The Cybersecurity Maturity Model Certification (CMMC) is a five-level cybersecurity training, certification, and third-party assessment program established by the U.S. Government. The aim of the framework is to certify that organizations handling federal data can securely process and store Controlled Unclassified Information (CUI).
Cybersecurity regulations and frameworks such as NIST 800-171, ITAR, and CMMC exist to ensure that organizations take the right steps to protect sensitive federal data. But what makes CMMC significant?
In this blog, we’re answering five of the most frequently asked questions about the CMMC framework.
What’s the difference between a NIST 800-171 assessment and the CMMC framework?
While NIST 800-171 and CMMC compliance requirements both deal with CUI and are fairly similar in rigor (CMMC Level 3 covers all NIST 800-171 requirements plus an additional layer of controls), the two frameworks differ in scope and in how compliance is assessed.
The main difference between a NIST 800-171 assessment and CMMC certification is that under NIST 800-171, companies can set up and execute their own cybersecurity program and declare themselves compliant with the NIST standard (self-attestation).
On the other hand, to obtain a CMMC certification, your organization must be certified by a CMMC Third-Party Assessment Organization (C3PAO). These organizations conduct audits to certify that companies in the Defense Industrial Base (DIB) meet a specified level of CMMC cyber hygiene. C3PAOs are authorized by the CMMC Accreditation Body (CMMC-AB), which is the only entity charged by the Department of Defense (DoD) with accrediting, licensing, and managing the CMMC ecosystem.
Additionally, the scope of NIST 800-171 includes the Non-Federal Organization (NFO) controls, while the CMMC framework does not.
Do DoD subcontractors also have to be CMMC certified?
Effective October 1, 2025, all DoD contractors and subcontractors will need to be CMMC compliant. By then (fiscal year 2026), all DoD solicitations and contracts will be required to incorporate at least minimal compliance requirements. The DoD estimates that the roll-out of CMMC standards will affect 300,000 companies.
In the meantime, organizations will need to discuss this matter with their Contracting Officers, because if a subcontractor does not meet the minimum NIST 800-171 cyber hygiene standards, prime contractors cannot process, store, or deliver CUI through that organization.
If a company is not currently CMMC certified but is bidding on a DoD contract that requires CMMC certification, when does it have to be certified?
If an organization is entering a contract that requires CMMC certification, it must be fully certified by the time the contract goes into effect. For this reason, the government and C3PAOs are prioritizing organizations that are in the process of securing a DoD contract requiring CMMC certification.
Can a company be CMMC certified at any time?
At this time, C3PAOs are only certifying companies that already hold contracts requiring CMMC. As the framework becomes more widespread, that will change, and companies should be able to approach a C3PAO with a desired certification level and schedule an audit. The DoD is aiming to have 1,500 CMMC certified contractors by 2021 and 48,000 by 2025.
What does this mean for your company?
If your organization is looking to enter a contract with the DoD or with anyone in the defense contract supply chain, you will eventually need to achieve CMMC certification. If your organization is not one of the select organizations in the implementation phase prior to 2025, you can begin preparing for an eventual audit now.
Companies seeking CMMC certification will first need to identify the maturity level (1-5) at which they want to be audited. The company will then need to hire a C3PAO, which schedules the assessment with a certified independent assessor.
During the assessment, the independent assessor evaluates security gaps and weaknesses and determines whether the company’s environment meets the CMMC requirements for that specific level. Companies will have up to 90 days to resolve any issues and close any remaining gaps with the C3PAO.
What does a CMMC certification cost?
The short answer is: it depends on the desired maturity level and the size of the company.
And the good news? The cost of certification is said to be an allowable, reimbursable cost, and the certification will be valid for three years.
If you’re a DoD contractor or subcontractor looking to enter a federal contract in or before 2025, you probably have some questions on your path to compliance. You’re not alone.