What Is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework and accompanying certification that is in the process of being finalized by the US Department of Defense (DoD). Soon, contracts offered by the DoD will specify the CMMC level required to be awarded the contract.
While the CMMC framework is not finalized yet, it is known that this new umbrella standard will include requirements from NIST 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond. It is also known that it will be broken into five levels of CMMC certification. Each level will require more practices and controls than the previous one, with Level 1 being the lowest and Level 5 the highest. The certification will be valid for three years.
Who Needs CMMC Certification?
Any company, and its subcontractors, that bids on a DoD contract involving Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will be required to be CMMC compliant at the CMMC level mandated in the contract. Commercial off-the-shelf products will not require CMMC implementation. If a company will receive exclusively FCI and not CUI under the contract, then the company will only need CMMC Level 1 implementation. However, if a company receives CUI under the contract, then higher levels of CMMC will be required. The mandated CMMC level will be stated in the contract information. Ecuron expects that the number of contracts requiring each level will follow a bell-curve distribution, with Level 3 as the mean.
When Will This Be Required?
As of right now, the DoD plans to roll out CMMC compliance requirements gradually for new contracts beginning in the fall of 2020, with the expectation that every active contract will have a CMMC level requirement in place by 2026. While not every contract will require CMMC at first, it is highly recommended that companies who plan to bid on DoD contracts begin preparing for CMMC certification once the final standards have been released, so that they are ready to bid on any contract in the coming years. The early adopters of CMMC among DoD contractors will have a clear competitive advantage. The sooner an organization meets CMMC compliance, the less competition it will face when bidding on new DoD contracts that require CMMC!
What Is the CMMC Cost?
The CMMC Advisory Board (CMMC-AB) is the body in charge of training people on the new requirements so that they can perform pre-audit support, conduct audits, and grant CMMC certifications to companies. CMMC Third-Party Assessor Organizations (C3PAOs) will be the only organizations approved to audit and certify. The board stated that each level of the CMMC will have a different, fixed cost. This means that any organization that performs a certification will have to charge the same amount for a given level.
For CMMC Level 2 and above, Ecuron recommends getting pre-audit support for implementation from certified professionals. Also, there will be annual certification updates, so the certification is not a one-time cost but rather an ongoing cost for any company wishing to work with the DoD in the future.
How We Prepare
Ecuron will receive CMMC Certified Professional training from the CMMC Advisory Board as soon as it launches. We are excited to provide pre-audit support to help organizations navigate this new cybersecurity framework. No matter which certification level you will need, we will be able to help you implement the CMMC requirements and guide you through the certification process. The certification itself will be performed by a CMMC Third-Party Assessor Organization (C3PAO).
For a more detailed description of the latest CMMC draft and the outline requirements please see: