I was tempted to start this blog with a flip comment, like “How the #$%&*@ am I supposed to know? The #$%&*@ auditor program doesn’t even exist yet!!!”
But Jeremy, our fearless Marketing leader, told me that using that kind of language in a blog may be considered inappropriate and that our customers really are looking for at least an estimate. So here goes…
All kidding aside, at this point answering that question requires time travel or conjecture. Since I am only skilled at the latter let’s go the conjecture route, as I think we can take some pretty good educated guesses.
For most organizations, there are likely going to be three primary costs to getting CMMC certified:
- Soft costs to get prepared for the audit (e.g., internal resourcing or external consulting costs)
- Hard costs to get prepared for the audit (e.g., expenditures to achieve a particular requirement such as a SIEM or two-factor authentication)
- Hard costs for the CMMC Audit itself (e.g., the cost for the Certified Auditor, which potentially will be an “allowable expense”)
Let’s examine these costs in a little more detail.
Soft costs for getting prepared for the audit
Your actual costs will depend on a number of factors, including but not limited to the maturity of your current NIST SP 800-171 program, the size of your organization, whether you require external support, how many locations are involved, the CMMC Level you’re going for, and the scope of your Controlled Unclassified Information (CUI). CUI scope is how many geographic locations, systems, databases, applications, and networks store, process or transit CUI. To simplify, lets break the above into two buckets and assume CMMC Level 3, which is likely to be the most common target:
- Organizations that have a reasonably mature SP 800-171 compliant environment
- Consulting Costs: You will likely want to do a CMMC Gap Assessment (may be called a Readiness Assessment). For a typical 250-person engineering/manufacturing firm with several locations whose 800-171 program is managed centrally, a reasonable estimate is $15,000-35,000. That pricing is comparable to an ISO 27002 Gap Assessment, which is a reasonable proxy in terms of size and approach to CMMC Level 3 (130 controls), as ISO 27002 covers 114 controls. Differences between the upper and lower ends of the range have to do with sampling rates and whether technical testing is included in the work effort. If you require support for Gap Remediation, that can range considerably based on the findings. In a more mature environment, $0-10,000 is a reasonable estimate. If you are less mature than you thought, $0-25,000 is a reasonable estimate. Pro-tip – If you don’t have an up-to-date Risk Assessment and System Security Plan, you don’t have a reasonably mature environment.
- Hard Costs for Prep: If you are reasonably mature, you likely will need to spend very little in hard costs to get prepped. It’s entirely reasonable to assume $0. You are not reasonably mature if you have not made notable investments in the last five years for items like endpoint protection, multi-factor authentication, log monitoring/SIEM, etc.
- Hard Costs for Audit: This one is a bit harder because there is not yet any guidance for the audit process. If I were designing the audit program, I would set it up like the Standardized Control Assessment from Shared Assessments. It is essentially a fully defined audit program including the questions to ask, artifacts to gather, sampling rates, and a prescribed reporting format. Assuming the audit program follows a model of this nature, the pricing across auditors should be fairly consistent. Best guess: $20,000-$40,000.
- Organizations that don’t have a mature SP 800-171 compliant environment
- Consulting Costs: You will likely want to start with a CUI Scoping exercise (to try to minimize the scope and associated costs) and a Risk Assessment (a requirement of CMMC) first. This will ensure you have the proper context for the Gap Assessment. For a typical 250-person engineering/manufacturing firm with several locations, a good estimate is $30,000-$50,000. That pricing is comparable to establishing the foundation of an ISO 27001 or SOC 2 information security program, which is a reasonable proxy in terms of size and approach. Differences between the upper and lower ends of the range have to do with current maturity, CUI scope, and project approach. If you require support for Gap Remediation, that can range considerably based on the findings. In a less mature environment $10,000-$40,000 is a reasonable estimate. Taking this approach generates the required Risk Assessment and builds the foundational scope statement that is integral to the required System Security Plan.
- Hard Costs for Prep: Cost here depends on what technology you have implemented in your environment. CMMC level 3 ostensibly requires mobile device management, log monitoring/SIEM, security awareness training, multifactor authentication, data backups, code review and advanced email protection. Most viable organizations are going to have a fair number of these tools in place. Best case: $0. Typical case: $20,000-$60,000. Worst case: $100,000. As an example, I spoke this week with a client at a 100-person firm that has a very mature NIST SP 800-171 compliant environment, which cost about $170,000 to achieve from scratch. This is consistent with the ranges I floated.
- Hard Costs for Audit: As above, best guess: $20,000-$40,000.
So I channeled Nostradamus a bit in this post, which might leave you concerned about the veracity of my estimates. I think I can allay those fears. I dated a girl in college who read Tarot cards, and we all know that is more science than art :>)
I called her to help with the blog and I drew the “Wheel of Fortune” card, which translates pretty positively for my predictions: “Most likely, you will find the events foretold to be positive, but, being aspects of luck, they may also be beyond your control and influence. Tend to the things you can control with care and learn not to agonize over the ones you cannot.”
I think this means I am right. (Fair warning: I always think I am right :>)
However, my friend did caution me not to publish our conversation as, “Most likely the events of the future will be negative, if aspects of luck outside your control intervene, and your wife should happen to read this blog and find out you were in touch with an old flame.” #YOLO