After a five-year development cycle for the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense published the final rule on October 15th. The initial rule— CMMC 1.0— was published in 2020 and has since undergone different iterations and extensive comment periods. With the final rule now complete, CMMC 2.0 will become effective on December 16th, 2024.
CMMC changes how companies that want to contract with the government must handle their cybersecurity practices. With the ruling, companies need to verify that they have implemented thorough security safeguards for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Noncompliance with the rule can result in steep fines and disbarment from federal contracting.
The Three Levels
CMMC offers three different levels of certification depending on the type of government contract it supports.
Level 1 is the most basic certification and is for organizations that only work with FCI. It will only require an internal assessment that must be completed annually. This is the cheapest assessment, estimated to cost contractors just over $5,900.
Level 2, which is the most common, is for organizations that work with CUI. This level requires a third-party assessment that occurs every three years. The estimated costs for this assessment alone is about $50,000, but this does not include the cost to implement the controls, which will cost companies another estimated $50,000. Meeting the requirements for Level 2 CMMC can take months or more to complete. With 110 controls, or requirements, companies that are just starting now could miss out on government contracting opportunities as soon as December 2024.
Level 3 is for organizations that work with CUI and are subject to Advanced Persistent Threats (APTs). This level requires a government-led assessment every three years. Becoming Level 3 Certified is expected to cost contractors an additional $12,802 on top of the Level 2 costs. It will only apply to companies supporting the government’s most critical programs and technologies, so this level of certification will not be required for most contractors.
If a company doesn’t entirely meet the requirements, it can still be technically compliant with a written Plan of Actions and Milestones (POAMs). A POAM outlines how the company is deficient, expresses its steps to become level complaint, and timelines the milestones to do so. POAMs must be completed within 180 days or else companies may be deemed non-compliant and will need to pay to be reassessed.
Supporting the Certification Process
Becoming CMMC certified is not an overnight process, nor is it cheap. As previously mentioned, the DoD estimates that companies becoming Level 2 certified can expect to spend over $100,000 every three years. However, there are different financial support avenues available for companies to utilize to help mitigate the cost.
First, the NSA offers a free Cybersecurity Program for all DoD contractors that supports several CMMC requirements. While not specifically focused on CMMC, this program provides several cybersecurity solutions to help bolster a company’s security.
Additionally, companies can utilize state funded grant programs aimed at improving cybersecurity. For Michigan-based companies, the Michigan Office of Defense and Aerospace Innovation (ODAI) provides contractors’ cybersecurity technical services to assist in preparing for CMMC. This program offers reduced pricing on a Gap Analysis and funding up to $22,500 for remediation efforts.
The best time to start thinking about CMMC is, well, yesterday. While CMMC is effective starting in December, it is not expected for most contracts to have CMMC clauses incorporated until Spring of 2025. CMMC will have lasting impacts on the way companies look at cybersecurity. While small businesses should always take cybersecurity seriously, CMMC will make U.S. domestic security a necessary focus point for companies hoping to support the defense industry.
About the Author
Quinton Kichak
Quinton Kichak is the Administrative Operations Lead, where he manages administrative and finance as well as supporting marketing objectives. View our team.