Companies that do business with the U.S. Department of Defense (DoD) will soon be required to pass an independent assessment for CMMC requirements to be able to bid on government contracts. Suppliers at all tiers across the Defense Industrial Base (DIB) will be impacted by this mandate, such as prime contractors, subcontractors, commercial item contractors, and foreign suppliers.
While there are many aspects to consider when approaching CMMC certification, one of the most common relates to cost. CMMC certification can be a costly but necessary expense for any business that wishes to continue bidding on projects. Learn more about CMMC, how much CMMC certification costs, and how businesses can avoid the hefty fines and penalties associated with noncompliance.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was released by the DoD on January 31, 2020. This unified standard applies to more than 300,000 businesses in the supply chain and outlines requirements for implementing cybersecurity across the DIB.
Before the release of the CMMC, contractors were responsible for implementing, monitoring, and certifying the safety and security of their information technology systems and the data they held. The CMMC has changed this by requiring contractors to undergo third-party assessments to ensure compliance with mandatory procedures, practices, and capabilities.
CMMC was recently revamped for the third time in five years. New, comprehensive standards for cybersecurity are now spread over three levels instead of the previous five. The updated three-level model is as follows:
- Level 1 – The first level is the “Foundational” level and features many of the same requirements as the previous model, including annual self-assessments. Level 1 requires 15 controls that are derived from FAR 52.204-21.
- Level 2 – The second level is the “Advanced” level and is based on Level 3 of the old CMMC model. Under Level 2, contractors must undergo an independent third-party assessment every three years from a certified third-party assessment organization (C3PAO).
- Level 3 – The third level is the “Expert” level and replaces Levels 4 and 5 of the previous model. Contractors must have government-led assessments. This level includes the 110 controls required for Level 2, as well as compliance with the controls in NIST SP 800-172.
How Much Does A CMMC Certification Cost?
CMMC certification is a new requirement that is still being finalized, so the total cost is yet to be determined. However, the cost of CMMC certification will vary by level and may be recurring; higher-level certification will likely cost more than lower-level certification.
The differences in cost between levels stem from the distinct activities each level requires for certification. This expense is also reflected in the financial resources and time that companies must invest to meet the required cybersecurity standards.
Factors that will drive the cost of CMMC include:
- The level of CMMC required. The majority of businesses will require either Level 1 or Level 2 compliance. At Level 1, businesses must meet 17 practices. This number expands to 110 practices at Level 2.
- The amount of Controlled Unclassified Information (CUI) the company handles. Contractors that work with the DoD may be responsible for handling CUI. The amount of CUI that a company handles will have a direct influence on cost.
- IT support resources available. The training and overall capacity of the current IT support will also affect cost. Some businesses may require massive improvements to their internal IT capacity to handle CUI.
- The size and complexity of the network. Companies that have a less complex network will often have lower costs compared to networks that are larger and more complex.
- Age of equipment. Older equipment is typically more costly to secure and maintain, which could drive up the cost of CMMC certification.
- Number of facilities. Businesses that have multiple facilities will often face higher costs due to greater complexity.
- Use of cloud-based apps. Although cloud-based apps may not necessarily make CMMC certification more costly, they can cause some companies to overlook important security elements.
According to Katie Arrington, Chief Information Security Officer for the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), a CMMC assessment for Level 1 will likely cost between $3,000 and $5,000. Costs will progressively increase for higher CMMC levels.
There are some things businesses can do to get ahead of these costs, such as determining the CMMC level necessary for the business and establishing a budget for the costs associated with certification. Contractors should also begin updating existing cybersecurity protocols to meet NIST standards and create a Plan of Action & Milestones (POA&M).
Schedule A Consultation With SeaGlass Technology
The cost of a CMMC certification is not yet set in stone and may increase as new requirements are introduced. For more information about CMMC certification or to schedule a consultation with an expert NYC IT services provider, contact SeaGlass Technology.