As we draw nearer to the new DoD compliance deadline, many people are asking the same question: What is the Cost of CMMC? In short, there are three cost components associated with becoming CMMC compliant: soft costs to prepare for the audit, hard costs to prepare for the audit, and hard costs associated with the audit itself. Let’s expand upon each of these.
Soft Costs to Prepare for the Audit
Soft costs include internal staff time and any fees paid to external consultants. Many variables influence these costs: your organization's size, how many locations are in scope, whether you need outside consulting, the maturity of your existing NIST SP 800-171 program, the CMMC level you are seeking, and how much Controlled Unclassified Information (CUI) you handle. These soft costs typically range from $15,000 to $100,000, depending on whether you outsource work such as the gap assessment and remediation or perform it in-house.
Hard Costs to Prepare for the Audit
Depending on your NIST SP 800-171 maturity, these costs may be reasonably low. An organization can consider itself mature if it has already made substantial investments in multi-factor authentication (MFA), endpoint protection, and log monitoring within the past five years; in that case, remaining hard costs may amount to only a few thousand dollars. If your maturity is not up to par, you will also need to budget for the technology and the new processes required to implement those controls, which adds roughly $20,000 to $60,000, on average, to your overall CMMC costs.
Hard Costs Associated with the Audit
Since there are no firm guidelines for the audit process yet, it is challenging to estimate how much this will be. However, the audit will most likely be treated as an "allowable expense," meaning it can be included in the costs reflected in your contract pricing and recovered from the DoD. A rough estimate of these costs is anywhere between $10,000 and $40,000.
You will be required to recertify for CMMC every three years, and changes under consideration may obligate Level 4 and Level 5 contractors and suppliers to recertify more often. Level 3 will be the minimum certification level for any contract that involves handling CUI.
Though the costs of CMMC may be disheartening, especially for small and medium-sized businesses, the silver lining is that a portion may be recoverable as allowable costs. CMMC is also an excellent opportunity to take a holistic approach to improving your organization's cybersecurity posture. Keep in mind that without CMMC certification, your business will be ineligible to compete for DoD contracts in the future.