Industry Voice: The CMMC interim rule and the assessment process

By Mike Olivier | Oct 08, 2020

As mentioned in my last few columns, the compliance requirement for businesses working with the U.S. Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is designed to protect federal contract information (FCI) that is by default in all federal government contracts and controlled unclassified information (CUI), which is often technical information. Both classes of information consist of information that is not in the public domain; it is provided by the government or may be produced by the defense contractor.

The framework consists of five levels, with each higher level incorporating increasing levels of security. These levels are based on practices that are grouped into 17 domains. At the basic level, Level 1, there are 17 practices across six domains; at Level 5, there are 171 practices spread across all 17 domains. The goal is for all 300,000 companies in the defense supply chain to be audited and certified compliant to one of the CMMC levels by 2026. The CMMC compliance certification will be a baseline requirement: with the appropriate certification level, a company will have access to DoD contracts; without certification, a company will be deemed unqualified.

Level 1 will be the most common level of CMMC compliance, constituting about 80 percent, or 240,000 companies, of the defense supply chain. All contractors will be assessed, and all will have to be certified to the level that corresponds to their contract. It is possible that a contractor with multiple contracts may face different CMMC requirement levels. In this case, the contractor will need to be certified at the highest level, and by default, the contractor will then meet the lower-level requirements.

On September 29, 2020, the DoD submitted the interim rule (Docket DARS-2020-0034) for the Defense Federal Acquisition Regulation. The interim rule begins to put the CMMC framework requirements into place and is another step toward implementation of the requirement. This is a slow rollout, one that is referred to as crawl-walk-run. We are now in the crawl phase, with the CMMC requirement slowly moving into actual contract requirements. The organization that is managing this process is called the CMMC Accreditation Body (AB). The CMMC AB is a non-government, nonprofit entity that constructs and manages what is called the CMMC ecosystem with the DoD: the assessment standards and the standards for assessors, educational material, trainers, accredited consultants, etc. It is the government that sets the practice requirements for each CMMC level. It is then the CMMC AB, working with the government, that sets the standards for how these requirements are met. It is the CMMC AB that manages the assessment process through certified service provider organizations. These service providers supply individuals who are certified to perform training, consulting services, and on-site assessments. It is important to note that the same provider organization is prohibited from assisting with consulting and then conducting an assessment on the same company.

In terms of the assessment process, a company that needs an assessment for CMMC certification will contact a Certified Third Party Assessment Organization, which will then assign an assessment team for the assessment. Once the assessment is completed and passed, the Certified Third Party Assessment Organization will send the assessment results to the CMMC AB for review and for certification of the company. The CMMC AB will not conduct assessments; that is the domain of the assessment organizations. The CMMC AB will be responsible for managing the process and ensuring its integrity.

The interim rule outlines a cost estimate for assessment preparation, the assessment itself, and, to some degree, sustainment. These are general cost estimates, based on very low labor rates and few labor hours. A premise of the DoD in this exercise is that companies are currently in compliance with many of the requirements. This assumption rests on the fact that all companies working under federal contracts must already be in compliance with current system security or cybersecurity requirements. Essentially, in terms of recognizing the cost of compliance, if a company has not met these past requirements, it will not get credit for meeting them now. The bottom-line estimated cost for CMMC Level 1, including preparation and assessment, is about $3,000. The assumption is that the organization is already performing at Level 1. Note too that the labor rates are low; the hourly rate for a Level 1 assessor is $83.32/hour; you cannot get someone to change a light bulb at that rate. The hours may be reasonable: 14 hours of company support for the assessment and 19 hours for the assessment itself. In real life, the assessment cost will increase by about $1,000 or more. To get ahead of these costs, start working on compliance now.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at