What is CMMC?
The Cybersecurity Maturity Model Certification (“CMMC”) is a unified standard and framework of cybersecurity best practices and controls. The intent of CMMC is to enhance the cybersecurity of the government contractors who serve the Department of Defense (“DoD”) and who make up the Defense Industrial Base (“DIB”). CMMC is a framework and a standard, but it also has a certification component that verifies compliance with the standard.
Why was CMMC created?
The theft of intellectual property and sensitive information through malicious cyber activity threatens both economic security and national security. As part of multiple efforts focused on enhancing the security and resiliency of the Defense Industrial Base, the DoD created CMMC to assess and enhance the cybersecurity posture of contractors who serve the DoD. The certification creates a mechanism that helps DoD assess and verify contractor compliance with the cybersecurity practices, controls, and processes that are aimed at protecting certain unclassified information (described in more detail below) that may be in the possession of those contractors, or which resides on or is transmitted through contractor information systems.
What kind of information is CMMC designed to protect?
CMMC is primarily designed to protect Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”).
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. It does not include information provided by the government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.
CUI is generally unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/
Resources, including online training to better understand CUI can be found on the National Archives’ website at https://www.archives.gov/cui/training.html as well as the Department of Defense’s website: https://www.dodcui.mil/
What rules govern and implement CMMC?
DoD recently issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, published in the Federal Register at 85 Fed. Reg. 61505 on Sept. 29, 2020, and effective Nov. 30, 2020. The interim rule will be followed by future rulemaking that may amend its content and requirements. Public comments were due Nov. 30, 2020, and will be considered in the formulation of a final rule expected sometime in the spring or summer of 2021.
DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is already included in all DoD solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions solely for commercially available off-the-shelf (COTS) items. This clause, which is described in detail in the video below, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems,” as defined in the clause, that are not part of an IT service or system operated on behalf of the Government. NIST SP 800-171 is a publication of the National Institute of Standards and Technology that sets out 110 security requirements for protecting the confidentiality of CUI in nonfederal systems. DoD’s own Assessment Methodology (described below) is the scoring method used to assess a contractor’s implementation of those 110 requirements. As mentioned, you can learn more about NIST SP 800-171 by watching the video below.
Traditionally, contractors and subcontractors self-certified compliance with DFARS clause 252.204-7012 and NIST SP 800-171. The DoD Assessment Methodology was developed to give DoD an easier way to gauge contractor compliance with NIST SP 800-171, and its own confidence in that compliance, and it is implemented in contracts via DFARS clause 252.204-7020. The methodology defines three assessment levels – Basic, Medium, and High – which roughly translate to the confidence level DoD has in the contractor’s implementation of NIST SP 800-171. Each assessment produces a score that factors in how many of the 110 NIST SP 800-171 security requirements the contractor has implemented. Basic assessments are performed by the contractor itself; Medium and High assessments are conducted by DoD personnel.
Basic assessments are contractor self-assessments using the DoD Assessment Methodology. With respect to Basic (self) Assessments, DFARS 252.204-7020 asks DoD contractors to submit their Basic (self) Assessment scores into a web-based system called the Supplier Performance Risk System (SPRS). Assessment summary level scores posted in SPRS are then available to DoD personnel and are protected in accordance with the standards set forth in DoD Instruction 5000.79. For more details, review DFARS clause 252.204-7020.
An interim rule effective on Nov. 30, 2020, requires that contracting officers verify in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/ the scores of NIST SP 800-171 assessments already completed, and verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) assessment, at any level, on record prior to contract award. Therefore, defense contractors should upload and submit Basic (self) Assessment scores for each system supporting the performance of a contract (or potential future contract), because DFARS 252.204-7020 will appear in all DoD solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial items, except for those that are solely for the acquisition of COTS items.
The rule states that the offeror/contractor may submit scores via encrypted email to the DoD mailbox identified in the clause for posting to SPRS. SPRS now also allows offerors/contractors to enter scores directly (see https://www.sprs.csd.disa.mil/pdf/NISTSP800-171QuickEntryGuide.pdf). Additional resources and help on using SPRS are available on the SPRS website. The rule also states that prime contractors must ensure applicable subcontractors have the results of a current assessment posted in SPRS prior to awarding subcontracts. We encourage all of our clients who are DoD contractors, who have DFARS clause 252.204-7012 in their contracts, and who are likely to have DFARS 252.204-7020 in their contracts going forward, to upload their Basic (self) Assessment scores into SPRS.
Building upon NIST SP 800-171, the CMMC framework adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk.
DoD is implementing a phased rollout of CMMC. CMMC will be primarily implemented by DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements. This clause is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the contract requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation until September 30, 2025, must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
Starting on or after October 1, 2025, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold. Contracting officers will not make an award, or exercise an option on a contract if the offeror or contractor does not have current (i.e. not older than three years) certification for the required CMMC level. Furthermore, CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.
What are the CMMC Levels?
There are five CMMC levels (1-5) for which a contractor can implement controls and become certified. To achieve a specific CMMC level, a defense contractor must demonstrate to an accredited CMMC Third Party Assessment Organization (C3PAO) that it has put into place the controls, processes, and practices commensurate with the level sought. Therefore, the steps your company needs to take depend on which CMMC level your company is seeking. Many defense contractors will need only Level 1 certification. Some will require Level 3 certification. Very few contractors will need Level 4 or 5. The level needed depends on the requirements of the contracts you are working on or seek to work on for DoD. The solicitations and contracts issued by DoD will generally state the CMMC level required for that opportunity.
CMMC assessments are not done by the government but are conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs). Upon completion of a CMMC assessment, a company is awarded certification by an independent CMMC Accreditation Body (AB) at the appropriate CMMC level (as described in the CMMC model). The CMMC certification level is then documented in SPRS to enable the verification of an offeror’s certification level and currency (i.e. not more than three years old) prior to contract award.
Below are the applicable CMMC levels:
Level 1: This is the most basic level. It consists of the 15 basic safeguarding requirements from FAR clause 52.204-21 (expressed as 17 practices in the CMMC model). This is the easiest level to achieve, and most government contractors should already meet these requirements; if they do not, the requirements can usually be met with minimal effort. Many small businesses that do business with DoD but do not receive or create CUI may only need to achieve this level.
Level 2: Consists of 65 of the security requirements from NIST SP 800-171 (implemented via DFARS clause 252.204-7012), 7 additional CMMC practices, and 2 CMMC processes. Level 2 is intended as an optional intermediate step for contractors progressing to Level 3. While Level 2 exists, it is anticipated that many contractors will skip it and pursue Level 3 directly.
Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 additional CMMC practices, and 3 CMMC processes. DoD contractors that receive or create CUI will need to achieve at least this level. Many mid-size and large government contractors will need to achieve it.
Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 additional CMMC practices, and 4 CMMC processes. This level will likely be necessary only for government contractors who possess or create sensitive or mission-critical CUI, mostly large government contractors and some of their key subcontractors.
Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 additional CMMC practices, and 5 CMMC processes. This level will be necessary only for a small number of contractors who possess or create what the DoD considers the most sensitive or mission-critical CUI. This will be an exclusive group: mostly large government contractors and some of their key subcontractors.
To understand in more detail the different levels and controls, you need to download and review the CMMC model. Additional information on CMMC and a copy of the CMMC model can be found at https://www.acq.osd.mil/cmmc/index.html.
Why does CMMC matter?
The CMMC model consists of processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community.
As noted earlier, DoD is implementing a phased rollout of CMMC over the next several years. Even though the rollout will be slow and phased, the CMMC requirement may begin to appear in some contracts soon through the insertion of DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements. This includes solicitations and contracts using FAR Part 12 procedures for the acquisition of commercial items (excluding acquisitions exclusively for COTS items). The consequence is that if the requirement document or statement of work in a contracting opportunity or solicitation requires a contractor (or its subcontractors) to have a specific CMMC level, only contractors and subcontractors who have achieved that certified level can perform the work for DoD. To put it simply, if you want to do business with DoD on a contract where CMMC is required, you will have to achieve the CMMC level that the contract or subcontracting opportunity requires, or you will not be eligible to perform the work.
In order to implement the phased rollout of CMMC, the inclusion of the CMMC requirement in a solicitation up until September 30, 2025, must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. The rollout is anticipated to be gradual. DoD has indicated the following targets for the number of prime acquisitions that will include a CMMC requirement: FY2021 (15), FY2022 (75), FY2023 (250), FY2024 (325), FY2025 (475). DoD may move faster or slower than their anticipated goals depending upon how quickly companies get CMMC certified.
However, eventually, on or after October 1, 2025, DoD plans to apply CMMC to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micro-purchase threshold. Contracting officers will not make an award, or exercise an option on a contract, if the offeror or contractor does not have a current (i.e., not older than three years) certification at the required CMMC level. Furthermore, CMMC certification requirements must be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.
I understand that this is important if I want to continue to do business with DoD. How do I get certified?
To get certified, a contractor must both implement AND demonstrate they have the controls, processes, and practices in place commensurate with the applicable CMMC level to an accredited CMMC Third Party Assessment Organization (C3PAO). Upon successful completion of a CMMC assessment by a C3PAO, a company is awarded certification by an independent CMMC Accreditation Body (AB) at the appropriate CMMC level. The certification level is then documented in SPRS, which enables the federal government to verify an offeror’s certification level and that it is not more than three years old prior to contract award. You can find a marketplace of accredited CMMC Third Party Assessment Organizations (C3PAOs) on the CMMC Accreditation Body (AB) website here: https://cmmcab.org/marketplace/
How much will this cost?
This is a difficult question to answer. The cost of the CMMC certification depends on which level you are seeking. There are also a lot of factors involved in determining cost, including the state of your current IT system and existing compliance with other cybersecurity standards and practices such as NIST 800-171 (described in detail in the video below).
Most government contractors, including small business government contractors pursuing a Level 1 certification, should have already implemented the 15 basic safeguarding requirements under FAR clause 52.204-21. You can review these basic requirements in the text of FAR clause 52.204-21. If you have not implemented the 15 basic safeguards, you should do so, and implementation should be fairly easy to achieve. Therefore, there should be minimal cost to implement the Level 1 CMMC requirements. However, the CMMC Level 1 assessment, which will need to be performed by a certified CMMC Third-party Assessment Organization (C3PAO) in order to achieve Level 1 certification, will likely cost around $3,000. The certification will then last three years.
When it comes to achieving Levels 2-5, acquiring and maintaining certification gets more expensive. There will be certain nonrecurring costs to implement the controls, processes, and practices needed for the desired CMMC level. Again, those costs depend on your existing IT system and practices. You will need either a current employee to perform this IT work or IT consultants or outside firms with expertise in this area to help your company implement the necessary controls, processes, and practices. It may be possible to recoup these investments as an allowable cost item if you are working on a current DoD cost contract. Check with your Contracting Officer.
How this work is performed depends upon your equipment, information systems, your software, computer operating systems, and network topology. There will also be recurring IT costs associated with maintaining compliance with the necessary controls, processes, and practices because equipment, IT systems, and network environments often change over time. There will then be an assessment cost from the C3PAO, which is going to range in price. However, it is estimated to be around $7,489 for Level 2; $17,032 for Level 3; $23,355 for Level 4; and $36,697 for a Level 5 assessment. There also may be reassessment costs every 3 years to renew your CMMC certification. Total annual costs of achieving and maintaining a certain CMMC level are estimated to be the following:
Level 1: $1,000 per year.
Level 2: $28,050 per year.
Level 3: $60,009 per year.
Level 4: $371,786 per year.
Level 5: $482,874 per year.
These cost estimates were provided by the DoD in the interim rule cited below.
I’m ready to take the necessary steps to get certified. What are the key websites and resources?
- The official website for CMMC, run by the Office of the Under Secretary of Defense for Acquisition and Sustainment: https://www.acq.osd.mil/cmmc/index.html
- The CMMC Model and Assessment Guides: https://www.acq.osd.mil/cmmc/draft.html
- CMMC Frequently Asked Questions: https://www.acq.osd.mil/cmmc/faq.html
- DoD issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements on Sept. 29, 2020 (effective Nov. 30, 2020): https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
- CMMC Accreditation Body Website: https://cmmcab.org/
- CMMC AB Marketplace of accredited C3PAOs: https://cmmcab.org/marketplace/
If you need additional guidance understanding CMMC, please reach out to one of our Procurement Counselors.
However, please understand that GTPAC Counselors are not IT professionals, so we generally cannot implement the necessary software, policy, or process changes needed to achieve compliance with the CMMC standard. Further, GTPAC cannot perform an assessment of your IT system as we are not a C3PAO. What we can do is provide you guidance on the process, the rules, and requirements, so you can make the best business decision possible to achieve compliance with the applicable rules and regulations.
DFARS clause 252.204-7012 / NIST 800-171 Guidance
This video provides a step-by-step guide on how government contractors can achieve compliance with the cybersecurity requirements established by the U.S. Department of Defense (DoD), specifically Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
DFARS Clause 252.204-7012 – This contract clause, entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is included in all DoD solicitations and contracts, including solicitations and contracts using FAR Part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of commercial-off-the-shelf items.
NIST SP 800-171 Rev. 2 – Entitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” this National Institute of Standards and Technology (NIST) publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).
Cybersecurity Self-Assessment Handbook – The National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook was developed to assist U.S. manufacturers who supply products to the DoD implement NIST SP 800-171 as part of the process for ensuring compliance with DFARS Clause 252.204-7012. It should be noted that this Handbook can be utilized by any DoD contractor to help them conduct an assessment of their NIST SP 800-171 compliance.
Cybersecurity Template – This is a 127-page template, developed by the Georgia Tech Procurement Assistance Center (GTPAC), designed to help contractors create a Security Assessment Report, System Security Plan, and Plan of Action. The template is a Word document, designed for easy customization. It is intended to be used in conjunction with the NIST-MEP Cybersecurity Self-Assessment Handbook linked above. Please note that NIST now also provides several templates of its own, which can be downloaded from the NIST website.
The video and template linked above were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology. The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.
For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor. A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.
Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters. PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico. Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.
GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach. EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.