How Much Will CMMC Certification Cost My Business?
The Department of Defense (DoD) is migrating to a new cybersecurity model designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its supply chain. The DoD’s Cybersecurity Maturity Model Certification (CMMC) will serve as the verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place across the DoD’s thousands of industry partners and suppliers.
CMMC is a new certification process designed to certify that contractors have the proper controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Model combines best practices from several cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one cohesive cybersecurity standard.
CMMC contains five levels ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component. Every organization that plans to conduct business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
For most organizations, there are likely going to be three primary costs to getting CMMC certified:
Soft costs to get prepared for the audit. This would include internal resourcing or external consulting costs.
Hard costs to get prepared for the audit. Here, suppliers would likely have expenditures to achieve a particular requirement such as a SIEM or two-factor authentication.
Hard costs for the CMMC audit itself. These costs would be for the Certified Auditor, and they will potentially be an “allowable expense.”
Below the costs are broken down in more detail.
Soft costs for getting prepared for the audit
Your actual costs will depend on a number of factors, including but not limited to the maturity of your current NIST SP 800-171 program, the size of your organization, whether you require external support, how many locations are involved, the CMMC Level you’re going for, and the scope of your Controlled Unclassified Information (CUI). CUI scope is how many geographic locations, systems, databases, applications, and networks store, process, or transmit CUI. To simplify, let's break the above into two buckets and assume CMMC Level 3, which is likely to be the most common target:
1. Organizations that have a reasonably mature SP 800-171 compliant environment
Consulting Costs: You will likely want to do a CMMC Gap Assessment, also called a Readiness Assessment. For a typical 250-person engineering/manufacturing firm with several locations whose 800-171 program is managed centrally, a reasonable estimate is $15,000-$35,000. That pricing is comparable to an ISO 27002 Gap Assessment, which is a reasonable proxy in terms of size and approach to CMMC Level 3 (130 controls), as ISO 27002 covers 114 controls. Differences between the upper and lower ends of the range have to do with sampling rates and whether technical testing is included in the work effort. If you require support for Gap Remediation, that can range considerably based on the findings. In a more mature environment, up to $10,000 is a reasonable estimate. If you are less mature than you thought, $10,000-$25,000 is a reasonable estimate. If you don’t have an up-to-date Risk Assessment and System Security Plan, you don’t have a reasonably mature environment.
Hard Costs for Prep: If you are reasonably mature, you likely will need to spend very little on hard costs to get prepared. It’s entirely reasonable to assume a few thousand dollars. You are not reasonably mature if you have not made notable investments in the last five years for items like endpoint protection, multi-factor authentication, log monitoring/SIEM, etc.
Hard Costs for Audit: This one is a bit harder because there is not yet any guidance for the audit process. One could assume that it will be set up like the Standardized Control Assessment from Shared Assessments, which is essentially a fully defined audit program including the questions to ask, artifacts to gather, sampling rates, and a prescribed reporting format. Assuming the audit program follows a model of this nature, the pricing across auditors should be fairly consistent. Estimate: $20,000-$40,000.
2. Organizations that don’t have a mature SP 800-171 compliant environment
Consulting Costs: You will likely want to start with a CUI Scoping exercise to minimize the scope and associated costs, followed by a Risk Assessment, which is itself one of the CMMC requirements. This will ensure you have the proper context for the Gap Assessment. For a typical 250-person engineering/manufacturing firm with several locations, a good estimate is $30,000-$50,000. That pricing is comparable to establishing the foundation of an ISO 27001 or SOC 2 information security program, which is a reasonable proxy in terms of size and approach. Differences between the upper and lower ends of the range have to do with current maturity, CUI scope, and project approach. If you require support for Gap Remediation, that can range considerably based on the findings. In a less mature environment, $10,000-$40,000 is a reasonable estimate. Taking this approach generates the required Risk Assessment and builds the foundational scope statement that is integral to the required System Security Plan.
Hard Costs for Prep: Cost here depends on what technology you have already implemented in your environment. CMMC Level 3 requires mobile device management, log monitoring/SIEM, security awareness training, multi-factor authentication, data backups, code review, and advanced email protection. Most viable organizations are going to have a fair number of these tools in place. Best case: $1,000-$5,000. Typical case: $20,000-$60,000. Worst case: $100,000. As an example, we spoke with a client at a 100-person firm that has a very mature NIST SP 800-171 compliant environment, which cost about $170,000 to achieve from scratch. This is consistent with the ranges discussed.
Hard Costs for Audit: As above, best guess: $20,000-$40,000.
The DoD did, however, announce that the costs to prepare for CMMC certification will be considered an “allowable cost.”
"Allowable costs are the expenses specified in a contract that can be billed back to the DoD for reimbursement."
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. This means that DoD contractors will now be able to get reimbursement for CMMC Assessment and Preparation Services as well as the remediation work that needs to be done to meet the appropriate level of cybersecurity controls specified in each contract.
The requirement for compliance will begin rolling out in the DoD acquisition strategy as early as June of 2020. At this time, CMMC is not expected to be retroactively required for existing contracts or their option years. It will, however, apply to not only prime contract awardees but also to all subcontractors and, eventually, all solicitations including Requests for Information (RFIs) and Requests for Proposals (RFPs). The CMMC Level will be outlined in either Section L or M and will be a Pass/Fail compliance requirement.
Re-certification will be required at least every three years, and it could be determined in future guidance that re-certification is required more frequently at Maturity Levels 4 and 5. Previously, compliance requirements related to DFARS 252.204-7012 and NIST SP 800-171 were only required for those who stored and/or processed CUI. As CMMC is rolled out to new contracts, every contractor, subcontractor, and/or supplier for the DoD will eventually be expected to receive a certification at one of the five levels outlined in the model. Higher risk contracts/programs will require a higher level of CMMC Maturity (Levels 4 and 5), with Level 3 being the minimum for any organization storing and/or processing CUI. Without the required level of certification for a particular solicitation, organizations will be deemed non-compliant and therefore not eligible to compete.
The most crucial step is to become familiar with the security requirements outlined in the model. The specific level to which a company is expected to comply will only be released in the contract solicitation process. Although some general preliminary guidelines have been disclosed publicly, they may be subject to change in the final version.
The CMMC effort is a significant change in the DoD acquisition process and will provide an overall improvement in securing the DIB and its supply chain. Interpreting and implementing the requirements may seem daunting but should be achievable with enough planning and preparation, especially for organizations that have already undertaken efforts to comply with DFARS 252.204-7012. All organizations working for and with the DoD will need to gain an understanding of the new security requirements and evaluate their strategy to comply. For organizations to begin or continue to do business with the DoD, it will be critical for them to identify potential gaps, establish a timeline for completion, and secure the right organizational resources to enable rapid implementation of the new model.
Acquiring CMMC certification is a critical factor for DoD contractors. Failure to become CMMC compliant will result in failure to obtain contracts. For many government contractors, the best way to meet the CMMC cybersecurity standards is to outsource the task to a qualified team. Keep in mind that contractors are required to obtain CMMC certification to hold any contracts with the DoD, so it is important to choose a service provider you can trust. By outsourcing your security framework to an experienced team, you will ultimately be more efficient, and you can focus on what you do best with less downtime.