Taking the pain out of CMMC Level 2 certification

The sheer complexity facing organizations seeking CMMC certification for DoD contracts 

CMMC 2.0 is mandatory for all contractors and subcontractors that form part of the U.S. Defense Industrial Base (DIB). CMMC certification involves meeting 17 Federal Contract Information (FCI) controls, which include identity and access management (IAM), physical security, media sanitization, assets, and configuration management, plus an additional 93 Controlled Unclassified Information cybersecurity requirements. No failures are allowed among the 17 controls. 

CMMC is not a standard. It is a certification program that relies on a National Institute of Standards and Technology (NIST) standard, NIST SP 800-171. This Special Publication impacts the Federal Government itself and any companies working within government contract-related supply chains. It serves to protect CUI that is processed, stored, or transmitted by organizations operating non-federal information systems. The difference between NIST 800-171 and CMMC is that the former is a regulatory standard, and the latter is the certification that is granted when an organization is independently deemed compliant with it. 

To achieve certification, which is focused exclusively on the contract scope, organizations must demonstrate compliance by physical or logical means. Companies in a position to easily separate their commercial business from their DoD contracts — and that can afford to do so — might opt to sequester their DoD operations from their commercial operations by creating a secure enclave environment. Secure enclaves function as digital fortresses that store, process, and safeguard CUI that is separate from the broader company network.  

Making things even more complicated, businesses must attest that their contractors are also able to meet these requirements successfully. Depending on the size of the organization, the assessment cost can be anywhere between $50,000 and $100,000. If certification is not granted, and the company wants to try again, they can expect to pay this exorbitant price a second time. 

Given the arduous process, huge expense, and lack of tolerance for any shortcomings, many companies in this position seek out expert guidance to conduct a Readiness Assessment before trying to get CMMC certified. These include companies — like our client — that service both commercial and government sectors and find it advantageous to have ongoing government opportunities despite receiving only a percentage of their total revenue this way.   

Expanded scope, limited CMMC assessor availability, and a time crunch exacerbated matters  

The way things played out specifically for the client, who provide extensive multi-modal capabilities in transportation and logistics, made CMMC certification even more complex. Only after the contract was signed did it become clear that the assessment targeted for one company in fact required assessing a family of 12 companies. Each of these companies shared core infrastructure and IT but had completely different operational processes. The choice to seek a single assessment was risky; if any of the 12 companies failed just ONE of the 110 requirements, all companies would fail that requirement. 

Lack of time was a major issue. The client could start losing DoD contracts as early as March 2025. This time crunch meant that speedy navigation of the CMMC certification labyrinth was vital for a sizable chunk of business. With only 50 C3PAOs (CMMC Third-Party Assessment Organizations that are authorized by the CMMC Accreditation Body) for the entire country at the time of engagement, timing could be even more critical to meet the first wave of official assessments. (The lack of approved assessors is a major issue facing the roughly 300,000 DoD providers expected to achieve and maintain certification.) To reserve a C3PAO, the company would need to demonstrate likelihood to succeed in an independent assessment with an SPRS score of greater than +88.