What is CMMC?

The CMMC: What It Is, Why You Need It, and How a Managed Service Provider Can Help

If you’re looking for a Managed Service Provider (MSP) to help your organization with the Cybersecurity Maturity Model Certification (CMMC), what should you be looking for?

In addition to tried and tested industry knowledge, experience, and expertise, your partner also needs to have the CMMC themselves. In this post, we’ll take a closer look at what the CMMC is, the benefits it can provide your business, and how much certification costs.

What’s the Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for adopting cybersecurity across the Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain. It’s a training, certification, and third-party assessment program that measures the maturity of an organization’s cybersecurity processes and demonstrates compliance with the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Unlike the FedRAMP, which is required for nearly all contractors, the CMMC is only required for DoD preferred contractors. The CMMC framework was designed to increase “cyber hygiene” via the maturation of processes and practices—moving from a self-assessment to a third-party assessor model—after a series of breaches in the supply chain. The CMMC model is now under contract between a non-profit CMMC Accreditation Body composed of industry stakeholders and the US DoD.

On December 31, 2020, the General Services Administration noted that while CMMC currently only applies to the Department of Defense, all government contractors—civilian or military—should prepare to meet CMMC requirements.

What It Protects

The main objective of the CMMC is to protect unclassified information, including Federal Contract Information (FCI)—information not intended for public release that’s provided by or generated for the Government under contract—and Controlled Unclassified Information (CUI)—information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

via the CUI Program Blog

The 5 Maturity Levels

In order to become and stay a prime contractor, companies need to meet at least one of the five CMMC maturity levels:

  • Level 1 – Processes: Performed, Practices: Basic Cyber Hygiene (recertify every three years)
  • Level 2 – Processes: Documented, Practices: Intermediate Cyber Hygiene (recertify every three years)
  • Level 3 – Processes: Managed, Practices: Good Cyber Hygiene (recertify every two years)
  • Level 4 – Processes: Reviewed, Practices: Proactive (recertify every year)
  • Level 5 – Processes: Optimizing, Practices: Advanced/Proactive (recertify every year)

These levels apply to the CMMC’s 17 controls across multiple domains, ensuring comprehensive cybersecurity coverage; the full list can be found here.

Benefits of Having the CMMC

Obtaining the CMMC means organizations are permitted to receive and share DoD information related to programs and projects.

Furthermore, they’ll be able to improve their processes while simultaneously enhancing the protection of controlled unclassified information and intellectual property within the US DIB supply chain.

Additional benefits include:

  • Collaborative Risk Management: The implementation of a collaborative risk management approach.
  • Best Practices: The adoption of best practices in cybersecurity.
  • Risk Preparedness: Preparation for, prevention of, and reduction of risk against a specific set of cyber threats.
  • Incident Recovery: The ability to recover from a cyber incident without financial penalization.
  • Enhanced Resilience: The maximization of DoD and DIB cybersecurity resilience.

How Much Does the CMMC Cost?

CMMC costs vary by certification level, meaning higher-level certifications cost more than lower-level ones. Katie Arrington, Chief Information Security Officer (CISO) at the Office of the Under Secretary of Defense for Acquisition & Sustainment, said that organizations should expect to pay between $3,000 and $5,000 for CMMC Level 1 certification—but that doesn’t include getting your organization ready for the audit.

To get a more accurate number, keep in mind both the soft and hard costs of preparing for the audit as well as the cost of the audit itself.

Preparing for the Audit

Soft Costs:

  • $0 to $10,000 if your organization already has an up-to-date risk assessment and system security plan
  • $10,000 to $40,000 if your business has a less mature NIST SP 800-171 compliant environment
  • $15,000 to $35,000 in consulting costs if you need to outsource CMMC gap and readiness assessment services

Hard Costs:

  • $20,000 to $60,000 for businesses without a reasonably mature NIST SP 800-171 compliant environment

The Audit Itself

Hard Costs:

  • $20,000 to $40,000 for a typical, standardized control assessment audit program by certified third-party auditors

Do It Yourself, or Hire a Certified MSP

Completing the CMMC yourself isn’t the only way—you can also hire an MSP that already has this certification.

Not only does it cost less, but it also means:

  • An easier certification process
  • Time savings
  • Deferred risk for your organization
  • Help maintaining your current level of compliance
  • Support when adapting to changing standards
  • Assistance with the recertification process

…among other benefits. At R3, we’ll help your business identify the most cost-effective and efficient way to achieve its desired CMMC maturity level so that you can stay ahead of the competition and compete for DoD business.

Ready to get started? Send us a message today to learn how we can provide the experienced, knowledgeable CMMC support you need.