In November 2020, the US Department of Defense (DoD) implemented the Cybersecurity Maturity Model Certification, a new security requirement for their contractors and subcontractors. As we covered in the previous blog, CMMC unifies, expands, and replaces the existing cybersecurity requirements defined under NIST (the National Institute of Standards and Technology) and will be rolled out in phases between now and 2025.
The first thought of most contractors is likely to be “What will CMMC cost?” One of the key cost differentiators between the former NIST requirements and CMMC is the change from self-certification to mandatory third-party audit and accreditation. These audits will be carried out by certified CMMC Third Party Assessment Organizations (C3PAOs). When budgeting for the CMMC, businesses must account for the effort necessary to prepare for accreditation.
CMMC cost categories and factors
The main CMMC expenses fall into three categories: preparing for the audit, the audit itself, and maintaining standards. The amount of preparation necessary will depend on the CMMC level an organization needs to achieve, the scope of operations, and their current risk level and readiness.
Through scoping, risk assessments, and gap assessments, defense contractors can identify what needs to be done to attain CMMC and where costs can be saved. Following these procedures can prevent an expensive failed audit. They can be carried out via an in-house self-assessment or outsourced at a cost of between $15,000 and $45,000.
Assuming the organization is already meeting the NIST requirements and has kept up with risk assessments and system security plans, the costs to reach CMMC Level 3, the minimum level required to handle CUI (Controlled Unclassified Information), should be relatively low ($0-$10,000). If this isn’t the case, costs could lie anywhere between $20,000 and $100,000, or more.
Following a gap assessment, vendors can categorize the hard and soft costs necessary to prepare for their audit. Soft costs may include internal resourcing and external consulting, while hard costs include security hardware and software.
In cases where only part of a company deals with the DoD, data can be segregated to avoid having to apply and pay for CMMC controls company-wide.
CMMC certification cost
Although the CMMC certification cost is still undefined, estimates range from $3,000 to $6,000 for Level 1, and $15,000 to $40,000 for Levels 3-5. There has been conjecture that the cost of the CMMC audit may be classed as an allowable expense, meaning it can be billed to the DoD. Note that defense contractors will be re-audited for CMMC every three years, meaning resources must be dedicated to maintain standards in the interim.
How to get ahead of CMMC costs
Though costs remain vague, it’s important for SMBs to prepare for the upcoming changes. Steps to take include:
- Level determination
Before anything else, defense contractors need to determine which CMMC level is appropriate for their business. This will be affected by the type of contracts they wish to bid on.
Level 1 applies to contractors who deal with FCI (Federal Contract Information) on an ad hoc basis. With only 17 basic safeguarding controls to comply with and no requirement for documentation of processes, most contractors at this level will require little preparation for audit. Level 2 introduces strict process-documenting and is considered a transition level between 1 and 3.
Level 3 will be the likely target for most small-to-medium-sized vendors. This level focuses on the protection of CUI and requires contractors to meet, document, and manage all of the security requirements previously specified by NIST, plus 20 additional controls.
Levels 4 and 5 focus on the protection of CUI from APTs (Advanced Persistent Threats) and demand more sophisticated cybersecurity protocols.
- Budgeting and planning
After establishing their level, DoD contractors can begin budgeting for CMMC accreditation. This should include costs for preparation, auditing, and maintenance as discussed above. After carrying out a gap assessment, they can develop a timeline for bridging the gaps in their security and begin planning for their audit.
- Improving security controls
To avoid a failed audit, security controls should be established well in advance. Organizations may need to implement numerous security measures, such as advanced threat protection, end-to-end encryption, process documentation, SIEM (security information and event management), mobile device management, MFA (multi-factor authentication), log monitoring, and employee security awareness training.
Businesses using the commercial version of Microsoft 365 will also need to transition to GCC-High (Microsoft Government Community Cloud-High). For many, GCC-High will require a significant investment (expect to pay $30,000 just to set up the account). Alternatively, small contractors and sub-contractors can use end-to-end encryption services from PreVeil as a more pocket-friendly alternative for storing and sharing CUI.
Get help with CMMC
As an expert in regulatory compliance, Zeta Sky helps contractors prepare for the CMMC. For security and vulnerability testing, or guidance on CMMC self-assessment, schedule a Discovery Session. Also, sign up for our newsletter for CMMC and general cybersecurity updates.