CMMC Compliance
- BAE Networks
- Jul 7
- 3 min read
Updated: Sep 4
Explaining the Mandatory Certification to Work with the Government

TL;DR: The DoD created extensive cybersecurity rules and processes to protect classified and unclassified information, and we’re breaking down what it means for Government (sub)contractors.
Cyber threats are advancing each day. Contractors and subcontractors who work with government entities are often targets for cyberattacks, especially small and mid-sized organizations.
These organizations handle Federal Contract Information (“FCI”)[1] and Controlled Unclassified Information (“CUI”)[2] as part of their contract terms, which the Department of Defense (“DoD”) has become increasingly concerned about protecting.
To shield the sensitive information handled within the supply chain, the DoD revamped the Cybersecurity Maturity Model Certification (“CMMC”), which is now mandatory for any business that is part of the Defense Industrial Base (“DIB”).
Any contractor or subcontractor that fails to become CMMC compliant will not be able to bid for future DoD contracts.
BAE Networks is scheduled to be the first MSP in Michigan with a Level 2 Certification. As a result, we possess thorough knowledge of CMMC, enabling businesses to understand the certification with confidence.
This is Your CMMC Starting Line
CMMC ELIGIBILITY & REQUIREMENTS
How do I know if I need CMMC and at what level?
Level 1: Required for businesses that receive payment from or invoice a federal entity.
Level 2: Reserved for organizations that handle CUI.
Level 3: Needed for organizations that work with critical CUI and are most prone to advanced persistent threats (“APTs”).

When will CMMC be required for DoD contracts?
CMMC will be rolled out in four phases, beginning sixty days after the DoD publishes 48 CFR, with CMMC expected to be fully implemented by Phase 4 (anticipated start of December 2027). It is anticipated that 48 CFR will be finalized in Q3 2025.

How long does it take to become CMMC compliant?
It varies by level and your business’ current IT posture. At a minimum, you should factor in 12 months for the overall prep work, including initial gap analysis, remediation, document prep, and team training.

Are foreign support vendors eligible?
While foreign vendors may be eligible for CMMC, they’ll need to meet the same requirements as U.S. contractors. They’ll likely have additional requirements depending on data access and geopolitical concerns.
UNDERSTANDING THE CERTIFICATION PROCESS
Does CMMC self-certification exist?
Self-certification is allowed for organizations bidding on Level 1 contracts. Level 2 may allow self-certification in some cases, but whether it applies depends on many variables.
Who conducts the assessment?
Certified assessments are conducted by Certified Third-Party Assessor Organizations (“C3PAOs”), which are listed on the CyberAB Marketplace. These organizations employ trained assessors authorized to conduct formal evaluations.
How often are assessments required?
Level 1: Self-assessment annually (subject to rule finalization).
Level 2: C3PAO assessment every 3 years, with annual affirmations in between.
Level 3: Government-led assessment every 3 years.
BUDGETING AND PLANNING
How much should we expect to spend?
Costs vary depending on your current maturity level and scope:
Gap Analysis & Consulting: $5,000–$25,000+
Remediation (tech, process, training): $10,000–$100,000+
Assessment Fees (C3PAO): $30,000–$100,000+ depending on complexity
Is there funding available for CMMC compliance?
Yes. BAE Networks is widely connected with organizations helping small and mid-sized businesses receive funding to achieve compliance. The aerospace, defense, and manufacturing industries must stay in Michigan, and working together to secure funding helps that happen.
What 5 things can a business do to best prepare for a CMMC assessment?
1. Identify where FCI/CUI resides in your systems
2. Conduct a gap analysis vs. CMMC requirements
3. Remediate technical and policy gaps
4. Document everything (Standard Operating Procedures [“SOPs”], policies, System Security Plan [“SSP”], Plan of Action and Milestones [“POAM”])
5. Engage a consultant or C3PAO early for scoping
TAKING ACTION
How do I become CMMC compliant?
1. Gap Assessment – Map current practices to CMMC controls
2. Remediation – Address deficiencies (tools, processes, training)
3. Documentation – Create SSP and POAM
4. C3PAO Engagement – Schedule assessment for Level 2
5. Ongoing Monitoring – Maintain compliance with continuous improvement
Navigating CMMC requirements can be complex, but going it alone isn’t your only option. Contact BAE Networks today to schedule a consultation so we can begin your CMMC compliance journey with confidence.
RESOURCES:
[1] FCI is any information “provided by or generated for the Government under a contract” that is “not intended for public release”, per FAR 52.204-21.
[2] CUI is defined as information that “an entity creates or possesses for…the Government” that requires the entity to “handle using safeguarding or dissemination controls”, per 32 CFR § 2002.4(h).