various cost estimations are available, but they often are along the lines of “how long is a piece of string.” The Department of Defense offered a rough estimate for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041. A post from ClearanceJobs stated that the DoD initially expected costs for CMMC certification to be in the thousands of dollars; however, some companies are reporting costs of around $250,000 to go through the entire 110 NIST 800-171 requirements mapping to CMMC level 3. Prices vary between estimations, and the likely costs will depend on the level and an existing security posture.
CMMC certification advantage
Having CMMC certification is not a nice to have, but a must-have for the 300,000+ DoD suppliers. Certification is only achievable by going through a process managed via third-party CMMC-AB Marketplace vendors. The costs associated with CMMC certification may seem onerous. Still, without the certificate, a DIB member will not bid on tenders once the phased rollout of CMMC compliance is complete in 2025. A study that investigated CMMC compliance readiness found that two-thirds of respondents expected that being able to demonstrate compliance with CMMC provided a competitive advantage.
Security Maturity Levels, NIST
Infosec, CMMC marketplace: Understanding C3PAOs, RPOs, LTPs and more [link to be added once on site]
The Cost of CMMC: Cybersecurity Isn’t Free or Cheap, ClearanceJobs
CMMC Preparation Study, Apptega
CMMC Ebook, Infosec
CMMC page, Infosec