Meeting CMMC Standards – 10 Major Challenges to Overcome for Success


The purpose of the CMMC program is to verify that contractors have proper safeguards for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) by moving from self-assessment to third-party or government assessments. This marks a significant change for DoD contractors, aimed at increasing accountability and ensuring the implementation of cybersecurity controls across the defense industrial base. However, this shift introduces several barriers to achieving certification:

1. Cybersecurity Investment

Meeting CMMC requirements demands significant financial investments, which can be particularly tough for smaller companies in the supply chain. Hiring third-party experts adds to this financial strain. We shall talk more about this later.

2. Market Dynamics

A strong cybersecurity posture is becoming a competitive advantage. Companies with robust security measures are better positioned to secure contracts. Those who can afford certification sooner are more likely to secure contracts, leaving smaller companies in the dust.

3. Assessment Readiness

Defense contractors must prepare for third-party assessments. This involves a thorough review and potential upgrade of their security infrastructure and documentation, which takes time, money, and expertise.

4. Cost Management

The financial burden of CMMC compliance, including assessment costs, needs careful planning. The Department of Defense (DoD) assumes most companies have already incurred costs aligning with existing cybersecurity clauses, but new assessment costs are separate and must be factored into business decisions.

CMMC Costs Summary

The DoD has provided estimated costs for each CMMC level, considering factors like entity size and assessment type. These costs cover a 20-year horizon in 2023 dollars, using both a 7 percent and 3 percent discount rate, as per OMB guidance. (This is from the Proposed Rule published in December, 2023)

Key Cost Categories:

  • Nonrecurring Engineering Costs (NRE): One-time expenses mainly for CMMC Level 3.
  • Recurring Engineering Costs (RE): Annual expenses for maintaining security, also mainly for Level 3.
  • Assessment Costs: Costs for preparing, conducting, and reporting assessments, varying by CMMC level and type.
  • Affirmation Costs: Costs for submitting annual affirmations of compliance to the Supplier Performance Risk System (SPRS).

Costs for Other Than Small Entities

| CMMC Level | Cost Type | Initial Cost | Annual Affirmation Cost | Three-Year Cost | Total Cost |
|---|---|---|---|---|---|
| Level 1 | Self-Assessment and Affirmation | $4,042 | $584 | | $5,794 |
| Level 2 | Self-Assessment | $43,403 | | $48,827 | $92,230 |
| Level 2 | Certification Assessment | $112,345 | | $117,768 | $230,113 |
| Level 3 | Nonrecurring Engineering Costs | $21,100,000 | | $44,445 | $21,144,445 |
| Level 3 | Recurring Engineering Costs | $4,120,000 | | | $4,120,000 |

Total Costs for Other Than Small Entities per Level

| CMMC Level | Total Cost |
|---|---|
| Level 1 | $5,794 |
| Level 2 | $322,343 |
| Level 3 | $25,264,445 |

Costs for Small Entities

| CMMC Level | Cost Type | Initial Cost | Annual Affirmation Cost | Three-Year Cost | Total Cost |
|---|---|---|---|---|---|
| Level 1 | Self-Assessment and Affirmation | $5,977 | $560 | | $7,657 |
| Level 2 | Self-Assessment | $34,277 | | $37,196 | $71,473 |
| Level 2 | Certification Assessment | $101,752 | | $104,670 | $206,422 |
| Level 3 | Nonrecurring Engineering Costs | $2,700,000 | | $12,802 | $2,712,802 |
| Level 3 | Recurring Engineering Costs | $490,000 | | | $490,000 |

Total Costs for Small Entities per Level

| CMMC Level | Total Cost |
|---|---|
| Level 1 | $7,657 |
| Level 2 | $277,895 |
| Level 3 | $3,202,802 |

Note: These costs, derived from government estimates, should not be considered definitive and may vary based on individual circumstances.

5. Scoping and Implementation of NIST SP 800-171

Understanding the scope of CMMC requirements and accurately implementing the 110 security controls outlined in NIST SP 800-171 is crucial. The DoD has noted inconsistencies in how contractors implement these controls. It takes expertise specific to CMMC to get this right. (Reach out if you need help, my contact info is here).

6. Understanding and Managing CUI

Contractors must clearly understand what constitutes CUI and how to manage it properly per their contract and relevant regulations. This includes marking, identifying, and safeguarding CUI throughout its lifecycle.

About CUI

The NARA CUI Registry serves as a central resource for information, guidance, policies, and requirements related to CUI handling.

Key Considerations:

  • Agreements: CUI typically flows to contractors through specific agreements. Reviewing these agreements (contracts) is crucial in determining if a company handles CUI.
  • Markings: Markings help identify potential CUI, but further investigation is necessary to confirm.
  • Definitions: The CUI Registry provides valuable information, but it’s essential to remember that the category descriptions are not definitive legal definitions. Talk to a legal expert (I am not one of those).

Practical Steps for Companies to Identify CUI:

  • Contract Review: Carefully review contracts to identify any clauses or language related to CUI, such as DFARS clause 252.204-7012.
  • CUI Registry Consultation: Utilize the CUI Registry to research and understand the specific CUI categories relevant to the company’s industry or services.
    • Go to the CUI Registry at https://www.archives.gov/cui/registry/category-list.
    • Click the category of CUI that you have.
    • Near the bottom of the page, there is a table titled “Safeguarding and/or Disseminating Authority”. Its links lead to a downloadable PDF containing a section of either the U.S. Code or the Code of Federal Regulations. Somewhere in that PDF is a sentence or paragraph that provides the definition of that CUI category by explaining what information must be safeguarded or have its dissemination controlled.
  • Data Flow Analysis: Conduct a thorough analysis of the company’s data flow to understand how information is received, processed, stored, and transmitted.
  • Expert Guidance: Seek guidance from legal experts specializing in CUI and government contracting when in doubt.

7. Evolving Threat Environment

Contractors must adapt their security posture to counter new threats and vulnerabilities, particularly Advanced Persistent Threats (APTs), which demand more advanced security measures outlined in NIST SP 800-172 for CMMC Level 3. The CMMC framework promotes continuous monitoring, regular assessments, and updates to keep pace with evolving threats, which can be resource-intensive.

8. Supply Chain Management

Prime contractors are responsible for ensuring their subcontractors also comply with CMMC requirements, leading to challenges in managing and enforcing compliance across the supply chain. The flow-down of requirements and the need to verify subcontractor compliance introduce additional hurdles.

9. CMMC Timeline and Phased Rollout

The DoD is implementing CMMC in phases, with full implementation expected by 2026. Contractors need to stay informed about the rollout schedule, understand which contracts require CMMC compliance, and strategize accordingly.

10. Keeping Pace with Regulatory Changes

Keeping up with the evolving regulatory environment, including changes to NIST SP 800-171, NIST SP 800-172, DFARS clauses (like 252.204-7012 and 252.204-7021), and CMMC itself, is essential for maintaining compliance and securing future contracts. Contractors must be proactive and seek clarification on ambiguous guidance, leverage resources like FAQs, and engage in industry forums to ensure their understanding of the requirements remains accurate and up-to-date.

Last Thoughts

Addressing these barriers requires a proactive approach to cybersecurity, a clear understanding of both CUI regulations and the CMMC program, and a commitment to continuous improvement in security practices. Defense contractors that effectively tackle these issues position themselves for success with certification and with DoD contracts, and contribute to a more secure defense industrial base.