Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


How to prepare for CMMC

Feb 05, 2021

If you’re among those who serve the Department of Defense (DoD), you’ve likely become aware of the Cybersecurity Maturity Model Certification (CMMC) mandate. This set of processes and practices are designed to prepare organizations against cyber threats.

Cybercrime is a growing concern across all industries. But, within the defense industrial base (DIB) cybercrime could unveil national security data like controlled unclassified information (CUI). Releasing CUI to malicious actors could have grave consequences, including harm to our warfighters.

Every organization in the DIB that has CUI is required to protect it. Soon, protecting it means you must  adopt CMMC practices and processes to keep it and your business safe.

Achieving CMMC can be a daunting task – here’s what you need to know to get prepared.

What is CUI?

Fundamentally, CMMC exists to protect a category of data called CUI. Broadly speaking, CUI can include any type of data that, if released, could cause harm to our warfighters or national defense.

All CUI is created by or on behalf of the DoD. From the DoD’s perspective it relates to any technical information with military or space application.

A major challenge in preparing for CMMC is understanding what CUI is and where it exists within an organization. Many times, knowing where that data resides is just the tip of the iceberg. That’s because existing CUI could be mislabeled or unlabeled – that means that you may not even know that you have CUI.

As you prepare for CMMC, a key first step is to assess your organization’s preparedness. Part of this assessment will be to ensure you have a full understanding of how much CUI data your organization has in its possession. This understanding will allow you to define your organization’s scope, supporting eventual representations to the government that no CUI data exists outside of it.

Partnering with a Registered Provider Organization (RPO), like Wipfli, may be a smart place to start in your CMMC preparedness assessment. These organizations have been security vetted and have also demonstrated a comprehensive understanding of CMMC. Working with one may help expedite your organization’s path towards sustainable certification.

Where can I find CUI in my organization?

Most businesses in the DIB encounter CUI at some point in their work. It can come in many forms like contract documentation, blueprints, schematics, tax information, and even some communications. When you’re searching for CUI in your organization, here are some important questions:

  1. How did we receive the CUI?
  2. Who needs to access it in their day-to-day work?
  3. Who did we send it to?
  4. Where do we store DoD working files and program files?
  5. Do we keep hard copies of any documentation for DoD clients or prime contractors?

What is the latest DoD guidance on CMMC?

The government’s guidance on CMMC is evolving. The latest update specifies that certain CMMC requirements do not apply to organizations that produce strictly commercial off-the-shelf items. Another recent update helped to clarify which level of CMMC will likely be required of organizations, further indicating that as many as 47,000 organizations will need to reach some level of CMMC by 2024-2025.

Does the commercial item exception apply to my products?

Some organizations may benefit from an exception stating that providers of commercial items only need to achieve level one CMMC certification. A RPO can help you determine if this applies to you and help to build your organization’s commercial item representation.

What processes do I need to establish for CMMC? 

CMMC has five levels, each with one or more processes, practices, and capabilities. It also has 17 domains that cross all five levels.

Before you can determine which processes you need, you’ll first need to determine which level of CMMC your organization needs to achieve.

Can I self-certify CMMC?

Unfortunately, only CMMC Third-Party Assessment Organizations (C3PAO) can certify CMMC. However, organizations can perform a self-assessment to prepare for certification. Different versions of the assessment are available on the DoD’s CMMC website.

Does my organization need to be compliant with DFARS 252.204-7012 and 7019?

The DoD assumes that organizations who are now starting to prepare for CMMC have already achieved compliance with DFARS 252.204-7012 and 7019. If your organization hasn’t done this yet, you may be late to the game and you’ll need to catch up to where the DoD expects you to be prior to starting your preparations for CMMC.

If you think this is the case for your organization, Wipfli can help you assess your practices against the National Institute of Standards and Technology (NIST) 800-171 requirements and prepare for DFARS 252.204-7019 and 7020 compliance.

How much does CMMC cost?

The DoD has established a rough order of magnitude (ROM) of how much it is expected to cost organizations to achieve CMMC, broken down by size of business and shown as a percentage of annual income. You can find this assessment within the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041. Note, this ROM assumes the organization is already compliant with DFARS 252.204-7012 and has all the required NIST SP 800-171 controls in place.

Are CMMC costs allowable?

The DoD understands that organizations will incur costs in preparing for and sustaining CMMC. Fortunately, the DoD has also determined that some of these costs are allowable indirect costs. An RPO can help you understand which costs are allowable and which are unallowable.

Where can I learn more about how to prepare for CMMC?

Click here to read more about Wipfli’s CMMC preparation services.

Or check out these additional sources:


Tom Wojcinski
View Profile