CMMC Compliance – A Quick Overview

What Is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework and accompanying certification by the US Department of Defense (DoD). Starting this year, contracts offered by the DoD might specify a level of the CMMC required to be awarded the contract. By 2026 all contracts will require a CMMC certification.

This new umbrella standard includes requirements from NIST 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond. It is broken into five levels of CMMC certification: Each level requires more practices and controls than the previous with level one being the lowest and five being the highest level. The certification will be valid for three years.

Who Needs CMMC Certification?

Any company and its subcontractors that bid on a DoD contract that contains Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will be required to be CMMC compliant at the CMMC level mandated in the contract. Commercial off-the-shelf products will not require CMMC compliance. If a company will receive exclusively FCI and not CUI under the contract, then the company will only need CMMC Level 1 implementation. However, if a company receives CUI under the contract, then CMMC Level 3 will be required as the minimum. The CMMC level mandated will be stated in the contract information. Ecuron expects that the vast number of contracts will require a Level 1 or Level 3 certification.

When Will This Be Required?

The plan from the DoD is to slowly roll out CMMC compliance requirements for new contracts beginning of 2021 with the expectation that every active contract will have a CMMC level requirement in place by 2026. The estimate is that a total of 1,500 of prime contractors and sub-contractors will have CMMC requirements in 2021. Although not every contract will require CMMC compliance right away, we highly recommend that companies who plan to bid on DOD contracts start preparations for a CMMC certification now. The early adopters of CMMC will have a clear competitive advantage – especially considering that implementation and certification will take several months. The sooner an organization meets CMMC compliance, the less competition it will face when bidding on new DoD contracts that require CMMC!

How Long Does It Take to Implement CMMC?

The implementation timeframe depends on these main factors:

  • The level of certification are you required to comply with
  • The current state of your NIST 800-171 implementation
  • The size and scope of your system.

For example, we expect a CMMC Level 3 implementation to take approximately 6 months – or more if you are starting with a clean slate. CMMC Level 1 compliance can be accomplished in a much shorter time-frame. For an overview of the preparation and certification process including some time estimates see CMMC Certification Process and Timeline.

What Is the CMMC Cost?

The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:

  • Pre-assessment support by companies like Ecuron for help with implementation
  • CMMC implementation cost at your organization
  • Audit (CMMC Assessment) by a CMMC Third-Party Assessor Organization (C3PAO)
  • CMMC certificate awarded by the CMMC Advisory Board (CMMC-AB) at a fixed cost based on certification level.

Once certified, there will be annual certification updates. We advise companies wishing to work with the DOD in the future to expect some ongoing expenses in addition to the initial cost of certification.

How We Are Prepared To Help You

Ecuron is a CMMC Registered Provider OrganizationEcuron has been receiving CMMC Registered Professional training from the CMMC Accreditation Body to be among the first companies qualified to help your organization to become CMMC compliant. Due to our status as a CMMC Registered Provider Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC gap analysis, implementation help, CMMC pre-assessments. We do not conduct the final Certified Assessments.

Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from several weeks to a few months. Starting now will save you valuable time and will get you ahead of the competition.

We offer the following CMMC Services:

To discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at, use the form below, or give us a call.

last edit: 01/07/2021

You may also like

What to Do When Ransomware Attacks

When Tools & Templates Aren’t Enough

We’d Love to Talk About Your Cybersecurity Strategy.

- ​None of the information you provide in the form below will be used for marketing purposes -