Do I need to be CMMC Certified?

A recurring theme comes up with many of the customers we speak to. Either they are being told by their Prime that they need to become Cybersecurity Maturity Model Certification (CMMC) level 3 certified, regardless of whether they handle Controlled Unclassified Information (CUI), or they are being proactive and want to become certified to compete for future DoD contracts. Neither is a valid reason for a small business to take on the expense of level 3 certification.

We at Ascolta believe in cybersecurity, and we believe that all companies, regardless of line of business or sector, should do their best to protect their own and their customers' data. Having said that, the expense of a level 3 certification for a small business, estimated at around $300,000 for a do-it-yourself level 3 certification, is simply too great when the only purpose is to placate a nervous Prime or to compete for a future contract that may or may not involve CUI. Is that expense and effort worth it if you don't have an existing requirement?

The only legitimate current requirement for CMMC certification applies to companies bidding on the following pilot contracts, and those are the only companies that Certified Third-Party Assessment Organizations (C3PAOs) are currently permitted to certify:

U.S. Navy

  • Integrated Common Processor

  • F/A-18E/F Full Mod of the SBAR and Shut off Valve

  • DDG-51 Lead Yard Services / Follow Yard Services

U.S. Air Force

  • Mobility Air Force Tactical Data Links

  • Consolidated Broadband Global Area Network Follow-On

  • Azure Cloud Solution

Missile Defense Agency

  • Technical Advisory and Assistance Contract

If you're not bidding on one of the pilots, you couldn't get certified even if you wanted to, at least not yet. So, what does that mean? It means that if your company currently handles CUI, you should find the following or similar wording in your contract:

DFARS 252.204-7012 Clause: Safeguarding Controlled Unclassified Information: If Seller handles or possesses Customer information that has been declared to be CUI or can be reasonably assumed to be CUI as defined by the National Archives and Retrieval Administration, Seller shall protect the information in accordance with the DFARS 252.204-7012.

That means you should already be complying with the National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements and making sure you meet those security controls. This requirement has been in place for over five years, which is why the government feels that the cost of CMMC should be minimal: industry (all of us) has been telling the government that we've already implemented the 110 NIST SP 800-171 controls. In the government's eyes, all that's needed is the implementation of the remaining 21 practices that CMMC level 3 adds.

The new DFARS clause 252.204-7021 requires contractors to have a current CMMC certificate at the CMMC level required by the contract and to maintain the CMMC certificate at the required level for the duration of the contract. If your contract or request for proposal does not contain that clause, you DO NOT have to worry about CMMC just yet. However, you should be monitoring for when your existing contract expires and is recompeted; that is when the CMMC requirement may be levied.

A search for DFARS clause 252.204-7021 in the government's System for Award Management (SAM.gov) returns 11 of over 8,000 active solicitations. If you're not competing for one of those 11 opportunities, you do not have a CMMC level 3 requirement, but you should be preparing for CMMC compliance in future bids. As previously mentioned, if you are currently required to meet DFARS clause 252.204-7012, you should have already implemented the bulk of the controls through your application of NIST SP 800-171. Regardless of your compliance status with NIST, your company's future CMMC plans need to consider your current and anticipated CUI requirements. If CUI is a factor, you should conduct a gap analysis to see where you stand regarding level 3 CMMC practices and processes and create a program of action and milestones (POAM) to start filling in the gaps. Don't pursue CMMC certification unless and until you need it.

Protecting government CUI data is critical to our national defense. Regardless of your contractual requirement for CMMC, if you handle CUI, you are already on the hook for NIST SP 800-171 protections. Start there and CMMC will be an easier task once it’s required.
