With the release of CMMC 2.0, and the significant changes that come with it, we have to update our cost expectations.
This post covers whether CMMC is appropriate for your business, provides a cost breakdown of the 3 major effort areas, offers a rough estimate of the costs of CMMC compliance, and answers the question of whether an expert can save you time and resources.
7 key takeaways from this post:
- CMMC level 1 is for businesses that possess federal contract information (FCI)
- CMMC level 2 is for businesses that possess controlled unclassified information (CUI)
- CMMC level 3 is for businesses that possess CUI and participate in high priority programs
- The purpose of CMMC is to produce environments capable of safeguarding government information
- CMMC will be, and in some cases already is, a requirement for contract award
- CMMC compliance involves Program Development, Technology, and Audit and Certification efforts
- Depending on several factors, the total cost of a CMMC implementation and certification can range between $30,000 and $200,000.
As a quick recap, there are now 3 levels in CMMC 2.0 as opposed to 5 levels in version 1.0. The purpose of all 3 levels of CMMC is to produce environments capable of safeguarding information the Federal Government does not intend to release to the public.
Level 1: Foundational
This level is for businesses that possess federal contract information (FCI). Level 1 requires 17 practices (i.e., controls) that cover domains such as Access Control, Identification and Authentication, Media Protection, Physical Protection, Systems and Communication Protection, and System and Information Integrity.
A practice is an activity or set of activities that are performed to meet the defined CMMC objectives.
Level 2: Advanced
This level is for businesses that possess controlled unclassified information (CUI). Level 2 is equivalent to NIST Special Publication (SP) 800-171 Revision 2 (2021) which includes 110 practices. This is a significant increase in scope, effort, and cost from level 1. If your organization needs a certification at this level, you’ll likely have to engage with a CMMC auditor like Ignyte to perform an assessment.
Level 3: Expert
This level is for businesses that possess CUI and find themselves participating in a high-priority program. As of this writing, the official publications for CMMC 2.0 state “level 3 will be based on a subset of NIST SP 800-172, and more detailed information will be released at a later date.”
In reality, 800-172 includes “enhanced security requirements” that are intended to protect CUI against advanced persistent threats (APTs).
Is a CMMC certification right for my business?
If your business is part of the defense industrial base (DIB – i.e., a government contractor), then CMMC is not only right for your business, but it will likely be a requirement in the near future. In some cases, it may already be a requirement, depending on the contract your business is pursuing or already holds.
As with most compliance or regulatory obligations, the question of proactive certification in anticipation of contract award versus a just-in-time build out hinges on cost.
Ignyte typically breaks the cost of CMMC certification into 3 distinct areas: program development, technology costs, and audit and certification.
Also, because of the relatively limited, self-assessment scope of level 1, the following breakdown is most applicable to level 2 and level 3.
Program Development
This area covers the people and processes that are required by the CMMC framework such as regular security awareness and training, incident response planning, and periodic risk assessments. It also includes the documentation requirements such as policies and procedures that must be created, reviewed regularly, and updated as necessary.
Technology
This area covers the technology practices that are required by the CMMC framework such as access control, audit and logging (including log correlation), physical and logical separation, and Federal Information Processing Standard (FIPS) validated cryptography.
Because levels 2 and 3 are intended to broadly protect CUI and reduce the risk posed by APTs, implementing these various technologies can be expensive and require a lot of time and effort. That said, Ignyte does not recommend that businesses purchase any software or hardware until their environment has been properly scoped. Moreover, spending on technology is best done closer to the audit.
Audit and Certification
If you’re unfamiliar with the basics of a CMMC audit, be sure to take a look at this post. It covers the who and what in about 5 sentences and offers an overview of Ignyte’s proven approach that uses our proprietary compliance tool.
This audit and certification area covers business and technical scoping, reviewing existing cybersecurity programs, and verifying the implementation of controls and practices.
As you would expect, the cost of each area depends on a business’ maturity. A business that has already implemented a regulatory framework like ITAR or even nongovernmental standards like ISO 27001 and PCI-DSS will require less time and resources to implement CMMC.
Additionally, the costs of CMMC implementation and certification are not completely understood due to changing requirements and their various interpretations. That said, we can offer approximations.
Program development and technology costs can range between $20,000 and $60,000.
The actual audit and certification costs can range between $10,000 and $40,000.
Depending on several factors, the total cost of a CMMC implementation and certification can range between $30,000 and $200,000.
Can an expert save me time and money?
Absolutely. But it depends on the expert.
An organization that gives you an exact number on the cost of CMMC without doing any due diligence is doing you a disservice. That’s why we only offer ranges in this post: the cost of CMMC is entirely dependent on your business’ security posture and organizational maturity.
We know this can be frustrating for a business trying to build a budget, but careful, precise, and proven expertise is what Ignyte prides itself on. Offering inaccurate numbers would go against these values.
If you want careful, precise, and proven expertise to guide you through CMMC certification, contact us.