If you are a defense manufacturer, then you know that CMMC is the latest requirement if you hope to continue servicing U.S. Department of Defense (DoD) contracts. But, do you know all the costs associated with becoming cybersecure and what you need to do to prepare?  

Blog Header (19)

The Cybersecurity Maturity Model Certification (CMMC) supersedes the self-attestation process used for DFARS 252.204-7012 and NIST 800-171 and instead moves towards a more uniform third-party certification model. The new model seeks to verify you and other defense contractors have implemented the appropriate cybersecurity controls to protect controlled unclassified information (CUI).  

The DoD describes CMMC as a "unifying standard for the implementation of cybersecurity across the defense industrial base." It provides a "comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level." DOD says CMMC is designed to provide increased assurance that a Defense Industrial Base (DIB) company can "adequately protect sensitive unclassified information accounting for information flow down to subcontractors and a multi-tier supply chain." 

What does that mean for Defense Manufacturers?

The framework for the CMMC is largely built on existing requirements included in NIST SP 800-171 and NIST SP 800-53 and consist of up to 5 levels, broken into practices and processes, that measure the cybersecurity practices of defense contractors and manufacturers.

When will CMMC be required?

 Your specific CMMC requirements for certification depend on the level of certification you need for your contracts. By now, you should be performing at CMMC Level 1 if you are working on government contracts. But without an exact date to mark on your calendar, here's what's important to know: the recently released DFARS Interim Final Rule effective, November 30 2020, requires all DoD contractors and subcontractors to submit scored self-assessments against NIST 800-171 requirements. 

Throughout 2021 and the years following, most DoD contractors will need to meet their CMMC level requirements or risk losing existing contracts. By 2025, the CMMC-AB will mandate certifications for all DoD suppliers to bid on new contracts or continue doing business with the DoD. 

What is the Cost of Becoming Cybersecure?

 CMMC certification is a snapshot of your cybersecurity posture and requires continuous support, practice, and policy enforcement to achieve and maintain compliance. Understanding that cybersecurity it not a one-time fee, most defense contractors will face three primary investment cost categories to becoming cybersecure and CMMC certified:

  • Soft costs for internal resourcing and/or external consulting in preparation for a CMMC audit
  • Hard costs for achieving a particular requirement such as a SIEM or two-factor authentication in preparation for a CMMC audit
  • Hard costs for the Certified Auditor and CMMC audit itself 

Chief Information Security Officer (CISO) Katie Arrington, at the Office of the Under Secretary of Defense Acquisition & Sustainment, estimates that for CMMC level one certification - the audit itself - defense contractors can expect to pay between $3,000 – $5,000 and increase with each level. 

Of course, these are only estimates due to the final CMMC certification costs guidelines still being decided, but the cost for CMMC certification is reimbursable, not prohibitive. There are conversations regarding "allowable cost," for CMMC certification expenses that could be billed to the DoD. To be clear, this is the cost of the actual CMMC certification audit and does not cover the costs to get you to the compliance standards for your intended CMMC level.

Your actual hard and soft cost to reach your desired CMMC level depends on several factors, including your organization's size and number of locations, the extent of your Controlled Unclassified Information (CUI), the current maturity of your NIST SP 800-171 program, whether you require external support, and your desired CMMC level. 

In the end, you're best served by doing a CMMC Gap Assessment or CMMC Readiness Assessment. Let's assume that your objective is CMMC Level 3 (the most common target) and you're operating from a centrally managed and reasonably mature state of NIST SP 800-171 compliance. For the average 250-500 user, multi-location manufacturing company, you're looking at tens of thousands of dollars or more to meet the CMMC Level 3 compliance standards. That's a big difference and where a gap assessment gives you insight into the resources required for your CMMC level. 

What can Maryland Defense Manufacturers do to Prepare for CMMC?

  1. As mentioned above, much of the CMMC assessment framework is based on the NIST 800-171 controls, so you may have some controls already in place for CMMC. Be sure to understand and complete any outstanding implementations of policy and/or technical controls and bookmark the OUSD CMMC website.

  2. Get a CMMC Gap Assessment or CMMC Readiness Assessment.
    Schedule a Consultation

  3. Ensure the subcontractor handling your information has the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instruments and that they address any outstanding NIST 800-171 requirements/POAM items.

  4. Sign up for our Coffee and Conversation on Thursday, March 25 at 11 AM with eTrepid and Sara Keith, Cybersecurity Program Manager at the Maryland Manufacturing Extension Partnership (MD MEP). In this free webinar, we'll provide you with updates regarding funding and assistance for Defense Contractors. Then fill out and submit the Maryland Defense Cybersecurity Assistance Program (DCAP) Application PDF

The MD DCAP provides funding and assistance for Defense Contractors to comply with the DFARS and NIST 800-171 Standards for cybersecurity, funded by the Department of Defense's Office of Economic Adjustment (OEA) through the Maryland Department of Commerce and coordinated by the MD MEP. 

Together with qualified Maryland cybersecurity providers like eTrepid, MD MEP has developed a series covering essential cybersecurity topics and provides Maryland's defense contractors with guidance on their current DFARS and CMMC requirements.

Current DFARS, CMMC and Cybersecurity topics include:

  • How to Develop and Execute a Patch Management Routine
  • How to Download and Apply the Appropriate Group Policy Objects (GPOs) to Your Network
  • How to Protect Organizational Communications at Key Internal and External Boundaries
  • Periodic information system scans- what should be done?
  • CMMC Update as of January 7, 2021
  • Does having anti-virus software with auto-updates enabled really protect your company from malicious software?
  • How to Conduct Basic Risk Analysis
  • Employee Cybersecurity Training Requirements
  • How to Develop, Execute and Test a Good Data and System Back-up Routine
  • What is a Security Information and Event Manager (SIEM) and do I really need one?
  • How to Develop a Plan for Disasters and Information Security Incidents

For additional information view previous Coffee and Conversation with eTrepid webinars that describe programs such as MD MEP DCAP, Compliance & CMMC, and others.

The CMMC process is complicated, much like the cost of becoming cybersecure. To better assist Maryland defense manufacturers, eTrepid, in coordination with DCAP, MD MEPS, and the U.S. Department of Defense (DoD), is leading the charge to increase the cybersecurity posture within Defense Industrial Base (DIB) supporting the Cybersecurity Maturity Model Certification (CMMC) initiatives.

If you have questions about CMMC or where your organization stacks up, don't go it alone– sign up for the webinar or speak with one of our CMMC experts before it's too late.

Leave A Comment