26 Mar


Can SMBs Afford The CMMC?

posted by: William White

“How can I afford to become CMMC certified?” - A worried small business owner

We’ve gotten that question a lot from our SMB clients. Is getting Cybersecurity Maturity Model Certification (CMMC) certified going to cost an arm and a leg? The answer for most contractors is: No.

CMMC was officially let loose on January 31st, 2020. And things will never be the same for defense contractors. Prior to the release of CMMC, contractors would promise to do their best to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and National Institute of Standards and Technology (NIST) SP800-171 requirements to win contracts. Contractors said they would comply. DOD trusted the contractors and took their word for it. Now, with the CMMC, DOD is asking the contractors to prove that they are complying.

CMMC is a methodology used to build and enhance a company’s cyber security program. It details five levels of increasingly structured and mature cyber security controls and processes. CMMC levels start with basic hygiene and build up to enterprise-level processes and controls. Level 1 has some low-hanging fruit and maps to the FAR 52.204-21 (aka Basic 17) requirements. CMMC Levels 2 and 3 map directly to the NIST SP800-171 requirements. Levels 4 and 5 are based on NIST SP800-171B, which is still a draft as of the date this article was published, plus several other practices that demonstrate an established, advanced cyber security program. Level requirements will be spelled out in the contract and will generally be based on the Controlled Unclassified Information (CUI) being processed or created.

According to Department of Defense CISO Katie Arrington, the good news is that most government contracts (over 90%) will require only Level 1 certification. Level 3 will be required for about 5% of the roughly 300,000 contractors in the Defense Industrial Base (DIB). Levels 4 and 5 bring up the rear, being required in less than 2% (combined) of the contracts. Level 2 will most likely not be found in any contracts, as it is meant to be a bridge from Level 1 to Level 3.

So, for the overwhelming majority of DOD contractors, it will not cost much to get that Level 1 certification and win that bid. In fact, if you already practice basic cyber hygiene, you are most of the way home. In laypersons’ terms, you are almost to Level 1 simply by:

  • Not allowing visitors to walk around your place unattended
  • Locking up the important stuff
  • Not talking about sensitive stuff on Facebook, Snapchat, Twitter, etc.
  • Using up-to-date anti-virus software
  • Implementing firewalls properly
  • Making sure that only employees permitted to access FCI or CUI are actually accessing it

See. Nice and easy. OK, so it isn’t as easy as I make it out to be. But it’s close. There are some additional things; however, if you are already following the list above, they won’t break the bank.

If you are interested in the real 17 things you have to do, here they are:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users or devices.
  6. Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity.
  10. Maintain audit logs of physical access.
  11. Control and manage physical access devices.
  12. Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  13. Implement sub-networks for publicly accessible system components that are physically or logically separated from internal networks.
  14. Identify, report and correct information and information system flaws in a timely manner.
  15. Provide protection from malicious code at appropriate locations within organizational information systems.
  16. Update malicious code protection mechanisms when new releases are available.
  17. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

Making the move from Level 1 to Level 3 is going to require a bigger investment. The good news, though, is that making that jump should only be necessary for about 5% of the DOD contractors out there.

As of the date this blog is published, CMMC is still a moving target. No security firm should claim to be experts on the model. However, URS can assuredly get you started down the road towards Level 1 compliance immediately. Give us a call if you need some help!

610.755.0728 or 800.55.HELPS

Remember, a strong Cyber Security Program is much more than just a firewall and antivirus. To be prepared for today’s threats, a layered defense should be implemented by every company, regardless of size.

About Ultimate Risk Services

At URS, we have a layered solution for every need and any budget.

Highlights of our solution are:

  • Helps you navigate the cybersecurity maze.
  • Budget friendly! Available as a low-cost monthly subscription.
  • Something for everyone! Subscription levels designed with small business in mind. Robust enough to scale to large enterprises.
  • Does not require full-time IT staff.
  • Gives you peace of mind.

So how does it work? What does the subscription give you?

Depending on your subscription level, your 5 Steps may include:

  • An “Always On” Unified Security Management system that safeguards your network, systems, users, and data
  • Security Policies and Plans created via an easy-to-use Online Wizard
  • Customized Online Training
  • Automated Hardware and Software Inventory Tool
  • Automated Vulnerability Assessments
  • A Breach Coach for when the bad guys get in
  • Much more

To take a deeper look into our five steps, click here.

Want to speak with one of our experts? Or are you ready to protect your assets now? Contact us at:

610.755.0728 or 800.55.HELPS
