Any organization that handles data controlled by the US government must achieve CMMC compliance in order to win contracts from the Department of Defense (DoD). This set of standards ensures that cybercriminals cannot gain access to confidential government information by hacking civilian contractors.
The CMMC takes requirements from earlier compliance models, such as NIST SP 800-171 and Federal Acquisition Requirements (FAR) document 52.204-21, and unifies them to make certification more streamlined and efficient. The CMMC is focused on protecting two kinds of protected information: federal contract information (FCI) and controlled unclassified information (CUI).
CMMC 2.0, which was announced November 4th 2021, is the latest iteration and features three distinct levels of compliance. Level 1 is the simplest and easiest level to achieve, while Level 2 and Level 3 require you to implement additional, more complex practices and controls. The majority of DoD contractors only need to achieve CMMC Compliance Level 1.
Any company (and, if applicable, its subcontractors) that seeks to bid on a DoD contract must be CMMC-compliant if the nature of the work involves federal contract information (FCI) and/or controlled unclassified information (CUI). If the contract work involves exclusively commercial off-the-shelf (COTS) products, the contractor is exempt from CMMC requirements.
The contract you bid on will state which compliance level you must reach to win the contract. In general, only Level 1 or Level 2 is required for most contracts.
CMMC director Stacy Bostjanick announced in April 2022 that the Pentagon plans to publish the CMMC “interim rule” no later than May 2023, with initial requirements showing up in DoD contracts 60 days after the rule publication.
Although the CMMC compliance requirements are not in full effect yet, early adopters of CMMC will have a clear competitive advantage, considering that implementation will take several months and compliance is required at the time of contract award. Certification will take even longer for Level 2 and above the closer the deadline approaches, as certified CMMC assessors will have limited availability during the rush for certification.
Additionally, the DoD is discussing incentives for organizations that become compliant before CMMC is mandatory. Therefore, achieving CMMC compliance ASAP is recommended.
To determine if you are compliant, an assessment is performed on your cybersecurity posture, data security policies, installed security tools, and similar areas. The nature of this assessment varies depending on which level you are trying to achieve, with Level 1 being the simplest and fastest to achieve.
The process could take anywhere from a couple months to a year or more, depending on a wide variety of factors. If you are operating with an advanced and up-to-date cybersecurity posture and only need to achieve Level 1 compliance, you’re going to have a quicker time than an organization starting from scratch and trying to achieve Level 3 compliance.
The cost to achieve CMMC compliance is proportional to the amount of work needed to align with CMMC standards. As with the timeline, there are a number of factors that will affect your total expenditure. However, hiring an experienced consultancy to prepare your organization for the CMMC process will help you avoid delays, remediate security issues efficiently, and end up saving you time and money in the long run.