With the passing of the Cybersecurity Maturity Model Certification (CMMC), any company working with the DoD will be required to meet a certain standard of cybersecurity verification in order to win—or even bid on—contracts, whether as a prime or a subcontractor.
This regulation comes from two different trends in the cybersecurity landscape. One is that over the past several years, billions of dollars have been lost in intellectual property theft from defense contractors working with or for DoD programs. The second is that because of major hacks over the years, it has been made clear that without a solid cybersecurity foundation, documents, assets, and contractors partnering with the DoD are at risk.
If you have questions about CMMC and who the new regulations apply to, know that you’re not the only one. Here, we’re breaking down the questions we’re most commonly asked about CMMC.
1. I don’t have CUI or FCI that I’m aware of. Do I need to comply with CMMC and NIST 800-171?
Yes, you must begin to prepare and comply, at a minimum, with NIST 171. CUI and FCI information is beginning to show up in correspondence with the government and/or prime contractors, meaning you still need to comply.
2. All my employees work onsite in a government facility. Do I have to comply?
Yes. The intent of CMMC and NIST 171 is for DIB organizations to become secure. Securing every endpoint, down to the user, is required to comply with this new regulation if that environment is also intended to be used to process, store, and transmit CUI and FCI data. The cost of securing each employee will depend on the privileges and access that employee requires to CUI and FCI.
3. Can I achieve CMMC and NIST 171 compliance by purchasing a system or software?
No, there is no single product that can automatically make you compliant. CMMC and NIST 171 require a combination of tools, secure configurations of those tools, and services to carry out the cybersecurity and compliance practices outlined in the NIST and CMMC security controls. For instance, you can’t just buy Microsoft Office 365 and assume you’re now compliant. You need to apply all of its security and compliance settings to make it compliant, and then perform ongoing practices such as change/configuration management, vulnerability management, intrusion detection and analysis, weekly/monthly audits, backups, and so on.
4. I am only a subcontractor. Do I have to comply?
Yes, subcontractors are required to comply with CMMC as well. It is likely that your prime contractors are already requiring you to comply and attesting that you are compliant. Prime contractors are responsible for ensuring that you comply as well, based on the flow-down rule within DFARS. Furthermore, if a subcontractor has suppliers and/or subcontractors underneath it that handle CUI and FCI data, it is responsible for ensuring that every person in its organization complies.
5. How much does it cost and how long will it take to get compliant?
This will all depend on the size of your organization, the complexity of your existing IT environment, and the legal structure of the company. On average, a small business should allocate at least $25,000 a year for managed IT, cybersecurity, and compliance services. Compliance costs can be much higher for larger organizations, although each employee in a larger organization costs less to bring into compliance, since those organizations have a larger scale over which to spread costs. All companies should expect 3 to 6 months to become compliant with both NIST 171 and CMMC Level 3, assuming proper attention and resources are assigned to execute the project.
Start your compliance journey with Hyper Vigilance
At Hyper Vigilance, our goal is to make getting CMMC compliant as simple and accessible as possible for companies of all sizes. When we work with our clients, we do more than prepare them for their CMMC audits — we get them set up to take on whatever the world throws their way. Get a free cybersecurity consultation when you contact the experts at Hyper Vigilance today.