This month marked nearly five years since the Cybersecurity Maturity Model Certification, or CMMC, was announced. This initiative by the US Department of Defense (DOD) required DoD Contractors and Subcontractors to achieve verifiable compliance with security controls to protect non-public information, commonly referred to as Controlled Unclassified Information, or CUI, which includes Federal Contract information or FCI.
The primary reason for CMMC implementation was that malicious cyber actors have targeted and continue to target the DIB sector, which consists of approximately 220,000 small- to large-sized entities that support the warfighter.
Actors ranging from cyber criminals to nation-states continue to attack companies and organizations that comprise the Department’s multi-tier supply chain, including smaller entities in the lower tiers. From at least January 2020 through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors.
The actors have targeted sensitive, unclassified information and proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms’ development and deployment timelines, vehicle specifications, communications infrastructure, and IT network architecture designs and diagrams.
Long Awaited Final Rule
Finally, the long-awaited final rule governing the implementation of the CMMC was made official, kicking off the clock for contractor compliance. Otherwise, contractors cannot respond to solicitations or bids on contracts without meeting the required assessment criteria and recording them in the online DoD Supplier Performance Risk System. This process is expected to begin mid-year 2025.
These mandated security controls were determined to be foundational to any organization that maintained US Federal Information, including third parties and service providers that provided support for the Defense Industrial Base (DIB) with products, services, and technology solutions.
Contractors who circumvent these assessment requirements or fabricate assessment results can be punished under the Civil Cyber Fraud Initiative (CCFI), which pursues cybersecurity-related fraud by government contractors and grant recipients.
This final rule includes entities and individuals who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices, or violate obligations to monitor and report cybersecurity incidents.
If organizations fail to comply with CMMC security controls, they can face fines of up to $10,000 per control, with a minimum of 110 controls required for evaluation; this can severely impact an organization financially. In addition, these contractors may be disbarred from future federal contracting opportunities.
Initial Adoption
In October 2020, SecureXperts was approved as a vendor for the DoD Cybersecurity Maturity Model Certification Marketplace, highlighting the growing concern among U.S. national security officials about possible security breaches from China and other nation-state actors. Since the initial adoption, several changes have occurred on the journey to the final rule.
Notably, the CMMC was initially established as a five-level program to eliminate self-certification and self-attestation from organizations and engage with a Certified Third-Party Assessor Organization (C3PAO) –or a certified CMMC assessor to evaluate the security posture of future CMMC-certified companies every three years.
In addition, organizations were required to comply with all security controls without required mitigation requirements fully—known as a Plan of Action and Milestones—and have all cybersecurity controls in place within 180 days.
Final Adoption
On October 15, the final CMMC 2.0 rule became a three-level program allowing self-certification for level 1, consisting of 17 practice areas, and for level 2, consisting of 110 controls. Self-assessments must be reviewed annually and approved by a Senior Official within the company. Compliance Levels of CMMC 1 and 2 can be registered as plans of action or milestones.
Contractors who do not handle information critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
To achieve CMMC compliance, organizations must create a system security plan (SSP) that includes details about each system in their IT environment that stores or transmits controlled unclassified information (CUI) following NIST 800-171.
The SSP outlines information flow between systems, authentication and authorization procedures, company regulations, staff security obligations, network diagrams, and administrative duties. A living document must be updated whenever significant changes are made to a business’s security profile or procedures.
Under CMMC, Contractors and organizations (including subcontractors) that maintain information critical to national security (level 3) must obtain third-party evaluation and certification from a registered 3CPAO.
Cost of Achieving Compliance
Before the release of the Final Rule, most companies began complying with DoD standards when the CMMC final rule was published. I felt that DoD underestimated the assessment cost and should have included the implementation cost (often to include remediation) as reimbursable to the organizations now mandated to meet the defined security requirements.
Now that we have a clear definition of what controls are required to become compliant, it is up to companies to determine if they are in place… and can be verified. If you do have the required controls in place, it is only necessary that you ensure that these controls are up to date (usually within one year of submission) under the current requirements. It is important that you establish a budget for this assessment.
Most government and prime contractors must ensure that any subcontractors engaged in DoD projects comply with CMMC. An organization's minimum cost for a level 1 self-assessment and affirmation is between $4k and $6k per year—a level 2 self-assessment costs companies between $37k and $50k every three years.
DoD programs that support technology implementations, products, and solutions require validated third-party evaluation with CMMC level 2 assessment estimated to cost between $105K and $118K. These costs do not include products, systems, products, labor, or technical resources to bring your organization into compliance.
Despite these expenses, achieving CMMC compliance is a requirement for DoD contractors and a valuable investment in your organization’s cybersecurity posture. After these initial costs, organizations must also consider the ongoing expenses of CMMC compliance.
These include regular cybersecurity audits, periodic network upgrades, and the need for continuous employee training to stay ahead of emerging threats. Additional costs could arise from maintaining the required documentation or if you choose to hire a third-party service provider to manage your compliance process.
Lowering Organizational Cost to become CMMC Compliant
The clock is ticking because the DoD already assumes you have these controls in place. Suppose your organization is a medium-sized business that does not have full-time IT and cybersecurity staff or has hired a CMMC consultant. In that case, you will likely be more than two years away from meeting the required compliance objectives.
Suppose your organization has full-time IT and cybersecurity staff now that the final rule has been published. In that case, you can finally begin documenting the controls and collecting the artifacts needed to prove compliance.
To lower CMMC implementation costs, SecureXperts has developed a select group of products and managed services that isolate CUI data from your existing architecture. These services use network isolation and segmentation of your company’s CUI data and manage it with an on-premise or remote solution that meets all the compliance requirements for CMMC 2.0.
Segmenting the network to become available for users requiring access to CUI data can lower the costs of implementing CMMC. One strategic process, enclaving, allows an organization to segment CUI data repositories and processes separately from normal business operations.
Complimenting the logical security requirements of the NIST CMMC requirements, SecureXperts offers cybersecurity enclosures that provide electromagnetic shielding and physical security countermeasures. These enclosures enable deployment without geographic limitations and are suitable for teleworking or alternative work environments.
Bottom Line
The future of third-party Cybersecurity assessments has finally arrived. The processes that will be used to evaluate and assess compliance are clearly defined, and the rules of engagement have been set. Becoming complaint will not be easy or inexpensive.
Most of the CMMC process involves proving that your organization has proper security controls. This mandatory compliance demands that organizations implement these practices and establish and document mature processes to guide their cybersecurity efforts and achieve a state of “good cyber hygiene.”
Unsurprisingly, once CMMC is implemented, the U.S. government and commercial agencies expect to use this model in critical infrastructure and enterprise commercial sectors.
The bottom line is… If you are seeking to do business with the U.S. Department of Defense, whether you are a prime contractor or subcontractor, now is the time to re-engage with becoming CMMC Complaint. Ensuring you have trusted third-party consultants to assist you along your journey with CMMC compliance is essential to streamlining the time, money, and effort your company expands to meet the new CMMC 2.0 compliance mandates.