CMMC is Published: What Now?

If you want to stay competitive, your best chance is to get CMMC ready before Q1 2025. How long does it take to become compliant? We’ll cover that and other key questions in this blog.

By the end of this you should have a solid understanding of the CMMC rule and what you need to do to prepare your organization for compliance. We’ll cover what CMMC is, what's in the rule, the rulemaking timeline, the cost of compliance, and next steps to take.

Executive Summary:  

• “CMMC isn't making you do the requirements; it's making sure you did the requirements.” – Jacob Horne 
• With prime demands, market competition, and limited CMMC assessors, most organizations are looking to be assessment ready right when certifications become available in Q1 of 2025. 
• CMMC Level 2 readiness means implementing existing DFARS 7012 requirements and NIST SP 800-171 controls mapped to the assessment objective level.  
• Any managed IT service (MSP/MSSP) working with a Level 2 organization must have a CMMC Level 2 final certification as well.
• Getting CMMC ready and certified is typically a multi-year, six-figure investment.

The DoD has released the proposed version of the Cybersecurity Maturity Model Certification (CMMC) rule. This long-awaited assessment framework provides a clear path for defense contractors to protect controlled unclassified information (CUI) and meet the DoD's cybersecurity requirements. 

Looking for a deeper dive? Watch our free CMMC Published Webinar walks will guide you through all we cover here, highlighting vital details with expert insight from Scott Edwards, Summit 7 CEO, CMMC Evangelist Jacob Horne, and Sam Stiles, our Marketing VP.  

At the end, you’ll have the chance to download our free, comprehensive resource, the CMMC Readiness Brief, your roadmap to CMMC success with leadership support.

What Does CMMC Say We Have to Do?

Expert Insight: "CMMC isn't making you do the requirements; it's making sure you did the requirements." - Jacob Horne

CMMC acts as a verification of a contractor's cybersecurity posture.

CMMC compliance is mandatory for all DoD contractors and subcontractors who handle CUI. By adhering to the controls outlined in NIST SP 800-171 and obtaining third-party certification of its implementation, organizations can achieve CMMC compliance.

CMMC explains what is required for each CMMC level. Knowing your level will help you know what is required of your organization. Your level is determined by what type of data you handle for the DoD.

• Level 1 is for Federal Contract Information (FCI)  
• Level 2 is for Controlled Unclassified Information (CUI)  
  • CUI is an umbrella term that includes common data types such as Controlled Technical Information (CTI) and ITAR data.   
• Level 3 is for ”Critical” CUI

Since the majority of Organizations Seeking Compliance (OSCs) will be CMMC Level 2, we will focus on takeaways for Level 2.

Key Question: If we are CMMC level 2, have we looked at both NIST SP 800-171 and NIST SP 800-171A to see if we have done all 320 assessment objectives?

What Do CMMC Level 2s Need to Know?

Expert Insight: Any MSP/MSSP working with the organization must have a Level 2 final certification as well.

• A Certified 3rd Party Assessment Organization (C3PAO) will attest that you have fully implemented all assessment objectives for you to receive a CMMC certification through them.
• Every year a senior company official must re-affirm that all 320 assessment objectives are still being met.
• Every 3 years a C3PAO must re-certify the organization

Key Question: Is my MSP/MSSP actively working to become certified at my CMMC level?

When Will This Matter for Us?

Expert Insight: If you want a shot at staying competitive, your best chance is to start NIST SP 800-171 implementation today.

Why start today?

1. Primes will be asking their Subcontractors to become CMMC certified as soon as possible to keep their competitive edge when bidding on contracts.

2. Your competitors will be picking the earliest possible moment to become compliant (Q1 of 2025), seeking a competitive edge in bidding for new contracts.

3. There are more OSCs than there are C3PAOs, causing a bottleneck effect (see timeline). If you wait until the DoD Phased rollout starts, you will already be behind because of the inevitable backlog.

4. There are even fewer implementors of NIST SP 800-171 to help you. Make sure you get in line for your implementations, migrations, documentation, etc.

With prime demands, market competition and limited assessors, most organizations are looking to Q1 of 2025, when the rule is published, to be assessment ready.

The average time it takes to implement NIST SP 800-171 is 12-18 months for a 50-500 person company starting from an average compliance posture.

If you want to stay competitive when certifications become available Q1 2025, and it takes 12-18 months for implementation, today is the day to start.

Key Question: When is my customer/prime contractor asking for CMMC?

How Much will CMMC Cost?

Expert Insight: Getting CMMC certified takes about year of preparation, and easily could cost six figures to get there.

For Level 2, the cost of a CMMC Certification will include Assessment Costs (initial and every three years after) and Affirmation Costs (annually): estimated to be $104,670 total based on the CMMC proposed rule documentation.

Remember: the cost of CMMC does not include the cost of implementing NIST SP 800-171, which is assumed to have been already implemented.

Key Question: Is my staff and budget poised to engage on a year plus journey of NIST SP 800-171 implementation? 

What Are My Next Steps?

• Implement NIST SP 800-171 (CMMC L2) now.
• Ask your MSP/MSSP if they are preparing to be CMMC compliant to your same level (if L2 or L3).
• Reach out to a C3PAO and start your pre-assessment readiness activities. 

Need a roadmap to CMMC? Download the CMMC Readiness Brief. 

This is a tool tailored for CISOs and IT professionals tasked with compliance to communicate a plan to the decision makers in their organizations with confidence.