A guide for businesses of all sizes to start your journey toward CMMC Certification.
Since the announcement of the Cybersecurity Maturity Model Certification, which was developed in response to rising supply chain risks across the Defense Industrial Base (DIB), organizations of all sizes have been scrambling to figure out how it impacts them and what they need to do to prepare for and obtain CMMC Certification. As news of CMMC has trickled down even to small businesses that play a role in DoD contracts, we have been asked many questions by organizations trying to understand the steps to certification and how to get started. This document lays out a simplified, structured approach to CMMC readiness.
Disclaimer: It’s important to note that there are still a lot of moving parts with CMMC and things can change periodically as they are finalizing items. We will attempt to update this guide as significant changes occur. (Last updated 1/5/2024)
Who Needs CMMC Certification?
Any organization that is a contractor or subcontractor delivering services that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need some level of CMMC certification. The question is what level? The quick answer is that your contract should tell you. Here is a general breakdown:
Level 1 certification is required for contracts that involve FCI only.
Level 2 certification is required for contracts that involve CUI.
Level 3 certification is still under development and applies to the highest priority programs with CUI.
Even with this information, the best thing you can do is check your contract. Your contract should indicate what type of information you may be processing, storing, or transmitting and what level certification is required. If it is unclear within the contract, then reach out to your client or prime contractor for clarification.
How to get CMMC Certification?
Once you know that you need CMMC certification and what level is needed, you can start your road to certification. One way to do this is to engage a CCP (Certified CMMC Professional) or someone well versed in the CMMC process to help prepare you for an official audit. There are many ways to approach CMMC readiness, but we have put together a simple roadmap to help guide you on your journey. The simplest place to begin is with the first three steps.
Step 1: Level of Certification
As stated earlier, understanding what level you actually need to achieve is important, and it should be clearly stated in the contract. If you are uncertain, you can always start with level 1. All of the levels build off each other so if you determine you need level 2 down the road, your efforts toward level 1 will not be wasted. Level 1 certification requires an annual verification, through a self-assessment, that all applicable “basic safeguarding” requirements of FAR clause 52.204-21 have been implemented. This assessment is submitted electronically in the DoD’s Supplier Performance Risk System (SPRS). The newly proposed rule also requires annual affirmation by the prime contractor and applicable subcontractors.
Step 2: Scope
To determine the scope that the auditors will be assessing, you need to know where FCI and/or CUI flows within your organization. You can illustrate this by building a Data Flow Diagram, which is essentially a network diagram or digital drawing of where FCI/CUI enters, moves, and leaves your environment. The certification audit only covers the systems that have access to FCI/CUI. If you can show the auditor that certain systems are physically or logically separated from that data, those systems will not need to be assessed. It is also a good exercise in general to know where sensitive data is stored, processed, and transmitted in your organization.
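A small worked example of the scoping exercise above. This is an added illustration, not code from this guide or from Top Dog PC, and it assumes a simple model: you have an asset inventory flagging which systems store, process, or transmit FCI/CUI, plus a list of network links that are permitted by your VLAN or firewall configuration. Any system with a network path to a CUI-bearing system is treated as not logically separated and therefore in scope; systems with no path are treated as separated and out of scope. The inventory and links below are constructed sample data.

```python
"""Derive a first-cut CMMC assessment boundary from an asset inventory.

Assumed model (an illustration, not the official CMMC scoping guidance):
an asset is in scope if it handles FCI/CUI, or if permitted network traffic
gives it a path to such an asset (no physical or logical separation).
"""
from collections import deque

# Constructed sample inventory: asset name -> does it store/process/transmit FCI/CUI?
ASSETS = {
    "file-server-01": True,
    "eng-workstation-01": False,
    "eng-workstation-02": False,
    "hr-laptop-01": False,
    "guest-wifi-ap": False,
    "marketing-web-01": False,
}

# Constructed sample links derived from VLAN/firewall rules. An entry means
# traffic is permitted between the pair in at least one direction.
LINKS = [
    ("file-server-01", "eng-workstation-01"),
    ("eng-workstation-01", "eng-workstation-02"),
    ("hr-laptop-01", "file-server-01"),
    ("guest-wifi-ap", "marketing-web-01"),  # isolated VLAN, no route to CUI
]


def build_adjacency(assets, links):
    """Build an undirected reachability graph; reject links to unknown assets."""
    adj = {name: set() for name in assets}
    for a, b in links:
        if a not in adj or b not in adj:
            raise ValueError(f"link references an asset missing from inventory: {a!r}, {b!r}")
        adj[a].add(b)
        adj[b].add(a)
    return adj


def assessment_scope(assets, links):
    """Return in-scope and out-of-scope assets plus, for each non-CUI asset that
    was pulled into scope, the chain of links that connects it to CUI."""
    adj = build_adjacency(assets, links)
    seeds = [name for name, handles_cui in assets.items() if handles_cui]

    # Breadth-first search outward from every CUI-bearing asset, remembering
    # the hop that first reached each node so we can explain why it is in scope.
    parent = {name: None for name in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        for neighbour in adj[current]:
            if neighbour not in parent:
                parent[neighbour] = current
                queue.append(neighbour)

    in_scope = sorted(parent)
    out_of_scope = sorted(name for name in assets if name not in parent)

    # For assets that do not handle CUI themselves, show the path that makes
    # them assessable; cutting one of these links is a segmentation candidate.
    paths = {}
    for name in in_scope:
        if assets[name]:
            continue
        path = [name]
        while parent[path[-1]] is not None:
            path.append(parent[path[-1]])
        paths[name] = path

    return {"in_scope": in_scope, "out_of_scope": out_of_scope, "paths": paths}


if __name__ == "__main__":
    result = assessment_scope(ASSETS, LINKS)
    print("In scope:", ", ".join(result["in_scope"]))
    print("Out of scope (separated):", ", ".join(result["out_of_scope"]))
    for asset, path in result["paths"].items():
        print(f"  {asset} is in scope via: {' -> '.join(path)}")
```

The `paths` output is the useful part for a scoping conversation: each entry names the link that drags a non-CUI system into the boundary, which is exactly where a firewall rule or VLAN change would shrink what the assessor has to look at.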
Step 3: Policies
Policies are the rules of the organization as directed by leadership. Every requirement for CMMC certification will need a corresponding policy. Since many organizations, especially small businesses, often lack these kinds of administrative controls, starting with creating the policies that match the requirements is going to give you a great start.
You can view the full illustration of our step-by-step journey to certification in the image below. If you would like to learn more about how Top Dog PC can help walk you through these steps, you can schedule a free consultation here.
How Much does it Cost to get Certified?
According to the DoD, “The CMMC assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rulemaking process.”
CMMC Assessments (defense.gov)
It’s hard to predict all the costs involved. So much depends on determining where your organization is today. As in any information security assessment, it’s important to know where you are and where you want to go, and then prioritize the items needed to get there. Starting with Level 1 should be relatively inexpensive since it requires implementing just 17 basic practices and can be self-assessed. The majority of your cost will be the projects needed to implement the practices that you currently do not have in place. Some states may have programs that can help subsidize the cost of implementing certain cybersecurity practices. Looking into the options available to you can help ease the sting of unexpected projects in your budget.
For companies that are required to have a third-party certification assessment, the new rule indicates businesses could end up paying over $100,000 every 3 years to have this assessment performed. This could clearly cause an issue for companies, so we will see how that plays out as the rule gets finalized.
For more information, schedule a free consultation with one of our CCPs, and get started on your road to CMMC certification today!