By Payam Pourkhomami, President & CEO of OSIbeyond
Cybersecurity Maturity Model Certification requirements are here, and the clock is ticking for organizations affected by them. Per the Department of Defense’s estimates, starting in Q1 2025, all new DOD contracts will require self-assessment at CMMC Level 1 or Level 2 before award. By Q3 2027, CMMC requirements will be included in all solicitations and contracts.
As these deadlines approach, all organizations in the defense industrial base should be thinking about CMMC assessment and certificationānot just in terms of technical requirements or implementation timelines but also the associated costs.
After all, the last thing you want is to experience an unpleasant financial surprise on your way to compliance and get stuck between a rock and a hard place. In this article, we break down the costs of CMMC assessment and certification to give you a rough idea of what you may expect depending on where you are right now.
The Potomac Officers Club’s 2024 Intel Summit will go beyond cybersecurity to identify how the DIB can partner with the Intelligence Community for its various security-related missions. Confidentiality is key. Sign up for the Sept. 19 event here! It will be an explosive day of idea formation and networking.
CMMC Assessment Preparation Costs
The total cost of CMMC compliance is determined by two main factors: how much it costs to prepare an organization for a CMMC assessment, and how much a CMMC Third-Party Assessment Organization, or C3PAO, charges for the actual certification.
Let’s start by breaking down the cost factors associated with preparing for an assessment, which might be limited to the low tens of thousands of dollars for confirming that all requirements are already met, but they can also reach into six or even seven-figure sums for large organizations with extensive cybersecurity gaps to fill.
Existing Cybersecurity Posture
Your organization’s current cybersecurity maturity level plays a significant role in determining preparation costs.
Companies with a robust cybersecurity framework already in place, particularly those compliant with NIST SP 800-171, will face lower preparation costs. These organizations may only need to fine-tune their existing practices and documentation.
On the other hand, organizations starting from scratch or with minimal cybersecurity measures in place will incur higher costs. The sources of these costs may include the implementation of new security controls, the development of new policies and procedures and employee training.
The Target CMMC Level
The CMMC level your organization aims to achieve directly impacts preparation costs as higher levels require more security measures (both in terms of quantity and sophistication):
- CMMC Level 1: The first level focuses on basic cybersecurity hygiene and protecting federal contract information, or FCI. It includes 17 practices derived from the Federal Acquisition Regulation 52.204-21.
- CMMC Level 2: The second level introduces more advanced practices to protect controlled unclassified information, or CUI, encompassing all 110 security requirements specified in NIST SP 800-171 Rev 2.
- CMMC Level 3: The third level builds upon Level 2 by requiring full implementation of NIST SP 800-171 Rev 2 controls plus additional practices derived from NIST SP 800-172.
Given the influence of the target CMMC level on preparation costs, it’s in the best interest of every organization to aim for the appropriate level.
To make an informed decision, we highly recommend conducting an internal audit to thoroughly understand what kind of information (FCI or CUI) is being handled, and how it’s processed, stored, and transmitted throughout your systems. This audit should also identify which employees have access to sensitive information and how it flows through your supply chain.
Organization Size and Complexity
The size and complexity of your organization significantly influence preparation costs. Especially important are the following variables:
- Geographic distribution of operations: Organizations with multiple locations or remote workers face additional challenges because they need to implement consistent security measures across all sites.
- Number of employees: A larger workforce typically means more users, devices and data to secure, which can complicate the implementation of CMMC requirements. Training and managing a higher number of personnel to comply with cybersecurity practices also adds to the overall cost.
- Diversity of IT systems and applications: A more varied IT ecosystem leads to greater complexity in implementing uniform security controls, increased potential for security gaps at integration points and higher costs for specialized security solutions for different platforms.
- Relationships with sub-contractors: Contractors that rely on sub-contractors must make sure that these external entities also comply with CMMC requirements, which can add complexity and cost to the preparation process.
Needless to say, larger organizations with more complex operations will typically face higher costs to achieve CMMC compliance. However, the cost doesn’t necessarily scale linearly with size. Economies of scale and efficient internal processes can help larger organizations control and optimize their compliance expenditure.
CMMC Certification Costs
In addition to the costs associated with preparing for a CMMC assessment, organizations must also factor in the actual cost of certification. These costs vary depending on the CMMC level and assessment type required.
CMMC Level 1 Certification Costs
For CMMC Level 1, organizations perform a self-assessment, so there is no direct cost for third-party certification. The main cost is the time required for internal staff to conduct the assessment and submit results. Based on the DOD’s estimates, this amounts to approximately:
- $4,000 per assessment for organizations other than small entities.
- $6,000 per assessment for small entities.
These costs primarily cover staff time for planning, conducting the self-assessment, reporting results and submitting the required affirmation.
CMMC Level 2 Certification Costs
CMMC Level 2 certification costs depend on whether an organization qualifies for self-assessment or requires a third-party assessment.
For organizations eligible to self-assess at Level 2, estimated costs are:
- $43,000 per assessment for organizations other than small entities.
- $34,000 per assessment for small entities.
Again, these costs mainly cover internal staff time across the various assessment phases.
When a third-party assessment is required for Level 2, costs increase dramatically:
- $112,000 per assessment for organizations other than small entities.
- $102,000 per assessment for small entities.
These higher costs account for both internal staff time and the fees charged by the C3PAO to conduct the assessment, which could increase sharply in the future because there’s currently an imbalance between supply and demand for CMMC assessments.
At the time of writing this article, there are only 56 C3PAOs listed by the Cyber AB (formerly the CMMC Accreditation Body), with an additional 243 candidate C3PAOs in the pipeline. However, it’s estimated that over 80,000 organizations will need a CMMC Level 2 certification.
CMMC Level 3 Certification Costs
CMMC Level 3 requires the most rigorous assessment and comes with the highest price tag:
- $39,000 per assessment for organizations other than small entities, plus $21,100,000 in non-recurring engineering costs and $4,120,000 in recurring engineering costs.
- Costs for small entities pursuing Level 3 are not provided, as this level is expected to apply only to a small subset of larger defense contractors.
It’s important to note that Level 3 certification builds upon Level 2, so organizations must factor in the cumulative costs of both levels.
Sustaining Compliance: Ongoing Costs
Obtaining certification for the first time is just the start of any CMMC compliance journey. Sustaining compliance over time is another potentially costly challenge that organizations need to prepare for.
As your IT infrastructure naturally evolves to meet growing and changing business needs, someone has to make sure that it continues to comply with CMMC requirements. Here, you have two main options: in-house employee(s) or a CMMC-certified managed service provider, a.k.a. MSP.
In-house Compliance Management
If you choose to manage CMMC compliance in-house, you’ll need to dedicate significant resources to this task. At a minimum, you’re looking at hiring at least one full-time employee focused on cybersecurity and compliance. Given the specialized skills required, the salary for such a position could easily reach $150,000 per year or more.
Moreover, finding qualified candidates for this role can be challenging due to the ongoing cybersecurity talent shortage. According to the World Economic Forum, the global cybersecurity industry urgently needs four million professionals to plug the talent gap. This shortage not only drives up salaries but also makes it difficult to find and retain skilled cybersecurity professionals.
Partnership With a CMMC-certified MSP
Given the challenges of in-house compliance management, many organizations find it more cost-effective and efficient to partner with a CMMC-certified managed service provider.
This way, you gain access to specialists who stay current with CMMC requirements and best practices, can scale with your business growth without additional hiring and continuously provide you with best-in-class cybersecurity solutions.
At OSIbeyond, we offer comprehensive cybersecurity and compliance services tailored to the needs of organizations in the DIB. As a CMMC registered provider organization, or RPO, authorized by Cyber AB, we have the credentials and expertise to guide your organization in becoming CMMC audit-ready and maintaining compliance post-certification.
Our services include CMMC readiness assessments, gap analysis and remediation planning, implementation of required security controls, documentation and policy development, ongoing compliance management and monitoring, and staff training and awareness programs.
Conclusion
Understanding the costs of CMMC assessment and certification can be a challenge in and of itself, but it’s always much better to be prepared than to face unexpected expenses. If you’re still unsure about how CMMC might impact your organization financially, don’t hesitate to reach out to us at OSIbeyond. Our team of experts can help you assess your specific assessment and certification costs based on your unique situation.
Browse Potomac Officers Club’s full slate of GovCon networking and information events.