The true costs of CMMC Level 2 certification go beyond what meets the eye. From technological upgrades to human resource expenses, administrative tasks to third-party assessments, the financial implications are far-reaching. This article digs into why government estimates underestimate these costs, breaking down the often-overlooked aspects of compliance. It sheds light on the long-term maintenance expenses and the hidden challenges that CISOs face when implementing NIST SP800-171 requirements across various endpoints, including platforms like Azure GCC High.
Overview of CMMC Level 2 Certification
The Cybersecurity Maturity Model Certification (CMMC) Level 2 represents a significant step in safeguarding sensitive information within the Department of Defense (DoD) supply chain. This level focuses on advanced cyber hygiene, creating a logical progression from Level 1 to Level 3. It encompasses the protection of both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) [1].
Key Requirements
CMMC Level 2 compliance involves implementing 110 controls across 15 domains, all derived from NIST 800-171 [1]. These controls are distributed as follows:
- Access Control (AC): 22 controls
- Audit and Accountability (AU): 9 controls
- Awareness and Training (AT): 3 controls
- Configuration Management (CM): 9 controls
- Identification and Authentication (IA): 11 controls
- Incident Response (IR): 3 controls
- Maintenance (MA): 6 controls
- Media Protection (MP): 9 controls
- Personnel Security (PS): 2 controls
- Physical Protection (PE): 6 controls
- Recovery (RE): 2 controls
- Risk Management (RM): 3 controls
- Security Assessment (CA): 4 controls
- System and Communications Protection (SC): 16 controls
- System and Information Integrity (SI): 7 controls
Achieving compliance requires a comprehensive approach, including the implementation of policies and procedures, technical controls, and robust education and training channels [1].
Assessment Process
The assessment process for CMMC Level 2 involves Third Party Assessor Organizations (C3PAOs) accredited by the CMMC Accreditation Body (CMMC-AB) [1]. These organizations employ certified assessors to evaluate an organization’s cybersecurity practices and controls against the CMMC framework.
The assessment includes:
- Review of existing security documentation
- Interviews with key personnel
- On-site inspections of systems and physical security
After the assessment, the C3PAO provides a report on their findings, which is then submitted to the CMMC Accreditation Body for review, evaluation, and certification [1]. The Department of Defense will have access to the assessment results and final report, but these detailed results will not be made public [2].
Timeline for Implementation
While the exact implementation timeline for CMMC 2.0 is still evolving, it’s expected to be codified by the end of 2024 and incorporated into contracts in Q1 2025 [3]. However, it’s crucial to note that NIST 800-171, which forms the basis of CMMC, is already a requirement today.
Organizations should not wait to begin their CMMC implementation plan. The path to compliance can be lengthy, involving several steps:
- Familiarizing with CMMC Level 2 requirements
- Conducting a comprehensive gap analysis
- Developing and implementing a remediation plan
- Allocating necessary resources
- Training staff on CMMC requirements and cybersecurity best practices
- Implementing required policies, procedures, and documentation
- Regularly reviewing and updating cybersecurity practices
- Engaging with CMMC consultants or C3PAOs for guidance
- Performing a self-assessment before the official CMMC assessment
- Scheduling the CMMC assessment with an accredited C3PAO [1]
It’s important to note that while the DoD intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place, there will be a baseline number of requirements that must be achieved prior to contract award [4]. Therefore, organizations should prioritize closing any security gaps to ensure they meet the minimum compliance requirements.
Breaking Down the Government’s Cost Estimates
The Department of Defense (DoD) has provided cost estimates for CMMC compliance, but these figures often fall short of the true expenses organizations face. To understand why, it’s crucial to examine the components included, calculation methods, and underlying assumptions in these estimates.
Components Included
The DoD’s cost estimates for CMMC compliance encompass several key components:
- Assessment Costs: These include initial assessments and recurring evaluations every three years.
- Affirmation Costs: Annual costs associated with affirming compliance.
- Implementation Costs: Expenses related to technical changes required to meet CMMC standards.
- Support Costs: Ongoing expenses for maintaining compliance, including staff and external service providers.
For a Level 2 CMMC assessment, the DoD estimates the combined cost of assessment and affirmation to be around $104,670 [5]. This figure, however, doesn’t paint the full picture of compliance expenses.
Calculation Methods
The DoD’s calculation methods for CMMC costs vary based on the certification level and organization size:
- Level 1 Costs:
- Small entities: Estimated at nearly $6,000
- Larger entities: Approximately $4,000
- Level 2 Costs:
- Small entities: Over $37,000 for self-assessment and affirmations
- Larger entities: Nearly $49,000 for self-assessment and affirmations
- Certification assessment: $104,670 for small entities, $118,000 for larger entities [5]
- Level 3 Costs:
- Small organizations: $490,000 in recurring engineering costs, $2.7 million in non-recurring engineering costs
- Larger organizations: $4.1 million in recurring engineering costs, $21.1 million in non-recurring engineering costs [5]
These calculations attempt to account for organizational differences, such as IT infrastructure complexity and the likelihood of outsourcing cybersecurity services.
Underlying Assumptions
The government’s cost estimates are based on several key assumptions:
- Pre-existing Compliance: The DoD assumes that organizations have already implemented the security requirements mandated by FAR clause 52.204-21 and DFARS clause 252.204-7012 [5]. This assumption significantly impacts the estimated costs, as it doesn’t account for expenses related to achieving baseline compliance.
- Organizational Differences: The estimates consider that smaller firms generally have less complex IT and cybersecurity infrastructures and are more likely to outsource these services [5].
- External Support: The calculations anticipate that organizations pursuing Level 2 assessments will seek consulting or implementation assistance from external service providers [5].
- Hourly Rates: The DoD estimates that an experienced IT professional capable of supporting CMMC compliance efforts would cost around $86 per hour [6].
- Implementation Timeframe: The estimates assume that implementation could consume at least one person’s full-time job for 12-18 months [6].
It’s important to note that these assumptions may not hold true for all organizations, leading to potential underestimation of actual costs. For instance, the annual full-time salary of an employee being paid $86.24 per hour would be around $179,000 [6], which is not explicitly factored into the government’s estimates.
Technological Costs Often Overlooked
When organizations pursue CMMC Level 2 certification, they often underestimate the technological costs involved. These expenses can significantly impact the overall budget and are frequently overlooked in initial assessments. Let’s delve into the key areas where technological costs tend to accumulate.
Hardware Upgrades
Many businesses find themselves needing to upgrade their infrastructure to meet the required security protocols set forth by CMMC 2.0 [7]. This can involve replacing outdated hardware that may not support the latest security features or adding new components to enhance system protection. The cost of these upgrades can vary widely depending on the organization’s current setup and the extent of changes needed.
Software Licenses
Implementing CMMC Level 2 requirements often necessitates the adoption of new software solutions or the upgrade of existing ones. This may include:
- Multi-factor authentication systems
- Encryption tools
- Vulnerability scanning software
- Incident response management platforms
It’s crucial to ensure that any encryption software used is FIPS 140-2 compliant, as this is a specific requirement for handling Controlled Unclassified Information (CUI) [8]. The licensing costs for these software solutions can add up quickly, especially for larger organizations.
Cloud Services
Cloud services play a significant role in CMMC compliance, but they come with their own set of costs and considerations. For instance, many organizations consider using Microsoft’s Government Community Cloud (GCC) or GCC High for CMMC compliance. However, these solutions can be expensive and often require deployment across the entire organization [9].
An alternative approach is to use cloud platforms specifically designed for CMMC compliance. For example, some solutions can be layered over existing systems like Microsoft 365, allowing organizations to protect CUI without a complete infrastructure overhaul [9]. This approach can be more cost-effective, especially for small and medium-sized businesses.
It’s worth noting that the Department of Defense (DoD) estimates for CMMC compliance costs don’t fully account for these technological expenses. For instance, the DoD projects that a Level 2 certification assessment would cost nearly $105,000 for small entities and approximately $118,000 for larger entities [5]. However, these figures primarily cover assessment and affirmation activities, not the implementation of security requirements themselves [5].
In reality, the technological costs can be substantial. For a small organization pursuing CMMC Level 3 (which builds upon Level 2), the estimated recurring and non-recurring engineering costs associated with meeting the security mandates are $490,000 and $2.7 million, respectively [5]. For larger organizations, these figures jump to $4.1 million and $21.1 million [5].
While these numbers are for Level 3, they give an indication of the significant technological investments required even at Level 2. Organizations must carefully consider these often-overlooked technological costs when budgeting for CMMC compliance to avoid unexpected financial strain.
Human Resource Expenses
Human resource expenses often constitute a significant portion of the costs associated with achieving CMMC Level 2 compliance. These expenses encompass various aspects, including hiring cybersecurity experts, training existing staff, and providing ongoing education.
Hiring Cybersecurity Experts
Organizations pursuing CMMC Level 2 certification may find themselves in need of specialized cybersecurity expertise. The Department of Defense (DoD) estimates that small defense contractors will need to spend $104,670 to achieve CMMC Level 2 with a C3PAO assessment and submit annual affirmations of compliance [10]. This figure includes the costs associated with hiring cybersecurity professionals or consultants to guide the compliance process.
For organizations lacking internal security expertise, outside partners can save time and money [11]. These experts can provide valuable assistance in conducting gap assessments, implementing necessary controls, and preparing for the CMMC audit. A gap assessment for an organization can cost approximately between $15,000 and $35,000 [10].
Training Existing Staff
Training existing staff is a crucial component of CMMC Level 2 compliance. The CMMC Assessment Guide emphasizes the importance of security awareness and training for all employees [12]. However, the extent of training may vary depending on the organization’s strategy for segmenting the Controlled Unclassified Information (CUI) scope.
Organizations must implement a comprehensive training program that covers:
- Security awareness training for all users
- Cybersecurity essentials for all users of IT systems
- Role-based training for specific positions
The training should encompass various topics, including:
- Cybersecurity terms and concepts
- Threats and vulnerabilities in the work environment
- Policies and procedures to follow
- Rules of acceptable use of information and information systems
It’s important to note that awareness is not the same as training. While awareness presentations focus on broad topics, training involves a more active learner and focuses on building knowledge and skills to perform specific jobs [12].
Ongoing Education
CMMC Level 2 compliance requires ongoing education to maintain the organization’s cybersecurity posture. This includes:
- Regular cybersecurity audits
- Periodic network upgrades
- Continuous employee training to stay ahead of emerging threats [13]
Organizations must establish a robust education and training channel to ensure personnel with appropriate clearances adequately understand their role in protecting the environment [1]. This ongoing education is crucial for maintaining compliance and adapting to evolving cybersecurity threats.
The NICE Framework can be a valuable resource for organizations in structuring their ongoing education programs. It helps in describing the tasks performed, the people who carry them out, and the relevant training needed [12]. Organizations can use this framework to identify the knowledge, skills, and tasks associated with specific work roles, ensuring that their training programs are comprehensive and tailored to their needs.
By investing in human resource expenses related to cybersecurity expertise, training, and ongoing education, organizations can build a strong foundation for CMMC Level 2 compliance. While these costs may be significant, they are essential for creating a robust cybersecurity posture and meeting the stringent requirements of the CMMC framework.
Administrative and Documentation Costs
Policy Development
Organizations pursuing CMMC Level 2 certification must invest significant time and resources in developing comprehensive policies and procedures. These policies need to address the management of Contractor Risk Managed Assets, which are part of the CMMC Assessment Scope but are not required to be physically or logically separated from CUI Assets [14]. The development of risk-based information security policies, procedures, and practices for these assets is crucial, as they will be reviewed by assessors to ensure compliance [14].
Record Keeping
Proper documentation is a critical aspect of CMMC compliance and contributes significantly to administrative costs. Organizations are required to maintain detailed records, including:
- Asset inventory documentation
- System Security Plan (SSP) documentation
- Network diagrams of the assessment scope
These documents must clearly show how Contractor Risk Managed Assets are managed using the organization’s risk-based security policies, procedures, and practices [14]. The cost of maintaining these records can be substantial, as it often requires dedicated personnel or external consultants.
Audit Preparation
Preparing for a CMMC audit involves considerable time and financial investment. For a Level 2 CMMC assessment, the Department of Defense estimates that the combined cost of assessment and affirmation will be around $104,670 [6]. This figure includes expenses related to planning and preparing for the assessment, conducting the assessment, and reporting the results [5].
Organizations should anticipate the following costs associated with audit preparation:
- Gap assessments: A typical gap assessment for an organization with 250 employees can cost between $15,000 and $35,000 [10].
- Readiness assessments: These are more comprehensive than gap assessments and ensure that everything is in place from a CMMC perspective [10].
- Consulting costs: External expertise may be required to guide the compliance process [6].
- Internal resource allocation: Preparing for CMMC compliance can consume at least one person’s full-time job for 12-18 months, with an estimated annual salary of around $179,000 for an experienced IT professional [6].
The actual CMMC audit costs, while not yet formally defined, are estimated to range between $20,000 and $60,000 [10]. This estimate assumes a fully defined audit program with standardized components such as questionnaires, information gathering processes, and specified reporting formats.
It’s important to note that these administrative and documentation costs are ongoing. Organizations must factor in maintenance expenses, which include active monitoring, threat detection, and incident reporting between CMMC assessments [6]. The Department of Defense projects that the annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be about $4 billion, calculated over a 20-year horizon [5].
Third-Party Assessment Organization (C3PAO) Fees
Initial Assessment Costs
The implementation of CMMC Level 2 certification brings with it significant financial considerations, particularly in the realm of Third-Party Assessment Organization (C3PAO) fees. The Department of Defense (DoD) has estimated that small defense contractors will need to spend approximately $104,670 to achieve CMMC Level 2 with a C3PAO assessment and submit annual affirmations of compliance [11]. This figure encompasses various components of the assessment process, including planning and preparation, conducting the assessment, and reporting the results.
Breaking down the costs, the DoD estimates that conducting the assessment itself accounts for the largest portion at $76,743. Planning and preparing for the C3PAO assessment is projected to cost $20,699, while reporting the assessment results is estimated at $2,851 [11]. It’s important to note that these figures include time spent by both in-house IT specialists and External Service Providers (ESPs) such as Registered Practitioners (RPs), Certified CMMC Assessors (CCAs), and C3PAOs.
However, real-world scenarios suggest that the actual costs may vary significantly. Recent reports from contractors reveal that quotes received from C3PAOs for a Level 2 assessment under CMMC 2.0 ranged from $30,000 to $381,000 [15]. The wide range in pricing is largely attributed to the number of environments that need to be assessed independently, with the higher end of the spectrum involving five separate environments.
Re-certification Expenses
CMMC compliance is not a one-time expense. Contractors must be re-certified at regular intervals, adding to the long-term financial commitment. As it stands currently, CMMC certifications are generally valid for 3 years [10]. This means that organizations must factor in the costs of re-certification into their long-term budgeting.
The DoD’s cost estimates include provisions for annual affirmations of compliance. Over a three-year period, these affirmations are expected to cost $4,377, or $1,459 per year [11]. These ongoing expenses are crucial for maintaining compliance and ensuring that an organization’s cybersecurity posture remains up to date with evolving threats and standards.
Preparation Assistance
Given the complexity and importance of CMMC certification, many organizations seek external assistance in preparing for their assessments. The DoD anticipates that organizations pursuing Level 2 assessments will often seek consulting or implementation assistance from external service providers [5]. This additional support can help organizations get ready for assessments and participate effectively in the process with C3PAOs.
While this preparation assistance represents an additional cost, it can be a valuable investment. Proper preparation can help minimize billable hours during the actual assessment, which ultimately determines the final price. To this end, organizations are advised to pair their documentation carefully, linking it to scoped information systems and assessment objectives [15]. Utilizing solutions that track required practice performance and store evidence can streamline this process and potentially reduce overall costs.
Long-Term Compliance Maintenance Expenses
Maintaining CMMC Level 2 compliance is an ongoing process that requires significant long-term investment. Organizations must factor in recurring costs to ensure their cybersecurity posture remains up to date with evolving threats and standards. The Department of Defense projects that the annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be about $4 billion, calculated over a 20-year horizon [5].
Continuous Monitoring Tools
Implementing and maintaining continuous monitoring tools is a crucial aspect of long-term compliance. These tools help organizations detect vulnerabilities in real-time, collect evidence for corrective actions, and offer ready-to-use security policies [16]. Continuous monitoring is essential for maintaining a robust security posture and ensuring ongoing compliance with CMMC Level 2 requirements.
Regular System Updates
Regular system updates and patching are critical components of long-term compliance maintenance. Organizations must factor in the costs associated with:
- Upgrading existing systems
- Patching vulnerabilities
- Implementing new tools as required [16]
These ongoing maintenance activities are essential for addressing new security threats and ensuring that the organization’s cybersecurity measures remain effective over time.
Incident Response Planning
Developing and maintaining an incident response plan is a key requirement for CMMC Level 2 compliance. Organizations must have procedures in place for:
- Monitoring and promptly acting on security alerts indicating unauthorized use of IT systems
- Performing periodic scans of IT systems
- Scanning files from external sources when they are downloaded or acted upon
- Updating malicious code protection mechanisms as soon as new versions are available [1]
The costs associated with maintaining an effective incident response capability, including regular testing and updates to the plan, must be factored into long-term compliance expenses.
It’s important to note that while the initial certification costs for CMMC Level 2 are significant, with the Department of Defense estimating around $104,670 for small defense contractors [11], the long-term maintenance expenses can be even more substantial. Organizations must budget for recurring costs, as CMMC certifications are generally valid for 3 years [10]. This means that companies must plan for re-certification expenses every three years, in addition to the ongoing costs of maintaining compliance.
To optimize long-term compliance costs, organizations should consider:
- Establishing clear communication and project scopes with consultants
- Negotiating fee structures for ongoing support
- Researching and selecting cost-effective technology solutions that fulfill CMMC requirements without exerting undue strain on the budget [17]
By taking a strategic approach to long-term compliance maintenance, organizations can better manage the ongoing expenses associated with CMMC Level 2 certification while ensuring they maintain a robust cybersecurity posture.
Conclusion
The journey to achieve CMMC Level 2 certification has a significant impact on organizations, both financially and operationally. Government estimates often fall short of capturing the true costs, which encompass not only initial assessments but also ongoing expenses for technology upgrades, staff training, and long-term compliance maintenance. These hidden costs can put a strain on businesses, especially smaller contractors, as they work to meet the stringent cybersecurity requirements.
To wrap up, while CMMC Level 2 certification is crucial to protect sensitive information, organizations need to plan carefully to manage the associated expenses. This means looking beyond the initial certification costs to consider the long-term investment in cybersecurity infrastructure, human resources, and continuous improvement. By taking a comprehensive approach to budgeting and implementation, businesses can better prepare themselves to meet the challenges of CMMC compliance while maintaining their competitive edge in the defense contracting landscape.