CMMC Compliance: Will Your SMB Be Effected?


November 22, 2021

With More Factories than Ever Required to Submit their CMMC Certification, the New Workload It Requires Can Seem Overwhelming. Integris is here to help you sort it all out.

If you’ve been reading the headlines lately, it’s no mystery why the United States government considers corporate cybersecurity a national security issue. Cyber attacks are often state sponsored, highly sophisticated, and aimed at our national infrastructure and institutions, like our electric grids, or city, state or national agencies. To combat the growing threat, President Biden has issued an executive order requiring the Department of Defense to verify the safe cybersecurity practices of all their vendors by 2025. And the process they’re using to do that is a rigorous certification known as the Cybersecurity Maturity Model Certification (CMMC). If you work with the Department of Defense in any way, you’ll need to have some level of CMMC compliance, or risk losing your contract.

When your company has invested in CMMC compliance, you’ve certified that you have safe cybersecurity practices, and can manage Controlled Unclassified Information (CUIs) across the entire DoD supply chain. It really is that simple.

So, what kinds of companies need to worry about CMMC compliance? The answer is not as simple as “any defense contractor.” Let’s break it down.

CMMC Compliance: What Is It, And Who’s Governed By It?

First, let’s talk about the conditions leading to the development of CMMC. Government contractors have always had to follow some kind of guidance about cybersecurity. Only, up to now, that guidance lacked much in the way of enforcement teeth. Contractors were asked to follow the  National Institute of Standards and Technology’s 800-171 guide , which in essence, asked contractors to “self attest” that they were following the guidelines.

The threat of cyber spying and cyber crime has gotten so great, however, that the government can no longer simply “take their word for it.” Enter CMMC. This certification is a now a requirement for any firm wishing to do business with the government. The CMMC certification is tiered, based on the level of sensitive data a contractor will handle. The government jobs going up for bid will specify which level of certification you need.

So, when will CMMC be required? The government has requested that DoD vendors and consultants start applying as of 2020. However, companies will have until 2025 to comply. That extra buffer time is necessary, because the bar is set high to reach compliance. Here’s how the tiered levels look for consulting companies.

How Many Levels of Certification Are There?

In November 2021, the DoD completed a review of the CMMC process that was prompted by complaints from vendors about its complexity. As a result, they came out with CMMC 2.0, a program which streamlined the process from five security levels, to three, as is shown in the the DoD’s chart below.

Where your organization falls on this chart will depend on what services/products you provide for the Department of Defense, and the sensitivity level of the data you handle. Each level builds on the next, so that those in level three will have to have all the safeguards of the first two levels, as well as a whole new set of rigorous data handling standards.

The bids you make will already have their own predetermined levels. So be sure to contact your government clients for details on what’s expected of your bids.

Does all this sound complicated? It is, actually. Getting a CMMC certification usually takes months to complete, and requires the help of an MSP like Integris, or specialized consultants who can help you get the proper training and assemble the proper documentation to apply. Also keep in mind, it’s not just a matter of filling out forms. You must demonstrate that your systems are configured properly with the right kinds of safeguards. So, keep in mind capital investments may be necessary, and new systems might need to be put in place before you can apply for your certification.

What does CMMC Compliance Cover?

 CMMC Compliance can be expensive—requiring upgrades and new processes that could cost your company as much as $3,000 per employee per year, according to AT&T’s latest estimates. Initial set up fees could cost as much as $500 to $1000 per employee.

Why is it so pricey? Because the certification touches nearly every part of your IT operation and physical plant security. To earn your certification in CMMC compliance, your company must meet the requirements for 43 different capabilities spanning 17 different domains, including:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System Communications and Protections
  17. System and Information Integrity

If this seems like an insurmountable hill to climb, take heart. There is plenty of great contract help that specializes in CMMC requirements for small business.

Where to Go for Help

Before you can begin the certification process, you’ll need to articulate all the parts of your current cybersecurity plan, so it can be reviewed. Then, you’ll need a CMMC preparedness consultant, or an MSP like Iconic that understands CMMC compliance requirements, and can revise your cybersecurity plan to achieve true CMMC compliance. That consultant can work with your internal staff to do a comprehensive review and risk assessment, to determine where your deficiencies are. They’ll help you identify which cybersecurity products, platforms and services you’ll need before the CMMC compliance deadline.

Would you like to do a little homework and see if your cybersecurity is up to the test? Try our free DIY Cybersecurity Assessment Checklist, to see where the holes in your cybersecurity operation are. And if you’re in one of our service areas, contact us. We’d love to help you get started on the road to CMMC compliance!

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as,, The Lane Report and many others. Connect with her on LinkedIn.

Keep reading

vCIO vs. vCISO: What’s The Difference? 

vCIO vs. vCISO: What’s The Difference? 

Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...

Retainers for vCIOs and vCISOs: A Comprehensive Guide

Retainers for vCIOs and vCISOs: A Comprehensive Guide

If you're running an IT department at a small to mid-size company, you know— the demands on your infrastructure are greater than ever. Cyber threats are growing at an alarming pace, primarily fueled by the accessibility of AI to hackers. Cloud productivity, system...