A Guide for SMB Defense Contractors to Achieve CMMC Compliance

   January 8, 2025  Posted in CyberDefenseMagazine


The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) program to defend the vast attack surface of the Defense Industrial Base (DIB). CMMC is expected to become law by the end of 2024 and start appearing in contracts by Q1 2025.

For Small and Medium-Sized businesses (SMBs) operating within the DIB, CMMC compliance can seem like a daunting task. However, with proper preparation, the right partners, and a strategic approach, achieving compliance can be manageable and even beneficial. This article will explore the requirements of CMMC, outline the roadmap to compliance, and discuss how companies can save money & expedite compliance.

CMMC Compliance Levels

CMMC establishes three compliance levels, based on the type of information DIB organizations are working with.

  • Level 1 is for organizations working with Federal Contract Information (FCI) only
  • Level 2 is for organizations working with Controlled Unclassified Information (CUI)
  • Level 3 is for organizations working with CUI and subject to Advanced Persistent Threats (APTs)

Third Party Assessment Requirements

Importantly, CMMC doesn’t change existing cybersecurity requirements— it just steps up enforcement. Until now, organizations have been permitted to self-assess their compliance, but under CMMC, the vast majority of defense contractors handling CUI will need to pass independent third-party assessments.

CMMC Timeline

CMMC is on track to become law by the end of 2024 and is expected to start to appear in DoD contracts in early 2025, as shown below:

SOURCE: https://www.preveil.com/blog/cmmc-timeline/

It’s important for contractors to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC early on, in which case that contractor must flow down CMMC requirements to your organization at that point.

It takes typical SMBs between 12-18 months to meet CMMC Level 2 requirements, which is past the date in which CMMC requirements are expected to appear in DoD contracts. Now is the time to get started on CMMC certification.

Preparing for CMMC Level 2 Compliance: Key Steps for SMBs

While CMMC compliance may seem like a major undertaking, taking a proactive approach can make the process faster and more cost-effective. Here are some key steps SMB defense contractors should take to prepare:

  1. Familiarize Yourself with the CMMC Framework: Reading this article is a great first step; PreVeil also offers a CMMC whitepaper that’s been downloaded by over 5,000 defense contractors outlining all the details you need to know.
  2. Scope your compliance Boundary: Determine the people, devices, and processes that access, process, and store CUI. The smaller you can make your CUI enclave, the cheaper, faster, and easier compliance will be to achieve because you will have fewer endpoints to secure and fewer people to train on CMMC compliance protocols.
  3. Adopt a Platform to secure CUI: If you’re using Microsoft 365 Commercial or Google Workspace, you cannot support CMMC compliance and you’ll need to make a switch. You must ensure any Cloud Service Provider or technology vendor meets the following:
    • Meets FedRAMP Moderate Baseline or Equivalent
    • FIPS 140-2 certificate for encryption
    • Meets DFARS 252.203-7012 c-g for incident reporting
  4. Develop robust documentation: Achieving CMMC compliance requires more than just safeguarding CUI. The DoD estimates that generating the necessary documentation like a System Security Plan and Standard Operating Procedures will take 168 hours at a cost of $40,000.
  5. Conduct a self-assessment against NIST 800-171A and execute POA&MS: The self-assessment should be conducted according to the DoD’s Assessment Methodology, which is spelled out in NIST 800-171A. It specifies 320 objectives spread across the 110 security requirements. Know that perfect scores of 110 are quite rare for self-assessments done early in your compliance journey; Your organization likely will have some controls that are unmet. Create POA&Ms for those items and specify the technologies and procedures you will use to close those gaps and by when a score of 110 will be achieved.
  6. Schedule your C3PAO assessment: CMMC Level 2 assessments are conducted by CMMC Third Party Assessment Organization (C3PAOs), who will start with their own review of your readiness, then check your documentation and assess your compliance with NIST 800-171. They will also conduct employee interviews, and spot checks for artifacts such as records of training sessions, that prove compliance.

Ways to Reduce Costs 

  1. Reduce your compliance boundary: If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. This translates into a simpler assessment process that saves you time and money. Some solutions like Microsoft GCC High often need to be deployed across entire organizations, adding significant costs and complexity.
  2. Choose a platform that’s easy to use and deploy: Platforms like Microsoft GCC High often require expensive consultants, separate email addresses, and a full rip-and-replace. Look for a solution that can be deployed in hours, uses your existing email addresses, and integrates directly with the tools you’re already using, like Outlook, Gmail, File Explorer and MacFinder.
  3. Deploy a solution with proven CMMC credentials: If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC requirements for storing, processing and transmitting CUI. You want to verify that it has FIPS 140-2 encryption modules, meets DFARS c-g, is FedRAMP Moderate or Equivalent, and has been used to pass multiple DoD assessments.
  4. Use pre-filled compliance documentation to save you time and money

To pass an assessment, contractors will need detailed, evidence-based documentation clarifying how the controls are addressed within their company. This can be a daunting, time-consuming and costly task so look for a solution that offers pre-filled documentation including a System Security Plan (SSP) and Standard Operating Procedures.

Conclusion

CMMC is on track to become law by the end of 2024. Even today, if your organization handles CUI, you have a DFARS 252.204-7012 clause in your contract that requires you to comply with NIST 800-171. Now is the time to get started on CMMC compliance and protect your business from penalties and contract loss.

While CMMC may seem overwhelming, find a proven partner who can help you achieve CMMC Level 2 faster and more affordably. To learn more about how PreVeil can help your organization achieve CMMC Level 2 compliance, visit preveil.com for a free 15-minute consultation with our compliance team.

About the Author

A Guide for SMB Defense Contractors to Achieve CMMC ComplianceSeth Steinman is the Vice President of Marketing at PreVeil. He is a recognized thought leader with over 15 years of experience in technology and security. He is a regular speaker at the Cybersecurity Marketing Conference, an advisor to leading companies like UserGems and Archilogic, and has published articles in respected publications like Security Boulevard, Security Clearance Jobs, and Digital Guardian. Seth can be reached online at [email protected] and at our company website https://www.preveil.com/



Source link