Preparing for CMMC Compliance
Despite some speculation that DoD might delay the rulemaking, CMMC 2.0 compliance is coming. With a compliance deadline of October 2025 on the horizon, companies need to think strategically about how they will get certified. If you are wondering how to prepare for CMMC and achieve compliance, this article walks you through the process and provides a CMMC audit checklist.
By some estimates, it takes organizations around 18 months to achieve CMMC compliance. With that timeline in mind, it pays to start preparing for the CMMC audit now so the October 2025 deadline can be met. Because CMMC will be a condition of DoD contract award, organizations already in the DoD supply chain, or planning to bid on future DoD work, should begin planning for their CMMC assessment and certification soon.
- A CMMC audit checklist involves steps such as a gap assessment, implementing controls, creating a POA&M and SSP, and monitoring controls. Documentation is key in a CMMC audit.
- I.S. Partners provides end-to-end CMMC audit services, including assessments, identifying controls, creating a POA&M, mock audits, and evidence gathering. Their expertise can guide organizations through the audit process.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires all contractors and subcontractors in the DoD supply chain to demonstrate a specified level of cybersecurity maturity. Its goal is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with organizations working on DoD contracts.
CMMC was first introduced in January 2020; that original version is known as CMMC 1.0. The current version, CMMC 2.0, was announced in November 2021 and is still in the rulemaking phase. It is expected to take effect in the coming months, and organizations must be prepared to comply with the new CMMC rules.
What CMMC Level Do I Need?
CMMC defines several levels, each specifying how defense contractors must handle FCI and CUI and the cybersecurity maturity they must demonstrate to protect that information. CMMC 1.0 had 5 maturity levels; CMMC 2.0 streamlines this to 3.
The levels are cumulative: each higher level adds more stringent cybersecurity requirements on top of the lower ones. Contractors handling only low-sensitivity information (FCI) need the lowest level, while the highest level applies to organizations handling CUI associated with the DoD's highest-priority programs.
As mentioned earlier, CMMC 2.0 is in the rulemaking phase. Once CMMC 2.0 is officially rolled out, DoD will specify the required level in solicitation and in any RFIs.
Below is a breakdown of the CMMC levels including how the levels apply to organizations. This will give you some insights into which CMMC level would apply to you based on the information you handle as part of DoD contracts.
CMMC 1.0 Certification Levels
|CMMC 1.0 certification levels||Description||Applicable to organizations|
|Level 1: Basic cyber hygiene||17 practices, corresponding to the 17 basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171 Rev. 2).||All DoD contractors and subcontractors handling only FCI.|
|Level 2: Intermediate cyber hygiene||72 practices: 48 additional NIST SP 800-171 Rev. 2 controls (65 of the 110 in total) plus 7 CMMC-specific practices.||A transition level for organizations moving up in cybersecurity maturity.|
|Level 3: Good cyber hygiene||130 practices: the remaining 45 NIST SP 800-171 Rev. 2 controls (all 110) plus 20 CMMC-specific practices, in addition to everything in the lower levels.||All DoD contractors and subcontractors handling CUI.|
|Level 4: Proactive cyber hygiene||26 additional practices (156 in total), 11 of them drawn from the draft NIST SP 800-171B enhanced requirements.||A transition level for organizations moving up in cybersecurity maturity.|
|Level 5: Advanced cyber hygiene||15 additional practices (171 in total), including further NIST SP 800-171B enhanced requirements, along with a requirement for continuous cybersecurity improvement.||All DoD contractors and subcontractors handling CUI and involved in critical programs.|
The CMMC 1.0 framework was widely regarded as too complex, and the cost of implementing it was high enough to be a real barrier for SMBs in the Defense Industrial Base (DIB). CMMC 2.0 was introduced to streamline the framework and its levels, and the cost of achieving compliance is expected to be lower than under CMMC 1.0. The table below breaks down the CMMC 2.0 certification levels.
CMMC 2.0 Certification Levels
|CMMC 2.0 certification levels||Description||Applicable to organizations|
|Level 1: Foundational||The basic safeguarding requirements of FAR 52.204-21, verified through an annual self-assessment.||All DoD contractors and subcontractors that handle FCI.|
|Level 2: Advanced||All 110 security requirements of NIST SP 800-171. Depending on the contract, verified by a triennial C3PAO assessment or, for some programs, a self-assessment.||All DoD contractors and subcontractors handling CUI or Covered Defense Information (CDI).|
|Level 3: Expert||All 110 NIST SP 800-171 requirements plus a subset of the enhanced requirements from NIST SP 800-172, assessed by the DoD itself rather than a C3PAO.||All DoD contractors and subcontractors handling CUI for the DoD's highest-priority programs.|
CMMC Training for Contractors
The CMMC framework can be daunting for SMBs, even though CMMC 2.0 is intended to streamline both the requirements and the assessments. Even under the revised framework, planning the cybersecurity work needed to reach compliance is a major undertaking.
Contractors looking to get certified therefore need guidance to get started, and support at each step of implementing controls and demonstrating compliance.
The following checklist gives contractors a structured way to approach the assessment and decide where they need outside help.
CMMC Audit Checklist
A CMMC audit (formally, an assessment) evaluates the cybersecurity posture of an organization. Level 2 assessments are performed by a C3PAO (CMMC Third-Party Assessment Organization) accredited by the Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB).
An estimated 300,000+ organizations will need to be assessed or certified, and the pool of authorized C3PAOs and certified assessors is still being built up, so it may take time to get an assessment scheduled. Organizations should therefore start preparing now; readiness work done in advance shortens the path to certification and makes the CMMC 2.0 deadline achievable.
Below is an 8-step CMMC audit checklist to help you get started.
Step 1: Identify the type of information that needs to be protected.
Identify the FCI, CUI, and CDI that will be handled under the DoD contract. Beyond the information itself, document how it is processed, stored, and transmitted, since this determines the assessment scope and the assessor will examine it closely.
The information requiring protection is defined in the contract documents for the DoD project. If you are unsure whether data you handle qualifies as CUI or CDI, ask the DoD contracting officer (or the prime contractor, if you are a subcontractor).
Step 2: Identify the controls to be implemented.
Because CMMC requirements derive from DFARS clause 252.204-7012 and NIST SP 800-171, you will need to identify the systems, processes, and services that are in scope for those frameworks, i.e. everything that stores, processes, or transmits FCI/CUI, or that provides security for assets that do.
For those in-scope systems, processes, and services, identify the applicable controls. Which controls apply depends on the type of data being handled and the target CMMC level.
Step 3: Identify the regulatory requirements to address CMMC compliance.
Identify the domestic and international laws and regulations that apply to your organization in the context of the DoD contract, including cybersecurity regulations, industry-specific regulations, and data privacy and protection laws.
Step 4: Create relevant documentation.
Documentation is central to a CMMC audit. The controls being implemented, along with the supporting policies and procedures, must be adequately documented. Good documentation not only gives the assessor the evidence they need but also supports the organization's own risk-management decisions.
Step 5: Implement the cybersecurity controls.
Implementing the applicable cybersecurity controls means aligning people, processes, and policies as well as technology. This is the step that actually raises cybersecurity maturity and makes the organization ready for the CMMC audit.
To implement the NIST SP 800-171 and CMMC controls effectively, identify the owner of each in-scope environment and define roles and responsibilities for implementing controls and measuring their effectiveness.
Step 6: Create POA&M and SSP.
It may not be possible to implement every applicable NIST SP 800-171 and CMMC control before the assessment. Remaining deficiencies must be documented in a POA&M (Plan of Action and Milestones). The POA&M is a time-bound document with a concrete action plan, and under CMMC 2.0 open items must be closed within 180 days of the assessment; note that not every requirement is eligible for a POA&M, so check the current rules before relying on one.
You will also need a System Security Plan (SSP), which defines the system boundary and describes how each NIST SP 800-171 requirement is implemented (or why it does not apply). The SSP and POA&M are the two core documents a CMMC assessor will review first.
Step 7: Evaluate the effectiveness of the implemented controls.
Choose a suitable risk-management methodology to get a clear view of your security risks and evaluate how the implemented controls reduce or eliminate them. Third-party risks, including those from cloud and managed service providers that touch CUI, must also be accounted for, and the effectiveness of the controls covering them determined.
Step 8: Monitor and improve controls.
Tracking key metrics is an effective way to monitor CMMC controls. Metrics also reveal long-term trends that point to areas for improvement. Identify Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) relevant to your organization and the controls you implement; the right KPIs and KRIs will also depend on your regulatory and contractual requirements.
A reliable service provider such as I.S. Partners can help you conduct CMMC readiness assessments and prepare for certification.
What Does The CMMC Auditor Check?
A CMMC audit is performed by authorized CMMC assessors working for a C3PAO. The scope of the audit depends on the applicable CMMC level and the contractual requirements.
An individual assessor performs the audit but does not personally issue the CMMC certification. Below are the main things an assessor looks at.
- Performing data checks
Assessors verify the type of information (FCI, CUI, CDI) the organization handles and how the assessment boundary was scoped. This is a critical step, since the required CMMC level depends on the type of information handled. Getting the scope right up front eliminates confusion about the level and saves time and cost in implementing the appropriate controls.
- Evaluating cyber resilience
An assessor evaluates the organization's existing cyber resilience against the required practices, typically checking for weaknesses in physical security, hardware, software, data flows, and similar areas in the context of the current threat landscape. Note that advice on how best to implement the controls comes from a readiness consultant, not from the C3PAO that performs the certification assessment: Cyber AB conflict-of-interest rules prohibit a C3PAO from both consulting for and assessing the same organization.
- Assessing the security training of the staff
Staff security training and awareness have a large impact on cybersecurity posture, and matter even more at higher CMMC levels. An assessor will check awareness levels as well as how training is delivered and tracked.
- Assessing domains and capabilities
An assessor checks which CMMC domains apply and whether the organization has the capabilities required to implement the controls in each domain. Identifying those capabilities ahead of time is part of readiness work, not something the certifying assessor does for you.
- Auditing process integration
Process integration, meaning how well security practices are embedded in day-to-day operations rather than bolted on for the audit, is an important consideration because it reflects real cybersecurity maturity. A C3PAO assesses this before a certification is granted.
How Much Does CMMC Cost?
The CMMC certification cost depends on several factors such as:
- The size and complexity of the organization
- CMMC level applicable
- C3PAO charges
- The current level of cybersecurity maturity
Higher CMMC levels cost more. In addition to the assessment fees, there is the cost of carrying out risk assessments and implementing controls, which requires staff time as well as investment in tools and technology.
DoD has indicated that the cost of CMMC 2.0 will be significantly lower than CMMC 1.0, and plans to publish a cost analysis for each CMMC 2.0 level as part of the rulemaking, which should bring more clarity to the estimates.
Because so many factors affect the total, estimates vary widely. Typically, CMMC costs fall somewhere between $20,000 and $200,000, although in some cases a Level 1 certification can cost as little as $3,000. It is best to contact a trusted service provider for an estimate based on your specific requirements.
Remember that CMMC is a recurring cost: certification must be renewed every three years, and there is an annual cost for the self-assessment or affirmation in between. C3PAO fees also vary, so it is worth getting quotes from several third-party assessors and choosing based on both cost and the services offered.
The audit itself can be a significant investment. I.S. Partners provides comprehensive services, including gap assessments and compliance readiness, to help you prepare for certification.
In conclusion, preparing for CMMC 2.0 compliance is a strategic effort that organizations must take seriously. Compliance does not happen overnight: it requires understanding the CMMC levels and the relevant legislation, and the ability to implement and document cybersecurity controls. The checklist above, together with an understanding of the certification process, can serve as a valuable guide.
Engaging a service provider with relevant expertise, such as I.S. Partners, can be an effective way to navigate these requirements. Starting early, staying informed, and remaining proactive are the keys to a successful audit and to achieving CMMC compliance before the October 2025 deadline.