The Department of Defense's plan to implement the Cybersecurity Maturity Model Certification 2.0 (CMMC) by mid-2025 confronts some companies with a looming and daunting certification process.
Business leaders, who have been researching and implementing CMMC for a year or more, say companies should follow an incremental approach to understanding CMMC requirements, tap into multiple sources of expertise on the topic, and carefully assess and contain implementation expenses.
Shortly after he began researching CMMC two years ago, TJ Greenier, President of Clarity Business Solutions, Inc., created a round table of small business leaders to work through questions and share insights. At monthly meetings, representatives of more than 50 companies have worked on a range of issues, such as acceptable processes for encrypting e-mails and early questions about how Google Workspace could meet CMMC requirements.
For Greenier and his company, it was “an extremely valuable” part of a thorough and thoughtful approach to attaining CMMC certification.
“CMMC isn’t a check-the-box exercise,” Greenier said. “It’s an evolution in the way you think about your business and how you protect information. Going through this process is daunting. The biggest challenge is fully understanding how these requirements apply to a small business.”
“The government doesn’t tell you how to meet CMMC requirements because they don’t know everyone’s unique situation,” said Othell Moore, Partner with MissionEdge Technologies.
Companies need to comb through multiple government documents to fully understand CMMC “because they publish the security controls in one document, guidance in another document, and other relevant information in various other documents,” Moore said.
Companies must use that aggregated knowledge to determine what cybersecurity changes they need to make, based on their infrastructure, existing security, operating practices and the type of government data they access.
“Technical implementation is one piece of the process,” Greenier said. “Documenting the procedures and showing that you are actually following those procedures consistently is an even bigger part.”
Various technologies and procedures have been emerging as best practices for many companies seeking CMMC certification, including deploying BitLocker so that data at rest on every device is encrypted, expanding multi-factor authentication, moving work into virtual desktop environments, and restricting access to sensitive data to approved computers identified by their machine addresses. The last of these works best as one layer among several: an address identifies a device, not a user, and can be spoofed, so it should complement rather than replace authentication.
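Because assessors want evidence that a control is actually in force (see the point about documenting and consistently following procedures above), a practical check is to collect the BitLocker state of every volume on each machine rather than assuming the policy applied. The following PowerShell script is an added example written for this article, not code from any of the companies or consultants it quotes; it uses the standard Get-BitLockerVolume cmdlet (available on Windows 10/11 Pro and Enterprise, run as an administrator) and the accepted encryption methods and output path are assumptions chosen for illustration.

```powershell
# Added example: summarize BitLocker state on the local machine as assessment evidence.
# Assumes Windows 10/11 Pro/Enterprise with the BitLocker module and an elevated session.
function Get-BitLockerEvidence {
    [CmdletBinding()]
    param(
        # Assumption: only XTS-AES is accepted; adjust to match the organization's policy.
        [string[]]$AcceptableMethods = @('XtsAes256', 'XtsAes128')
    )

    Get-BitLockerVolume | ForEach-Object {
        # Key protector types (Tpm, TpmPin, RecoveryPassword, ...) show how the key is guarded.
        $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # A volume can be FullyEncrypted while ProtectionStatus is Off (protection suspended,
        # e.g. after a firmware update), so both conditions are required for compliance.
        $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                     ($_.ProtectionStatus -eq 'On') -and
                     ($AcceptableMethods -contains "$($_.EncryptionMethod)")

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = $protectors
            Compliant        = $compliant
            Collected        = (Get-Date).ToString('o')  # timestamp for the evidence record
        }
    }
}

$report = Get-BitLockerEvidence
$report | Format-Table -AutoSize

# Assumption: CSV per machine, collected centrally as evidence for the assessment.
$report | Export-Csv -Path ".\bitlocker-$env:COMPUTERNAME.csv" -NoTypeInformation

$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0} is not compliant: status {1}, protection {2}, method {3}" -f
        $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus, $_.EncryptionMethod)
}
```

Run the script on each endpoint (for example, via a scheduled task or management tooling) and keep the dated CSV files; a volume reported as FullyEncrypted but with protection Off is the case most often missed when someone only glances at the BitLocker control panel.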
Not all purported best practices, however, work out well.
Data Haven Solutions opted to move its operations to Microsoft Office 365 after being advised that meeting CMMC requirements on its existing Google platform would involve extra steps. The migration did not go well.
The process assigned new backend IDs to existing cloud-based accounts connected to the company, “so all of those logins stopped working,” said President Purvesh Patel.
Employees couldn’t access their virtual desktops. Email to the company bounced. The company temporarily reconnected with Google services to sustain operations and then spent months working through issues to create a fully functional Microsoft environment.
“My recommendation to anyone who is considering switching platforms, is don’t,” Patel said. “Stick with whatever domain you have and work through the issues there.”
CMMC has also spawned a new service industry: consultants who specialize in helping companies attain certification. That extra set of expert eyes can help companies determine if they are positioned to pass a CMMC audit. Some consultants also provide platforms that streamline the process of filing paperwork for CMMC certification.
In the midst of this very thorough and time-consuming process, companies also need to be careful about how they spend their money.
“This is a very costly process. I have read that for a small company, the cost can range from $20,000 to $100,000,” Patel said. “One of the significant costs in this process stems from licensing fees, which are determined by Microsoft and are beyond our control.”
Maryland’s Cybersecurity Tax Credit can offset a portion of that expense, Moore said.
Data Haven Solutions, which is engaging a consultant to help it attain Level 1 certification, expects to spend $80,000 a year achieving and maintaining that status. The company has decided to delay its decision on whether to spend further money to obtain Level 2 certification.
How CMMC gets applied to individual contracts is yet to be seen, but guidance from DoD suggests that some small companies may only need Level 1 for subcontracts and not require Level 2 until they are ready to prime, Patel said. “So, my recommendation would be to wait to see how CMMC is actually enforced.”
Greenier expects to see CMMC provisions start appearing on new and renewed/extended contracts within the next 12 to 18 months. He plans to time his company’s CMMC audit to become certified by then.
Further details about CMMC certification can be found on the DoD website. Information about the Maryland Cybersecurity Tax Credit can be found on the Maryland Department of Commerce site. Small businesses may also want to consider the Anne Arundel Economic Development Corporation’s (AAEDC) low-interest loans for their CMMC certification costs.