CMMC is an enterprise challenge — not just an IT challenge.
This is a platitude many in the CMMC ecosystem have preached for some time. However, it is also a statement that's typically made in the context of implementing CMMC-compliant processes, such as documentation upkeep or shop-floor operational changes.
Rarely do we as consultants expound on why we view CMMC as an enterprise-wide undertaking beyond the scope of the departments actively implementing compliance activities. To this end, this blog will focus on efforts required to effectively negotiate contract specificity and cost compensation. Few, if any, assessment objectives are truly actionable by a contracts department; but a contracts arm well-versed in the CMMC framework (and its many governing regulations) presents a crucial gatekeeping mechanism with the potential to impact operations for years to come.
As the DoD’s mechanism to safeguard Controlled Unclassified Information (CUI) in contractor information systems, CMMC has made waves in the Defense Industrial Base (DIB). In some cases, those waves may be large enough to sink the contractor ship. However, the DoD expects all contractors processing, storing, or handling CUI to weather stormy seas, whether your company is a kayak or a super-freighter. While opting out of contract clauses is not an option, and ignoring them presents a ship-sinking risk, it is possible — and necessary — to adapt smartly with an understanding of the regulations.
In order to do so, companies must come to a mutually acceptable understanding of what it takes to be CMMC compliant, operationally efficient, and financially successful — and to write contracts that reflect this understanding.
Negotiate Timing
On December 16, 2024, 32 CFR 170 became effective. This rule provides all the details of the DoD’s CMMC program — except the wording of the contract provisions, clauses, and associated regulation detailing how CMMC is to be executed within DoD acquisitions. All of that information will be contained in the complementary 48 CFR rule. 48 CFR 204.75 and associated updates are expected to be published and effective by mid-2025.
What does this mean? It means that as soon as January 6, 2025, contractors who choose to become certified may begin assessments conducted by Certified Third Party Assessment Organizations (C3PAOs) and — if found compliant — receive official CMMC certification.
What does it not mean? It does not mean that CMMC requirements showed up in contracts on Dec 16. In fact, it should be somewhat rare, because the 32 CFR Rule section 170(e)(1) states:
"Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts."
A conversation with the Contracting Officer (KO) is needed to sort out the details of timing and implementation. If the inclusion of the clause is a mistake, dig in and lean on 32 CFR 170 to support your right to only self-report until certification requirements are recommended in contracts. If it is not a mistake, awareness of your company’s progress toward assessment readiness is highly advisable, as is awareness of your ability to actually schedule a C3PAO assessment. If the KO says you will eventually need to obtain a certification, ensure the language does not prevent award or threaten your contract post-award.
Key negotiating points on timing are the phased rollout from the regulation, limitations on the availability of assessors and assessments, and potentially allowing for self-assessment at Level 1 or 2 over the long haul.
Negotiate to Address Level-of-Effort and Cost
Imagine a customer sends you a contract for a few widgets. You could easily make these objects in your shop with standard tools, but the contract states you need to make them using multi-million dollar dedicated machines, which may require you to lease a new facility.
What would you do? What questions would you ask? Before agreeing to the requirements and potentially making such an investment, you would want to negotiate terms that reflect a level of effort and cost commensurate with the value of the contract, taking into consideration the value of future contracts, as well as the customer’s willingness to share the investment. This could also result in more clearly defining your capability and growth limitations for your customer.
In this example, the negotiation of seemingly overbearing contract requirements requires insight, communication, and caution. The same is true with CMMC. No company should agree to fulfill requirements without clarity and commensurate compensation. Information security requirements, including CMMC, now mean real money. The historical contracting practice of just saying, “We have IT, I am sure we are good,” is not going to work. Worse, it will set your company up for significant risk and potential financial liabilities.
A cautionary note: many factors impact level of effort and thus cost, including the clarity and specificity of your contract. Qualifying and quantifying your organization’s effort and costs will require, at a minimum:
specific knowledge of the CUI your contract will require;
This should be specified in your solicitation and contract documents — an actual list and description of CUI documents, data and information, as well as how to obtain or deliver it.
an understanding of CUI flow into, through and from your organization;
Your organization’s IT and operations folks must be made aware of contract requirements to determine this complex flow, including the people and technology encountering CUI.
Typically, a CUI Flow graphic and/or procedure is created to support this understanding.
In negotiations you might limit how the government or a prime contractor would send you CUI. Often this takes the form of only sending CUI to a specific, compliantly configured email address, or through a specified portal so that it can be properly secured.
an understanding of CMMC requirements and implementation options;
Your organization’s ability to limit effort and cost relies most heavily on understanding — in detail — what needs to be done and who needs to do it.
an understanding of cybersecurity regulations and frameworks;
Do not agree to a contract clause that contains more than the law allows, or that is far from industry standards. Contracting Officers and Program Managers are not typically IT or cybersecurity experts, and occasionally include frameworks and references that are completely irrelevant. For example, a NIST SP 800-53 clause would not apply to a civilian contractor, but we have seen it mistakenly make its way into DIB contracts before.
Every organization’s goal should be to match the level of effort to clearly detailed contract requirements. Doing more than necessary is inefficient, and doing less is risky. However, handling costs — even for the appropriate level of effort — may require a balancing act. Implementation and assessment options also come with varying cost structures and their own efficiencies. Initial demand for certification assessments will drive costs higher in 2025. Whether your organization seeks to recover these costs on a per-contract basis, or in longer term overhead and price adjustments, depends on all the typical inputs to your government pricing model and your competitive strategy.
The DoD needs the DIB to stay in business for many reasons and expects organizations to respond when necessary. As this new framework finally makes its way out to sea, it is in your best interest to hold KOs accountable for contract clarity and specificity. They shouldn’t be surprised to see higher prices, particularly for lower-value awards, where staying afloat is an issue.