It’s been a long, winding road to CMMC implementation, but we are finally here. In the first webinar of our CMMC Compass series, Virtru’s Andrew Lynch sat down with Joe Devine, president of cybersecurity assessment firm Axiotrop, to discuss what comes next for the defense industrial base (DIB).
With the publication of CMMC Title 32 in October 2024, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program has been finalized, marking a significant milestone for defense contractors. As organizations prepare for CMMC to take effect as part of DoD contracts — and as Prime Contractors begin to require CMMC readiness of their own supply chain partners — here's what we know so far about the upcoming requirements, timelines, and assessment process.
The DoD outlines the three CMMC levels based on the sensitivity of information handled as part of any given defense contract. "Most of our audience is going to be Level 1 or Level 2," explained Devine. "There's a small, small number of companies that will be Level 3." He gave an overview of the three levels and what they mean for contractors:
One of the most common audience questions was related to the third-party assessment process, most notably: How much does CMMC assessment cost?
As you would expect, Devine says that the cost can vary depending on the size of the organization; its physical locations; how data is managed and shared; and the CMMC level they seek to attain: "I haven't had a quote for any size organization below $50,000. Assessments typically range from $50,000 to $80,000+ depending on organization size."
The assessment process may look different depending on which CMMC C3PAO vendor you choose. Speaking from his personal experience at Axiotrop (which is tracking toward C3PAO status), Devine said that once your organization has made it through the queue, the assessment itself will likely span roughly four weeks and may include:
Devine highlighted the role of SPRS Scores (named for the Supplier Performance Risk System), which are based on NIST SP 800-171.
“Those 110 controls have a value of 1 point, 3 points, or 5 points, depending on how important they are to securing CUI. And when you build up all those points, it's a 313-point range. That range is perfect at 110, and it actually goes all the way down [below zero] to -203.”
"If you fail your C3PAO assessment and you don't have a score of 88, then you have failed," warns Devine. However, there is some flexibility: Organizations that achieve a score of 88 or higher and only miss certain one-point controls may qualify for a Plan of Action and Milestones (POAM) with 180 days to address deficiencies.
For organizations where defense contracts represent a small portion of their business, Devine offers guidance: "If you have CUI, you have CUI. You need to protect it. What you can do is, you can limit the scope... If you're a 100-person organization and 90% of your business is coming from other places — the commercial world for instance — you can build an enclave solution instead of an enterprise solution." This scoping of CUI can help reduce complexity and cost for an organization going through the CMMC assessment process.
Even before Title 48 implementation takes effect in early 2025, many Prime Contractors are already requiring CMMC readiness. As Devine explains, "Primes can officially start requiring their supply chain to go get that certification... The Primes don't want to lose their business. They want to be able to continue to provide their military systems to the DoD."
Some Prime contractors are implementing scoring systems with specific SPRS Score thresholds such as Green (110), Amber (70+), and Red (< 70, which may restrict new contract awards).
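The SPRS arithmetic Devine describes (110 points minus a 1/3/5-point weight per unmet control, the 88-point conditional threshold and the one-point-only POAM rule) together with the Prime traffic-light bands above, as an added Python example that is not from the webinar, Axiotrop or Virtru. The control weights are an illustrative subset I assumed; the authoritative 110-control table is the DoD's NIST SP 800-171 Assessment Methodology, not this page.

```python
from typing import Dict, Iterable

# Scoring constants as stated in the webinar: perfect score 110, floor -203
# (a 313-point range), 88 for conditional certification, 180 days for a POAM.
MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_THRESHOLD = 88
POAM_DAYS = 180

# Assumed, illustrative subset of NIST SP 800-171 control weights. The full
# table (including the 3-point controls) is in the DoD Assessment Methodology.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.1.9": 1,    # privacy and security notices
    "3.1.22": 1,   # control CUI on publicly accessible systems
    "3.8.4": 1,    # mark media containing CUI
    "3.9.2": 1,    # protect CUI during personnel actions
}


def sprs_score(unmet: Iterable[str], weights: Dict[str, int] = CONTROL_WEIGHTS) -> int:
    """Start at 110 and deduct the weight of every control that is not met."""
    score = MAX_SCORE
    for control in set(unmet):
        if control not in weights:
            raise KeyError(f"unknown control id {control!r}")
        score -= weights[control]
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside {MIN_SCORE}..{MAX_SCORE}")
    return score


def assessment_outcome(unmet: Iterable[str], weights: Dict[str, int] = CONTROL_WEIGHTS) -> dict:
    """Full pass needs every control met; per the webinar, a POAM is only
    possible at 88+ when nothing but one-point controls are outstanding."""
    unmet = set(unmet)
    score = sprs_score(unmet, weights)
    only_one_point = all(weights[c] == 1 for c in unmet)
    poam = bool(unmet) and score >= CONDITIONAL_THRESHOLD and only_one_point
    return {"score": score, "passed": not unmet, "poam_eligible": poam,
            "poam_days": POAM_DAYS if poam else 0}


def prime_tier(score: int) -> str:
    """Traffic-light banding some Primes apply to a supplier's SPRS score."""
    if score == MAX_SCORE:
        return "Green"
    return "Amber" if score >= 70 else "Red"
```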
Lynch noted, "I commend all these organizations in the DIB for going through this. It's important for our nation's security, but I know it's not easy. On a regular basis here at Virtru, I talk to organizations working towards CMMC weekly, and it's complex. There's been a lot of uncertainty and questions that they didn't know the answers to until recently. But it sounds like a takeaway is that, often, organizations think they are further along than they actually are. And these large Primes already are essentially saying, 'We need to see that you're gonna be ready for it.'"
Devine agrees that Primes are already expecting readiness from their subcontractors: "I think it's prudent that [Primes] are working with the supply chains to ensure that, you know, the tier ones, the tier twos, all the way down are [ready]."
Devine notes that one of the most critical, yet most commonly failed, controls is encryption. "Of all the things that we do... of all those 110 controls, the most important thing is trying to make the data not obtainable," states Devine. "If all those other things fail and our adversary gets access to our data, we at least want it to be encrypted so they can't use it... That, surprisingly, is the number-one unmet control."
Lynch notes that this is why many defense contractors look to Virtru for data encryption and access control solutions. Virtru integrates with Google Workspace and the Microsoft 365 ecosystem to enable secure email and file sharing to support compliance with CMMC. Lynch references the Virtru Shared Responsibility Matrix, which highlights 27 CMMC practice IDs across five domains, where Virtru supports compliance through encryption, access control, and CUI protection.
When selecting vendors for CMMC compliance, particularly cloud service providers, FedRAMP Moderate authorization is important in terms of your liability. While providers can claim to be "FedRAMP Moderate equivalent," Devine explains why this distinction matters:
"If you have picked somebody that's FedRAMP moderate equivalent, then you're on the hook as the organization using that company... you are on the hook to kind of validate and verify that they've met all those requirements and they continue to meet them and that they continue to perform the due diligence that they're supposed to do in order to maintain that equivalency."
This creates additional work and risk for organizations seeking certification. As Devine notes, "That's a mountain of work, and there's no way you can do that work, really. You have to kind of trust, and that means the person at that company has to hit everything perfectly."
Conversely, using FedRAMP Moderate authorized vendors simplifies the compliance assessment process, because those solutions are already vetted: "If I'm going to use a tool that has gone through that [FedRAMP authorization] process, I don't have to worry about it."
To verify a vendor's FedRAMP status, Devine advises: "If somebody's saying that they're FedRAMP approved, FedRAMP Moderate approved, then they will be listed in the FedRAMP Marketplace. If they're not there, then I would ask more questions."
As a FedRAMP Moderate authorized data security provider, Virtru helps organizations support CMMC encryption requirements for CUI protection while enabling crucial collaboration workflows to take place. With Virtru, defense contractors of all kinds can encrypt and share sensitive information while maintaining control of that data at all times.
Here's what Virtru brings to the table for CMMC:
Devine said it well: "You have to protect the CUI, but then you also have to make it amenable to good business workflows." This is where Virtru shines, and why organizations across the DIB use Virtru to support their CMMC compliance efforts.
With limited C3PAO availability and growing pressure from Prime Contractors, organizations should begin preparations now, rather than waiting for Title 48 implementation. Early preparation and the right tools will be key to maintaining your competitive advantage in the defense industrial base, especially if you are entrusted with protecting sensitive CUI.
Want to see how Virtru can be an easy win for your CMMC strategy? Contact our team today. We'd love the chance to talk with you.