With increased competition amongst shops and discrete manufacturers, who doesn’t want to stand out? Perhaps you’ve started looking into defense work or consider yourself a contract manufacturer. CMMC may be just the certification you want to level up your manufacturing business.
The Department of Defense (DoD) has a set of requirements called the Cybersecurity Maturity Model Certification (CMMC) that some contract manufacturers have already started investigating. It safeguards federal contract information (FCI) and controlled unclassified information (CUI). Though there is an upfront cost, following this regulation will allow manufacturers to keep their existing contracts and expand their work into sub-primes and even primes.
The DoD is expected to enforce CMMC compliance in late 2025; however, our customers have already found CMMC-related questions on some customer contracts.
Before you rush to begin taking the steps to compliance, we recommend your company run a cost-benefit analysis to determine if CMMC is suitable for your shop. The CMMC compliance process is a complete change involving people, processes, and technology and requires a sizable upfront cost of around $60-200K. Additionally, due to the scale of change, it has taken our customers about one to one and a half years to feel confident about a CMMC audit.
When considering costs, understand that shops must pay at least $60K up front. CMMC compliance also involves changes in human resources, and your facility may need to hire additional resources. Like ISO, CMMC requires plenty of documentation. Is your team ready for the paperwork and for changes like MFA? CMMC also requires that all technology handling CUI be compliant. Are your ERP and other technologies compliant?
A cost-benefit analysis will also involve talking with your customers. Assess what level of compliance your customers need. CMMC 2.0 includes three levels of compliance. Manufacturers handling CUI will generally need to meet Level 2 requirements. Level 3 is reserved for high-priority CUI programs containing data critical to national security. Specific requirements should be detailed in your existing contracts; if a customer has not already told you your level, you most likely need Level 2 compliance. How many of your existing contracts are from customers needing CMMC compliance? Or how many will eventually roll up into government work?
To answer that, it may be wise to identify who in your organization accesses CUI, which devices process CUI, and which processes are related to protecting CUI. Determine how these users, systems, and devices can be segregated into a group distinct from the non-CUI parts of your organization. After answering these questions, aim to narrow your compliance boundary or scope.
The size of the group with CUI access will influence the cost of compliance. Restrict CUI access to only those team members who need it for their work. Each person with access will require training in CUI management and licenses for compliant technologies. Fewer people with access will streamline and reduce the cost of training and licensing.
Similarly, the amount of CUI you handle, and the number of systems that touch it, affects compliance costs. Less CUI, kept on fewer systems, makes compliance cheaper, faster, and easier by reducing the number of endpoints to secure and the number of people needing CMMC compliance training.
Now that you’ve decided your manufacturing facility will benefit from becoming compliant, you may be curious about what it will take to begin your journey. Here are some best practices recommended by our internal CMMC experts.
CMMC aims to ensure that manufacturers employ cybersecurity best practices and protect CUI. However, protecting CUI is only half the battle; the other is proving compliance, which requires detailed documentation and meticulous effort.
Your first task is to develop a System Security Plan (SSP) as mandated by NIST 800-171. The SSP outlines how your organization meets the 110 security controls specified in NIST SP 800-171. This document is essential for a NIST SP 800-171 assessment and is a prerequisite for consideration for any DoD contract.
Create your SSP early in your compliance journey. It is a living document that will evolve as you enhance your cybersecurity measures and work towards full compliance. You will also need a Customer Responsibility Matrix (CRM) from your Cloud Service Provider (CSP) and any External Service Providers (ESPs). The CRM should indicate which NIST 800-171 controls the CSP/ESP supports, either by allowing the customer to inherit the control or objective or by sharing the responsibility with the customer.
Additionally, you will need policy and procedure documents for each security control. Following a self-assessment, you must develop Plans of Action and Milestones (POA&Ms) for all failed controls.
The only path to achieving CMMC Level 2 certification is compliance with NIST 800-171. Once you have adopted a platform to implement NIST 800-171's security controls to the best of your ability—by developing your SSP and other essential documents—you are ready for your first NIST 800-171 self-assessment!
This self-assessment should be conducted according to the DoD’s Assessment Methodology outlined in NIST 800-171A (the "A" stands for assessment). The assessment will cover 110 security control requirements, each with associated objectives. To be considered satisfactory for a control, you must meet each objective.
Each of the 110 NIST 800-171 security controls is assigned a weight of either 1, 3, or 5 points. Scoring starts at a maximum of 110 points, with deductions for each unmet control. Additionally, you must submit your self-assessment score to the DoD’s Supplier Performance Risk System (SPRS), commonly known as an SPRS score. Your SPRS score must be updated at least once every three years.
Understand that perfect scores of 110 are rare for self-assessments early in your compliance journey. Your organization will likely have some unmet controls. For these, create POA&Ms that detail the technologies and procedures you will use to address these gaps and set a timeline for achieving a score of 110.
Execute your POA&Ms and close your security gaps. Under CMMC, POA&Ms will be time-bound, requiring organizations to close all listed security gaps within 180 days.
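The scoring and POA&M steps above, as an added example (not ECI's code or an official DoD tool): each control is met only if every 800-171A objective is met, each unmet control deducts its full 1, 3 or 5 point weight from 110, and every unmet control becomes a POA&M line due 180 days after the assessment. The control ids, weights and objective results in the sample are constructed and illustrative, not the official DoD weighting table.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # score with every NIST 800-171 control met
VALID_WEIGHTS = {1, 3, 5}
POAM_CLOSE_DAYS = 180    # CMMC window for closing a POA&M item

@dataclass
class Control:
    ident: str            # NIST 800-171 requirement id, e.g. "3.5.3"
    weight: int           # DoD scoring weight: 1, 3 or 5 points
    objectives: dict      # 800-171A objective id -> True (met) / False (unmet)

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.ident}: weight must be 1, 3 or 5")

    def is_met(self) -> bool:
        # A control counts only when every objective is met; one failed objective fails it.
        return all(self.objectives.values())

def sprs_score(controls) -> int:
    """Start at 110 and deduct each unmet control's full weight. Controls absent from
    the list are treated as met, so a real self-assessment passes in all 110."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.is_met())

def poam_entries(controls, assessed_on: str) -> list:
    """One POA&M line per unmet control: failed objectives plus the 180-day close date."""
    due = (date.fromisoformat(assessed_on) + timedelta(days=POAM_CLOSE_DAYS)).isoformat()
    return [
        {"control": c.ident, "points_at_stake": c.weight,
         "open_objectives": [o for o, ok in c.objectives.items() if not ok],
         "close_by": due}
        for c in controls if not c.is_met()
    ]

# Constructed sample assessment (ids, weights and objective results are illustrative).
SAMPLE_ASSESSMENT = [
    Control("3.1.1", 5, {"a": True, "b": True, "c": True}),
    Control("3.5.3", 5, {"a": True, "b": False}),          # MFA not yet enforced for all users
    Control("3.3.1", 3, {"a": True, "b": True, "c": False}),
    Control("3.8.4", 1, {"a": False}),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))   # 101
    for entry in poam_entries(SAMPLE_ASSESSMENT, "2024-07-01"):
        print(entry)
```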
CMMC-compliant software is crucial in ensuring that all technologies interacting with CUI are properly evaluated. ECI’s Government Compliance Cloud supports customers by addressing over 90 of the 110 CMMC controls, eliminating the need for on-premises servers, networks, and additional staff to maintain the technology.
Our ERPs centralize data and prints, including CUI, by consolidating all job-related information in one secure location. This approach enhances data security and transparency while boosting efficiency, eliminating the need for disparate spreadsheets on individual computers.
We have a history of committing to cloud security from our board to individual contributors. We are dedicated to employing best-in-class practices to keep your data secure; this includes security discussions in daily stand-ups, weekly touch points, monthly and quarterly business reviews, and board meetings. We run an Enterprise Risk Management (ERM) Program; our Information Security team performs an annual risk assessment that incorporates the likelihood and impact of several critical risk categories.
CMMC is crucial for ensuring the security and integrity of sensitive information within the defense industrial base. By mandating stringent cybersecurity standards, CMMC helps protect federal contract information (FCI) and controlled unclassified information (CUI) from cyber threats. This not only safeguards national security but also enhances the overall resilience of the supply chain. Compliance with CMMC fosters trust and accountability among defense contractors, enabling them to continue supporting the Department of Defense's critical missions. Ultimately, CMMC represents a significant step in fortifying our nation's defense infrastructure against ever-evolving cyber risks.