CMMC Costs Explained: What Your Business Will Spend

One of the most frequent questions I hear from our clients about the new Cybersecurity Maturity Model Certification, after a few choice words, is: "How much is this going to cost me?" It's a great question, and one I can't fully answer because, unfortunately, they haven't even rolled out the auditor program yet!! That being said, it does appear that the Office of the Under Secretary of Defense for Acquisition & Sustainment is wiling to foot the bill... Kind of.  Because according to their FAQ page:

"The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive..."

Which is great, isn't it?  But there are no further details mentioned, and it is followed by this caveat,

"For contracts that require CMMC you may be disqualified from participating if your organization is not certified."

But, as you can probably imagine, there are going to be other costs besides just auditing. That said, if you actually have all the NIST  SP 800-171 security controls in place (which, of course you do! I mean, doesn't everyone?) like you are supposed to have before you won any contracts in the first place, then they shouldn't be significant.  I will go ahead and take a stab at calculating the costs, outside of auditing, but since there are no concrete answers yet, I'm just making educated guesses and these costs are, of course, subject to change. I've broken down the expected costs into three categories:

1. Preparation costs
2. Security Control costs
3. Audit costs

Naturally, the total cost to your company is going to vary, based on a multitude of factors, such as:

• Just how far along you've come with the NIST SP 800-171 security controls (is that nervous laughter I hear?)
• The size and scope of your business (number of employees, locations, devices/stations, networks, etc...)
• Your current IT situation  (do you have an internal department or do you outsource?)
• Target CMMC Level
• The scope of your data (is it CUI or just FCI?)

I know those are a lot of unknown variables, but it's reasonably safe to assume that your goal, at least initially, will be CMMC Maturity Level (ML) 3, so to not overwhelm you, let's go with that. From here, to figure out your preparation costs, we are going to look at the costs of those who have most of the NIST SP 800-171 security controls in place (like you, right?) and those who don't...

Security Controls Implemented: $35,000 to $100,000

1. Preparation Costs
   • CMMC Readiness Assessment: $15,000 to $35,000
     • This is the cost for medium-sized, 250-person firm with multiple locations and whose security controls were handled in-house.
     • We got this by comparing it to an ISO 27002 Gap Assessment, which has a similar number of controls.
   • CMMC Gap Remediation to fix any lapses found in the Readiness Assessment
     • Prepared: $0-$10,000
     • Less Prepared: $0-25,000
     • This is dependent on the findings and what it will take to make your company ready.
2. Security Control Costs: $0
   • If you have stayed on top of your security controls over the last five years, it is likely this will cost you nothing.
   • It pays to stay up-to-date!
3. Audit Costs:  $20,000-$40,000 (but possibly reimbursable)
   • • We are pretty much just guessing here because nothing has been released.
     • Based on other similar auditing costs, it's assume the CMMC Audit will be in a similar price range. to

Security Controls NOT Implemented: $80,000 to $190,000

1. Preparation Costs: $40,000 to $90,000
   • CUI Scoping Exercise (recommended) & Risk Assessment (CMMC requirement): $30,000-$50,000
     • This is the cost for medium-sized, 250-person firm with multiple locations and whose security controls were handled in-house.
     • We got this by comparing it to an ISO 27002 Gap Assessment, which has a similar number of controls.
   • Gap Remediation: $10,000-$40,000
     • Covers issues found in the Risk Assessment.
     • Builds a foundation for the System Security Plan.
2. Security Control Costs: $20,000 - $60,000
   • This costs is going to vary greatly depending on what technology your company has implemented.
   • CMMC ML 3 requires pretty common sense controls that most businesses will have in place already, such as:
     • Data backup
     • Advanced email protection
     • Mobile device management
     • multifactor authentication
     • Logging and monitoring
     • Security training
3. Audit Costs:  $20,000-$40,000 (initial preparedness is irrelevant)

Please keep in mind that the costs I'm estimating above are just that... ESTIMATES.  Even though the first version of the CMMC has been released, it is subject to change.  Sometimes I wish I could read the future, but alas.... I cannot. However, if you have any other questions and would like us to go over your particular situation, feel free to schedule a free consultation online, or give us a call at 919-348-4912, and we will be more than happy to answer your questions!