Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think

The Pentagon Headquarters of the United States Department of Defense

For organizations that work with the federal government, the whole Cybersecurity Maturity Model Certification (CMMC) process has been quite the rollercoaster. It’s been a back-and-forth of “it’s coming,” to “it’s delayed,” to “why aren’t you doing this yet?”

The reality is, if your organization does business with the Department of Defense (DoD) and you will bid on or renew a DoD contract, you will likely need to be CMMC-certified. And, you likely have less time to get ready than you think.

What is CMMC 2.0? The Cybersecurity Maturity Model Certification (CMMC) is a set of security standards that help organizations protect controlled unclassified information (CUI) and federal contract information (FCI).

From CMMC 1.0 to 2.0

Contractors and subcontractors have been subject to NIST SP 800-171 compliance since 2018, and in 2019 the U.S. government announced the CMMC framework design. After receiving public feedback, CMMC 1.0 was introduced.

CMMC 1.0 drew on National Institute of Standards and Technology (NIST) cybersecurity standards to protect controlled unclassified information (CUI) and federal contract information (FCI). It also included obligations drawn from the Carnegie Mellon CERT Resilience Management Model and the Center for Internet Security (CIS) controls.

Once those obligations became public, the government issued the Defense Federal Acquisition Regulation Supplement (DFARS) interim rule near the end of 2020, which required organizations to assess themselves against NIST SP 800-171 and submit the resulting scores to the Supplier Performance Risk System (SPRS). It was also announced that CMMC would be included in future contract language for all requests for information (RFIs) and requests for proposals (RFPs).

Seeing the scope of the requirements, the industry pushed back. Many organizations argued the mandates would be too burdensome and too costly, even though those contractors were already obligated to meet the DFARS requirements for CUI, which already included the NIST SP 800-171 controls.

The government responded and scaled the program back. The result was a reduced scope of controls: CMMC 1.0 had five certification levels, and CMMC 2.0 reduces that to three. Which level a contractor must meet depends on the scope of CUI it handles and other factors. The CERT and CIS obligations were dropped from 2.0, and the focus is now on the 110 NIST SP 800-171 controls, which the government regards as a reasonable cyber risk management baseline.

Who Needs CMMC 2.0 Certification?

If you’re doing work with the government, even beyond the DoD’s Defense Industrial Base (DIB), you should already be planning for CMMC requirements, because many expect them to spread quickly to other government agencies as an RFI and RFP requirement.

Exactly which certification level you need depends on the type and sensitivity of the government information you handle.

Here’s a quick overview:

  • Level 1: Foundational
    • 17 practices, certified through an annual self-assessment. This level is for organizations that handle FCI only.
    • It covers general contracts that involve no CUI; an estimated 120,000-140,000 contractors will need this level.
  • Level 2: Advanced
    • 110 practices aligned with NIST SP 800-171. Third-party assessments are required for prioritized acquisitions; self-assessments may be permitted for certain programs, such as non-prioritized acquisitions. This level is for organizations that handle CUI.
    • About 80,000 organizations will likely need this level.
  • Level 3: Expert
    • 110+ practices: the NIST SP 800-171 controls plus a subset of the enhanced requirements in NIST SP 800-172. Assessments at this level are triennial and government-led. This level is for the highest-priority programs involving CUI.
    • Only about 400-500 organizations will need this level, though it wouldn’t be surprising to see more organizations required to meet Level 3 in the near future.

Compliance Timeline Shifts

When CMMC 2.0 was announced, the government estimated that finalizing its rulemaking could take up to 24 months. And because CMMC 1.0 had a phased rollout that targeted 2025 for full inclusion of the requirements in RFPs and RFIs, many organizations have assumed they have until 2025 to become compliant.

However, in May of this year, DoD indicated the final rules could be complete by March 2023. As such, contractors may begin to see CMMC requirements in RFIs as early as May 2023.

And, unlike 1.0, where contractors did not need certification at bid, under 2.0 organizations will have to be certified at the appropriate level when they submit their bid packages.

That means the timeframe to be CMMC compliant for many organizations is now much shorter than some may have thought.

If you want to bid on or renew contracts in early 2023 and haven’t already begun your CMMC 2.0 journey, now is the time to pursue certification at the level those contracts will require.

So it’s important to think about the contracts you’re going to want to go after. Will you have upwards of a year to get your certification complete before submitting your bid package?

Reasonable Timelines

No two organizations will have the same timelines and expenses related to CMMC 2.0 certification. There are a range of factors in play such as organization size and location. As such, organizations should expect variance in timelines and costs across the industry.

If your team members are still focused on the 2025 deadline, now is the time to shift away from that perspective.

First, the DFARS clauses already carry control requirements. The 2025 date some remain focused on applied to CMMC only. If your existing contracts include DFARS obligations, you need to meet those now or risk breach of contract.

So, if you haven’t already met those standards, what are you looking at in terms of a realistic CMMC 2.0 timeline?

The reality is that, from start to finish, the process could take a full year.

What would that look like? Here’s an example:

Let’s say you get started in May 2023, when CMMC requirements are expected to start appearing in RFPs. You’ll need to create your System Security Plan (SSP), which, depending on the size of your organization, could take about six months to complete and verify for accuracy. For a smaller organization the SSP might be about 100 pages, but the larger you are, the larger the SSP, and it’s not unrealistic to see some spanning 1,000 pages.

Once you’ve created your SSP, you will need to build your Plan of Action and Milestones (POA&M) to document how you plan to close the gaps for controls you’re not meeting today.

After that, if you’re required to get an assessment from a CMMC Third-Party Assessment Organization (C3PAO), you’ll need to select one and get on their calendar. Right now there are about 21 C3PAOs listed in the marketplace. Given the volume of organizations that will need assessments, don’t be surprised if it takes a while to get that process started, and even once it does, the assessment itself may take several months to complete.

From start to finish, if everything goes in your favor, your organization could anticipate this entire timeline to span about a year. If you’re targeting May 2023 and haven’t started, you’re already behind.

During a recent Apptega CMMC 2.0 webinar with partner SoundWay, we asked attendees about the current stage of CMMC preparation. Here’s what that looked like:

  • Have not started: 21%
  • SPRS Score Only: 27%
  • Systems Security Plan (SSP) Only: 25%
  • Ready for assessment: 7%
  • Ready to self-attest: 21%

Budget Planning

Early government estimates for CMMC 1.0 Level 3 certification, which roughly corresponds to CMMC 2.0 Level 2, were about $51,000. Contractors could then adjust operating costs and overhead to absorb that amount and build it back into the rates submitted to the government.

However, those numbers may fall short of the real mark. Right now, only one C3PAO has published rates for a Level 2 assessment, and that’s already more than $60,000.

Reduce Breach of Contract Exposure

We can talk a lot about CMMC 2.0 as an effective way to reduce cyber risk, but in the end, what it’s really about is reducing your exposure to breach of contract. If you don’t meet the DFARS and CMMC obligations in your government contracts, your organization can be found in breach.

How do you ensure you don’t go down that path? Here are 3 recommendations:

  1. Ensure you have uploaded your SPRS score to the government database, and be honest and accurate. Remember, the government says you shouldn’t submit your SPRS score unless you’ve completed your SSP, so get through the SSP process before submitting. Apptega can help you simplify your SSP and POA&M processes in its framework management solution.

     Point of caution: if you’re a small or medium-size contractor and you report an SPRS score of, say, 110 (the maximum), there’s a decent chance you’re setting yourself up for an independent government audit. Officials have indicated they would rather see a lower but accurate initial SPRS score that improves over time; that shows a rate of progress toward the full set of objectives. If you haven’t done your SSP, don’t upload your SPRS score. Apptega can auto-generate an SSP in a visual framework consistent with federal authorizations to operate (ATOs).
  2. If you’re self-attesting to CMMC 2.0 Level 1, be sure you fully understand what your organization is committing to. Even at Level 1, the business owner (CEO, COO, board, etc.) signing the documents will be legally bound to their accuracy. The Department of Justice’s Civil Cyber-Fraud Initiative can be used against you if you willfully misrepresent your cyber practices.
  3. Even if a C3PAO certifies you at CMMC 2.0 Level 2, you still need the resilience to withstand an attack without it turning into a claim against you for performance and schedule deficiencies. A C3PAO will only assess the objectives DoD has defined under NIST SP 800-171. That is not a silver bullet, and it was never designed to be. Be sure your organization understands all of the obligations to which it may be exposed. Do you have data breach notification requirements in the states where you operate? If an incident triggers a notification requirement and you don’t notify, those financial penalties alone could force you out of business or impair your ability to perform on your government contracts.

Looking Forward

Should you anticipate a future CMMC 3.0? Likely. NIST has called for comments on revision 3 of SP 800-171, the standard underpinning CMMC 2.0. CMMC was always meant to be dynamic and to adapt to the cyber threat landscape. What might a CMMC 3.0 include? Possibly the changes in NIST SP 800-171 Rev. 3, and possibly lessons drawn from common findings in C3PAO assessments.

Next Steps and Tracking Progress

When we talk about the cost of ownership for CMMC certification, it’s not just the applications you purchase or the consultants you engage. You’ll also need to account for all of the internal time and effort invested in the process. The more staff hours it takes, the more it will cost you.

If your organization is still relying on traditional tools to track and manage CMMC framework implementation, go ahead and get out your checkbook because it’s going to be a slow, burdensome process.

Even if you do have the time and money to push through that, you’re likely going to be working with disparate systems and data that don’t communicate with one another, which also increases the chance of errors.

Why is that a concern, especially if you’re just self-attesting at Level 1? In 2021, the U.S. Department of Justice announced its Civil Cyber-Fraud Initiative. Operating under the False Claims Act, it enables the government to pursue contractors and grant recipients who make false claims about their cybersecurity practices.

The good news is there is a faster, more efficient, and accurate way to plan for, implement, and manage your CMMC 2.0 framework. With Apptega, you can work through a user-friendly assessment methodology. You’ll be led through questions for each control objective and can measure how well your controls are performing and instantly see where you have gaps in your CMMC 2.0 requirements. You can even track your burn rate for your budget for project completion.

And, if you have other frameworks you’re managing, if they use the same controls as the NIST controls in CMMC, then you can quickly get a snapshot in that context. No more duplicating work or processes.

Apptega even has an easy-to-use solution to accurately get your SPRS score, which you can submit to the government with a higher level of confidence about its accuracy.

Another bonus? With CMMC 2.0, whoever signs those government contracts, whether that’s an executive or a board member, will ultimately be responsible for ensuring those standards are met. Apptega’s dashboard makes it easy to report CMMC performance to your C-suite and key stakeholders, in a language they understand, and with a connection to your organization’s goals and objectives. This is much easier through a single pane of glass like Apptega, especially compared to hours lost making hard-to-understand charts and spreadsheets in legacy word processing tools.

Preliminary Self-Assessments

If your organization is already on its CMMC journey, you may want to consider conducting a preliminary self-assessment to see whether you satisfy the requirements. This can provide a range of helpful information to ensure everything is functioning as expected once you’re ready to either formally self-attest or go for your official certification.

Nothing prevents you from contacting a C3PAO right now to do that. If you do, keep in mind all the C3PAO can do is tell you if controls are met or not. If you want an organization to provide consultative guidance, including walking you through the standards you didn’t meet, explaining why, and then offer suggestions on closing those gaps, you might find it beneficial to work with a CMMC Registered Provider Organization (RPO), like SoundWay.

Want to take a deeper dive into CMMC 2.0 and what you should do now to prepare? Check out our on-demand webinar, “CMMC 2.0: Wait and See Game?” with Carter Schoenberg, CISSP/CMMC-RP and Vice President of SoundWay Consulting Inc., and Armistead Whitney, CEO of Apptega.

Guest blog courtesy of Apptega. See more Apptega guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

Sponsored by Apptega

Apptega simplifies cybersecurity and compliance management for MSSPs. Apptega’s guest blogs describe how MSSPs can navigate, monetize and automate GRC (governance, risk, and compliance).