How to prepare for the new CMMC readiness standards required to bid on DoD contracts
- Federal contractors who work with the Department of Defense must now maintain CMMC 2.0 compliance to bid on department contracts. Compliance requirements are phasing in over the next three years and include three levels.
- Compliance is a process that can take anywhere from several to 18 months and also involves passing ongoing regular assessments. Depending on your level within the CMMC 2.0 framework, these assessments may be self-administered or conducted by a third party.
- Working with an advisory firm to understand and implement CMMC compliance requirements can help you achieve compliance more quickly and avoid surprises during your regular assessments.
Contractors and third-party vendors who work with the Department of Defense (DoD) must now comply with Cybersecurity Maturity Model Certification (CMMC) readiness requirements. This set of processes and practices is designed to strengthen organizations connected to the DoD (sometimes informally called the Department of War) against cybersecurity threats by protecting controlled unclassified information (CUI) and federal contract information (FCI).
Here’s what you need to know from a readiness standpoint.
What are the CMMC 2.0 requirements?
The CMMC 2.0 framework requires that DoD contractors — officially any organization that’s part of the defense industrial base (DIB) — meet certain cybersecurity standards. If you want to do business with the DoD, you’ll need to be CMMC compliant.
However, CMMC standards don’t kick in all at once. Instead, businesses will need to ramp up compliance over a three-year period stretching from November 2025 through November 2028.
Maintaining compliance includes identifying which of the three CMMC levels applies to your company based on your degree of exposure to CUI, implementing the relevant controls and safeguards, and passing regular assessments.
Here are the three CMMC levels:
- Level 1: Foundational cybersecurity for any federal contractors who handle FCI.
- Level 2: More advanced security standards for organizations that also deal with CUI.
- Level 3: The highest level of CMMC, meant to protect CUI from advanced threats.
Why do you need to achieve CMMC compliance?
CMMC exists largely to protect a category of data called CUI. Broadly speaking, CUI is unclassified information that is still sensitive and should be protected for security reasons.
All CUI is created by or on behalf of the DoD and is technical information with military or space applications.
Where can I find CUI in my organization?
Most businesses in the DIB encounter CUI at some point in their work. It can come in many forms, such as contract documentation, blueprints, schematics, tax information and even some communications.
Here are some questions to help you consider where you should look for CUI within your organization:
- How did we receive the CUI?
- Who needs to access it in their day-to-day work?
- Who did we send it to?
- Where do we store DoD working files and program files?
- Do we keep hard copies of any documentation for DoD clients or prime contractors?
How do you prepare for CMMC compliance?
Achieving and maintaining CMMC compliance is a process. Here’s how to get started.
1. Find an advisor to guide you through the process
A third-party advisor can help you understand and implement CMMC requirements. This will make the process significantly easier and more successful than trying to do everything internally.
Look for an advisor with cybersecurity and compliance experience who is also a Registered Provider Organization (RPO). An RPO has been security vetted and has also demonstrated a comprehensive understanding of CMMC 2.0 requirements.
2. Conduct a CMMC readiness assessment
Next, work with your advisor to assess your organization’s existing cybersecurity preparedness through the lens of CMMC 2.0 compliance. What are you doing right and where are the gaps in your current safeguards or controls?
Part of this assessment will be determining how much CUI your organization has in its possession. This understanding will allow you to define your organization’s scope, supporting eventual representations to the government that no CUI data exists outside of it.
3. Implement additional governance structures, controls and safeguards to meet CMMC 2.0 standards
Depending on the results of your CMMC readiness assessment, you’ll likely need to make internal changes within your organization to meet new compliance requirements. Your advisor can help you determine specific changes and recommend strategies, processes or systems to implement.
4. Undergo regular assessments
You’ll need to undergo regular CMMC assessments in order to maintain compliance and remain eligible to bid on DoD contracts. Depending on your CMMC level, you may be able to self-assess or you may need to be evaluated by an outside entity.
Continue to engage with your advisor to make sure you’re prepared for your CMMC assessments so you don’t experience any unexpected surprises that limit your ability to bid on DoD contracts.
What else should you know about CMMC readiness?
Here’s what else businesses need to know to prepare for CMMC and meet cybersecurity readiness requirements:
What is the latest DoD guidance on CMMC?
The government’s guidance on CMMC continues to evolve. CMMC 2.0 requirements and timelines have changed significantly since they were first introduced, with additional revisions likely should the cybersecurity threat environment warrant it.
Your advisor can help you stay on top of any new developments and adapt as needed.
Does the commercial item exception apply to my products?
Some organizations may benefit from an exception stating that providers of commercial items only need to achieve Level 1 CMMC certification. An RPO can help you determine whether this applies to you and help build your organization’s commercial item representation.
What processes or tools do you need to comply with CMMC?
CMMC requirements change depending on which of the three levels your business falls under. Before you can determine which processes you need, you’ll first need to determine your level within the CMMC framework.
How long does it take to become CMMC compliant?
Depending on your CMMC level, achieving compliance will take anywhere from several months to well over a year. The specifics depend on your current cybersecurity readiness, the size and capabilities of your organization, your degree of advisory support and the particular requirements you aim to meet, with Level 3 compliance estimated to take as long as 18 months.
Can businesses self-assess CMMC compliance?
CMMC assessment rules change depending on whether your organization is aiming to meet requirements for Level 1, 2 or 3:
- Level 1 organizations can self-assess CMMC compliance on an annual basis.
- Level 2 organizations can either self-assess or work with a CMMC Third-Party Assessment Organization (C3PAO) to certify compliance.
- Level 3 organizations must complete a third-party assessment by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.
Do organizations also need to be compliant with DFARS 252.204-7012 and 7019?
The DoD assumes that organizations that are now starting to prepare for CMMC have already achieved compliance with DFARS 252.204-7012 and 7019. If your organization hasn’t done this yet, you’ll need to catch up to where the DoD expects you to be before starting your preparations for CMMC.
How much does CMMC cost?
The DoD has established a rough order of magnitude (ROM) of how much it is expected to cost organizations to achieve CMMC, broken down by size of business and shown as a percentage of annual income. You can find this assessment within the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
Note, this ROM assumes the organization is already compliant with DFARS 252.204-7012 and has all the required NIST SP 800-171 controls in place.
Are CMMC costs allowable?
The DoD understands that organizations will incur costs in preparing for and sustaining CMMC. Fortunately, the DoD has also determined that some of these costs are allowable indirect costs. An RPO can help you understand which costs are allowable and which are unallowable.
How Wipfli can help
We help organizations prepare for, achieve and maintain CMMC 2.0 compliance. Let’s talk about your business and specific compliance needs. Start a conversation.