Since the U.S. Department of Defense (DOD) decided to implement the Cybersecurity Maturity Model Certification (CMMC) as its latest verification method for contractors and subcontractors, a lot of companies have been considering the cost estimate of the CMMC and the various cost points associated with its standard and certification. The CMMC framework, as an evolution of DFARS 252.204-7012 (NIST SP 800-171), requires attestation by an independent Certified 3rd-Party Assessment Organization (C3PAO).

The CMMC aims to address the need for improved cybersecurity within the Defense Industrial Base (DIB) supply chain infrastructure, by adopting stronger cybersecurity practices. What, then, would be the cost of the CMMC compliance for small and midsize businesses?

In this article, we will address the cost points associated with CMMC compliance and other variables like the size and locations of your business, CMMC level being assessed, and other factors that can influence these costs. We will also cover how you can manage your CMMC certification costs effectively. 

The Cost Points for CMMC Certification and Compliance

Below are the three main types of costs associated with DoD CMMC certification and compliance:

• Soft costs associated with preparing for the audit.
• Hard costs associated with preparing for the audit.
• Hard costs associated with the audit process.

Soft Costs Associated with Preparing for the Audit

The internal expenses and resources incurred during external consulting for Risk and Readiness Assessment are referred to as Soft Costs. Variables like the size of your business, the total number of locations, the CMMC level needed for the certification of your business, your company’s level of compliance with NIST 800-171 regulation, and the extent to which your company handles or processes Controlled Unclassified Information (CUI) all influences the total soft costs for CMMC certification and compliance.

For example, $0-10,000 is a reasonable estimate for soft costs if you have an up-to-date Risk Assessment and System Security Plan (a requirement of CMMC), which is a reasonably mature NIST SP 800-171 compliant environment. But you may require $10,000-$40,000 if you are in a less mature environment. . However, the overall soft costs estimate for CMMC depends on if your business model can conduct gap assessment services or if you need to outsource them.

Hard Costs Associated with Preparing for the Audit

The hard costs of CMMC certification may be reasonably low if your business operates in a mature NIST SP 800-171 compliant environment. You can be regarded as ‘reasonably mature’ if you have made substantial investments within the past five years in multi-factor authentication (MFA), endpoint protection, log monitoring/SIEM tools, etc.

If your business maturity is not up-to-date with NIST SP 800-171 compliance, there is a need to invest in technologies and different processes needed to meet the requirements and comply with the above maturity conditions. For example, you may need to spend very little on hard costs to get prepped if your business is reasonably mature and in need of CMMC level 3 certification.

But if your business isn’t reasonably mature and in need of CMMC level 3 certification, the hard cost here will depend on technologies to be implemented in your environment which may require mobile device management, log monitoring/SIEM,  multi-factor authentication, data backups, code review, and advanced email protection, etc. A fair hard cost estimate for a business that isn’t in a reasonably mature NIST SP 800-171 compliant environment is $20,000-$60,000.

Hard Costs Associated with the Audit Process

There are no official guidelines on how contractors and subcontractors should approach the audit process and complete the CMMC compliance process. This makes it difficult to estimate the hard costs associated with the audit process. We recommend a fully defined audit program with questionnaires for gathering facts, sampling rates, and a prescribed reporting format. The pricing for a typical standardized control assessment audit program is fairly consistent across certified 3rd-party auditors and may cost $20,000-$40,000.

Conclusion

The CMMC certification is a new requirement, the prices are high, and the total cost estimates for small and midsize businesses are yet to be specifically determined. However, it’s worth noting that a portion of the CMMC certification cost can be attributed to allowable costs which are reimbursable under the DFARS rules – collaborating with competent CMMC security experts will help to highlight several cost-effective and beneficial steps for the CMMC compliance process.

According to the Defense Acquisition Regulations System, the CMMC framework is designed to assess contractor implementation of cybersecurity requirements and to enhance the protection of unclassified information within the DOD supply chain. This implies that contractors must comply with the CMMC certification requirements or face civil and criminal litigations, and other penalties and fines levied against them.

To get ahead and effectively manage your CMMC certification costs, you need to first identify and decide what CMMC level is necessary for your business requirements; develop a fair estimate for your CMMC certification cost; and start updating your current cybersecurity maturity program to NIST-recommended standards. With a well-developed action plan and milestones that will ensure your business’ continued compliance to other cybersecurity requirements and CMMC certification, you can begin to make plans for the arrival of an independently certified 3rd-party auditor.

GoldSky Webinar touching on the Financial Considerations for CMMC

Financial Considerations for CMMC from GoldSky Security on Vimeo.