Last Updated on October 23, 2022
Achieving compliance with the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Level 2 is a big stretch for small contractors that currently have lightweight security programs. Some SMBs in the defense industrial base (DIB) are strongly considering leaving the market rather than make these investments.
Obviously that’s a major business decision—one that DIB orgs would hopefully not make before getting all the facts.
To answer top questions from the DIB on CMMC v2, a recent episode of The Virtual CISO Podcast features George Perezdiaz, NIST/CMMC Consultant at Pivot Point Security and one of the most knowledgeable people in our industry on CMMC. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Never think about exiting the DIB
George feels strongly that most companies that are balking at CMMC investments aren’t seeing the whole picture.
“Never think about exiting the DIB,” George affirms. “Look for your options and opportunities and find a motivation or a path that will allow you to continue to grow in this space. If you right-size [CMMC], it is relatively affordable if you do it correctly.”
One thing to keep in mind is that the DoD has stated for the record that the cost of security is an allowable cost that can and should be accounted for in proposals. Finding ways to recover your security investment is key to making CMMC work.
John makes another key point: if some orgs exit the DIB, the businesses that do make the CMMC investment will not only improve their competitiveness but also face fewer competitors. That could give them room to negotiate more favorable pricing, especially once the cost of security is factored in.
Further, the need for a CMMC Level 2 certification is a significant barrier to entry for new competitors. As John puts it, “The barrier to entry for some guy in a garage right now to spin up a sheet metal shop or something of that nature is that much higher because he has to bake CMMC certification into his startup cost.”
“Don’t ever think about giving up,” reiterates George. “There are many options out there. Have you explored all of those? At the end of the day, if you need to call PPS so we can explore some opportunities with you, we are happy to do that.”
What is the time and cost for CMMC Level 2 certification?
The inevitable answer to this question is, “It depends.” But within all the variables, George and John have some ballpark numbers.
“I haven’t seen anything go faster than nine months,” George notes. “That has a lot to do with the org’s motivation. They have to be committed and motivated. And have leadership support. That is critical because you definitely are going to make some drastic investments. You probably are going to have to be a champion of change for your business.”
The closer we get to seeing CMMC compliance requirements in DoD contracts, the greater many firms’ motivation is likely to be.
Of course, different company cultures can assimilate new technologies and new business processes at different rates. As a general rule of thumb, George recommends accounting for 1.5 full-time employees (or equivalent third-party costs) at your choice of skill level to implement, manage and maintain your CMMC program.
Looking at a hypothetical 200-person manufacturing company, John puts the cost range for CMMC certification at somewhere between $50,000 and $150,000. At the high end will be orgs that currently lack “serious” security investments like a SIEM solution, MFA, etc. At the low end will be orgs that are close to CMMC conformance and just need to tune a few things up and undergo a certification assessment.
If CMMC is in your future, don’t miss this fast-paced Q&A with George Perezdiaz.
This post offers more advice on making the investment in CMMC: CMMC 2.0: Is Certification Worth the Cost and Risk?