Ooey Cooey
Expert advice about Controlled Unclassified Information (CUI).
www.the-cyberadvisor.com
Episode 1 - What is CMMC and How Does it Affect Me?
If you are considering entering the Department of Defense market—or you are already in it but hoping CMMC might quietly go away—this episode is for you.
In this foundational discussion, I break down:
- What CMMC actually is (and what it is not)
- How CMMC relates to DFARS 252.204-7012 and NIST SP 800-171
- When CMMC applies—and when it does not
- Why there is no universal CMMC deadline
- What “condition precedent to award” really means
- How scoping decisions materially impact cost and audit burden
In this episode, I also examine the phased implementation timeline, the contracting officer’s discretion in including CMMC requirements, and the structural realities of the C3PAO ecosystem that influence assessment cost and availability.
Bottom line:
CMMC is a DoD acquisition requirement designed to verify implementation of NIST SP 800-171. It becomes binding when it appears in your solicitation or contract—and it follows the flow of DoD information within your environment, not necessarily your entire enterprise.
If you work with DoD information—or are considering entering that market—strategic scoping and early planning are not optional.
Connect with me on LinkedIn, and if this episode clarified something for you, share it with your work bestie.
And remember—don’t say “cooey.” It’s ooey.
Welcome back to Ooey Cooey. I'm Leslie Weinstein. Although I just graduated from law school, this show is not meant to be legal advice. This is the first episode of season two, which I'm calling What is CMMC and What Does It Mean for Me? If you're a company considering entering the DoD market, or if you're already a defense contractor but you've been living in denial, you've likely heard about the CMMC, but you aren't quite sure what it means for you or how it's going to impact you today. And if you've not yet heard about the CMMC, let me introduce you.

Here's the bottom line up front. CMMC is a Department of Defense acquisition requirement tied to cybersecurity. It applies only when a DoD solicitation or a contract includes the CMMC requirement. When it is included, it conditions contract award on obtaining the identified CMMC status. CMMC requires contractors to implement a defined set of cybersecurity controls within their own information systems if those systems will process, store, or transmit DoD information. And in some cases, the CMMC will also require an independent third-party assessment of your security controls, but not in all cases. That's the short version. Now let's translate this into practical implications.

First, the CMMC is a Department of Defense acquisition requirement. It only applies to DoD acquisitions. It does not apply to any other federal agencies. But it's not the first time that the DoD has required contractors to implement cybersecurity controls as part of a DoD contract. Under DFARS 252.204-7012, also known or referred to as just the DFARS 7012 clause, DoD contractors that handle controlled unclassified information, or CUI (some call it CUI), have been required to implement the security requirements within NIST 800-171 within their own information systems since 2017. And that requirement still exists. The DFARS 7012 clause has not gone away. The CMMC does not create a new set of cybersecurity requirements (caveat for level three: it does, but that's another story for another day). But the CMMC does not replace or remove the DFARS 7012 clause. The 7012 clause will appear alongside the CMMC clause in contracts because the CMMC is built on NIST 800-171 requirements. The CMMC introduces a new verification mechanism of contractor implementation of those NIST 800-171 controls.

Second, and this is where the confusion usually begins: the CMMC applies only when it is included in a DoD solicitation or contract. A solicitation with the CMMC requirement will contain the DFARS 7025 clause, which is called Notice of Cybersecurity Maturity Model Certification, or CMMC, Level Requirements. And a contract with the CMMC requirement will contain the DFARS 7021 clause, which is called Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements. The final CMMC rule outlines a phased implementation approach for the CMMC, with phase two beginning in November of 2026. But that phased rollout provides guidance to contracting officers about when they may begin incorporating CMMC requirements more broadly. Phase two, which begins in November 2026, is not a universal activation date. The rule also makes it very clear that through November 2028, inclusion of a CMMC requirement in a contract remains discretionary, meaning the contracting officer has the sole discretion to include a CMMC requirement or not. So the mere existence of the CMMC regulation does not automatically impose the requirements on every contractor. CMMC becomes binding when it appears in the solicitation or contract you are pursuing. If a solicitation does not include a CMMC requirement, then the CMMC is not a condition of award for that procurement.

And third, when a CMMC requirement is included in a solicitation, then the CMMC is a condition precedent, meaning that you must obtain the identified CMMC status to be eligible for contract award. The government cannot award a contract with a CMMC requirement to a contractor that has no CMMC status at all. And importantly, contractors must maintain the required CMMC status at the specified level or higher throughout the entire contract performance for all information systems that process, store, or transmit government information in support of that contract.

And fourth, the CMMC requires implementation of defined cybersecurity controls within your own information system. CMMC scoping is driven by DoD information flow. Wherever DoD information goes, whether it's federal contract information (FCI) or controlled unclassified information (CUI), whether it's processed, stored, transmitted, worked on, saved, or accessed, wherever that is in your environment, the applicable CMMC requirements flow to that environment. CMMC does not automatically apply to your entire enterprise, though. It applies to the systems, the assets, the environments, and the humans that handle the DoD information as part of the contract performance.

Now here's some free consulting advice for companies who may work with other federal agencies beyond the DoD. NIST 800-171 applies to federal CUI broadly. It's not just for DoD CUI; NIST 800-171 is not just for the DoD, it's for all federal agencies and all CUI. But the CMMC assessment and reporting requirements apply specifically to DoD contracts. Companies entering the DoD space should carefully evaluate the relative size and importance of their DoD portfolio compared to their broader federal business before deciding how broadly to scope their DoD environment. If DoD CUI is confined to a segmented enclave, the CMMC assessment can be confined to that enclave as well. If DoD information flows across your entire enterprise, then your assessment boundary expands accordingly. Unnecessarily enlarging the CMMC assessment scope, particularly where a third-party assessment may be required, will increase preparation effort, documentation burden, audit time, and audit cost. Strategic scoping decisions can materially affect the cost-benefit analysis for companies who are considering entering the DoD market.

And finally, the CMMC does not automatically mean a third-party assessment. That is how it became famous, and it's probably why you've heard of it, but it's not universally how it works. When the CMMC was first introduced, the emphasis was on an independent certification through external validation, and that narrative has understandably stuck. But under the current CMMC 2.0 framework, there are only two CMMC statuses that require a third-party assessment, and two that don't. There are three general levels for the CMMC: level one, two, and three. Level one is always a self-assessment. This is the level that you need if you handle only FCI, or federal contract information. You are not allowed to handle CUI at this level. Level two is the minimum level to handle CUI. Level two may be a self-assessment or a third-party assessment depending on the solicitation, and the solicitation should indicate which one is required. And the third level is level three DIBCAC. Level three DIBCAC always requires a government-led assessment, and the assessment involves just the additional level three controls above and beyond level two. Now I caveated earlier that the CMMC is built on NIST 800-171. The caveat is that level three is built on NIST 800-172, not 171 like level two. And level three adds an additional 24 controls that are taken from NIST 800-172. And there are different scoping considerations, or at least different considerations for how you assess assets within your environment, at level three that are different from level two. So there's a whole lot of difference between level two and level three. It's unclear right now which types of contracts might require a level three. We don't have good guidance there, so that can just be a TBD for now.

So the key takeaway here is: if you handle CUI on behalf of the Department of Defense, you will need at least a CMMC level two and at least a self-assessment. It's unclear if you'll need a third-party assessment, so be prepared to at least pass a CMMC level two self-assessment if you want to do work with the Department of Defense.

Now, regarding these third-party assessments: when a CMMC level two C3PAO assessment is required, the DoD will only recognize assessments performed by a certified third-party assessment organization, also called a C3PAO. C3PAOs are privately owned companies that are authorized to perform CMMC level 2 assessments by the CMMC AB, which is now doing business as the Cyber AB. The Cyber AB is a nonprofit organization incorporated in 2020 for the sole purpose of administering the CMMC ecosystem, which includes vetting C3PAO companies as well as the individual assessors. The Cyber AB is also responsible for vetting and approving training providers who provide mandatory training for the CMMC assessors and other official roles within the CMMC ecosystem. The timeline for companies to achieve C3PAO status is typically 6 to 12 months. The direct costs of becoming a C3PAO are often more than $40,000. The cost for one individual to become a certified CMMC assessor can range from roughly $4,000 to $7,000 in direct costs. In addition to a certified CMMC assessor, every C3PAO must associate with a lead assessor and a quality assurance professional, which can add an additional $10,000 to $20,000 in direct costs upfront. And in addition to all of these upfront costs, all C3PAOs and individuals operating within the CMMC AB ecosystem must pay an annual recurring fee to the Cyber AB to remain in good standing. Even at the smallest viable scale, a C3PAO faces roughly $25,000 to $30,000 per year in ecosystem and accreditation maintenance costs alone. This cost structure inevitably influences the supply and price of a C3PAO assessment and creates a meaningful barrier to entry for new entrants into the C3PAO market. When barriers to entry constrain supply, regardless of the demand, costs will predictably increase. Companies should consider that a CMMC level 2 C3PAO assessment is materially more expensive than a CMMC level 2 self-assessment, and it can take many more months to actually schedule and complete that assessment with a C3PAO.

And now that I have thoroughly depressed you, we're going to wrap this up by circling back to the main key points here. First, CMMC is a DoD-specific acquisition requirement that is designed to verify your implementation of NIST 800-171. And remember, if you already handle DoD CUI, then you have already been required to implement NIST 800-171. CMMC applies only when it is included in a solicitation or a contract. And when it is included, it is a condition required at the time of contract award. And when CMMC applies, it applies to your systems where the DoD information flows and not necessarily to your entire enterprise. Right now, there is still a lot of uncertainty about how broadly and how quickly third-party assessments will be required. Companies considering entering the DoD market should evaluate the effort required not only to align with NIST 800-171, but if necessary, the cost to undergo a C3PAO assessment. Strategic CMMC scoping through a careful analysis of how DoD information will flow through your environment is the most effective way to control the cost and the burden of CMMC compliance.

Thank you so much for listening to this episode of Ooey Cooey. Please connect with me, Leslie Weinstein, on LinkedIn if you have not already. If you liked this episode, please share it with your work bestie. And remember, don't say cooey. That would be ooey.