A Federal Contractor’s Guide
to CMMC 2.0

(Comprehensive and Updated)

Executive Summary

Welcome to our most comprehensive and updated guide on Cybersecurity Maturity Model Certification (CMMC) 2.0!

The CMMC is a program spearheaded by the U.S. Department of Defense (DoD) aimed at safeguarding Controlled Unclassified Information (CUI) by ensuring that organizations have the necessary cybersecurity measures in place to prevent unauthorized access, usage, or dissemination of sensitive data.

The latest iteration, CMMC 2.0, introduces a tiered system spanning Level 1 (Basic Cybersecurity Hygiene) to Level 3 (Advanced/Progressive), helping organizations categorize and manage cybersecurity in a way that aligns with their risk management strategies and business needs.

As we navigate through a landscape where cyber threats are constantly evolving and getting sophisticated, being CMMC compliant not only stands central to securing an organization’s assets and data but is also pivotal in fostering credibility and gaining a competitive edge in the marketplace.

In July 2023, the Department of Defense (DoD) formally presented the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA), an agency overseen by the Office of Management and Budget (OMB). This submission initiated a systematic regulatory review process, laying the groundwork for the rule's official implementation.

On December 26, 2023, the Department of Defense published the Proposed CMMC Rule. The Proposed Rule represents a pivotal step in the cybersecurity of the Defense Industrial Base (DIB). With the Proposed CMMC Rule, DoD has made significant changes that will have long-term impacts on how CMMC 2.0 requirements are implemented in the DIB supply chain.

What does this mean for organizations in the defense sector? With the CMMC Proposed Rule, the DoD has set the clock in motion. There has already been a significant uptick in CMMC requirements in solicitations since last year. The comment period on the Proposed Rule closed on February 26, 2024, so CMMC can now be published as a final rule anytime between now and Q1 2025. Owing to this, CMMC requirements in solicitations will expand exponentially over the next few years.

Businesses, especially small enterprises, are encouraged to gear up for this change by understanding the CMMC level pertinent to them and initiating the necessary steps toward certification rather than waiting. It is vital to undertake this journey with foresight, factoring in the time, which can range anywhere from a few months to a couple of years depending on various dynamics, such as the complexity of your organization and the level of certification you are targeting.

Get ready to achieve CMMC compliance with ease! Download this CMMC guide as a PDF now and stay ahead in the game.

As the final rule is anticipated to take effect anytime between now and Q1 2025, with a phased rollout spanning three years, starting your preparations now will ensure a smooth transition, helping you uphold the integrity of sensitive information while reaping the manifold benefits of CMMC compliance.

This guide will delve into these topics and more to provide you with a comprehensive understanding of CMMC 2.0 and the importance of achieving compliance.

Engaging with professional CMMC consulting firms can aid in delineating a path that is in alignment with your budget and needs, helping you to navigate the complexities with ease.

Outlook of CMMC Rulemaking

The publication of CMMC as a Proposed Rule in December 2023 leads to a phased CMMC implementation. Industry insiders are closely watching NIST, which has moved ahead with SP 800-171 Revision 3. SP 800-171 Rev 3 is set to raise cybersecurity controls further.

This revision, anticipated to materialize between Q1 and Q2 of F.Y. 2024, may provoke the DoD to grant a "class deviation." DoD’s class deviation provides DoD contracting officers (COs) a way to mitigate delays prospective offerors would experience when transitioning from NIST 800-171 Rev 2 to Rev 3.

In the context of regulatory and compliance environments, "class deviation" refers to a temporary alteration or adjustment to a policy, standard, or regulation that applies to a specific group or "class" of entities, effectively extending the compliance deadline to synchronize with CMMC's potential F.Y. 2025 implementation.

Given the active developments, firms are advised to advance their compliance with the existing NIST SP 800-171 standards so they can transition into the CMMC requirements smoothly. Initiating this now is prudent, considering the considerable time (typically a few months to 2 years) required to become assessment-ready.

Federal Contract Information (FCI): Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.
Controlled Unclassified Information (CUI): Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
CMMC Evolution Timeline

Exhibit 1: CMMC Rulemaking Timeline

Exhibit 2: The Federal Rulemaking Definition

The enforcement of CMMC by the Government showcases alignment with enhancing cybersecurity maturity in the defense supply chain ecosystem, reflecting a shift in national cybersecurity strategy.

In 2022, DoD released a memorandum that stated:
The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" in effect at the time the solicitation is issued or as authorized by the contracting officer.

CMMC And NIST SP 800-171 Comparison

Exhibit 3: CMMC vs. NIST SP 800-171 Comparison

Cybersecurity Maturity Model Certification 2.0 Framework

CMMC compliance aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The framework draws on processes and inputs from other cybersecurity standards such as NIST SP 800-53, ISO 27001, U.K. Cyber Essentials, and the Australian Cyber Security Centre Essential Eight Maturity Model. The program is designed to help federal contractors improve their cybersecurity posture through a standardized maturity model.

CMMC, created to defend the defense industrial base (DIB) from increasingly frequent and sophisticated cyberattacks, specifically intends to improve the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transferred within the DIB.

As threats change, CMMC 2.0 expands on the original CMMC 1.0 framework to dynamically improve DIB cybersecurity. The CMMC framework ensures accountability, safeguards critical unclassified information shared by the DoD, and reduces obstacles to compliance with DoD regulations. Three levels based on well-recognized NIST cybersecurity standards have replaced the five cybersecurity compliance levels in CMMC 1.0.

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements.

Key Changes to CMMC 2.0

Exhibit 4: CMMC 2.0 Streamlined Framework

The CMMC 2.0 Model as per the Proposed Rule

Following is the outline of the CMMC 2.0 Model as published in December 2023:

  1. Level 1 (Performed: 15 practices). CMMC Level 1 emphasizes safeguarding Federal Contract Information through compliance with the 15 essential cybersecurity practices from FAR clause 52.204-21, aimed at preventing unauthorized access to FCI. Annual self-assessment by contractors ensures adherence to these security protocols. The Department of Defense prohibits Plans of Action & Milestones (POA&Ms) at this level, requiring contractors to validate their compliance directly in the Supplier Performance Risk System (SPRS) to affirm their ongoing commitment to FCI protection.
  2. Level 2 (Managed: 110 practices). CMMC Level 2 focuses on the advanced protection of Controlled Unclassified Information (CUI) and aligns with NIST SP 800-171 Rev 2, integrating 110 security standards. A scoring system assesses compliance levels. Contractors handle self-assessments or undergo third-party evaluations by C3PAOs, depending on the sensitivity of the CUI, as dictated by the DoD. Compliance levels are reported in the Supplier Performance Risk System (SPRS), reflecting the implementation of the required security measures.
  3. Level 3 (Optimizing: 110+ practices). CMMC Level 3 mandates advanced cybersecurity for highly sensitive contracts, adhering to NIST SP 800-171 Rev 2 and integrating 24 extra controls from NIST SP 800-172. It targets a select segment of the Defense Industrial Base, countering advanced persistent threats (APTs). This level necessitates stringent evaluation by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), ensuring compliance with enhanced security measures and addressing sophisticated cyber threats.
CMMC 2.0 Levels and Practices

Exhibit 5: CMMC 2.0 Assessment Requirements

Phased Implementation of CMMC 2.0

The Department of Defense (DoD) is systematically integrating the Cybersecurity Maturity Model Certification (CMMC) into defense contracts over four phases. This phased implementation facilitates defense contractors and subcontractors in transitioning to enhanced cybersecurity standards, ensuring gradual compliance with specific timelines and objectives.

  1. Phase 1, Initial Rollout (0-6 Months): Following finalization of DFARS 252.204-7021, this phase focuses on embedding basic CMMC requirements into DoD contracts, primarily targeting Level 1 or Level 2 Self-Assessments for FCI handling.
  2. Phase 2, Requirement Expansion (6-18 Months): Enhances security by incorporating Level 2 Certification Assessments in contracts involving CUI, aiming to fortify protection against cyber threats.
  3. Phase 3, Scope Extension (18-30 Months): Mandates CMMC Level 3 Certification Assessments across all pertinent DoD contracts, emphasizing advanced cybersecurity measures for handling sensitive data.
  4. Phase 4, Complete Implementation (30+ Months): Marks the comprehensive application of CMMC across all DoD contracts, mandating full compliance with designated CMMC levels for every contractor.
  5. Timeline: These phases span over three years, aiming for the complete integration of CMMC requirements in DoD contracts by October 1, 2026.

How does the CMMC Proposed Rule impact Defense Contractors and Subcontractors?

The CMMC Proposed Rule introduces significant changes for defense contractors and subcontractors, mandating enhanced cybersecurity practices across various contracts and levels, including those involving cloud and external service providers. This regulation impacts how defense-related information is managed and protected.

  1. Contract and Subcontract Impacts: Affects all contracts/subcontracts dealing with CUI or FCI on contractor systems, excluding those under $10,000 and COTS item contracts.
  2. CMMC Level Determination: The rule directly ties the required CMMC level to the contract's nature and the sensitivity of the information processed.
  3. Subcontractor Compliance: Subcontractors in the supply chain must adhere to CMMC requirements, with levels corresponding to the information type they manage.
  4. Waiver Provision: DoD Program Managers can request CMMC requirement waivers under specific conditions, although the waiver process lacks complete clarity.
  5. Cloud and External Service Providers: The rule applies to CSPs and ESPs, requiring CSPs to meet FedRAMP Moderate for baseline security and ESPs to comply with the CMMC level of the contractor they support.
  6. Cloud Products and Services Compliance: These must conform to FedRAMP Moderate Baseline security standards to align with CMMC Level 2, integrating additional cybersecurity criteria.

Why is CMMC compliance important?

The significance of CMMC connects back to the United States' national security. The Defense Industrial Base (DIB) is a global industrial complex that supports vital services and goods, such as the design, manufacture, delivery, and maintenance of military weapons systems, to satisfy the needs of the U.S. military.

The DIB supply chain comprises more than 300,000 businesses that work for the DoD under contract. Defense contractors must have their cybersecurity status inspected and confirmed by an impartial third party before signing a contract with the DoD. In addition to the complexity of what is at risk, studies show that the global cost of cybercrime is around $945 billion, which is more than 1% of the worldwide GDP. The Department of Defense is putting in maximum effort to reduce the costs and risks through CMMC.

Below are the reasons for complying with CMMC:

  1. CMMC compliance ensures the protection of sensitive information (FCI/CUI): CMMC compliance is significant because highly sensitive national information is at risk. The Government requires contractors to follow set standards and regulations to strengthen the information's security. Specifically, if a company handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), the company must be CMMC compliant to protect that information. CMMC ensures that companies working with the Department of Defense meet security protocols and standards.
  2. CMMC compliance will soon be a requirement for DoD contractors: With the publication of the CMMC Proposed Rule, CMMC compliance is guaranteed to become a requirement for DoD contractors to bid on Contracts. The DIB Contractors will not be able to bid on DoD Contracts if they fail to comply with the appropriate CMMC Level, meaning the companies who are CMMC compliant will have a competitive advantage.
  3. Enforcement of DFARS 252.204-7012: To enforce DFARS 252.204-7012, the Department of Justice has launched a robust Civil Cyber-Fraud Initiative to hold contractors accountable for their cybersecurity, and it is encouraging whistleblowers to come forward under the False Claims Act. This increases scrutiny, resulting in added pressure on defense contractors to comply with CMMC. Also, the published rule proposes a separate rulemaking (DFARS 2019-D041) that will address the CMMC contractual processes for assessing contractors' implementation of the cybersecurity requirements.
  4. To avoid penalties under The False Claim Act: Contractors who make false statements or representations about their compliance with CMMC standards in order to obtain or retain a contract with the DoD could be subject to civil penalties, fines, and exclusion from future government contracts.
  5. Achieving CMMC compliance provides many benefits to federal contractors: Achieving CMMC compliance can offer many benefits to organizations, including increased credibility and competitiveness in the market, improved cybersecurity posture, and protection of sensitive information. Therefore, it is essential for organizations that handle CUI to comply with CMMC.

Who does CMMC apply to?

CMMC is a requirement for all companies who want to work as a contractor/subcontractor within the Defense Industrial Base supply chain.

Also, the proposed rule mandates that subcontractors throughout the supply chain comply with CMMC. The specific CMMC Level required for a subcontractor will align with the type of information they handle, which may differ from the prime contractor.

Exhibit 6: DoD Supply Chain

Hence, everyone involved in the defense contract supply chain, including contractors who work directly with the DoD and subcontractors who work with primes or other DoD Subcontractors to carry out or complete contracts, must abide by the CMMC.

In light of the unfolding developments in the Cybersecurity Maturity Model Certification (CMMC) landscape, the defense contracting sphere is entering a pivotal period where stringent adherence to the newly emphasized standards is not just recommended but becoming mandatory.

Exhibit 7: Prime Contractors' Responsibilities

Prime contractors find themselves with heightened responsibilities as the Department of Defense (DoD) elevates its security requisites, impacting both the prime and their subcontractors significantly. Here is a detailed breakdown of the responsibilities and the anticipated shifts in the CMMC paradigm.

Exhibit 8: Subcontractors' Responsibilities

The CMMC Ecosystem

The CMMC Ecosystem has several stakeholders. Some of the most important are shown in the image below:


Exhibit 9: The CMMC Ecosystem

  1. OSA: Organization Seeking Assessment is any organization seeking Self-Assessment at Level 1 or Level 2.
  2. OSC: Organization Seeking Certification is any organization seeking CMMC Level 1 to Level 3 certification.
  3. RP/RPA: Registered Practitioners and Registered Practitioners Advanced, accredited by the Cyber-AB, are implementers and IT solution architects that provide consultative preparation services to OSCs and work either as independent contractors or as members of a Registered Practitioner Organization (RPO).
  4. CCP/CCA: Certified CMMC Professionals (CCP for Level 1) and Certified CMMC Assessors (CCA for Level 2) are individuals who have received training from a Licensed Training Provider (LTP) and are required to take and pass the certification exams. On passing the certification exam(s), they become certified assessors. They typically work for a C3PAO or can be independent.
  5. RPO: CMMC RPOs provide pre-assessment consulting and remediation services to OSCs and assist them during assessments. They deliver advisory and consulting services through RPs and RPAs. They are consultative organizations or MSPs and do not conduct Certified CMMC Assessments.
  6. C3PAO: A CMMC Third-Party Assessment Organization (C3PAO) conducts assessments of OSCs by employing CCPs and CCAs based on their training and adherence to CMMC standards.
  7. DIBCAC: DIBCAC is a federal agency that leads the Department of Defense's (DoD) contractor cybersecurity risk mitigation efforts. DIBCAC assesses DoD contractors' compliance with the Defense Federal Acquisition Regulation Supplement (DFARS), the NIST SP 800-171 requirements, and other clauses.
  8. DCISE: The Defense Industrial Base Collaborative Information Sharing Environment (DCISE) is the operational hub of the Defense Industrial Base (DIB) Cybersecurity Program of the Department of Defense, focused on protecting intellectual property and safeguarding DoD content residing on or transiting through contractor unclassified networks. The public-private cybersecurity partnership provides a collaborative environment for crowd-sourced threat sharing at unclassified and classified levels. Cyber incidents outlined in the DFARS are submitted by OSCs to DC3/DCISE as mandatory reports; all other cyber activity can be reported voluntarily. DCISE:
    • Is rated at the "Defined" level (Maturity Level 3) for Capability Maturity Model Integration for Services (CMMI-SVC) and oversees a collaborative partnership with over 1,003 CDCs and U.S. Government (USG) agencies. It has shared over 589,006 (and counting) actionable, non-submitting-source-attributable indicators.
    • Provides no-cost forensics and malware analysis for DIB partners.
    • Disseminates cyber threat reports for both DIB and USG consumption (DIB partners access DCISE reporting via their DIBNET accounts, and USG members can access it via SIPRNet Intelshare).
    • Operates a 24/7/365 support hotline (1-877-838-2174) to assist submitters and DIB and USG partners.

Attack Surfaces in the Defense Supply Chain

In the defense industry, understanding and mitigating potential attack surfaces is imperative. As a Defense Contractor, being aware of these areas is vital:

Exhibit 10: Attack Surfaces in the Defense Supply Chain

The Road Ahead: Timeline and Expectations

While the official implementation of the new rule is anticipated to be either in mid to late 2024 or even early 2025, there is an undercurrent of urgency resonating in the sector, propagated mainly by the prime contractors. Besides that, a significant wave of conformity assessment requests is expected to flood C3PAOs, given the limited number of authorized bodies and qualified assessors to conduct the assessments. Defense contractors should remain cautious amidst the growing hype, steering clear of misinformation and focusing on achieving compliance in a structured manner.

As the defense industrial base braces for the imminent CMMC tidal wave, it is incumbent upon businesses at every tier of the supply chain to foster a culture of readiness and vigilance. It is a critical juncture where preparation and early adoption of the CMMC norms can potentially separate the leaders from the laggards in securing DoD contracts in the future. Thus, it is more prudent than ever for organizations to kickstart their journey toward CMMC certification, beginning with a robust NIST SP 800-171 implementation.

CMMC: From Readiness to Certification

What CMMC level do I need?

According to DoD, there are approximately 300,000 organizations that would require CMMC. There are about 80,000 organizations that require CMMC Level 2 and Level 3, and the rest require CMMC Level 1 compliance.

Most businesses will need certification at one of the three levels to qualify for government contracts. The Department of Defense is working with the CMMC Accreditation Body (Cyber-AB) to enforce the process, ensuring its validity and certifying independent third-party assessment organizations (C3PAOs).

The level necessary depends on whether the company is dealing with CUI or FCI. FCI would require the company to complete Level 1, and dealing with CUI would require the company to have achieved Level 2.

Download our free whitepaper that discusses Controlled Unclassified Information (CUI) and how best to protect it.

When will CMMC requirements start appearing in solicitations?

NIST SP 800-171 requirements have already started appearing in solicitations. Because CMMC compliance is a long journey, DoD currently still allows companies to bid on contracts while they work toward it.

However, in the future, the Government will only allow companies to bid on the contract if they are CMMC-certified.

In anticipation of the final CMMC rule, DIBCAC, the DoD's ultimate authority on compliance, has increased its audit staff size in response to the pressing need to improve security in the Defense Industrial Base.

How long does it take to get CMMC certified?

Since CMMC Compliance is a long process, the earlier the company begins, the greater advantage it will have before it becomes law. Obtaining CMMC certification is a comprehensive process that hinges on the following:

Based on our NIST 800-171 and CMMC compliance preparatory services, below is a general timeframe to become assessment-ready that OSCs need to be aware of:

CMMC 2.0 Compliance Timeline

Exhibit 11: CMMC Assessment Readiness Timeline

The following provides a general breakdown of the different stages and their anticipated timelines:

Exhibit 12: CMMC Compliance Stages and Timelines

These timelines are estimations and can vary depending on individual circumstances. Considering the lengthy nature of this process, it is recommended to initiate preparations as soon as possible and stay updated with the latest guidance from the DoD and the Cyber-AB.

Leveraging the impending enforcement of CMMC, organizations must urgently engage in this process not only to comply with regulatory norms but also to enhance their chances of securing contracts and fostering robust cybersecurity grounded in NIST SP 800-171 and CMMC protocols.

The endeavor will address the critically low implementation rates of NIST SP 800-171, positioning companies more favorably in the competitive landscape once CMMC compliance becomes a legal requirement.

What does the journey to CMMC certification look like?

The journey to CMMC certification is a long one. The company usually begins by identifying where to start and what level they want to achieve. Your company can begin the journey to CMMC certification by familiarizing itself with the CMMC 2.0 framework. It is important to have background knowledge and know all things CMMC to understand the journey's significance.

Exhibit 13: CMMC Compliance Journey

Here is what the journey to CMMC Compliance looks like:

Ask an Expert
  • Identifying external partners dedicated to making your company CMMC-certified is important to accelerate your company's process. Registered Provider Organizations (RPOs) can help guide you throughout your journey, saving time and cost.
Create a CMMC Team
  • In your organization, forming a team of resourceful experts focused on advancing CMMC progress is vital. These team members should be well-informed and committed to aiding your company in successfully obtaining CMMC certification.
Identify the Level
  • When beginning the CMMC journey, you must identify which CMMC level your company wants to achieve. This depends on which contracts and projects your company wants to work on now and in the future.
Scope the Environment
  • Once the level is clarified, your organization must scope your compliance boundary. This means there needs to be an in-depth investigation of who deals with CUI or FCI, which devices process it, and what organizational actions are related to it.
Gap Analysis and Remediation
  • Your company should conduct a gap analysis to discern its current state and pinpoint existing gaps. If you are already NIST compliant, your status is advantageous. Following the analysis, remediation will address and resolve identified issues.
Get Certified!
  • Level 1 companies perform self-assessment and attestation. Level 2 companies require C3PAO assessment, while Level 3 companies require DIBCAC assessment to get CMMC Certification.

What are the challenges faced by small businesses to comply with CMMC?

Small businesses, including those classified as Organization Seeking Certification (OSC) in the defense industrial base, often find themselves grappling with numerous challenges when navigating the path to CMMC compliance.

Challenges faced by Small Business to comply with Cybersecurity Maturity Model Certification

Exhibit 14: Challenges faced by small businesses to comply with CMMC

  1. Limited resources
    Small and medium-sized businesses (SMBs) and OSCs can find the requirement of significant resources for achieving CMMC compliance a major hurdle largely because the standards of CMMC are grounded in the NIST SP 800-171, which itself is resource-intensive. Such entities often have limited financial provisions, workforce, and technology to comply with these stringent standards fully.
  2. Impending CMMC Final Rule
    With the 60-day comment period on the CMMC Proposed Rule now closed, waiting for the final rule is one of the leading reasons smaller DIB companies stall before embarking on the CMMC journey. Delaying CMMC compliance can have detrimental effects on contractors, as it may result in lost opportunities.
  3. Lack of expertise
    Understanding and adhering to the detailed CMMC requirements can be an uphill task due to the limited knowledge and experience in cybersecurity harbored by small enterprises and OSCs. The complexities involved in the foundational standards, including NIST SP 800-171, necessitate deep expertise that these entities often lack.
  4. Limited access to information
    While it is fair to say that CMMC disproportionately affects smaller OSCs, the cause is not necessarily the CMMC requirements themselves. Small enterprises may instead struggle to obtain detailed information about the standards and the steps needed to reach compliance, which makes the certification journey an arduous one.
  5. Limited access to vendors
    A limited pool of credible and approved CMMC readiness vendors or individuals to support businesses on their compliance journey is another significant challenge. The journey toward CMMC certification demands guidance and assistance from seasoned vendors, which is often out of reach for these businesses. Since the CMMC Proposed Rule, the number of compliance vendors has increased, so the question defense contractors need to ask is whether a given vendor is really qualified and has the deep understanding needed to make the compliance journey smooth and successful.
  6. Limited budget
    Financial constraints often limit small businesses' budgets for CMMC compliance. Meeting the stringent CMMC standards usually requires investments beyond OSCs' reach, exacerbating the uneven impact of CMMC on these entities. An enclave approach to CMMC compliance can expedite the contractor's compliance journey and save costs.
  7. Increased Demand for CMMC Compliance
    The CMMC Proposed Rule has increased the number of contractors looking to become CMMC compliant. More companies requiring CMMC compliance will flood the CMMC compliance chain, resulting in increased cost and pressure on the quality of implementation.

Take control of CMMC compliance! Limited budget? No problem. Contact us to learn about our cost-effective CMMC Enclave Solutions.

How much does CMMC Compliance Cost?

The CMMC assessment costs will depend upon several factors, including which CMMC level your company is achieving and the complexity of the DIB company's unclassified network for the certification boundary.

CMMC assessment expenses are predicted to be lower compared to CMMC 1.0 because the Department of Defense has intended to centralize the requirements at all levels instead of unique practices/processes, allowing organizations achieving Level 1 and some Level 2 programs to proceed with self-assessments instead of third-party assessments and strengthen the third-party evaluations.

DoD will release a new cost estimate associated with the CMMC 2.0 program, which will be published on the Federal Register as part of the rulemaking process. It is essential to note that the costs for implementing cybersecurity controls arise from the requirement to comply with and safeguard information, defined in FAR 52.204-21 and DFARS 252.204-7012.

Cost of CMMC Compliance Certification

Exhibit 16: Sample CMMC Cost Estimate

Here are the cost considerations to keep in mind for CMMC compliance for your company. Get expert insights on how to minimize these costs to obtain and maintain your CMMC certification.

Factors affecting the cost of CMMC Compliance

Exhibit 17: CMMC Cost Drivers


What is the difference between Basic, Medium, and High assessments?

What is an SPRS?

DoDI 5000.79, "Defense-Wide Sharing of Supplier Performance Information (PI)," published on October 15, 2019, established policy and assigned responsibilities for managing the defense-wide collection and sharing of performance information on suppliers, products, and services.

DoD Supplier Performance Risk System (SPRS) is a procurement risk analysis tool for Price, Item, and Supplier risk. The Price Risk tool compares industry prices to the average price paid by the Government. The Item Risk tool flags items identified as high risk (based on critical safety/application or risk of counterfeiting). The Supplier Risk tool scores vendors on DoD-wide contract performance.

SPRS supports DoD Acquisition Professionals with meeting acquisition regulatory and policy requirements by providing the following:

SPRS provides storage of, and access to, NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module records the assessment date, score, scope, Plan of Action completion date, included Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP date, and confidence level.

Exhibit 18: SPRS Data Flow

The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments.

An "SPRS Cyber Vendor User" role is required for a company to enter or edit its Basic self-assessment information. If a record header for the Highest-Level Owner (HLO) does not exist, one may be created. Once the HLO header exists, assessments for CAGE codes that fall within the HLO hierarchy may be added.

All DIB contractors, regardless of CMMC 2.0 level, must submit their NIST SP 800-171 assessment score to SPRS.

Are POA&Ms allowed in CMMC 2.0?

The Department of Defense (DoD) will permit the limited use of Plans of Action and Milestones (POA&Ms) for companies that have not yet met all of the security controls at the time a defense contract is awarded under CMMC 2.0.

For CMMC Level 1, the DoD prohibits the use of Plans of Action & Milestones (POA&Ms), requiring contractors to validate their compliance directly in the Supplier Performance Risk System (SPRS) to affirm their ongoing commitment to FCI protection.

Also, POA&Ms will not be allowed for the most critical security requirements, which are the most difficult to meet. (The DoD uses a self-assessment method that assigns a weight of 1, 3, or 5 points to each of the 110 controls in NIST SP 800-171. Scoring starts at a maximum of 110, and the weight of each control not yet implemented is subtracted. As most controls are worth more than one point, self-assessment scores can be negative and range from -203 to +110.)

Although final information has yet to be released, Stacy Bostjanick, the director of the CMMC program for the DoD, stated in June 2022 that POA&Ms will be allowed for controls weighted at 1 or 3 points but not for controls weighted at 5 points.

The DoD also plans to set a minimum score that must be achieved when a POA&M is used for CMMC certification, and POA&Ms will have a strictly enforced time limit. The time limit has yet to be decided, but 180 days is the figure under consideration. It is not yet known when the 180-day POA&M clock will start, but it is likely to be the award of a contract, either by DoD to a prime contractor or by a contractor to a subcontractor.
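The scoring and POA&M rules described above can be expressed as a small checker. The following is an added example written for this guide, not DoD or SPRS tooling: it computes a self-assessment score as 110 minus the weight of each unimplemented control, separates gaps that may go on a POA&M (1- and 3-point controls, per the June 2022 statement quoted above) from 5-point gaps that may not, and projects a POA&M closure date from an assumed 180-day window. The control identifiers and weights in `SAMPLE_ASSESSMENT` are a constructed sample, not the official weighting table, and the `minimum_score` threshold is a caller-supplied assumption because DoD has not published it.

```python
"""NIST SP 800-171 DoD self-assessment scoring and POA&M triage (illustrative).

Added example for this guide. Control IDs and weights below are a constructed
sample; consult the DoD Assessment Methodology for the authoritative weights.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110                  # all 110 requirements implemented
POAM_ELIGIBLE_WEIGHTS = {1, 3}   # 5-point controls may not be deferred to a POA&M
POAM_WINDOW_DAYS = 180           # assumption: figure under consideration, not final policy


@dataclass(frozen=True)
class Control:
    control_id: str    # NIST SP 800-171 requirement number
    weight: int        # 1, 3 or 5 points under the DoD Assessment Methodology
    implemented: bool  # True only when fully implemented as assessed


# Constructed sample assessment (not a real company's data).
SAMPLE_ASSESSMENT = [
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, True),
    Control("3.1.3", 1, False),    # 1-point gap: POA&M-eligible
    Control("3.4.2", 3, False),    # 3-point gap: POA&M-eligible
    Control("3.5.3", 5, False),    # 5-point gap: must be fixed, no POA&M
    Control("3.13.11", 5, True),
]


def sprs_score(controls) -> int:
    """110 minus the weight of every unimplemented control; may be negative."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def triage_gaps(controls):
    """Return (poam_eligible_ids, blocking_ids) for the unimplemented controls."""
    gaps = [c for c in controls if not c.implemented]
    eligible = [c.control_id for c in gaps if c.weight in POAM_ELIGIBLE_WEIGHTS]
    blocking = [c.control_id for c in gaps if c.weight not in POAM_ELIGIBLE_WEIGHTS]
    return eligible, blocking


def poam_deadline(award_iso: str) -> str:
    """Project the POA&M closure date, assuming the clock starts at contract award."""
    award = date.fromisoformat(award_iso)
    return (award + timedelta(days=POAM_WINDOW_DAYS)).isoformat()


def award_ready(controls, minimum_score: int) -> bool:
    """Conditional-award check: no 5-point gaps and score at or above the threshold.

    `minimum_score` is an assumption supplied by the caller; DoD has not published it.
    """
    _, blocking = triage_gaps(controls)
    return not blocking and sprs_score(controls) >= minimum_score


if __name__ == "__main__":
    score = sprs_score(SAMPLE_ASSESSMENT)
    eligible, blocking = triage_gaps(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}")
    print(f"POA&M-eligible gaps: {eligible}")
    print(f"Gaps that block award: {blocking}")
    print(f"POA&M deadline if awarded 2024-03-01: {poam_deadline('2024-03-01')}")
    print(f"Award-ready at an assumed threshold of 88: {award_ready(SAMPLE_ASSESSMENT, 88)}")
```

Running the sample gives a score of 101 with one blocking gap (3.5.3), so the assessment is not award-ready regardless of the threshold until that 5-point control is implemented; remediating it alone raises the score to 106 and leaves only POA&M-eligible gaps.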

Are waivers allowed in CMMC 2.0?

The proposed rule allows DoD Program Managers to seek approval to waive CMMC requirements in certain circumstances. However, the details of this process have not yet been fully outlined.

These waivers may only be granted for specific mission-critical contracts and require a detailed justification package, including a plan for risk mitigation and a timeline for meeting CMMC requirements. Approval for waivers will come from high-level DoD leadership and apply to the entire CMMC requirement, not just individual controls. More information on waivers will be established during the rulemaking process.

Will prime contractors and subcontractors be required to maintain the same CMMC level?

The proposed rule requires subcontractors at all levels of the supply chain to adhere to CMMC standards. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor. The particular CMMC Level necessary for each subcontractor will correspond to the nature of the information they process, which might vary from that of the main contractor.

Will my organization need to be certified if it does not handle CUI?

If a DIB company does not process, store, or transmit CUI on its unclassified network but does process, store, or handle FCI, it must comply with CMMC Level 1 at a minimum.

Will my assessment outcomes be accessible to the public and the DoD?

The DoD will have access to your assessment details, including results and the final report, once CMMC 2.0 is fully operational, storing this data in the SPRS and eMASS databases.

How should a company handle situations where complete CMMC implementation interferes with necessary system functionality?

CMMC assessments aim to ensure systems handling DoD CUI meet the security requirements outlined in specific FAR and DFARS clauses, including adhering to the "adequate security" standard of NIST SP 800-171. If full CMMC deployment compromises system functionality, the concerned system should not be used to process, store, or transmit DoD CUI, as it fails to satisfy the necessary security prerequisites to safeguard such information.

Alternatively, contractors may adopt an enclave approach to CMMC compliance, which restricts the compliance scope to a much smaller subset of the network.

In the context of the CMMC framework, a CMMC Enclave refers to a controlled and secure computing environment within a defense contractor's network specifically designed to handle Controlled Unclassified Information (CUI). By creating these CUI enclaves, sensitive data and operations are segmented from the rest of the organization's network, offering an elevated level of security.

Exhibit 19: The CMMC Enclave Approach

How can an RPO help in CMMC Compliance?

Achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) can be challenging for DIB contractors. However, by working with a Registered Provider Organization (RPO), contractors can gain access to the guidance, expertise, and resources necessary to navigate the requirements and best practices for each maturity level. Here are a few of the benefits of working with InterSec:

We provide CMMC Consulting, Gap Assessment, Implementation, and Compliance support, and we provide CMMC Enclaves that result in rapid and cost-effective compliance for small and medium businesses. We offer rapid CUI scoping to begin your CMMC compliance journey.

We have expertise in technical remediation and provide audits for your company. We are a dedicated team of professionals committed to helping your company meet its CMMC needs through cost-effective solutions.

Our bespoke solutions and services save your company valuable time, resources, and money in achieving CMMC compliance.

Partnering with an RPO like InterSec can significantly increase a DIB Contractor's chances of quickly achieving and maintaining CMMC compliance. InterSec, a Cyber-AB RPO, has years of experience helping Federal Contractors navigate complex compliance requirements. As a Cybersecurity organization, we provide end-to-end CMMC Compliance consulting.

As a Cyber-AB authorized CMMC RPO, InterSec offers Consulting, Gap Assessment, Remediation, and Managed Security Services to ramp up and accelerate your CMMC compliance journey.