What Small Business Contractors Need to Know About CMMC

The mandatory implementation of cybersecurity regulations is quickly approaching for contractors in the defense industrial base.

As the Pentagon rolls out the second version of Cybersecurity Maturity Model Certification, aka CMMC 2.0 changes, interim rules are expected to go online. As a result, companies can anticipate seeing CMMC 2.0 language appear in the U.S. Department of Defense (DoD) and other lucrative contracts brokered by the federal government. The first interim rules are set for March 2023, meaning CMMC 2.0 mandates will likely appear in agreements come July 2023.

The idea that CMMC 2.0 rules won’t impact deals until July may not create a sense of urgency. But the time it takes to conduct a comprehensive cybersecurity analysis of systems, employee practices, and the way sensitive data is stored and transmitted could take months. Moreover, given the impact the following changes could have on contractors, business leaders could get sidelined if they procrastinate.


1: More Stringent Policies and Procedures

Organizations will be tasked with meeting the NIST 800-171 requirements assigned to each of the three cyber hygiene levels. The forthcoming mandate does away with some process requirements at the lowest level but insists an enterprise “define” upwards of 49 of 110 controls. A cursory look at the three levels shows this could prove a Herculean task for organizations.


  • Level 1: Cyber hygiene at this level involves the protection of Federal Contract 

Information (FCI) not intended for public disclosure. Although considered “basic” cyber hygiene, military supply chain businesses must address how FCI is handled and stored.

  • Level 2: Companies will be required to document the processes used by staff members. It involves achieving cyber hygiene concerning 14 domains and 110 controls.
  • Level 3: A contractor’s cybersecurity posture must be so rigorous it can repel the advanced persistent threats presented by enemy nations. Companies must have a regular third-party assessment and maintain a determined posture.

Industry leaders must often prove they achieved the necessary cyber hygiene level to bid on DoD and other federal contracts. Before the federal government crafted the CMMC 2.0 policy, they primarily took a contractor’s word they complied. That all ends now.


2: Plan of Action and Milestones & Waivers

The number of waivers granted is expected to be slimmed down considerably, and a tight policy has reportedly been established. A minimum score for each control must be satisfied, and no waivers will be allowed for the highest weighted controls (i.e., those worth five points).

Cybersecurity experts and national security insiders are hailing this as a win for America’s digital defense. Contractors who previously relied on stop-gap waivers would be well-served to contact a CMMC Third Party Assessment Organization (C3PAO), conduct the necessary due diligence, and harden their defenses.


3: Changes to Self-Assessments

One of the changes from CMMC 1.0 to 2.0 involves what appears to be flexible self-assessments, at least at first blush. The approaching mandate indicates outfits that fall under Level 1 may conduct their assessment and file a score online.

Initially, some Level 2 organizations were going to have a self-assessment option, while others needed to work with a C3PAO, depending on the nature of the FCI or Controlled Unclassified Information (CUI). However, recent reports indicate Level 2 companies will all be mandated to undergo a third-party assessment. As a result, an estimated 80,000 contractors and subcontractors handle FCI and CUI required to meet Level 2 standards. The same holds for contractors within the Level 3 framework.


4: Senior Officials Tasked with Annual Affirmations

One of the top-tier issues CMMC 2.0 seeks to address is accountability. The DoD once fined or suspended companies after determining they failed to meet federal cybersecurity guidelines. Unfortunately, many of the penalties came after a hacker had already absconded sensitive FCI or CUI.


According to a filing in the Federal Register, the newly-conceived cybersecurity regulations allow “annual self-assessment with an annual affirmation by DIB company leadership” in some cases. This means that faulty self-assessments and failure to maintain a Level 1-3 posture may result in the company and senior management personnel suffering consequences. Given the wide-reaching things that could go awry during internal audits, industry leaders would be well-served to onboard a C3PAO.


5: Preparation Timeline Shortened

Early expectations around the CMMC 2.0 rulemaking process were that it would take 9-24 months. Now, contractors and subcontractors have until July before mandates appear in agreements. Industry leaders should start implementing NIST 800-171 controls before the year’s end. When the first quarter of 2023 kicks off, the 300,000 organizations in the defense industrial base will likely overwhelm the availability of C3PAOs, creating a bottleneck.


How to Prepare for CMMC 2.0 Appearing in Contracts

The best preparation strategy may involve scheduling a gap assessment. This cybersecurity analysis deeply delves into systems, best practices, programs, and how FCI and CUI are stored and transmitted. Business leaders receive a report showing network strengths and vulnerabilities. Accompanying recommendations highlight ways to close security gaps and meet the CMMC 2.0 mandate.


Sedulous Consulting Services is an Approved C3PAO Candidate firm. Our dedicated team members can comprehensively conduct a gap assessment and overcome any CMMC 2.0 challenges contractors and subcontractors face. To schedule a gap assessment, contact Sedulous Consulting Services today


What Small Business Contractors Need to Know About CMMC

More than 300,000 businesses in the military-industrial base need to implement the Pentagon’s latest cybersecurity policy. The Cybersecurity Maturity Model Certification (CMMC 2.0) does not discriminate between small, mid-sized, and large corporations. The U.S. Department of Defense (DoD) announced it would publish an interim CMMC 2.0 rule in March, with small business contractors seeing it in their agreements soon after. Small business owners may view the federal government’s mandate as overkill. But Robert Metzger, who reportedly inspired CMMC with the startling “Deliver Uncompromised” report, recently explained why small business contractors need to adopt the measure and understand the CMMC Requirements. 

“We know that adversaries will seek the so-called low-hanging fruit and mount attacks against less well-defended companies. The problem is that for smaller businesses, (NIST Special Publication 800-171) can be daunting, intimidating, frustrating, confusing and expensive,” Metzger reportedly said at the Washington Technology CMMC Summit. “But we cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically.”

With the mandate fast approaching, small businesses would be well-served to take proactive steps in preparation for CMMC 2.0, such as scheduling a cybersecurity gap assessment. A managed IT firm with CMMC 2.0 expertise can provide scalable support. These are things small business contractors need to know about the mandate and why they would be wise to act with a sense of urgency.

How Do CMMC 2.0 Levels Apply to Small Businesses?

There are reportedly more than 300,000 organizations that benefit from lucrative DoD contracts. The bulk of these companies provides materials and services in support of direct military defense contractors that design and build equipment and technologies.

The enemies of Democracy finance some of the world’s most notorious hackers to breach systems at every level. Even the most determined advanced persistent threats understand few cybersecurity gaps persist among corporations that handle top-secret information. That’s why they target small and mid-sized outfits — “low-hanging fruit,” as Metzger stated — in hopes of uncovering scraps of information that expose the greater national security picture. These are the types of digital information they are trying to steal.

  • FCI: Federal Contract Information is not intended for public disclosure. Although not necessarily a danger itself, FCI can be used as a piece of the national security puzzle. It may provide clues for rogue nations to discover significant policies and initiatives.
  • CUI: Controlled Unclassified Information is created by the government. It may have been linked to the DoD, making it essential to protect. Stolen CUI can be used to learn military activities and potentially place the men and women who serve in harm’s way.

Of the three CMMC 2.0 levels, small businesses must comply based on the type of FCI or CUI the operation stores and transmits. A small technology company with five employees may need to meet the expert cyber hygiene requirements of Level 3. By that same token, a small business of 100 employees could fall under the basic cyber hygiene of Level 1. Business professionals who are unsure about the requirements are advised to contact an accredited CMMC Third Party Assessment Organization (C3PAO) to conduct an audit.

What are CMMC 2.0 Benefits for Small Businesses?

Even when a government mandate is well-intentioned, there’s a tendency to view it as just another expense or, well, a hassle. This holds particularly true of small business leaders who consider their seemingly peripheral contributions inconsequential.

We know that advanced persistent threats do target companies on the outskirts of the military supply chain to infiltrate federal agencies. The SolarWinds software breach of 2020 proved skilled hackers could penetrate thousands of organizations in this fashion, including the U.S Treasury Department. But to hit a little closer to home, small businesses may want to consider CMMC 2.0 as a way to harden their posture for the following reasons.

  • Forty-six percent of all breaches affect businesses with fewer than 1,000 employees.
  • More than 60 percent of small and mid-sized businesses were targeted in 2021.
  • Upwards of 82 percent of ransomware attacks were leveled against small and mid-sized companies in 2021.
  • More than one-third of ransomware victims employed fewer than 100 people.
  • Small business employees experience social engineering attacks 350 percent more than big corporations.

Verizon’s 2021 Data Breach Investigations Report indicated that even garden variety hackers are targeting small businesses at an increased rate of 61 percent. Symantec’s 2016 Internet Security Threat Report indicated that the number was only 34 percent in 2014 and 18 percent in 2011. It’s easy to see which way the cyberattack trend is heading.

Should your operation get plucked like the “low-hanging fruit,” small business losses typically range from $120,000 o $1.24 million. Needless to say, an organization compromised by hackers will likely lose profitable DoD contract work. And the reputational damage drives companies into bankruptcy.

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business,” Metzger reportedly said. “Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors.”

The good news is that CMMC 2.0 delivers the hardened defense small businesses need to deter low-level hackers and advanced persistent threats alike.

How to Get Started with CMMC 2.0

The first step toward robust cybersecurity calls for a gap assessment. An accredited C3PAO reviews best practices and internal cybersecurity policies and thoroughly vets the small business network for vulnerabilities. Once the data has been analyzed, company leaders receive a report highlighting weaknesses and offering solutions. Not only will you possess a roadmap to CMMC 2.0 compliance, but you can stop being an easy target.

Sedulous Consulting Services is an Approved C3PAO Candidate firm. We perform gap assessments and can help you harden your cybersecurity posture. Contact Sedulous Consulting Services today.

Who Needs A Gap Assessment To Earn CMMC Certification?

More than 300,000 organizations that do business in the military-industrial base must implement heightened cybersecurity safeguards in compliance with newly-minted federal regulations.

The U.S. Department of Defense (DoD) has mandated that companies handling varying levels of information must harden their defensive posture to meet the guidelines established by the Cybersecurity Maturity Model Certification 2.0, known as CMMC 2.0. Impacted enterprises range from direct DoD contractors to subcontractors, and even small and mid-sized outfits that handle deliveries and basic services are required to earn CMMC certification.

The challenges ahead for business professionals outside the managed IT, and cybersecurity sector will likely require the support of a CMMC Third Party Assessment Organization (C3PAO). The two critical issues facing businesses involve determining which of the three CMMC certification levels apply to their organization and scheduling a gap assessment to identify cybersecurity weaknesses.

What Sensitive DoD Information Must Be Protected?

American business leaders need to understand that garden variety hackers and advanced persistent threats funded by rival nations are dangerous to national security. But, unfortunately, some mom-and-pop operations may believe they are relatively inconsequential. Unfortunately, nothing could be further from the truth.

The cybercriminals funded by rogue countries, such as Iran, Russia, and China, are determined and patient. They are not uncommon to target military supply chain companies and steal invoices, locations, and electronic messages. This data may be used in conjunction with other stolen information to conclude America’s defensive strategies. The following are the types of data the DoD has deemed necessary to protect against prying foreign eyes.

  • Controlled Unclassified Information: Commonly referred to as CUI, this entails information created or controlled by the government. Although not considered secret, per se, it can be used as a piece of the national security puzzle. Examples include personal identity records, proprietary business information, and communication for official use only.
  • Federal Contract Information: Generally called FCI by industry insiders, this information is linked to government contracts. It defines how a business creates or supplies products to the federal government. In other cases, it outlines a service or payment process that is not necessarily disclosed to the public.

When America’s enemies gain access to this information, it can be used like breadcrumbs, leading to highly classified plans and processes. Every business leader’s patriotic duty is to protect the men and women who serve in the military and ensure domestic tranquility. Gaining CMMC certification is effectively doing your part.

What are the CMMC Certification Levels?

An organization’s level of compliance is dictated mainly by the type of information it stores and transmits. This facet of CMMC certification can prove elusive to some business leaders who might assume cybersecurity involves a relationship with the DoD. That is not the case because a seemingly small business could handle sensitive CUI or FCI requiring advanced protections. These are the three levels of CMMC certification.

  • Level 1 (Foundational): The DoD requires basic cyber hygiene based on implementing 17 defensive practices. Foundational cybersecurity focuses primarily on the storage or transmission of FCI.
  • Level 2 (Advanced): Designed to protect CUI, the DoD requires companies to implement and maintain 110 security controls. These are aligned with the National Institute of Standards and Technology Special Publication on cybersecurity or NIST SP 800-171. Significant differences persist for outfits that fall into the Advanced category regarding CMMC certification requirements.
  • Level 3 (Expert): The CUI housed and transmitted from organizations tasked with Expert-level CMMC certification are considered high-value targets. Sophisticated hackers, backed by enemy states, work tirelessly to breach these networks. Achieving CMMC certification calls for 13410 NIST SP 800-171 controls and NIST SP 800-172 requirements.

Determining which CMMC certification level an enterprise is mandated to meet typically requires an assessment of CUI or FCI by a C3PAO. Once that has been established, a deep penetration into the organization’s cybersecurity capabilities is needed to identify weaknesses and close gaps.

A Cybersecurity Gap Assessment Can Help Achieve CMMC Certification

A cybersecurity gap assessment aims to identify exploitable weaknesses and craft a plan to secure your assets with best-practice mitigation or remediation mechanisms. This process is widely used by small, mid-sized, and large corporations to protect sensitive and valuable digital assets from theft. However, a gap assessment can also highlight subpar practices that invite hackers to target companies with malicious software, particularly ransomware. In terms of achieving CMMC certification, the following gap assessment steps prove invaluable.

  • Evaluate network security in light of CMMC protocols
  • Evaluate best practices by staff members and network users
  • Gather data regarding information and cybersecurity controls
  • Analyze the findings to determine inherent weakness

Business leaders receive a detailed gap assessment report that highlights cybersecurity deficiencies and a Remediation & Mitigation Strategy. Regarding achieving CMMC certification, the information speaks directly to the vulnerabilities that would otherwise disqualify an operation from working within the military-industrial base. Fortunately, gaps in cybersecurity are correctable and can be closed before a CMMC review.

Sedulous Provides Gap Assessments to Achieve CMMC Certification

The need to meet the CMMC 2.0 mandate has taken on a sense of urgency. Businesses must comply to avoid being sidelined and losing otherwise lucrative DoD work. Sedulous Consulting Services is a trusted and vetted authorized C3PAO candidate, and our experienced cybersecurity professionals perform gap assessments tailored to your business. 

If you need to earn CMMC certification, contact Sedulous Consulting Services today.

Sedulous’ Toys for Tots Drive

We are proud to announce we are teaming with the US Marine Corps this holiday season supporting Toys for Tots!

The mission of the Marine Corps Toys for Tots Program is to collect new unwrapped toys and distribute those toys to less fortunate children at Christmas. The primary goal of the Marine Corps Toys for Tots is, through the gift of a new toy, bring the joy of Christmas and send a message of hope to America’s less fortunate children. In 1991 the Marine Corps. Toys for Tots Foundation was created at the behest of the Marine Corps in order to better execute the program.

We have Toys for Tots boxes at our corporate office located at 18300 Quantico Gateway Drive in Suite 201. One box is in the lobby of the building (on the 2nd Floor) and the other box is located in our office reception area. If you would like to donate a toy, please visit our office by Thursday, December 8th, 2022. We will have the donated toys picked up by Marine Corps Reserve members on December 13th.

Top 3 CMMC 2.0 Challenges & How to Achieve Compliance

Identifying the Top 3 CMMC 2.0 Challenges

The Pentagon plans to publish a cybersecurity rule during the first quarter of 2023 that will quickly be inserted into military supply chain contracts. Once the deadline passes, organizations that benefit from lucrative U.S. Department of Defense (DoD) contracts and subcontracts could be sidelined. Unfortunately, that means time is of the essence in terms of Cybersecurity Maturity Model Certification (CMMC 2.0) compliance. Inevitably, there will be some things that are confusing with the CMMC 2.0 release, so to prepare we’ve outlined the Top 3 CMMC 2.0 Challenges. 

Small, mid-sized, and large companies working in the military-industrial base can anticipate some headwinds in meeting the standards set under CMMC 2.0. The federal government has upped the ante, so to speak, because foreign hackers have managed to penetrate systems with the most determined cybersecurity defenses. For example, a Russian-backed hacking group infiltrated the U.S. Treasury and the U.S. Department of Commerce in 2020 through would many consider a backdoor.

Sophisticated and well-funded by rogue nations, hackers work tirelessly to identify vulnerabilities in the military supply chain. By piecing together sensitive data, or planting malicious software, America’s national security policies and procedures can be exploited. That’s why CMMC 2.0 is being implemented, and everyone needs to harden their cybersecurity posture. Organizations that have yet to onboard a CMMC Third Party Assessment Organization (C3PAO) can anticipate challenges resulting from the following.

1: Delaying A CMMC 2.0 Assessment

One of the most significant challenges organizations face is mainly self-inflicted. The notion that the DoD plans to release its rulemaking early in 2023 gives a handful of business leaders a false sense they have plenty of time. Nothing could be further from the truth.

It’s important to understand that some networks require only minor enhancements to achieve CMMC 2.0 compliance. A C3PAO could very quickly vet the system and identify easily correctable vulnerabilities. By that same token, companies tasked with meeting the stringent guidelines outlined in Level 2 and Level 3 of the model could require significant upgrades and a cybersecurity policy that meets DoD standards. Implementation could take months, and staff members may need cybersecurity awareness training.

More business professionals need to realize that a limited number of C3PAOs are available to perform assessments, make recommendations, and help the in-house IT team adjust. As the CMMC 2.0 standards in contracts grow closer, waiting lists are expected, and some companies will miss the deadline. If your organization hasn’t undergone a rigorous cybersecurity assessment, consider yourself tardy.

2: Thinking About CMMC 2.0 Challenges As A Checklist

The federal government continues to change and enhance wide-reaching regulations so often that private-sector people feel they are a nuisance. It’s difficult to disagree with that experience, given CMMC 2.0 comes on the heels of the initial CMMC 1.0 getting scuttled before it was even implemented. It may be human nature to grow weary of changing regulations but treating CMMC 2.0 as a type of checklist will likely lead to failed compliance. Instead, consider what each cyber hygiene level involves.

  • Level 1: This basic cyber hygiene level tasks businesses with implementing 17 controls to protect Federal Contract Information (FCI).
  • Level 2: This advanced cyber hygiene protocol requires organizations to implement and maintain 110 cybersecurity controls to prevent the theft of Controlled Unclassified Information (CUI). These controls were developed by the National Institute of Technology and Standards (NIST).
  • Level 3: Considered expert cybersecurity, companies must meet 110 NIST controls and a subset of enhanced protections. These are subject to regularly scheduled audits by a certified third-party assessment firm.

Despite what some might consider bureaucratic clumsiness, cybersecurity mandates such as the Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act protect everyday people from hackers stealing valuable and sensitive digital information. The rollout of CMMC 2.0 will provide enhanced security for the men and women in the armed forces, as well as everyday civilians.

Few operations can update antivirus software and check the proverbial box for the DoD. The CMMC 2.0 mandate requires regular reviews, recertification, and changes are likely to continue.

‍3: Not Having A Comprehensive Cybersecurity Strategy For CMMC 2.0

To remain in the DoD supply chain, wide-reaching organizations need a System Security Plan (SSP) that meets NIST guidelines. An SSP goes much further than hardening a network’s cybersecurity measures. Instead, it looks at how CMMC-related defenses are implemented and their effect on other systems in their orbit. The basic concept is that a hacker could spend a great deal of time and energy targeting a seemingly peripheral small business because its syncs with a bigger national security fish that houses useful CUI or FCI.

Businesses can expect that CMMC 2.0 auditors will deeply dive into a business’s written SSP and compare it to actual best practices. To say more than a few small and mid-sized companies do not have an up-to-date and fully functioning SSP would be something of an understatement. That’s why SSP development and implementation are significant challenges to meeting the fast-approaching CMMC 2.0 mandate.

Prepare for the CMMC 2.0 Deadline by Scheduling a Gap Assessment

Executing a gap assessment is a crucial step in achieving CMMC 2.0 compliance. This process involves collecting wide-reaching security data regarding your current security posture. Once this data is gathered, an experienced C3PAO firm analyzes every facet of your cybersecurity. Business leaders receive a report and expert advice about curing vulnerabilities and how to mitigate or remediate them. This step can position you for CMMC 2.0 compliance and avoid being sidelined.

Sedulous Consulting Services is an approved C3PAO candidate and managed IT/Cybersecurity firm. Our dedicated and experienced team members can comprehensively conduct a gap assessment and help your business overcome any CMMC 2.0 challenges ahead. Contact Sedulous Consulting Services today.