The Cybersecurity Maturity Model Certification (CMMC) will soon be required if your company has a contract with the Department of Defense (DoD). As the CMMC evolves, primary and sub-contractors, need to plan accordingly and begin to execute their strategic planning. Contractors have been able to self-assess their own security posture prior to CMMC, but that privilege is coming to an end.
Once the CMMC begins to show up in contract requirements, contractors of the DoD will be required to use a CMMC Third-Party Assessor Organization (C3PAO) to assess their security program implementation. All contractors will eventually need CMMC certification to be awarded new DoD contracts, once CMMC is fully in place across the Defense Supply Chain.
The cost of obtaining CMMC certification can be quite high, based on a few specific scenarios, for many organizations who make up the Defense Industrial Base (DIB). Specifically, the level of CMMC that is required, will have a significant impact on the costs to comply for organizations within the DIB.
Failure to achieve the required CMMC level also has its own costs for DoD contractors, including fines, loss of current contracts or not being allowed to bid on future contracts. But for this article, we’re going to dive into a few specific areas that contractors should be aware of.
Beryllium InfoSec Collaborative can help you reduce those costs with a free consultation and demonstration of services. Contact us today by filling out our online form or call 763-546-8354 to speak with a CMMC advisor today.
CMMC is a cybersecurity standard that all members of the Defense Industrial Base (DIB) and defense supply chain must meet in the near future, to be awarded new contracts from the DoD. It’s designed to protect DoD information and prevent security breaches and is strongly based on NIST 800-171, the current standard for the defense contractors who hand Controlled Unclassified Information (CUI).
The change from self-assessment to 3rd party assessment by a C3PAO is one of the biggest differences between the two standards and the main reason that cost of CMMC certification, is more likely to be more expensive to obtain than NIST-800-171. The cost of CMMC compliance is a separate cost that the DoD expects its supply chain to comply with.
The CMMC framework consists of five maturity levels in a hierarchical structure such that Level 1 is the lowest level, and Level 5 contains the complete set of CMMC requirements. Each level has the preceding level’s requirements, in addition to new requirements. Furthermore, an organization must meet the requirements of each level before it can advance to the next level.
This structure of CMMC levels provides a qualitative measurement of a contractor’s ability to protect sensitive government information resulting from its DoD (and likely all government) contract. The cost of complying with CMMC also increases significantly with higher maturity levels.
The three main factors in determining the cost of CMMC certification, include; non-recurring engineering costs, recurring engineering costs, and average assessment costs. The total assessment cost is the sum of these three costs and is usually measured on an annual basis. Additional costs of CMMC compliance implementation include consulting costs, costs of preparing for the CMMC audit before the costs of the audit itself can be factored into the overall costs an organization can prepare for.
The actual cost of CMMC depends on a number of factors such as the current maturity of your NIST 800-171 compliance and the CMMC maturity level you need. The DoD expects compliance with NIST 800-171 to already be fully in place, as it’s a current requirement. So, when looking at the costs of CMMC specifically, the costs of NIST 800-171 aren’t factored in when the DoD provides cost “estimates,” because those requirements should be in place today, per DFARS 252.204-7012. Due to the lack of compliance across the DIB, CMMC is the DoD's way of verifying that cybersecurity becomes foundational to organizations making up the defense supply chain.
Other factors, such as your organization’s size, number of geographic locations, and whether it requires external support are also significant cost factors. The scope of your Controlled Unclassified Information (CUI) is another driving factor for cost, including the applications, databases, and locations that process and store CUI. It’s also strongly influenced by the number of people in your organization who need to handle CUI.
As mentioned above, these factors are highly dependent on whether your organization is reasonably compliant with NIST 800-171. This discussion can be further simplified by assuming your organization needs CMMC Level 3, due to currently having DFARS 252.204-7012, 7019 or 7020 in your contract, which will initially be the most common maturity level across the defense supply chain.
Most contractors will want to conduct a CMMC gap assessment and compare it to their NIST 800-171 gap assessment, followed by a true CMMC readiness assessment, before the audit by a C3PAO. A gap assessment is different from a readiness assessment, as a readiness assessment is where your company would be extremely confident that everything is in place from a CMMC perspective.
A typical engineering or manufacturing contractor with 250 employees in several locations will manage its NIST 800-171 program from a central location. A gap assessment for such an organization can cost, approximately, between $15,000 and $35,000, which is often comparable to the cost of an ISO 27002 gap assessment.
A gap assessment will cost more for contractors that require support for gap remediation. In the case of a mature organization, this cost can be less than $15,000. However, a contractor with a low level of maturity can expect a gap assessment to cost more than $25,000.
This cost is most likely to apply to contractors that don't have a current Risk Assessment and System Security Plan, as additional efforts will be identified from the assessment results. Additional reasons for the significant price range of the CMMC gap assessment is due to the level of depth needed to interview, demonstrate, and provide audit artifacts in order to comply with CMMC Assessment Objectives.
A reasonably mature organization, with respect to preparation for a C3PAO assessment, would have made significant investments in security, including endpoint protection, multi-factor authentication (MFA), and log monitoring (to name a few).
Mature organizations may need to invest much less to prepare for a C3PAO assessment, depending on their current environment. However, if they are using traditional cloud environments like G-Suite or Office 365, the cost of implementation, documentation, and validating can greatly increase based on initial configurations.
Many contractors with a perceived sense of high maturity level, who use commercial versions of G-Suite or Office 365, will not achieve the level of maturity needed for CMMC Level 3. Contractors using these services will need to migrate to the government cloud versions, which could cost anywhere from $50,000 to $250,000 before costs of documentation and configuration are factored in. Furthermore, the monthly fees for these services can be double or even triple that of their commercial versions.
The hard costs of a CMMC audit are more difficult to estimate than the other CMMC costs because the audit process doesn't have formal guidance yet. However, it's a fairly safe guess to assume that this process will be a fully defined audit program that includes components such as questions to ask, information to gather, standard sampling rates and a specified reporting format.
Assuming this to be the case, the hard costs of an audit hopefully will be consistent across C3PAOs, with a range between $20,000 and $60,000. Since C3PAOs will dictate pricing across the industry, the hope is Organizations Seeking Certification (OSCs) will be more prepared, vs not, thus making the actual certification audit process as efficient as possible.
Time will tell as more C3PAOs are authorized and certification audits become readily available.
Organizations that lack maturity for NIST SP 800-171 compliance will need to begin their journey towards CMMC compliance with a CUI scoping exercise and risk assessment. The purpose of these tasks is to minimize the scope of changes and associated costs by providing a gap assessment with the proper context.
Each CMMC maturity level has many new cybersecurity requirements when it comes to showing process objectives (along with some new practice objectives at level 3 and above). These are in addition to NIST SP 800-171, which make up the majority of the practice objectives. The cost of obtaining a particular level is significantly greater than that of the levels below it, based on these differences.
CMMC Level 1 requires organizations to implement basic security protocols to protect Federal Contract Information (FCI). This type of information is generated or provided by the government but isn't intended for public release. The protocols at this level include standard password protection and regularly updating antivirus software.
The next step after establishing basic protocols is to implement practices that protect CUI. NIST 800-171 outlines these practices, which generally require contractors to establish documentation policies that assist employees in complying with required security practices. CMMC Level 2 is a transitional level, meaning that organizations typically obtain this level solely for the purpose of advancing to CMMC Level 3.
CMMC Level 3 focuses on implementing all the NIST 800-171 controls. It also adds incident reporting as a requirement, so contractors must develop and maintain a plan for implementing these protocols. In addition to describing an organization's cybersecurity goals, this plan may also include information on training employees and the resources that such a program requires.
Contractors seeking to obtain CMMC Level 4 must review their cybersecurity practices and measure their effectiveness. This process allows contractors to identify vulnerabilities in their systems and take appropriate corrective action.
Contractors at this maturity level also report recurring issues and their status to higher levels of management. Level 4 also adds additional controls and implements more best practices.
Level 5 requires organizations to implement their security practices across their entire infrastructure, including networks and connected systems. It also implements more measures for protecting CUI.
It's only possible to roughly estimate the total cost of CMMC at this time because the final guidelines for this process are still being developed. As mentioned at the beginning of this article, there’s a difference between “the cost of CMMC compliance” and “the cost of CMMC Certification.”
However, it's already clear that maturity level will directly affect the cost. Katie Arrington, Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense Acquisition & Sustainment, estimates the cost for CMMC Level 1 to be between $3,000 and $5,000. These costs are with the assumption that previous requirements are already in place, such as FAR 52.204-21.
Higher maturity levels will cost more due to the additional activities required for each level. The time and other resources that contractors will need to invest in the implementation of required protocols is a major reason for the cost increase for each level. For example, Level 3 requires 20 new practices and 3 new processes over Level 2.
CMMC compliance will also include recurring costs because contractors must be re-certified at regular intervals, depending on the maturity level. As it stands today, in general, CMMC certifications will be valid for 3 years. Fortunately for contractors, the cost of the initial certification may be reimbursable, as DoD has discussed making it an “allowable cost” that the contractor can bill to the DoD.
Remediation costs, however, are likely not going to be allowable expenses. The costs of meeting the current requirements and standards aren't allowable expenses. There’s still some grey area, which we expect the DoD to formally address in the near future.
The following chart from National Defense Magazine estimates the annual CMMC costs for each maturity level:
The total annual assessment costs for each maturity level are as follows:
These are very rough estimates, again, based on OSC’s being prepared by having NIST 800-171 fully implemented, as well as having met the additional CMMC requirements, making the audit process far more efficient.
CMMC can be an expensive process, albeit a necessary one if a contractor wants to continue doing business with the DoD. That said, it doesn’t need to be as expensive if OSCs takes proper planning and preparation measures and implement the requirements correctly.
The specific maturity level that a contract requires is one of the biggest cost factors, but a contractor’s existing security posture will also have a great effect on the total cost of obtaining CMMC success. In addition to the initial cost of certification, contractors must also consider its recurring costs for the future, when bidding on a contract.
Beryllium can help your organization reduce its CMMC costs by providing a free consultation with our cybersecurity experts. We can also help you avoid fines or the loss of a contract by implementing all the NIST 800-171 controls. Contact us online or call 763-546-8354 today to learn how we can help.