CMMC

CMMC certification: How to get your organization certified

Today by Susan Morrow

From September 2020, the Department of Defense (DoD) began to incorporate the requirement for Cybersecurity Maturity Model Certification (CMMC) compliance into its requests for information (RFI). Following on from this, a phased inclusion of CMMC in all DoD tenders is now ongoing to 2026, when all DoD vendors will be required to meet some level of CMMC compliance.

The result is that the more than 300,000 suppliers in the DoD’s Defense Industrial Base (DIB) will each be required to meet CMMC compliance to supply the DoD.

CMMC certification is the process that a DoD supplier must go through to meet those compliance obligations. This process is not self-certified. Instead, an Organization Seeking Certification (OSC) must use the skills of third-party accredited vendors chosen from a specialist portal, the CMMC-AB Marketplace, to achieve CMMC certification.

What is Cybersecurity Maturity Model Certification (CMMC)?

First, an understanding of what the Cybersecurity Maturity Model Certification (CMMC) consists of is fundamental in achieving compliance. The CMMC FAQ advises on the Cybersecurity Maturity Model Certification process and what it delivers. Notably, the types of information that require protection are:

Controlled Unclassified Information (CUI):any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls…” and,

Federal Contract Information (FCI): Information not intended for public release.

The CMMC consists of five increasingly mature levels of cybersecurity based on the principles contained within NIST’s cybersecurity maturity model. Each group outlines best practice cybersecurity, and each level is dependent on the previous level.

Level 1: performed, basic cyber hygiene

Level 2: documented, intermediate cyber hygiene

Level 3: managed, good cyber hygiene

Level 4: reviews, proactive

Level 5: optimizing, advanced/progressive

Who needs to be CMMC certified?

Any supplier that is part of the Defense Industrial Base (DIB) and bids on DoD tenders will be required to comply with at least one of the levels of maturity of the CMMC. Which level depends on the type of contracts you bid on. In terms of sub-contractors, the CMMC advice is that if the DoD contract requires CMMC compliance and your company does not solely produce COTS products, and you will need to obtain a CMMC certificate. The level is dependent on the type of data shared with the main contractor.

When do I need to get CMMC certified?

The DoD is phasing CMMC regulation across all contracts to Sept. 30, 2025, when the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in RFIs/RFPs.

The first CMMC pilot program inclusion in contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). In subsequent years, the Department will incorporate CMMC Levels 4 and 5 on a small number of contracts. By 2025, 475 prime acquisitions will contain CMMC requirements. As certification takes, on average, six months to go through, any organization wishing to bid on DoD tenders should begin to look at starting the process in advance of any expected bids.

How do I get CMMC certified?

An Organization Seeking Certification (OSC) must use Authorized or Accredited C3PAOs (CMMC 3rd Party Assessment Organization) found using the CMMC-AB Marketplace website. The C3PAO and other marketplace vendors, such as a Registered Provider Organization (RPO), will take the OSC through a process to final certification. The CMMC-AB suggests beginning the process by completing a self-assessment based on CMMC Assessment Guides before scheduling a CMMC assessment.

The process steps to CMMC certification at a chosen level typically cover:

  1. Identify the CMMC level required by your organization to bid on DoD contracts.
  2. Choose a professional CMMC-AB Marketplace vendor to guide your organization through the process and run a pre-assessment exercise. Typically an RPO can help carry this out. Any gaps found can be rectified before the formal assessment process.
  3. Find an accredited C3PAO using the CMMC-AB Marketplace.
  4. The C3PAO then takes your organization through an assessment process in line with the chosen CMMC maturity level requirements.
  5. The CMMC-AB reviews the assessment made by the C3PAO using a Quality Auditor.
  6. Your organization has 90 days to rectify any gaps found during the formal assessment.
  7. Once the assessment meets the criteria for the chosen CMMC level, the CMMC-AB will issue your organization a CMMC certificate of compliance. This certification lasts for three years

How much does CMMC certification cost?

CMMC assessment costs vary and depend upon:

  • CMMC level
  • The complexity of the OSC’s network
  • CMMC-AB Marketplace vendor costs may change as market forces dictate

The DoD has stated that the cost of certification must be affordable by an SMB. However, the market forces will determine actual costs. The Department does point out that any costs associated with implementing CMMC compliance, along with the CMMC assessment, and the cost of engaging a C3PAO, are considered an “allowed cost.”

If your organization has already done work to comply with NIST 800-171, preparation contains many of the elements of CMMC and will reduce costs of CMMC compliance. Other OSCs who are less mature in their cybersecurity posture will likely require more third-party assistance, and, therefore, prices will increase.

Various cost estimations are available, but they often are along the lines of “how long is a piece of string.” The Department of Defense offered a rough estimate for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041. A post from ClearanceJobs stated that the DoD initially expected costs for CMMC certification to be in the thousands of dollars; however, some companies are reporting costs of around $250,000 to go through the entire 110 NIST 800-171 requirements mapping to CMMC level 3. Prices vary between estimations, and the likely costs will depend on the level and an existing security posture.

CMMC certification advantage

Having CMMC certification is not a nice to have, but a must-have for the 300,000+ DoD suppliers. Certification is only achievable by going through a process managed via third-party CMMC-AB Marketplace vendors. The costs associated with CMMC certification may seem onerous. Still, without the certificate, a DIB member will not bid on tenders once the phased rollout of CMMC compliance is complete in 2025. A study that investigated CMMC compliance readiness found that two-thirds of respondents expected that being able to demonstrate compliance with CMMC provided a competitive advantage.

 

Sources: 

Security Maturity Levels, NIST

FAQ, CMMC 

Infosec, CMMC marketplace: Understanding C3PAOs, RPOs, LTPs and more [link to be added once on site]

The Cost of CMMC: Cybersecurity Isn’t Free or Cheap, ClearanceJobs 

CMMC Preparation Study, Apptega 

CMMC-AB

CMMC Ebook, Infosec 

CMMC page, Infosec 

Posted: July 12, 2021
Articles Author
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.

Leave a Reply

Your email address will not be published. Required fields are marked *