Every year, cybercriminals and hackers wage digital warfare to gain access to some of our most sensitive personal information. In 2023, there was a 72% increase in data breaches compared to 2021, with the average cost exceeding $4.45 million. While these numbers are striking, they don’t account for the potential exposure of personal and sensitive information – or the leaking of classified government documents.
To address cybersecurity threats within the government sector, the Department of Defense (DoD) regularly increases the security protocols for contractors with access to sensitive government data. Contractors who work with the Defense Industrial Base (DIB) and anyone who receives, shares, sends, or processes Controlled Unclassified Information (CUI) must demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC).
While CMMC compliance was first introduced in 2020, several updates have since occurred. This practical guide aims to provide defense contractors with a comprehensive understanding of the current CMMC compliance landscape in 2024, including its requirements, levels, costs, and steps to achieve certification.
CMMC aims to assure the government that contractors and subcontractors meet the cybersecurity requirements for processing, storing, and handling CUI. CMMC requirements are robust, spanning three maturity levels, each introducing a more sophisticated set of cybersecurity practices. Contractors must meet the required standards both to handle sensitive information and to hold contracts with the DoD.
CMMC certification is a formal process in which an organization that works on specific government projects and handles sensitive data must prove that it can adhere to the cybersecurity practices outlined in the CMMC framework.
Defense contractors who wish to bid on or participate in DoD contracts must obtain CMMC certification. This requirement applies to all defense contractors, from small businesses to large enterprises, and anyone handling Federal Contract Information (FCI) or CUI. It also applies to organizations impacted by flow-down requirements. This means that if your organization receives contracts or subcontracts from a prime contractor, the security requirements outlined in those agreements must “flow down” to your organization, making you responsible for ensuring the same level of compliance.
When CMMC was first introduced, it included five levels of security, each with specific cybersecurity practices and processes. These levels represented a progression in an organization’s maturity in cybersecurity practices.
However, with the latest update of CMMC (CMMC 2.0), the previous five levels of security requirements have been consolidated into three levels. These revisions were made to streamline and simplify compliance with CMMC and to align it more closely with the standards laid out in NIST 800-171.
As of the latest updates, the CMMC 2.0 framework includes the following levels:
Level 1 focuses on basic safeguarding requirements and involves implementing fundamental cybersecurity practices. It requires an annual self-assessment and an annual affirmation. It is a “foundational” level, where organizations must implement 17 practices, including access control and physical security measures. This level was designed to establish a baseline for cybersecurity; contractors certified at Level 1 are authorized to handle FCI, which suits those who deal with less sensitive information.
Level 2 represents an intermediate level of cybersecurity maturity. It includes all 17 of the required practices from Level 1, with the additional expectation to implement all 110 security controls listed in NIST SP 800-171. At this level, organizations must implement more advanced controls, including incident response and risk management practices. These contractors must also undergo triennial assessments by a Certified Third-Party Assessment Organization (C3PAO).
Level 3 is the highest level of CMMC certification and involves an in-depth set of cybersecurity practices to protect sensitive information. Organizations must comply with Level 1 and 2 practices, including the expectations listed in both NIST SP 800-171 and NIST SP 800-172. Level 3 requires advanced measures such as continuous monitoring, advanced threat detection, and multi-year government-led assessments.
CMMC 2.0, introduced as an update to the original CMMC framework, brings several changes and improvements. The key differences include:
See this blog for more information on the differences between CMMC 2.0 and CMMC 1.0.
Generally, contractors should expect preparation for CMMC certification to take 9-12 months. This timeline will vary based on several factors, mainly the organization’s current cybersecurity standing and the level of certification sought. Working with a Registered Provider Organization (RPO) with extensive experience helping clients in the DIB will help the process move faster. The other primary variable is the scheduling of an assessment with a C3PAO. As of August 2024, there are just 54 assessors that must assess ~80,000 contractors at Level 2.
Companies that want to achieve certification face a lengthy and costly process. The cost often stems from businesses needing to rebuild their systems to meet CMMC standards. While there isn’t a set expense amount, companies can expect to pay consulting fees, cybersecurity implementation costs, and fees for third-party assessments.
Failure to achieve CMMC compliance can have significant consequences, including:
CMMC and NIST 800-171 are related but distinct frameworks. The main difference between these two is that the CMMC is a certification program, and NIST 800-171 is a set of guidelines. CMMC uses NIST 800-171 practices, expands on the requirements, and introduces a certification process to verify compliance. Essentially, NIST 800-171 serves as a baseline while CMMC adds a layer of assurance through third-party assessments.
CMMC is not intended to replace NIST standards but rather to complement them. CMMC incorporates NIST 800-171 elements and other standards to create a cybersecurity framework. Both aim to boost cybersecurity measures, and each has its unique requirements.
Under CMMC 2.0, businesses are allowed to self-assess only at Level 1 and in some cases at Level 2. Depending on the type of information an organization is working with, some companies will need a Certified Third-Party Assessment Organization (C3PAO) assessment at Level 2, and Level 3 requires a government-led assessment.
A C3PAO is responsible for conducting official assessments of an organization’s cybersecurity practices to determine compliance with CMMC requirements. A C3PAO is trained and certified by the CyberAB (formerly the CMMC-AB) to perform and deliver CMMC assessments. The CyberAB has an exclusive contract with the DoD and is authorized to serve as the sole CMMC licensing and certification provider for C3PAOs.
Any company in the DIB supply chain that handles FCI or CUI – including both contractors and subcontractors – will need to achieve a CMMC certification level to be eligible for DoD contracts. CMMC requirements are slated to begin appearing in new DoD contracts and potentially in modifications to existing contracts starting in late Q1 or early Q2 of 2025.
While CMMC was initially developed for the DoD, its principles and practices may extend to other federal agencies and sectors in the future. For now, compliance is only mandatory for organizations working with the DoD.
To achieve CMMC compliance, organizations should:
Achieving CMMC compliance is a necessary safeguard for government contractors working with sensitive information. The CMMC framework, with its clearly defined levels and comprehensive guidelines, provides a structured way for defense contractors to enhance their cybersecurity posture.
However, navigating CMMC compliance will be much smoother with the help of experts like ISI. ISI will ensure that your organization is well-prepared to navigate the complexities of the CMMC certification process, securing your place in the defense contracting community. Contact us today to learn more about how ISI can help support your business’s compliance journey.