7 Ways to Prepare Your Business for CMMC Now (+ Cost & Training Info)

In November of 2020, the U.S. Department of Defense (DoD) rolled out the interim rule for the cybersecurity maturity model certification (CMMC). This is a major rule change for businesses that work with the DoD and other government agencies—one that may change the way that they approach their cybersecurity processes and tools.

What is CMMC? Why was it created? What do you need to know about CMMC compliance and certification?

What Is the Cybersecurity Maturity Model Certification (or CMMC)?

CMMC, also known as Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041, is a new DoD-mandated standard for protecting controlled unclassified information (CUI) and federal contract information (FCI) that businesses working with the DoD need to meet.

According to a statement from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the “DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector.” Because of various foreign and domestic threats to the confidentiality of sensitive information, the DoD is increasing security to minimize the risk of intelligence leaks.

What You Need to Know About CMMC

So, what do you need to know about earning CMMC? If you’re like many other business owners, odds are that you want to know how much it costs, when you need to be done by, and what is involved in the certification process. Here are a few basic pieces of info:

CMMC Certification Cost

Unfortunately, there isn’t a “one size fits all” cost to certifying for CMMC. The Federal Register’s documents provide overall cost estimates for the CMMC requirements, broken out by what the public and the government are expected to pay (figures presented are in millions of dollars):

CMMC Requirements      | Public Costs | Government Costs | Total
-----------------------|--------------|------------------|-----------
Annualized Costs       | $6,525.0     | $8.9             | $6,553.9
Present Value Costs    | $93,213.6    | $127.3           | $93,340.9

The cost to individual businesses for meeting CMMC requirements can vary depending on a variety of factors, such as:

  • The size of the business;
  • The complexity of its internal systems;
  • What level of security it already has in place; and
  • What level of CMMC the business is trying to certify for.

Levels of CMMC

Under the cybersecurity maturity model certification, there are five distinct levels that a business can aim to achieve, labelled 1-5 in ascending order of difficulty and security.

Level 1 businesses are practicing “basic” cyber hygiene and might not have a consistent strategy for preventing cyberattacks and protecting sensitive information. Level 5 organizations have robust, well-documented procedures for detecting and dealing with a variety of cyber threats—including advanced persistent threats (APTs) that are traditionally difficult to counter.

CMMC Training

Under CMMC, there is a requirement domain called “Awareness and Training (AT).” Under this domain of the CMMC guidelines, organizations are required to conduct security awareness activities and provide training to ensure that “personnel are trained to carry out their assigned information security-related duties and responsibilities.”

Conducting cybersecurity awareness and training is a requirement for level 2 CMMC certification.

Some managed service providers and security service providers (MSPs and MSSPs) may offer CMMC training to help organizations learn how to meet CMMC requirements as well. While this can add to the cost of preparing the organization for CMMC, it can help save time and reduce the risk of failing to meet certification standards.

CMMC Deadline

According to Federal News Network, the DoD will start a staggered rollout of CMMC in spring 2021 and “By 2026, bidding on any DoD contract will require CMMC compliance.” The OUSD(A&S) publication notes that the rollout will focus on “candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout” starting with 15 programs in 2021 and going to 475 programs in 2025. This rollout “will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3).”

So, what does this mean? Your company might be required to start meeting CMMC requirements as early as this year, or it may be able to wait a few years before having to make the change.

However, it’s better to assume that you will need to meet CMMC standards sooner rather than later—and prepare accordingly. This is especially true if you regularly process or store CUI or FCI data when working on DoD contracts.

7 Ways to Get Your Business CMMC Ready

So, what can your business do to get CMMC ready as soon as possible? Here are a few things to help you improve your CMMC compliance quickly:

  • Identify the Level of Certification You Need. Not every government contractor needs to meet level 5 of CMMC. However, being only level 1 certified may lock you out of lucrative contracts. So, it’s important to carefully consider which level of CMMC you need to meet to earn contracts while keeping compliance costs down as much as possible. For many organizations, level 3 certification might be the best option.
  • Conduct a Gap Analysis. After identifying the level of CMMC required, run a gap analysis to determine where your existing cybersecurity processes and tools fall short of your goal. This helps put a laser focus on the things you need to achieve CMMC without wasting time and money.
  • Document EVERYTHING. Documentation is key for higher levels of certification. Being able to show a certified third-party assessment organization (C3PAO) documents detailing what security controls are in place, training programs and results, and incident response plans (IRPs) can be crucial for demonstrating higher levels of cybersecurity maturity.
  • Schedule an Assessment. Contacting the CMMC accreditation body (CMMC-AB) and scheduling an assessment with a C3PAO is an important step in the certification process. This assessment is how your organization can earn a CMMC certificate that can be used with the DoD.
  • Make Changes to Resolve Issues. During their assessment, a C3PAO may identify some issues that are holding your organization back from your desired certification level. When you receive this information, you’ll have 90 days to make any required changes before your assessment is finalized.
  • Plan to Increase Security Controls in the Future. While CMMC is still in its early stages, there may be significant changes to the requirements for different certification levels in the near future. So, it’s important to have plans in place to increase security to go above and beyond the current minimum requirements. Doing so can help future-proof your CMMC compliance so future certifications can be completed more easily.
  • Work with an MSSP to Enhance Cybersecurity. Having dedicated expert help can make a world of difference for your company's cybersecurity. An experienced managed security service provider (MSSP) can help your company prepare for CMMC compliance and point out any major issues that need to be fixed before you reach out to a C3PAO to conduct an assessment.

CMMC certification will not be a “one and done” process. The OUSD(A&S) will require organizations to periodically re-certify their cybersecurity maturity levels to verify that they can adequately protect CUI and FCI data.

Additionally, a security breach that results in data loss or leaks may cause the DoD to reassess a contractor’s certification. As noted by the OUSD(A&S): “A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.” In other words, the DoD recognizes that no defense is perfect, so a breach isn’t grounds for revoking a CMMC certification on its own. However, the DoD may reassess and reduce the affected organization’s certification level.

To avoid this, it’s important to be proactive about cybersecurity and make updates to your cybersecurity tools, policies, and procedures before a breach happens. If you can demonstrate due diligence, it will be for the better if a breach does occur—plus, being proactive can help prevent such breaches from happening in the first place.

Need help with your CMMC certification? Reach out to Systems X today to get started!
