If you are a defense manufacturer, then you know that CMMC is the latest requirement if you hope to continue servicing U.S. Department of Defense (DoD) contracts. But, do you know all the costs associated with becoming cybersecure and what you need to do to prepare?
The Cybersecurity Maturity Model Certification (CMMC) supersedes the self-attestation process used for DFARS 252.204-7012 and NIST 800-171 and instead moves towards a more uniform third-party certification model. The new model seeks to verify you and other defense contractors have implemented the appropriate cybersecurity controls to protect controlled unclassified information (CUI).
The DoD describes CMMC as a "unifying standard for the implementation of cybersecurity across the defense industrial base." It provides a "comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level." The DoD says CMMC is designed to provide increased assurance that a Defense Industrial Base (DIB) company can "adequately protect sensitive unclassified information accounting for information flow down to subcontractors and a multi-tier supply chain."
The framework for the CMMC is largely built on existing requirements included in NIST SP 800-171 and NIST SP 800-53 and consists of up to 5 levels, broken into practices and processes, that measure the cybersecurity practices of defense contractors and manufacturers.
Your specific CMMC requirements for certification depend on the level of certification you need for your contracts. By now, you should be performing at CMMC Level 1 if you are working on government contracts. But without an exact date to mark on your calendar, here's what's important to know: the recently released DFARS Interim Final Rule, effective November 30, 2020, requires all DoD contractors and subcontractors to submit scored self-assessments against NIST 800-171 requirements.
Throughout 2021 and the years following, most DoD contractors will need to meet their CMMC level requirements or risk losing existing contracts. By 2025, the CMMC-AB will mandate certifications for all DoD suppliers to bid on new contracts or continue doing business with the DoD.
CMMC certification is a snapshot of your cybersecurity posture and requires continuous support, practice, and policy enforcement to achieve and maintain compliance. Understanding that cybersecurity is not a one-time fee, most defense contractors will face three primary investment cost categories in becoming cybersecure and CMMC certified:
Chief Information Security Officer (CISO) Katie Arrington, at the Office of the Under Secretary of Defense for Acquisition & Sustainment, estimates that for CMMC Level 1 certification (the audit itself) defense contractors can expect to pay between $3,000 and $5,000, with the cost increasing at each higher level.
Of course, these are only estimates because the final CMMC certification cost guidelines are still being decided, but the cost of CMMC certification is reimbursable, not prohibitive. There are conversations about treating CMMC certification expenses as an "allowable cost" that could be billed to the DoD. To be clear, this is the cost of the actual CMMC certification audit and does not cover the costs of getting you to the compliance standards for your intended CMMC level.
Your actual hard and soft cost to reach your desired CMMC level depends on several factors, including your organization's size and number of locations, the extent of your Controlled Unclassified Information (CUI), the current maturity of your NIST SP 800-171 program, whether you require external support, and your desired CMMC level.
In the end, you're best served by doing a CMMC Gap Assessment or CMMC Readiness Assessment. Let's assume that your objective is CMMC Level 3 (the most common target) and you're operating from a centrally managed and reasonably mature state of NIST SP 800-171 compliance. For the average 250-500 user, multi-location manufacturing company, you're looking at tens of thousands of dollars or more to meet the CMMC Level 3 compliance standards. That is a wide range, which is why a gap assessment is what gives you insight into the resources required for your CMMC level.
The MD DCAP provides funding and assistance for defense contractors to comply with the DFARS and NIST 800-171 cybersecurity standards. It is funded by the Department of Defense's Office of Economic Adjustment (OEA) through the Maryland Department of Commerce and coordinated by the MD MEP.
Together with qualified Maryland cybersecurity providers like eTrepid, MD MEP has developed a series covering essential cybersecurity topics and provides Maryland's defense contractors with guidance on their current DFARS and CMMC requirements.
Current DFARS, CMMC and Cybersecurity topics include:
For additional information, view previous Coffee and Conversation with eTrepid webinars that describe programs such as MD MEP DCAP, Compliance & CMMC, and others.
The CMMC process is complicated, much like the cost of becoming cybersecure. To better assist Maryland defense manufacturers, eTrepid, in coordination with DCAP, MD MEP, and the U.S. Department of Defense (DoD), is leading the charge to increase the cybersecurity posture within the Defense Industrial Base (DIB) in support of the Cybersecurity Maturity Model Certification (CMMC) initiatives.
If you have questions about CMMC or where your organization stacks up, don't go it alone: sign up for the webinar or speak with one of our CMMC experts before it's too late.