DOES YOUR ORGANIZATION INTERACT WITH FCI OR CUI?

The certified professionals at Hill Tech Solutions can help with CMMC 2.0 compliance.

CMMC 2.0 is the Department of Defense's new standard for contractors handling FCI or CUI.

Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC 2.0) was published as a proposed rule for public comment in December of 2023, and is expected to begin appearing as a contractual requirement in DoD contracts as early as the first quarter of 2025. Defense contractors and other organizations that handle federal contract information (FCI) or controlled unclassified information (CUI) will therefore need to be compliant at the required level before they can be awarded contracts that carry the requirement.

Within the CMMC 2.0 framework there are three levels of certification, determined by the type of data being handled: Level 1 for FCI, Level 2 for CUI, and Level 3 for CUI on the most sensitive programs. Level 2 is the most common, and preparing for it can take months, as can scheduling the assessment itself. The time to start preparing is now.

Some questions about CMMC and their answers:

What is CMMC? CMMC is a Department of Defense framework designed to protect sensitive unclassified information in the defense supply chain from the ever-increasing threat of cyberattacks, and more specifically from the theft of intellectual property by foreign powers. It verifies that defense contractors and their trade partners have implemented the required safeguards so that they do not become vectors for attacks or information theft, and it builds on the existing requirements for reporting incidents when they do occur.

How long does the process take? Depending upon the complexity of your environment and the budget and internal resources allocated, the process can take six months to a year. That's why it's vital to start now.

How much will it cost? In its proposed CMMC rule, the Pentagon estimates that a Level 2 self-assessment and the related affirmations will cost over $37,000 for small entities and nearly $49,000 for larger entities, covering the triennial assessment and affirmation plus two additional annual affirmations. A Level 2 certification assessment by a third-party assessor is estimated at nearly $105,000 for small entities and approximately $118,000 for larger ones, again including the triennial assessment and affirmation and two additional annual affirmations. These figures cover the assessment cycle itself, not the cost of implementing the required security controls, which the DoD treats as an existing obligation under current contract clauses.

Why Hill Tech? Hill Tech’s Principal Consultant, Ron Hill, CISSP, is a Certified CMMC Professional (CCP) and a CMMC Registered Practitioner (RP), trained to guide your organization through the multiple layers of the assessment process. Hill Tech has also been named one of the world’s premier managed services providers on the prestigious Channel Futures NextGen 101 list for three consecutive years, and is a 2023 Harford Award recipient.

What’s the process? These are the steps generally required to achieve CMMC compliance:
  • Determine the required CMMC level. There are three levels; the level is set by the contract and depends on whether you handle FCI (Level 1) or CUI (Level 2, or Level 3 for the most sensitive programs). Most organizations will require Level 2.
  • Identify relevant assets. Scope the assessment by identifying which systems, people, facilities, and service providers store, process, or transmit FCI or CUI, or provide security for the assets that do. Everything in scope must meet the requirements, so a well-defined boundary (for example, a segmented enclave for CUI) keeps the effort manageable.
  • Assess shortcomings. With the scope defined, perform a gap assessment comparing current conditions against the practices required at the target level (for Level 2, the 110 requirements of NIST SP 800-171).
  • Create a plan. Document the steps, owners, and timelines for remediating the gaps found above in a Plan of Action and Milestones (POA&M).
  • Execute changes. Implement the technical and procedural changes identified as necessary, and collect evidence that each control is in place.
  • Prepare for assessment. Compile and review the documentation that is vital to a successful CMMC assessment, in particular the System Security Plan (SSP) describing how each requirement is met, along with the policies, procedures, and evidence that support it.
  • Complete assessment. Level 1 is a self-assessment; Level 2 is either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), depending on the contract; Level 3 is assessed by the DoD. Results are recorded in the Supplier Performance Risk System (SPRS).
  • Continued governance. Level 2 assessments, whether self-assessed or performed by a C3PAO, are triennial, with an annual affirmation of continued compliance in between; Level 1 self-assessments and affirmations are annual. Ongoing monitoring and governance will keep the organization compliant between assessments and ready for any future changes to the framework.

See our blog posts about CMMC 2.0 and CMMC Compliance Mistakes to Avoid.

Contact us at 410-671-5780 or [email protected] to learn more or schedule a consultation.