Last Updated on February 1, 2022
When I originally authored the blog below (left in its original inglorious state), we were in a world where CMMC V1 was the rule of the day, and it was full steam ahead. Fast forward nearly two years, and unfortunately, I will STILL need to channel Nostradamus to answer this very question.
By now, you know that we are waiting for rule-making to make CMMC 2.0 official. That being said, waiting for CMMC 2.0 to become official before you start getting CMMC 2.0 compliant makes little to no sense. Why? Because your current DFARS 252.204-7012/NIST 800-171 obligations are exactly what CMMC 2.0 requires. Hence, you really should already be CMMC 2.0 ready, and if you are not, you could (worst case) be subject to the False Claims Act.
The estimates below are pretty solid – with one likely exception – the “Hard Costs for Audit.” Originally, I guesstimated $20 – 40K. When we started getting pricing for CMMC V1 Level 3 Certification Assessments from C3PAOs, we saw quotes in the $50 – 75K range.
For CMMC 2.0:
- If you are a “prioritized acquisition” (likely relating to weapons, communications, or command & control), you will require a C3PAO assessment. My best guess is that the pricing will be slightly lower than for CMMC V1 L3, as we have 20 fewer controls and the maturity processes have also been removed. My best guess is that this will trim ~20% off the cost, so let’s say $40 – 60K.
- If you are not a “prioritized acquisition,” you are not subject to a C3PAO assessment.
I was tempted to start this blog with a flip comment, like “How the #$%&*@ am I supposed to know? The #$%&*@ auditor program is on hold and the CMMC framework just changed significantly!!!” But our marketing director reminded me that using that kind of language in a blog may be considered inappropriate and that our customers really are looking for at least an estimate. So here goes…
All kidding aside, at this point answering that question requires either time travel or conjecture. Since I am only skilled at the latter, let’s go the conjecture route, as I think we can make some pretty good, educated guesses.
For most organizations that will be required to undergo a third-party audit, there are likely going to be three primary costs to getting CMMC certified:
1. Soft costs to get prepared for the audit (e.g., internal resourcing or external consulting costs)
2. Hard costs to get prepared for the audit (e.g., expenditures to achieve a particular requirement such as a SIEM or two-factor authentication)
3. Hard costs for the CMMC audit itself (e.g., the cost for the Certified Auditor, which potentially will be an “allowable expense”)
Let’s examine these costs in a little more detail.
Your actual costs will depend on a number of factors, including but not limited to the maturity of your current NIST SP 800-171 program, the size of your organization, whether you require external support, how many locations are involved, the CMMC level you’re going for, and the scope of your Controlled Unclassified Information (CUI). CUI scope is the number of geographic locations, systems, databases, applications, and networks that store, process, or transmit CUI. CUI scope is also influenced by the number of people in your organization who handle CUI.
To simplify, let’s break the above into two buckets and assume CMMC Level 2, which is likely to be the most common target:
Organizations that have a reasonably mature NIST SP 800-171 compliant environment
- Consulting Costs: You will likely want to do a CMMC Gap Assessment (aka a Readiness Assessment). For a typical 250-person engineering/manufacturing firm with several locations whose NIST 800-171 program is managed centrally, a reasonable estimate is $15,000-35,000. That pricing is comparable to an ISO 27002 Gap Assessment, which is a reasonable proxy in terms of size and approach to CMMC Level 2 (110 controls), as ISO 27002 covers 114 controls. Differences between the upper and lower ends of the range have to do with sampling rates and whether technical testing is included in the work effort. If you require support for Gap Remediation, that can range considerably based on the findings. In a more mature environment, $0-10,000 is a reasonable estimate. If you are less mature than you thought, $0-25,000 is a reasonable estimate. Pro-tip – If you don’t have an up-to-date Risk Assessment and System Security Plan, you don’t have a reasonably mature environment.
- Hard Costs for Prep: If your program is reasonably mature, it is possible that you will need to spend very little in hard costs to get prepped. Where it gets tricky is that many in the DIB are using Office 365 or Google Workspace (formerly G Suite). Unfortunately, the commercial versions of these services are not CMMC 2.0 Level 2 certifiable, and you will need to move to the “Government Cloud” versions of these offerings or implement an email encryption solution like PreVeil. “GovCloud” options can potentially result in migration costs (up to $50,000) and/or double (or even triple) your monthly recurring costs for these services. Pro-tip – You are not reasonably mature if you have not made notable investments in the last five years in solutions like endpoint protection, multi-factor authentication, log monitoring/SIEM, etc.
- Hard Costs for Audit: With CMMC 2.0, the audit process will be aligned with NIST SP 800-171A, “Assessing Security Requirements for CUI.” So, the pricing across auditors should be fairly consistent. Best guess: $20,000-$40,000. We had folks from the CMMC-AB on the podcast prior to the CMMC 2.0 changes, and based on that discussion I got a sense that the cost may be at the lower to middle end of that scale. Simplifying the CMMC 2.0 framework to remove the “maturity processes” along with some controls should also help keep audit costs in check.
Organizations that don’t have a mature NIST SP 800-171 compliant environment
- Consulting Costs: You will likely want to start with a CUI Scoping exercise (to try to minimize the scope and associated costs) and a Risk Assessment (a requirement of CMMC). This will ensure you have the proper context for the Gap Assessment. For a typical 250-person engineering/manufacturing firm with several locations, a good estimate is $30,000-$50,000. That pricing is comparable to establishing the foundation of an ISO 27001 or SOC 2 information security program, which is a reasonable proxy in terms of size and approach. Differences between the upper and lower ends of the range have to do with current maturity, CUI scope, and project approach. If you require support for Gap Remediation, that can range considerably based on the findings. In a less mature environment, $10,000-$40,000 is a reasonable estimate. Taking this approach generates the required Risk Assessment and builds the foundational scope statement that is integral to the required System Security Plan.
- Hard Costs for Prep: Cost here depends on what technology you have implemented in your environment. CMMC 2.0 Level 2 ostensibly requires mobile device management, log monitoring/SIEM, security awareness training, multifactor authentication, data backups, code review, and advanced email protection. Most viable organizations are going to have a fair number of these tools in place. Best case: $0. Typical case: $20,000-$60,000. Worst case: $100,000. As an example, I spoke with a client at a 100-person firm that has a very mature NIST SP 800-171 compliant environment, which cost about $170,000 to achieve from scratch. This is consistent with the ranges I floated.
- Hard Costs for Audit: As above, best guess: $20,000-$40,000.
So I channeled Nostradamus a bit in this post, which might leave you concerned about the veracity of my estimates. I think I can allay those fears. I dated a girl in college who read Tarot cards, and we all know that is more science than art :>)
I called her to help with the blog and I drew the “Wheel of Fortune” card, which translates pretty positively for my predictions: “Most likely, you will find the events foretold to be positive, but, being aspects of luck, they may also be beyond your control and influence. Tend to the things you can control with care and learn not to agonize over the ones you cannot.”
I think this means I am right. (Fair warning: I always think I am right :>)
However, my friend did caution me not to publish our conversation as, “Most likely the events of the future will be negative, if aspects of luck outside your control intervene, and your wife should happen to read this blog and find out you were in touch with an old flame.” #YOLO