What is CMMC Compliance

December 5, 2024

The Cybersecurity Maturity Model Certification (CMMC) is a framework introduced by the Department of Defense (DoD) in 2019 to ensure defense contractors comply with cybersecurity requirements outlined in NIST SP 800-171. Its primary goal is to protect sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), while strengthening the overall security of the defense supply chain.

This blog explains the basic requirements of CMMC, latest timeline, projected costs of compliance, and tips on how to get started on CMMC compliance.

What is CMMC

The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to address widespread gaps in compliance and enforcement of the existing NIST SP 800-171 framework. While CMMC doesn’t introduce new cybersecurity requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), it strengthens enforcement of the security measures already in place.

Previously, defense contractors were allowed to self-assess their compliance with DoD security requirements. Under CMMC, however, most contractors will need to undergo independent third-party assessments to verify compliance. These assessments will be conducted by CMMC Third Party Assessment Organizations (C3PAOs) that are trained and certified by the Cyber AB, CMMC’s official accreditation body.

Who needs CMMC Certification

Organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve CMMC certification at the level specified in their contract. This requirement applies not only to large, Prime defense contractors but also to subcontractors and smaller organizations further down the Defense Industrial Base (DIB) supply chain. Cybercriminals often target these smaller entities, viewing them as less secure entry points to sensitive data. By raising cybersecurity standards across the entire supply chain, the Department of Defense aims to mitigate these vulnerabilities—a core objective of the CMMC program.

CMMC Compliance Requirements For Level 1, Level 2 and Level 3

The Cybersecurity Maturity Model Certification (CMMC) has three levels of compliance, determined by the type of information your organization handles. To work on defense contracts, your organization must comply with the CMMC level specified in your contract and undergo the appropriate assessments, as shown in the figure below.

CMMC security and assessment requirements—based on information being handled

^Source:^{DoD Chief Information Officer website}

Level 1 applies to organizations handling Federal Contract Information (FCI) only. Compliance requires meeting the basic safeguarding requirements outlined in FAR 52.204-21. Organizations at this level must perform annual self-assessments to verify compliance.
Level 2 is designed for organizations that handle Controlled Unclassified Information (CUI). Compliance at this level involves meeting the 110 security controls specified in NIST SP 800-171. Most organizations at this level will need to undergo third-party assessments every three years. These assessments are conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs), who evaluate compliance with NIST SP 800-171 controls..
Level 3 applies to organizations working with CUI and facing Advanced Persistent Threats (APTs)—sophisticated, state-sponsored attacks targeting critical defense programs. To achieve Level 3, organizations must comply with both the 110 NIST SP 800-171 security controls and an additional 24 enhanced security controls from NIST SP 800-172. Triennial assessments at this level are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the Department of Defense’s (DoD) ultimate authority on compliance.

When will CMMC compliance be required

On 10/15/2024, the CMMC Final Rule (CFR 32) was published in the Federal Register. It will become effective on Dec 16, 2024 and enter contracts by early 2025. See our CMMC timeline blog for more details.

It is important to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.

As leading cyber lawyer Robert Metzger said during PreVeil’s CMMC Summit:

The problem for most contractors is that you won’t know in advance when the compliance requirement will come to you or when your Prime will ask you to show you are ready for a certification assessment. Most organizations find that it takes 6-18 months to know that you are ready to pass an assessment. So you need to get started now.

Cost of CMMC Compliance

The costs associated with achieving CMMC Level 2 certification can vary widely depending on several factors. These include your organization’s current cybersecurity maturity, the scope of your Controlled Unclassified Information (CUI) enclave, the number of employees handling CUI, the extent of internal preparation for the C3PAO assessment, and the need for external expertise to meet certification requirements.

Want to know how much CMMC will cost your organization?

Check out our CMMC Cost Calculator

The Department of Defense (DoD) estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, excluding any additional technology investments needed to meet requirements. The table below provides a breakdown of cost estimates for small defense contractors (fewer than 500 employees or less than $7.5 million in annual revenue):

DoD CMMC Level 2 Certification and Cost Estimates for small defense contractors (with < 500 employees or revenue < $7.5 million)

^Source:^{Proposed Rule: Cybersecurity Maturity Model Certification Program}

These costs include time and resources from both in-house IT specialists and external service providers, such as Registered Practitioners (RPs) and C3PAOs, who assist in achieving CMMC Level 2 compliance.

However, it’s important to note that these estimates begin at the C3PAO assessment phase and exclude any costs incurred beforehand. Since defense contractors have been required to comply with NIST 800-171 standards—on which CMMC Level 2 is based—since 2017, the DoD does not consider NIST 800-171-related technologies or documentation as new expenses.

The good news is that there are technology solutions available that can significantly reduce the time and cost of achieving compliance. PreVeil’s blog, 6 Ways to Save Money on CMMC, offers insights into the costs involved and practical strategies to save money at each step of the process.

How to Get Started with CMMC

If you’re just starting your CMMC Level 2 compliance journey, you should focus on meeting the 110 controls in NIST 800-171. PreVeil offers a three-step roadmap to NIST 800-171 compliance and CMMC Level 2 certification.

1. Adopt a platform that securely stores, processes and transmits CUI.

You’ll need to choose an email and file sharing platform that complies with DFARS 7012. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support DFARS 7012 and CMMC; Ask for documented evidence and ask for customers who have undergone successful assessments.

Over a dozen PreVeil customers have achieved CMMC compliance- validated by a perfect 110 score on their C3PAO or DoD assessment. PreVeil is used by over 1,200 defense contractors and provides a comprehensive solution to expedite CMMC compliance. In addition through a combination of inherited and shared controls, PreVeil supports over 90% of the NIST SP 800-171 security controls (102 of the 110).

2. Use prepared documentation to show compliance and save time and money.

Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming, and costly task.

PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates and more.

I would say the Preveil supporting documentation halved our time that we spent on the SSP. The pre-filled documents gave us that starting place to make sure we addressed everything in each control. -Paul Miller, Virtra

3. Identify certified consultants that are familiar with your technology

It’s understandable that many organizations lack the internal security expertise to conduct their NIST 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.

To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants—all with expert knowledge of DFARS, NIST, CMMC and PreVeil.

Now is the time to get started on CMMC compliance. Informed estimates from C3PAOs who have done this work are that it takes typical small to midsize organizations around 12 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.

To learn more

PreVeil is trusted by more than 1,200 small and midsize defense contractors. Learn more about how PreVeil can help you achieve CMMC Level 2 certification faster and more affordably:

Get a custom quote for your organization
Sign up for a free 15-minute consultation with our compliance team
Read Achieving CMMC Compliance: A guide for small and midsize defense contractors, which has been downloaded by more than 4,000 defense contractors

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is PreVeil's Compliance Officer and CMMC Certified Professional (CCP) with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her M.S. in Information Technology and holds certifications from the CMMC Accreditation Body (CyberAB), Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.

Related Blog

See All Blog

December 13, 2024

Why the Recent Telecom Hack Underscores the Need for End-to-End Encryption

Security

December 11, 2024

Interview with CyberSecurity TV at CEIC

PreVeil News

December 4, 2024

Six Things You Have to Know About Your SPRS Score

CMMC