As your CMMC consultant, we’ll perform a thorough CMMC gap assessment, provide an achievable roadmap to addressing cybersecurity gaps, and support you throughout CMMC implementation.
At Business Transformation Institute (BTI), we understand CMMC can be challenging to implement, but we’re here to support you. With our comprehensive CMMC compliance consulting services and technical expertise, we’ll help you define an actionable, cost-effective path toward compliance.
Whether you’re preparing for a CMMC assessment, are ready for an assessment now, or want to get trained in CMMC, we’ll meet you where you are. We offer CMMC services for every stage of the journey:
As your CMMC consultant, we’ll perform a thorough CMMC gap assessment, provide an achievable roadmap to addressing cybersecurity gaps, and support you throughout CMMC implementation.
As an Approved Training Provider (ATP) recognized by CAICO, we’re qualified to provide CMMC training courses and help your team quickly learn the fundamentals.
We conduct official CMMC assessments as a Certified Third-Party Assessment Organization (C3PAO) authorized by The Cyber AB. Please note that we cannot perform an official assessment if we provide CMMC consulting services due to conflict-of-interest rules.
Finding a trustworthy, qualified partner to lead you to compliance is often the first step of CMMC — and it’s not always easy. While many individuals can provide CMMC services, few are authorized to support the Intelligence Community contractor community at the highest level.
That’s not the case with BTI. Unlike our competitors, we are authorized to conduct business at the highest levels of government information sensitivity. Our team is well-versed in the most stringent security controls. We provide comprehensive services for those who serve our Nation’s most critical national security programs.
No matter your desired CMMC level, we encourage you to contact us for assistance. Here’s why:
Partnering with BTI for CMMC compliance has many advantages for your business:
We get it — CMMC is complex and difficult to navigate without guidance. We assure you that compliance is attainable with a qualified CMMC consultant.
CMMC encompasses security requirements for handling FCI and CUI, structured around different certification levels. It was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment in partnership with DoD and other stakeholders. The first version featured five CMMC levels, while version 2.0 has three.
In short, if you do business with DoD, you need to comply with CMMC. Specifically, if you store, transmit, or process CUI or FCI on a non-federal system, you will most likely need to achieve compliance with one of its levels.
For most DoD contractors, CMMC will be implemented as new contracts are solicited and awarded after the CMMC and DFARS final rules become effective. CMMC will be required for all prime and subcontractors, so if you are a sub you will need to work with your prime to understand who is responsible for what.
For example, if you have a contract that is currently in place but is up for recompete in 2025, that is when CMMC will likely come into scope for your organization. When you submit your proposal, you will also submit proof of your compliance with CMMC. That means if your organization is not already meeting the standard, you need to begin preparing for implementation now. Preparing for a third-party CMMC assessment can take several months, depending on your organization’s needs. Planning, scheduling, and undergoing the actual assessment also takes time.
Keep in mind that if your organization fails its CMMC assessment, you will not be able to bid on DoD work. Be sure to schedule your assessment far enough in advance, so you have recovery time if you need to plan a second assessment or address CMMC-related minor fixes, called Plan of Actions and Milestones, or POA&Ms.
Phase 1 of CMMC Program implementation begins when the 32 CFR Part 170 rule becomes effective on December 16, 2024. It will end one calendar year later, at which point Phase 2 will begin.
During Phase 1, the DoD can add CMMC requirements to requests for proposals or contracts for any work that will be awarded or begin at the start of Phase 2. In other words, a requirement to have CMMC Level 2 can be added starting December 16, 2024, as long as the requirement isn’t enforced until December 15, 2025.
The DFARS 48 CFR rule, which requires the use of a third-party assessment organization, is anticipated to be published in March 2025. The requirement to use a third-party assessor isn’t yet known but will be either six months or one year after the final 48 CFR rule is published.
The CMMC level you need to achieve depends on the type of information you handle, how sensitive it is, and your contractual clauses. There are three CMMC levels:
If you handle FCI and not CUI, you will require a CMMC Level 1 self-assessment. Remember that FCI is any Federal Contract Information, so if you have a contract with DoD or are a subcontractor to a DoD prime contractor, you are in-scope for CMMC and will need to self-attest that you meet the 15 NIST SP 800-171 practices in CMMC Level 1.
Companies that have a low risk of ever encountering CUI, like those doing landscaping or serving food at a DoD facility, will likely never have to leave CMMC Level 1.
CMMC Level 2 is for any DoD contractor or subcontractor that handles CUI. Level 2 brings all 110 NIST SP 800-171 practices and DFARS 252.204-7012 security requirements into scope. It requires a CMMC Level 2 C3PAO Assessment, which means an accredited outside organization must assess your CMMC Level 2 implementation.
CMMC Level 2 is a prerequisite for Level 3. Contractors needing to achieve CMMC Level 3 must meet all of Level 2’s requirements, plus 24 enhanced security requirements from NIST SP 800-172. The DoD has said that only a small subset of DIB companies will require it, but those that do will need a CMMC Level 2 third-party assessment for the NIST SP 800-171 practices and a direct federal government assessment for the NIST SP 800-172 practices.
Depending on your organization’s size (small, medium, or large) and the required certification level (1 to 3), Defense Industrial Base (DIB) companies should anticipate allocating between $25,000 and $250,000 annually to achieve and maintain the right CMMC level of compliance. Many factors impact the cost of CMMC certification and can lead to significantly higher or lower CMMC-related expenses, including the complexity of IT infrastructure, the need for third-party assessments, and the degree of cybersecurity maturity already in place.
