CMMC Certification Challenges and Solutions

The Department of Defense (DoD) awarded more than $460 billion in contracts during its 2023 fiscal year. For businesses large and small, that is a huge potential revenue stream to tap into. But for a business to be a DoD contractor or subcontractor, it must achieve CMMC certification. Cybersecurity Maturity Model Certification is a DoD program designed to protect data in the Defense Industrial Base (DIB).

Securing CMMC certification is not an easy task. It will require time, money, and cybersecurity expertise to be able to demonstrate compliance. For organizations operating in the DoD space, the effort is worth it because of the business opportunities that could be won or lost depending on their CMMC status.

In this article, we’ll explore some of the challenges businesses can expect to encounter on their CMMC certification paths. We’ll also provide some strategies and highlight available resources that can help in overcoming the challenges.

Understanding CMMC

CMMC is a complex cybersecurity framework. It can be tough for organizations to fully comprehend the requirements, especially those without experienced cybersecurity professionals on staff.

The ongoing transition to CMMC 2.0 creates more moving parts to be aware of. The updated standard is expected to be phased in starting in Q1 2025 with CMMC 2.0 in all DoD contracts by 2028. Businesses should strive to achieve compliance by 2025 to avoid losing potential opportunities.

CMMC 2.0 has three certification levels with different security control requirements. Businesses need to understand which level fits best. Once a certification level is selected, the organization needs to determine how its current security program measures up to the standards and identify the gaps that need to be addressed.

Level 1: Foundational

Level 1 compliance will be an appropriate target for organizations that handle Federal Contract Information (FCI), but not Controlled Unclassified Information (CUI). Organizations can conduct an annual self-assessment to show Level 1 compliance. They must meet the Federal Acquisition Regulation (FAR) 52.204-21 cybersecurity requirements.

Level 2: Advanced

Level 2 will likely be the most common certification level. It requires organizations that handle CUI to work with a C3PAO to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI can do an annual self-assessment.

All organizations seeking Level 2 certification must satisfy the 110 security requirements in NIST SP 800-171.

Level 3: Expert

Level 3 is the most rigorous level of certification. It should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification, organizations must meet all the requirements found in NIST 800-172. NIST 800-172 largely mirrors NIST 800-171 but contains enhanced controls in 10 of the 14 families. Assessments for Level 3 certification will be government-led. They need to be completed every three years.

Fortunately, resources are readily available for those looking to become more knowledgeable about CMMC. The DoD has an extensive list of CMMC resources. The CMMC Accreditation Body also has a valuable resource library.

To stay up to date with changes that happen with the CMMC 2.0 rollout, sign up for notifications from organizations and publications that produce CMMC content. Subscribe to the CompliancePoint Newsletter.

Share these resources with team members involved with the certification process. They can serve as a jumpstart to more thorough training.

Identifying Controlled Unclassified Information (CUI)

CMMC focuses on protecting two types of data, Federal Contract Information and Controlled Unclassified Information.

FCI is information generated for the Federal Government under a contract to develop or deliver a product or service that is not intended for public release.

CUI is information that does not carry classified status but needs to be safeguarded due to government policies, laws, or ordinances. Examples of CUI include data on defense, nuclear, and natural resources infrastructures, financial records, international agreements, and defense data.

Certification levels 2 and 3 deal with CUI. Since those represent the most common levels, most CMMC-certified organizations need to know what CUI they possess and where it is stored.

The CUI registry is a good resource for identifying what data types qualify as CUI and how documents containing CUI should be marked. The National Archives website has a library of CUI training resources.

Once your CUI is identified, track its flow to identify what divisions do and do not encounter the data. Departments of the business that don’t encounter CUI can be removed from CMMC certification efforts, saving time and money.

CMMC Control Implementation

Implementing the security controls that meet CMMC requirements is where the rubber meets the road in the certification process. Controls can be complex, requiring a level of cybersecurity expertise many organizations won’t have within their personnel. Certain controls could require purchasing new hardware, software, or services.

Businesses that don’t feel prepared to design and implement the necessary controls can turn to a cybersecurity service provider or a Virtual CISO (vCISO) for help. They can rely on the experience and expertise of their chosen partner to do the heavy lifting.

Some organizations will also find it beneficial to outsource some IT functions, such as cloud computing, security monitoring, and data backup and recovery to a third party.

If your organization is compliant with another framework such as ISO 27001 or SOC 2, there could be some overlapping controls you already have in place.

Time and Resources

The to-do list for CMMC certification can be long. It will include conducting assessments, implementing controls, producing the proper documentation, and more. Checking all the items off the list will cost money and require hours of dedication from your staff.

It’s key for businesses to get ahead of the certification process. Avoid being caught off guard by the costs and labor required by allocating budget and resources well before the project gets underway. Communicate realistic cost and time requirement expectations to company leadership early on.

If your organization is handling the bulk of the tasks internally, look for automation tools that can streamline workflows. If you’re working with a vendor, ask how they utilize technology to expedite the process and stay on schedule.

Preparing for the Third-Party Assessment

To secure CMMC certification, organizations that handle CUI must go through an assessment conducted by a third party, which requires significant logistical and technical preparation. A successful assessment requires evidence, documentation, and proof that all necessary security controls are implemented and working.

The CMMC Assessment Guide offers guidance for preparing for a Level 2 assessment.

Assessment preparation is a key time to leverage the experience of a service provider. If you chose to work with a vendor, it was likely because they have expertise your organization is lacking. Let your partner lead you through the documentation, evidence-gathering, and control implementation needed to secure your certification.

CompliancePoint has a team of cybersecurity professionals who can guide your organization through every step of the CMMC certification process. Once certification is secured, we can help manage your program to maintain compliance. Contact us at connect@compliancepoint.com to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.