If your company does business with the US Department of Defense (DoD), you will soon need to pass an independent assessment against Cybersecurity Maturity Model Certification (CMMC) requirements to bid on contracts. This mandate impacts all suppliers at all tiers across the Defense Industrial Base (DIB), from prime contractors to SMB subcontractors, as well as commercial item contractors and foreign suppliers.
First released in January 2020, the CMMC is the DoD’s response to significant and ongoing exfiltration of sensitive defense information from suppliers’ systems. CMMC compliance will gradually be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) as a requirement for contract award. It does not discard NIST SP 800-171; rather, it replaces the current model of self-attested NIST SP 800-171 compliance with third-party verification and adds practices on top of that baseline.
The CMMC’s purpose is to verify appropriate cybersecurity controls to ensure basic “cyber hygiene” for all DIB suppliers, and to protect Controlled Unclassified Information (CUI) on the systems of suppliers authorized to handle CUI. By defining five compliance levels to better match a supplier’s actual risk profile and the data it handles, the CMMC also “right-sizes” SMB cybersecurity requirements.
Why is CMMC important for Primes and Subcontractors?
The CMMC is vitally important to all DoD contractors for two major reasons:
- Your company will not be able to participate in DoD contracts that mandate CMMC compliance unless it is certified to the CMMC level specified in the contract’s solicitation. While the CMMC rollout will be gradual, starting in early 2021, many DoD suppliers will want to be “provably compliant” (if not formally certified) as soon as possible. Proactive CMMC compliance will confer significant competitive advantage, as prime contractors will be looking very closely at partners’ security postures as they assemble capture teams.
- The DoD considers that a state of cyber warfare exists between the US and nation state adversaries. By compromising key systems and exfiltrating sensitive intellectual property, CUI, and other data, adversaries have significantly reduced US military-technical superiority on the battlefield. Thus, the extent to which the DIB can protect sensitive data directly impacts US national security and its warfighting capability.
CMMC framework overview
The DoD’s current cybersecurity regime, which allows suppliers to self-attest to compliance with the NIST SP 800-171 standard, has proven ineffective. This is why the CMMC requires DoD prime contractors and their subcontractors to undergo third-party assessments to verify compliance.
The five CMMC levels go from Level 1 (Basic Cyber Hygiene, the minimum requirement for any firm participating in DoD contracts, consisting of 17 practices that match the basic safeguarding requirements already in the FAR) up to Level 5 (Advanced, designed to protect high-value data from advanced persistent threats (APTs)). CMMC Level 3, “Good Cyber Hygiene,” is the level most suppliers that handle CUI will need: it contains all 110 NIST SP 800-171 controls plus 20 additional practices, for 130 in total.
Each of the five CMMC levels also defines a set of processes and practices that relate to all the CMMC domains (equivalent to “control families” in NIST 800-171) at that level. The levels are cumulative: to pass an assessment for certification at a given level, a supplier must show that it has operationalized the processes up to and including that level (for example, practices must be documented at Level 2 and managed under a resourced plan at Level 3), and has also put into place every practice at that level and below. Unlike a NIST SP 800-171 self-assessment, a CMMC assessment does not accept Plans of Action and Milestones (POA&Ms) for unmet practices; each practice must be in place at the time of the assessment.
How Much Will CMMC Certification Cost?
CMMC assessment costs will vary with a range of factors, including:
- The CMMC level specified in the contract(s) you want to pursue
- The maturity of your current IT and cybersecurity infrastructure in relation to your desired CMMC level
- The size and complexity of your organization (number of locations, etc.)
- The volume and scope of the CUI you handle (how many people handle CUI, how much CUI you exchange with other DIB companies or government agencies, how many databases store CUI, etc.)
- Any consulting costs and other hiring/outsourcing costs associated with preparing for the CMMC assessment
- Expenses to meet specific CMMC requirements; e.g., the costs to make your email and file sharing systems CMMC compliant or move to “government cloud” versions
- The cost of engaging a certified assessor through a CMMC Third-Party Assessment Organization (C3PAO), which will be driven largely by market forces
Of course, what the DoD considers “allowable costs” (which could include the audit costs plus many of the above preparatory costs) will be a big factor in final costs. Allowable costs are expenses that may be charged to the government, directly or through a contractor’s indirect rates, under the cost principles that govern a contract. The Office of the Under Secretary of Defense for Acquisition & Sustainment has stated that “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” This is expected to include assessment and preparation services, remediation efforts, etc. One caveat: “allowable” does not mean the DoD writes a check for the expense; a supplier on firm-fixed-price work recovers it only through its pricing, and a subcontractor recovers it only to the extent the prime passes it through.
Based on well-informed estimates, a “typical 250-person engineering/manufacturing firm” that has “a reasonably mature, NIST SP 800-171 compliant” environment today and is pursuing CMMC Level 3 certification can expect to pay $15,000 to $35,000 in consulting costs for a CMMC gap/readiness assessment, plus up to $10,000 for gap remediation support.
Hard costs to meet requirements can vary widely. For example, the cost to migrate from the commercial version of Office 365 to an Office 365 for Government plan could be $50,000 or more in consulting costs alone, while the cost to add end-to-end encryption to an existing O365 environment could be much less. Which path is available depends on the type of CUI you handle: export-controlled data (e.g., ITAR) generally has to be kept in a government cloud with US-person support staff, whereas other CUI can often stay in a commercial tenant that is configured and encrypted appropriately. Scoping this before buying anything is the cheapest step of all.
As noted above, market forces will effectively set audit costs. However, the DoD has asserted that it wants CMMC certification to be affordable to SMBs. An educated estimate on audit costs for a company similar to the above would be in the $20,000-$30,000 range.
Companies that have less mature environments and are further from NIST SP 800-171 compliance today will need to spend more on consulting and on investments to prepare for certification (e.g., multifactor authentication, mobile device management, log monitoring, security awareness training, etc.). Costs could vary widely, from $20,000 up to $60,000 or even $100,000.