How Can CT Manufacturers Qualify For A $35K CMMC Readiness CAP Grant?
If you’re among the many Connecticut manufacturers within the U.S. Department of Defense's supply chain that are having a difficult time swallowing the substantial cost of meeting CMMC compliance requirements, there is a financial lifeline available.
Manufacturers conducting all or some portion of their operations within the state are eligible to apply for a grant of up to $35,000 from the Connecticut Center For Advanced Technology (CCAT).
The grant is intended to help defray the cost of implementing the required security controls and undergoing an independent assessment to meet compliance and achieve certification with the Cybersecurity Maturity Model Certification (CMMC) 2.0, which went into effect in December.
Readiness costs for CMMC 2.0—including identifying the type of federal data you have, performing a gap analysis, implementing remediation controls, finalizing security control documentation, and getting assessed—can vary widely.
Most small to mid-sized organizations can expect to pay anywhere from $35,000 to upwards of $100,000, depending on the size and complexity of the business and its required CMMC level.
In this article, we’ll explore how manufacturing companies conducting some part of their business in Connecticut can potentially shave tens of thousands of dollars off of their compliance readiness expenses.
After reading this article, you will understand how you can qualify for the grant and what could potentially disqualify you.
What Is The CAP Grant In Connecticut?
Funding for the Cybersecurity Adoption Program (CAP) is made available largely through the Connecticut Department of Economic and Community Development's (DECD) Manufacturing Innovation Fund (MIF).
The Connecticut Center for Advanced Technology (CCAT) administers the CAP program.
CCAT is a nonprofit organization that serves as a central hub to support the state’s strong industrial base. The organization provides training and demonstrations to help manufacturers learn and adopt cutting-edge technologies.
Why Is CT Specifically Targeting Manufacturers For CAP Assistance?
Despite being one of the nation’s smallest states, Connecticut has a thriving industrial base that contributes significantly to the state’s economy.
In fact, manufacturing accounts for an estimated 11 percent of the state’s GDP, equaling that of Texas and Pennsylvania, and rivaling that of California, Georgia, and Utah (each at 10 percent GDP), according to research by media and data company Visual Capitalist.
The state boasts some of the nation’s manufacturing giants, including major submarine manufacturer Electric Boat (General Dynamics), Black Hawk helicopter manufacturer Sikorsky (Lockheed Martin), aerospace parts manufacturer Kaman Corporation, FuelCell Energy, and Stanley Black & Decker.
In fact, nearly 4,600 manufacturers call the state home, employing over 153,000 people, according to the Connecticut Business & Industry Association (CBIA). The state’s coffers rely heavily on these manufacturers, which generate a GDP of $41.7 billion for Connecticut, according to CBIA estimates.
Many of these businesses are also small and medium-sized contractors and subcontractors within the DoD's supply chain.
Because of the sector’s critical role in the state economy, Connecticut is offering grant funding to give these businesses, particularly those within the Defense Industrial Base (DIB), some financial relief for achieving CMMC 2.0 compliance.
What Are The Eligibility Requirements To Receive A CAP Grant?
The CAP grant is open to state manufacturing companies or related businesses that need to meet CMMC 2.0 compliance and assessment requirements for CMMC certification.
Eligible businesses with at least some of their operations in the state can apply for grants of up to $35,000 to ease the financial burden of CMMC preparation costs, including remediation, training, and system security plan (SSP) documentation.
Businesses can use the funding to cover half of their total project costs, up to the $35,000 maximum; they will be required to pay the other half themselves. Of that total, up to $10,000 can be used to offset the cost of having an independent audit performed by a certified third-party assessor organization (C3PAO).
Businesses can apply more than once for funding as long as the previous funding award was less than the $35,000 grant maximum.
It should be noted the grant eligibility guidelines stipulate that businesses are not eligible for funding if they have already signed a contract or made a deposit for CMMC preparation services.
However, any additional CMMC readiness work or assessments that a manufacturer has not yet signed a contract for would still be eligible for funding, as long as the other requirements are met.
As soon as CCAT receives a CAP application, an automatic email will be sent out to acknowledge receipt. Once that happens, businesses are allowed to proceed with hiring an outside company to guide their compliance journey.
Other CAP funding eligibility requirements:
- Be registered with the Connecticut Secretary of State as a recognized business for at least 3 years and be generating manufacturing revenue
- Be located in Connecticut or in the process of moving some or all of your manufacturing operations here
- More than half of your revenue must come from the sale of products that you make or from allied services provided to your business
- Must have no fewer than 3 full-time employees and a maximum of 300 employees in Connecticut
- Total proposed project value must be at least $5,000
- Any previous funding you received from the program must be less than $35,000
- Proposed projects must be completed within a 12-month period
- Must hire a third-party vendor or IT service provider to do the compliance preparation
- Must be in good standing with both the CT Department of Revenue Services and CT Department of Labor and other relevant state or local agencies when you apply
How Much Will It Cost To Become CMMC 2.0 Compliant And Get Certified?
Total costs will depend on a number of different factors. Those factors include an organization’s size and infrastructure complexity, current cybersecurity posture, required CMMC level, and the external third-party IT service providers and assessors hired to assist with meeting compliance.
Contractors and subcontractors at the three CMMC levels must satisfy security and assessment mandates for each level.
Level 1 businesses that handle federal contract information (FCI) only need to implement foundational cybersecurity measures.
Organizations at Level 2 and Level 3 that handle controlled unclassified information (CUI) are required to meet the more stringent 110 security controls taken from NIST SP 800-171. Level 3 businesses will have to satisfy up to an additional 24 security controls based on NIST SP 800-172.
Each level also has different assessment requirements. Level 1 businesses are permitted to perform a self-assessment, while most Level 2 businesses will be required to undergo an independent assessment by a certified third-party assessor organization (C3PAO).
Level 3 businesses must get assessed by federal auditors through the Department of Defense's (DoD) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
According to the DoD, small to mid-sized Level 1 organizations can expect to spend around $3,000 to $6,000, on average, for their annual self-assessments and self-attestations.
Small to mid-sized Level 2 organizations can expect to spend anywhere from $37,000 to more than $50,000 for their third-party audit.
Total CMMC readiness costs can top $100,000 for some businesses. For instance, a gap analysis alone can cost manufacturers with about 250 employees an estimated $15,000 to $35,000.
Large enterprises can expect to pay anywhere from $500,000 to more than $2 million to get CMMC compliant and certified.
Keep in mind that depending on the location of the C3PAO hired to perform the Level 2 audit, businesses may also have to budget for covering travel and accommodation expenses incurred by the assessment team to perform onsite work.
Besides the state grant, there may also be federal grant money available.
Contractors and subcontractors can contact The Cyber AB for information about other potential funding sources. The Cyber AB is the non-government organization chosen to oversee the CMMC program.
The organization’s website also features the official CMMC Marketplace of approved assessors as well as information about other third-party managed IT service providers (MSPs) who are available to provide strategic guidance and readiness support services.
Keep in mind that businesses cannot use the same C3PAO that is doing their assessment to also handle their CMMC readiness process.
The Bottom Line: Financial Help For Manufacturers Seeking CMMC 2.0 Compliance
Becoming CMMC 2.0 compliant is mandatory in order to maintain your DoD standing, existing contracts, and eligibility for future DoD contracts.
After reading this article, you now know what the parameters are to qualify for a CAP grant with the state and what to be aware of before signing on with any external IT service provider to begin any CMMC compliance-related work.
We write articles like this to provide useful information to help you make the best IT decisions for your business.
Kelser has decades of experience helping small and medium-sized businesses become compliant with various regulations, including HIPAA, NIST, and DFARS.
If you haven’t started on your CMMC compliance journey, or you’re unsure how to begin, we’re here to help.