Last Updated on July 16, 2021
Cybersecurity Maturity Model Certification (CMMC) Level 3 assessments will be starting any time. Many of the thousands of SMBs that will seek CMMC certification are concerned about assessment costs.
What are the costs for a CMMC Level 3 assessment likely to be? And what key factors could swing your costs up or down?
To share all the latest inside information on CMMC assessments, including cost factors, Stacy High-Brinkley, VP of Compliance Solutions at Cask, a candidate C3PAO, was featured on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosted the show as always.
Ballpark per-day costs
John admits he’s heard “some interesting numbers” regarding CMMC assessment costs: “You know the game. There’s the low-ball people and then there’s the high-ball people, and then there’s the bulk of us. But I’ve heard the minimal cost you could ever see would be like $2,000 per day, and then I’ve heard people go as high as $3,000 or $4,000 a day. And if we’re talking 35 days, let’s say as an example, it gets kind of expensive. What are you seeing, or what are you thinking might be the ranges that we’re going to see across the industry?”
Assessor cost unknowns
“Well, if we have to leverage three Provisional Assessors (PAs), that is definitely going to drive the cost up. Now, does that mean that all three are 100% on for all those days? No. You just need a lead assessor and two others. Right off the bat, it’s going to be expensive until we get those other folks trained because the Certified CMMC Professionals (CCPs) are going to come in at a much lower level than a PA, for instance. I mean, someone in the field 25 years, $250/hour and up is it for them. For a CP, a lot less, and that’s going to drive it. If we can have RPs help us, that’ll drive it [down].”
“So, it’s really hard to talk cost when you don’t know who’s going to be allowed on the assessment,” Stacy offers. “You can put hourly rates to it, and say, ‘Hey, if you have provisional assessors, $250 and up an hour. If you have CPs, a lot less.’”
Added costs for multiple applications or business units
“Do you anticipate if I have multiple system security plans (SSPs), will I get multiple CMMC certifications?” asks John. “Or will I have one umbrella certification with multiple SSPs under it, and will that influence significantly cost?”
“What we were taught that you go by CAGE code [five-digit Commercial And Government Entity Code],” Stacy explains. “So, if you have 10 CAGE codes, then I’ll be giving you 10 different proposals. Could I put into one big proposal? Sure, sure. You can do it any way you want. The assessor can actually put them all together and give them one big, huge proposal and ROM [Rough Order of Magnitude Estimate]. But basically, you’re going to get a number based on your CAGE code. So when you actually start an assessment, the CMMC-AB gives you a number, and that will be your number all along.”
“How do you see multiple locations influencing levels?” John asks next. “How will multiple locations influence a CMMC scope?”
Stacy indicates that the cost impact could be significant, especially because auditors will need to visit multiple locations to verify physical security, potentially conduct in-person interviews, etc. Multiple locations could also impact costs for reassessments, though reporting requirements have still not been officially announced.
Added costs for multiple CUI enclaves
Another major cost/effort factor could be multiple lines of service, products or business units that result in an organization creating multiple “enclaves” for Controlled Unclassified Information (CUI) and potentially multiple SSPs.
“The more assets, people, processes, technologies you have, the more folks we need in there to assess it,” clarifies Stacy. “And you want it done as quick as possible to bring that budget line down. But you want to be prepared, right? And it might behoove you to hire some good cyber folks, folks who are really good at compliance and security… We’re in a moving world now. You’ve got to secure everything.”
As John points out, if your company had multiple CUI enclaves but the security implementations and SSPs were similar, the overall cost impact would be less.
“Anything to speed it up is going to help,” emphasizes Stacy.
If you need to help prepare your DIB org for a successful CMMC audit, you’ll definitely want to catch this podcast episode with Stacy High-Brinkley.