An Overview of CMMC Compliance

Who issues CMMC certification?

A non-government body called the CMMC accreditation, or accreditation board (AB), is an organization made up of industry professionals, government officials, etc. that understand what the DOD needs and how private industries can relate back to it. 

With a few different certifications that are available to the private industry surrounding CMMC, the CMMC-AB members will authorize and accredit C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements.

Types + Levels of 3rd Party CMMC Certifications

• Certified Third-Party Assessor Organizations (C3PAOs)

• Certified Professionals (CPs)

• Certified Assessors (CAs)

• Registered Provider Organizations (RPOs)

• Registered Practitioners (RPs) 

• Licensed Partner Publishers (LPPs)

What are C3PAOs?

CMMC Third Party Assessment Organizations (C3PAOs) are certified CMMC assessors responsible for conducting CMMC assessments on behalf of the DoD. Once the assessment is completed, the C3PAO can appropriately issue CMMC certificates. 

C3PAOs are authorized to:

• Schedule, perform, and manage assessments 

• Provide advisory services

• Hire and train individual assessors 

• Review results with the CMMC Accreditation Board (CMMC-AB) Quality Auditors

What are RPOs?

The role of Registered Provider Organizations (RPOs) is largely consultative. RPOs are well-versed in CMMC and help Organizations Seeking Certification (OSC) within the Defense Industrial Base (DIB) navigate the CMMC process.  

As part of the RPO certification process, each organizational applicant must have at least one Registered Practitioner (RP) – someone trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard” — must be “associated” (as an employee or contractor) with the RPO at all times.

At this point, RPOs looking to achieve C3PAO status may offer assistance around setting up the initial self-assessment and management of the action items that come out of the self-assessment in preparation for CMMC.

What role does a CMMC Audit play within the certification process?

CMMC Certifications are achieved through passing an external audit. Otherwise known as a CMMC Audit, it is an assessment of your organization’s cybersecurity by an accredited CMMC third-party assessment organization (C3PAO).

Related Resource: 7 Metrics to Measure the Effectiveness of Your Security Operations

When will CMMC 2.0 be required? When will CMMC audits begin?

The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.

Title 48 CFR deals with Federal-level regulations for Acquisitions. This is where instructions to acquisition and procurement officers about how to manage contracts are kept.

CMMC 2.0 is expected to be required by mid-2023.

What is the cost of CMMC 2.0 Compliance? Is CMMC pay-to-play?

Since the CMMC certification is a new requirement, concrete costs are yet to be determined. What we do know is that there will be a varying range of costs depending on the level of CMMC achieved, along with preparation and audit costs. 

In order to determine the variables that do impact the cost, start by asking the following questions: 

• Which level of CMMC are you looking to pursue? (Note that the higher the level, the greater the cost.)

• What level of maturity does your current IT and cybersecurity infrastructure have? What changes need to be made in order to reach your desired level of CMMC compliance?

• How big is your organization? How complex are the systems, processes, etc.?

• What volume of CUI can you and your team handle? What scope of CUI does your team handle? How much CUI do you exchange with other DIB companies or government agencies? How many databases store CUI?

• If your team does not have the bandwidth to take the necessary steps, how much will you have to rely on outside help (consulting our outsourced cybersecurity services) in order to prepare for the CMMC assessment?

• What are the expenses associated with protecting the infrastructure that protects day-to-day tasks like email, file sharing systems, or cloud storage?

• How much does it cost to engage a Certified Assessor? How much supply or demand exists in the market for Certified Assessors? 

To give a well-informed estimate, not including preparation and audit expenses, it could cost an organization pursuing a CMMC Level 1 certification from $3000 to $5000. As the levels go up, the cost increases. 

Achieving CMMC requirements for small businesses + SMBs:

While market forces will ultimately dictate the audit costs, the DoD has considered the financial burden that CMMC poses to SMBs.

At the end of the day, the cost depends on your cybersecurity maturity and can be anywhere from $20,000-$100,000. Companies with less mature environments – think non-compliance with comparable regulations like NIST 800-171 – will need to contend with consulting fees, increased CAPEX (on things like multifactor authentication, mobile device management, log monitoring), and increased OPEX (on things like security awareness training, additional personnel, etc.

Are there penalties for noncompliance with CMMC?

Because the CMMC certification is a prerequisite for working with the DoD and is awarded by levels, the DoD anticipates that it will not impose penalties for CMMC noncompliance. However, failure to qualify for a required certification level will prevent a contractor from working with the DoD.