The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance cybersecurity measures across the defense industrial base (DIB), and it becomes law on December 16, 2024. The aim of CMMC is to protect sensitive unclassified information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), from increasingly sophisticated cyber threats.
As of March 1, 2025, defense contractors without a CMMC self-attestation and a SPRS (Supplier Performance Risk Score) to back it up will no longer be allowed to bid on government contracts or renew existing contracts.
CMMC 2.0, the latest version, consists of three levels of certification:
- Level 1 (Foundational): Basic cyber hygiene practices. Companies are required to prove compliance with all 17 controls, without missing any.
- Level 2 (Advanced): Intermediate cyber hygiene practices. Level 2 includes 110 controls.
- Level 3 (Expert): Advanced/progressive cybersecurity practices.
For small and medium-sized businesses (SMBs) in the defense supply chain, CMMC compliance is critical:
- CMMC certification will be mandatory for bidding on DoD contracts beginning December 16, 2024.
- Certification demonstrates a commitment to cybersecurity, making SMBs more attractive to potential clients and partners.
- Implementing CMMC practices helps SMBs reduce the risk of cyberattacks and data breaches.
- CMMC aligns with other cybersecurity frameworks, such as NIST SP 800-171 and NIST 800-53.
SMBs face several challenges in achieving compliance:
- Cost: Implementing required controls and undergoing certification can be financially burdensome. The CMMC level a small business aims to achieve directly impacts costs:
  - Level 1 self-assessment: Approximately $5,000-$6,000
  - Level 2 self-assessment: Around $34,000-$37,000
  - Level 2 third-party assessment: About $102,000-$105,000
  - Level 3 certification: Estimated at $2.7 million
- Resource constraints: Many SMBs lack dedicated IT or cybersecurity personnel.
  - Studies show that 38% of SMBs have no employees dedicated to cybersecurity, while 42% have only one. Given the complexities, ambiguities and a shortage of qualified cybersecurity talent, this could leave SMBs vulnerable to cyber threats and struggling to maintain even basic adequate security measures.
- Technological upgrades: Upgrading systems and software to meet CMMC requirements can be costly and time-consuming.
- Training and education: SMBs may struggle to provide necessary cybersecurity training to employees.
To address these challenges, SMBs can consider the following strategies:
- Leverage good cybersecurity tools and train for the fight: Many cost-effective solutions are designed specifically for smaller businesses; however, the No. 1 most cost-effective solution is skill. Train your defenders to fight the network. If you can't, hire an MSSP to do it for you.
- Seek government grants: Federal and state programs often provide financial assistance to SMBs working toward compliance with security standards like CMMC.
- Work with Managed Security Service Providers (MSSPs): Partnering with an MSSP can provide specialized expertise and access to tools that are often more affordable than hiring in-house security personnel.
- Implement a phased approach: Get to Level 1 first, then, if required by your contracts, move to Level 2. Plan strategically to spread the cost over time rather than dealing with upfront lump sums.
While the process of obtaining CMMC certification may seem daunting, with proper planning and support, small businesses can navigate these regulations successfully. The long-term benefits of reduced cyber risks and potential cost savings from preventing breaches can outweigh the initial investment, especially considering the potential for larger government contracts.
Jeff Stutzman is the CEO of Trusted Internet, an Amherst, NH-based managed security service provider and Cyber AB registered provider organization.