With CMMC (Cybersecurity Maturity Model Certification) 2.0 rulemaking in progress, contractors should soon be finalizing a budget for CMMC preparation and assessment (if necessary). Although the rulemaking process could take anywhere from nine to twenty-four months, waiting until the last minute may delay certification and, with it, eligibility to bid on specific contracts.
The CMMC 2.0 update has left many people wondering: what is the cost of CMMC? One of the main drivers for the update was SMBs’ concern about costly assessments. Overall, CMMC 2.0 will be more cost-effective, especially for SMBs, due to the changes around control numbers and self-attestation options for Level 1.
For contractors achieving Level 1 certification, there will be no third-party assessment required. However, for Level 2 or Level 3 compliance, a third-party assessment is required and is valid for three years; a Level 2 third-party assessment is handled by a C3PAO, and Level 3 requires a government-led third-party assessment. Level 2 certification will be the lowest level considered for any contract entailing use or handling of CUI.
With the new CMMC 2.0 update, Level 1 no longer requires a third-party assessment. This means there will be no costs for the assessment itself, but ensuring your maturity is up to par may cost thousands of dollars depending on the complexity of your environment.
In short, there are three cost components associated with becoming CMMC compliant: soft costs to prepare for the assessment, hard costs to prepare for the assessment, and hard costs associated with the formal assessment itself. Let us expand upon each of these.
Soft Costs to Prepare for the Audit
Soft costs include things like internal resourcing and/or expenses incurred from external consulting. Many variables can influence these costs, including your organization’s size, how many locations are involved, whether you require external consulting services, your current NIST 800-171 program, the CMMC level you wish to be certified in, and the extent to which you handle Controlled Unclassified Information (CUI). These soft costs can range anywhere from $15,000 to $100,000, depending on whether you choose to outsource things like a gap assessment and remediation or conduct them in-house.
Hard Costs to Prepare for the Audit
Depending on your SP 800-171 maturity, these costs may be reasonably low. To consider yourself mature, you must have made substantial investments in environment hardening, endpoint protection, and log monitoring within the past five years. If your maturity is not up to par, you will also have to consider the technology and processes you would have to implement to comply with the aforementioned elements. If this is the case, you are looking at around $20,000 to $60,000 on average toward your overall CMMC costs. This is highly dependent on the size of your organization and your technology stack. You may need to upgrade hardware and/or migrate to the cloud.
Hard Costs Associated with the Audit
Since the assessment process is still being determined, it is challenging to ballpark how much this may be. The ultimate price of an assessment depends on how long it takes to complete and how well you documented your environment, policies, and procedures during preparation. It is also reasonable to say that the higher the level of certification, the higher the cost.
However, these costs will most likely be considered an “allowable expense,” meaning that they can be included in the costs shown on contracts and billed directly to the DoD. A rough estimate of these costs can be anywhere between $20,000 and $40,000.
Achieving compliance is an excellent opportunity to use CMMC as a holistic approach to improve your organization’s cybersecurity posture. It is important to note that without getting CMMC certified, your business will be ineligible to compete on specific DoD contracts in the future.