After four years of announcements, delays and revisions, the Cybersecurity Maturity Model Certification, or CMMC, has finally been released to the public. The new CMMC 2.0 standard will be finalized in 2024, and the DoD projects that it will impact 220,000 companies across the Defense Industrial Base.
In 2019, the Department of Defense (DoD) concluded that most DoD contractors did not meet basic cybersecurity standards, specifically DFARS and NIST 800-171. Through the audit process, the DoD learned that self-assessments and self-determined implementation timelines were not sufficiently strengthening contractor cybersecurity. With this shortcoming in mind, the DoD developed a new standard and a governing body to oversee the certification process. The Cybersecurity Maturity Model Certification (CMMC) was born, but the road to becoming law has not been smooth.
By 2020, an initial framework of the new cyber standard was released, some of which caused an immediate clash with small businesses. In the first iteration, CMMC was to eliminate all self-assessments. While this seemed like a step towards better oversight, it meant a substantial new business expense. In addition, CMMC planned to have five maturity levels to accommodate the variety of businesses in the Defense Industrial Base (DIB). The five maturity levels made sense but confusion quickly followed as small businesses tried to guess which level they might fall into. With all these questions and a tight timeline for expected release, CMMC was delayed.
After various revisions, simplifications and organizational changes, CMMC is finally ready for public consumption. On December 27th, 2023, the rule was released to the public, kicking off a 60-day hearing period. Businesses impacted by the rule are encouraged to submit comments, questions, and concerns during the hearing. At the end of the hearing period, the CMMC-AB (Accreditation Body) has 6-12 months to release the final rule.
Implications for DIB Contractors
For companies in the DIB, CMMC offers a reasonable cybersecurity target to aim for. The biggest challenge will be having the staff, time, and resources to accomplish certification. CMMC requirements are similar to existing NIST 800-171 requirements, other than the requirement for external assessment. This means that most DIB companies should not be thinking of a new set of requirements, but instead auditing the requirements that have been in place for over a half-dozen years.
The cost estimates assume that all companies in the DIB are currently adhering to NIST 800-171 and are not “starting from scratch” regarding cybersecurity and documentation. This critical assumption may confuse or alarm small businesses when they see the price tag for CMMC certification. How should DIB companies interpret this? To get moving on cybersecurity compliance today, as has been required since 2017. The cost for a CMMC certification ranges from around $6,000 for a Level 1 certification, to about $105,000 for a Level 2 certification. Those prices will vary depending on size, complexity, existing IT infrastructure, etc.
What Contractors Should Do Today
The biggest mistake a DoD contractor can make in this environment is waiting until the last minute to comply. CMMC Level 2 compliance includes 110 controls/practices. Getting those controls implemented and verified can take months if not a full year. Waiting until CMMC is law to begin implementing these controls is a recipe for disaster and could cause significant business loss. Start today and avoid the mad dash for cybersecurity compliance support that will likely occur over the next year as CMMC becomes law.
Contact NC State University Industry Expansion Solutions IES today for a free consultation to learn more about CMMC and your business.