There are five levels of certification. Level one is the easiest to earn (17 security practices), and five the most difficult (171 security practices). Contracts will specify the required CMMC level.
CMMC comes with a new security control framework. It includes 171 security practices. Many security practices are drawn from FAR 52.204-21, NIST SP 800-171, and NIST SP 800-171B. CMMC also draws requirements from other international security frameworks.
Does my company need to earn a CMMC?
Every company providing services to the U.S. Department of Defense will need to earn a CMMC certification. This equates to over 300,000 companies worldwide.
If you do not have any U.S. Department of Defense contracts but are planning to compete for them you will need to earn a CMMC certification. The vast majority of CMMC contracts will have a level 1 requirement (17 security practices). Always check your contract to ensure that it has the CMMC requirement.
What happened to NIST SP 800-171?
CMMC draws many security practice requirements from NIST SP 800-171. CMMC levels 1-3 take almost all of the requirements from 800-171. If your company has already been implementing NIST SP 800-171 controls then you are in a good position for CMMC.
Defense contractors should expect to see new Cybersecurity Maturity Model Certification version 1.0 requirements in requests for information in June and in requests for proposals in November.
In 2021 about 1,600 companies will have a CMMC requirement. The U.S. Department of Defense plans to have all 300,000 companies CMMC certified within the next five years.
CMMC Accreditation Body
The Department of Defense (DoD) set up an independent third party accreditation board. The CMMC Accreditation Body is responsible for organizing the training of 10,000 assessors needed to certify the 300,000 companies working with the DoD. The board will designate certified third party assessment organizations (CSPAOs). Company's will be paying these C3PAOs to assess their cybersecurity controls. The assessment results will be used to assign a cybersecurity maturity level. Based on the assigned level companies will receive a CMMC between level one and five.
As of June 4, 2020 there are no certified CMMC assessors or certified third party assessment organizations. Towards the end of 2020 and the beginning of 2021 assessors will start to become available as they complete their own training and certification process. Assessors will primarily be from the private sector however the U.S. Department of Defense will also have some of its own assessors.
How much does a CMMC certification cost?
No official pricing has been released yet. The U.S. Department of Defense said that it will cover the cost of undergoing the assessment to earn the CMMC certification. The real cost for CMMC is preparing your organization to earn it.
How do I prepare for CMMC?
If you currently have a contract requiring the implementation of NIST SP 800-171 controls then continue implementing them. Finish the action items on your plan of action and milestones (POA&M).
Do you have a U.S. Department of Defense contract but don't have DFARS clause 252.205-7012 in it? Then beginning to implement level 1 CMMC controls is a good idea.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.