CMMC Audits Are Not a Suit of Armor

By Jeffery Mayger


Phishing is one of the easiest forms of cyberattack. With 3.4 percent successful phishing click rates, at least one person will click on anything. Eighty-one percent of hacking-related breaches leverage stolen or compromised passwords, according to Verizon’s latest cyber statistics.

Cyber immunity does not exist. How badly a company gets hacked depends on preparation, adoption of a security framework, and following best practices. A cybersecurity framework also provides a common language for discussing cybersecurity with all employees, including those who are not security-versed.

While excellent frameworks exist, a recent addition will have a significant impact — the Cybersecurity Maturity Model Certification (CMMC).

Granted, an audit spotlights compliance with internal controls and acts as a checklist to validate that the cyber policies an organization says it has are actually in place, but audits also assess whether proper security mechanisms exist and whether they comply with relevant regulations. Audits should not be confused with assessments. While audits check whether certain controls are in place, cybersecurity assessments evaluate how well those controls manage risk.

Since audits check controls, organizations need to ensure that their controls reflect best practices. From a security perspective, controls are the countermeasures that companies implement to detect, prevent and mitigate security risks.

Requests for proposals later this year will gradually mandate audit requirements and certifications. RFPs will specify CMMC requirements, and compliance will be a prerequisite to enter the bidding process. The sensitivity of the information exposed in the engagement, whether federal contract information (FCI) or controlled unclassified information (CUI), will drive the required level of CMMC compliance.

Level 1: Safeguard FCI.

Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI.

Level 3: Protect CUI.

Levels 4-5: Protect CUI and reduce risk of advanced persistent threats.

Depending on the anticipated information exposure, the RFP will point to a specific level. Organizations at Levels 4 and 5 have higher cybersecurity maturity requirements and therefore should be better able to protect information than organizations at Level 2. That is the intent.

Level requirements are cumulative, that is, Level 3 also requires compliance with Level 1 and Level 2 control requirements.

CMMC groups the controls into domains. For example, the domain “Access Control” contains 22 controls for Level 3 compliance, four in Level 1, 10 in Level 2, and eight in Level 3. In total, there are 130 Level 3 controls across the 17 CMMC domains. It is anticipated most contracts will require up to Level 3 compliance; less than 1 percent of RFPs are projected to require Level 4 or 5 certification.

A CMMC audit attests whether an organization meets the specified level requirements. Organizations seeking certification must engage a Third Party Assessment Organization (C3PAO) to perform a formal audit. Upon completion of the audit, the C3PAO issues a level certification based on the audit results.

A number of unresolved issues are making CMMC planning problematic for members of the defense industrial base.

For one, there are insufficient auditors for a base potentially exceeding 300,000 companies. The CMMC Accreditation Body has been slow to train and certify C3PAOs and CMMC assessors.

There are questions remaining about CMMC applicability to commercial-off-the-shelf products as well as applicability to subcontractors.

And there is confusion about reciprocity with other frameworks/standards such as FedRAMP or existing audits such as those from the Defense Contract Management Agency.

Winston Churchill quipped that an optimist sees opportunity in every difficulty, a pessimist sees difficulty in every opportunity.

One path forward is to incorporate CMMC now. The framework is readily available. While there are currently very few C3PAOs and certified assessors, many non-certified cybersecurity professionals are already familiar with CMMC and available to assist with its implementation, potentially accelerating eventual certification.

Under normal supply/demand conditions and for a typical Level 3 certification, organizations would incur certain CMMC-related costs. Consulting costs to perform a CMMC Gap Assessment are estimated at $15,000 to $30,000; the pricing is equivalent in scope to performing an ISO 27002 Gap Assessment — 130 controls in scope to achieve CMMC Level 3 vs. 114 controls for ISO 27002.

There are also costs for audit preparation. Estimates vary considerably depending on the organization’s cyber maturity and investments made in encryption, endpoint security, SIEM/log monitoring and other foundational cybersecurity capabilities.

And then there are audit costs, which are estimated at $40,000 to $60,000. However, this estimate reflects considerable uncertainty as guidance on performing an audit is preliminary at best.

Expenses should be recoverable based on contract type. For fixed-price contracts, indirect costs would be a part of the fixed price amount charged to the government. Cyber expenses may also qualify for the Research and Development Tax Credit, which supports companies integrating new cybersecurity technology. However, seek professional tax counsel on whether costs comply with the four-part criteria of the R&D Tax Credit.

Will CMMC help? It is likely to be effective against some but not all threats. Even amateur hackers with rudimentary skills can wreak havoc using readily available attack tools.

By following the CMMC framework, a collection of cybersecurity best practices, organizations can reduce exploitable vulnerabilities.

Jeffery Mayger provides cyber security advisory services at Concord, a consultancy for information technology integration and security services. He can be contacted at

Topics: Defense Contracting, Defense Department, Cybersecurity, Infotech

Comments (1)

Re: CMMC Audits Are Not a Suit of Armor

Jeffery, the CMMC Accrediting Body has been extremely consistent in declaring that they are doing assessments, not audits. I agree with you that the C3PAO reviews seem more audit-like than assessment-like, but they have been very specific in their outlook. I was calibrated for saying audit in a webinar and after that had to become more educated on the difference.

In this article you take the opposite stance. What are your thoughts on the AB's outlook? Vince

Vincent Scott at 10:18 AM