After the U.S. Department of Defense (DoD) unveiled the latest version of the Cybersecurity Maturity Model Certification (CMMC), CMMC 2.0, on October 15, 2024, compliance with the framework became mandatory for all Defense Industrial Base (DIB) organizations.
That includes smaller businesses, which were generally subject to more lenient conditions in CMMC's previous iterations.
Although the new framework will be rolled out in phases, there is much to be gained from pursuing certification early. We have prepared a beginner's guide to the requirements for small businesses seeking CMMC certification.
1. Distinguish Between CUI and FCI
The Cybersecurity Maturity Model Certification primarily seeks to secure two categories of sensitive information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Distinguishing between these two data classes is the first requirement for businesses seeking CMMC certification.
Federal contract information refers to sensitive data that accompanies federal contracts and is not intended for public dissemination. Examples include maps of critical military infrastructure, such as nuclear reactors.
Controlled unclassified information is federally designated sensitive data that may be shared with the general public. Examples include military expenditures and intelligence information.
While both FCI and CUI are designated as sensitive information, CUI requires a higher level of protection.
2. Define the CMMC Certification Level Applicable to Your Business
CMMC 1.0 originally had five maturity levels; CMMC 2.0 reduces these to three.
Level 1
Level 1 is the foundational level. It focuses on basic cybersecurity hygiene and specifically targets federal contract information.
To obtain CMMC Level 1 certification, your business must implement all 17 security controls specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.
Level 2
CMMC Level 2, the advanced level, requires compliance with 110 cybersecurity requirements. These controls are drawn from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
You do not need to satisfy every Level 2 security control at the time of assessment. The DoD may issue a conditional certification if you score at least 80% during the assessment, provided that you remediate the remaining gaps within 180 days of the last assessment.
Another noteworthy requirement is that all CMMC Level 2 audits must be conducted by independent CMMC Third-Party Assessment Organizations (C3PAOs). These assessors are authorized by the CMMC Accreditation Body (CMMC AB).
Level 3
Level 3, the expert level, seeks to safeguard the DIB against Advanced Persistent Threats (APTs).
To obtain certification at this maturity level, your business must meet all Level 2 requirements plus the additional security controls outlined in NIST SP 800-172.
In addition, all Level 3 assessments are led by an official appointed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
3. Set Aside Resources
CMMC certification is a resource-intensive process. To get through it successfully, you will need to allocate a budget and set aside sufficient time.
Navigating Certification Costs
There are no standard CMMC certification fees. The cost can range from $3,000 to over $150,000, depending on the certification level required, your industry, and your current cybersecurity posture.
Businesses seeking CMMC Level 1 certification can self-assess and report on their compliance status annually. Because this maturity level does not require a third-party assessor, its certification costs are comparatively low.
Level 2 and Level 3 certifications require accredited third-party assessors. Both maturity levels also involve extensive audits, which explains their higher certification costs.
Fortunately, you can keep CMMC certification costs down by conducting regular internal audits and promptly closing the security gaps they reveal.
Managing Associated Downtimes
Like cost, the time it takes to obtain CMMC certification varies significantly. The process may take 6 to 18 months, depending on the assessment scope.
It is also worth noting that your business may experience significant operational disruption during CMMC audits.
Information technology (IT) and software vendors are particularly exposed to downtime, since CMMC assessments typically focus on IT systems.
4. Undertake a Gap Analysis
Conducting a gap analysis is a critical step for any business seeking CMMC certification. It helps you identify security gaps and close them before the actual audit.
First, you will need to inventory the assets that store most of your organization's information. These range from physical devices such as hard disk drives and USB drives to software systems such as cloud storage.
Next, thoroughly scope your systems for DoD-designated sensitive information, and classify that data as either FCI or CUI. Then compare your current cybersecurity policy against the CMMC requirements for the maturity level that applies to you. This identifies areas for improvement and informs your remediation strategy.
5. Develop an SSP
Each CMMC gap analysis should culminate in a System Security Plan (SSP), a document that records your company's cybersecurity policies and procedures.
An SSP specifically outlines the measures your organization is implementing, or plans to implement, to counter cybersecurity threats. Its core components include the data storage assets in scope, the cybersecurity controls in place, and the personnel responsible for them.
If this is your first CMMC assessment, you can start from the DoD's ready-made SSP templates. You will, however, need to update the document after each audit.
With an up-to-date SSP in hand, you can proceed to the formal CMMC assessment.
Final Thoughts
Navigating CMMC's regulatory landscape can be challenging for new defense vendors. Fortunately, you can accelerate the certification process by enlisting the help of a licensed cybersecurity compliance agency.
The CMMC Accreditation Body is an excellent place to begin your search for a competent cybersecurity auditor. Head to the CMMC AB's marketplace and choose an agency that is duly authorized to conduct CMMC assessments.
Above all, choose a CMMC auditor that demonstrates in-depth knowledge of the framework's latest iteration, CMMC 2.0.