CMMC Compliance – A Quick Overview

What Is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework and accompanying certification that is in the process of being finalized by the US Department of Defense (DoD). Soon, any contracts offered by the DoD will specify a level of the CMMC required to be awarded the contract.

While the CMMC framework is not finalized yet, it is known that this new umbrella standard will include requirements from NIST 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond. It is also known that it will be broken into five levels of CMMC certification: Each level will require more practices and controls than the previous with level one being the lowest and five being the highest level. The certification will be valid for three years.

Who Needs CMMC Certification?

Any company and its subcontractors that bid on a DoD contract that contains Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will be required to be CMMC compliant at the CMMC level mandated in the contract. Commercial off-the-shelf products will not require CMMC compliance. If a company will receive exclusively FCI and not CUI under the contract, then the company will only need CMMC Level 1 implementation. However, if a company receives CUI under the contract, then further levels of CMMC will be required. The CMMC level mandated will be stated in the contract information. Ecuron expects that the vast number of contracts will require a Level 1 or Level 3 certification.

When Will This Be Required?

As of right now, the plan from the DoD is to slowly roll out CMMC compliance requirements for new contracts beginning in the fall of 2020 with the expectation that every active contract will have a CMMC level requirement in place by 2026. Although not every contract will require CMMC compliance right away, we highly recommend that companies who plan to bid on DOD contracts start preparations for a CMMC certification now. The early adopters of CMMC will have a clear competitive advantage – especially considering that implementation and certification will take several months. The sooner an organization meets CMMC compliance, the less competition it will face when bidding on new DoD contracts that require CMMC!

How Long Does It Take to Implement CMMC?

The implementation timeframe depends on these main factors:

  • The level of certification are you required to comply with
  • The current state of your NIST 800-171 implementation
  • The size and scope of your system.

For example, we expect a CMMC Level 3 implementation to take approximately 6 months – or more if you are starting with a clean slate.

What Is the CMMC Cost?

The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:

  • Pre-assessment support by companies like Ecuron for help with implementation
  • CMMC implementation cost at your organization
  • Audit (CMMC Assessment) by a CMMC Third-Party Assessor Organization (C3PAO)
  • CMMC certificate awarded by the CMMC Advisory Board (CMMC-AB) at a fixed cost based on certification level.

Once certified, there will be annual certification updates. We advise companies wishing to work with the DOD in the future to expect some ongoing expenses in addition to the initial cost of certification.

How We Prepare

While the CMMC guidelines have not been finalized yet, the latest CMMC draft is already quite comprehensive and includes many requirements from NIST 800-171. Therefore, we can help with a CMMC focused implementation now. In addition, Ecuron has been receiving CMMC Registered Professional training from the CMMC Advisory Board to be among one of the first companies qualified to help during the Pre-Assessment Phase – from CMMC Readiness Assessments to implementation. Once the final CMMC standard is released, we will help make final adjustments if needed.

Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from several weeks to a few months. Starting now will save you valuable time and will get you ahead of the competition.

We offer the following CMMC Services:

To discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at, use the form below, or give us a call.

last edit: 10/15/2020

You may also like

We’d Love to Talk About Your Cybersecurity Strategy.

- ​None of the information you provide in the form below will be used for marketing purposes -