CMMC shook the ground for DoD contractors and members of the defense industrial base (DIB). Even under the recently released 2.0 guidance, it will require that all 300,000 perform varying levels of cybersecurity safeguards based on the type of sensitive information they utilize in the performance of work for the DoD.

The rulemaking process is still underway to bring CMMC 2.0 into the code of federal regulations. It isn’t expected to be complete until some time between July 2022 and December 2023. But, CMMC 2.0 doesn’t add any new requirements. It merely supplements the validation process that the existing requirements are being performed.

If a DIB supplier isn’t performing the required safeguards that exist today, they're in trouble. They risk liability for misrepresenting their cybersecurity protocols under the False Claims Act (FCA) for failing to adhere to FAR 52.204-21 or DFARS 252.204-7012 (if applicable).

A month prior to the release of CMMC 2.0, the Department of Justice announced a new Civil Cyber-Fraud Initiative. It exists to pursue companies that receive federal funds but fail to follow cybersecurity standards.

Failure to self-attest to CMMC 2.0's standards or pass a third-party audit isn't good. Doing so prevents DIB companies from being able to take part in future DoD solicitations as a prime, subcontractor or supplier.

So, many companies have asked, “How much is the CMMC 2.0 certification going to cost?”

• Where You Fall Matters for Budgeting

• Factors That Justify Certification Costs

• Self-Attestation vs. Third-Party Assessments

• Budgeting Guidance Provided by DoD

• DoD Estimates for Third-Party Assessment Costs

• Real World Prices Quoted to DIB Companies

• The Marketplace for Cost Evaluation

• Conclusion

The DoD classified three levels of CMMC 2.0.

In the original CMMC Model, the Accreditation Body noted, "The CMMC model, in effect, provides a means of improving the alignment of cybersecurity practices with the type and sensitivity of the information and the range of threats".

To put it more simply, the designation of sensitive information utilized in the performance of a contract will dictate the level of certification required.

• Federal Contract Information (FCI) will require a baseline of Level 1 certification

• Controlled Unclassified Information (CUI) will require a baseline of Level 2 certification

• Level 3 is for large prime contractors but guidance is still forthcoming

CMMC’s goal is to ensure compliance across every 300,000 subcontractors that the DoD conducts business with. Level 1 and a portion of Level 2 certifications will continue to rely on self-assessment and self-attestation.

Most may continue to self-attest their adherence to these requirements. Less than 15% will be subject to a new triennial third party assessment for verification under the proposed CMMC requirements.

David McKeown, the DoD Chief Information Security Officer, recently told FedScoop that he estimates 40,000 DIB companies will still require a third-party assessment for Level 2 certification.  If true, that would be about 80% of the initial estimate of 48,999 companies that would seek a Maturity Level 3 certification under CMMC v1.02.

Companies seeking a Level 3 certification existed under Level 4 and 5 under the original model. These entities will now have to pass a government assessment. Most likely the Defense Industrial Base Cybersecurity Assessment Center will provide it.

The DFARS Interim Rule published on September 29, 2020 provided guidance on estimated costs for the original CMMC model.  Based on what we know with CMMC 2.0, we can make some adjustments to these figures to calculate the new certification costs.

Before we start looking at the original cost projections, it is important to note that DoD broke down costs into three categories…

• Average nonrecurring engineering costs

• Recurring engineering costs

• Average assessment costs

Adding up all three of those equals a total annual assessment cost. The higher level of certification you’re seeking comes with a higher annual assessment cost.

We can further simplify these estimates by aligning the chart estimates to the streamlined CMMC 2.0 levels. With some of the other changes discussed in CMMC 2.0, we can remove the assessment costs from Level 1, as these contractors will now self-assess.

The DoD Guidance doesn't permit any new engineering costs for CMMC 2.0 Level 2. This is the case because of the similarities that exist under the previous Maturity Level 3 and DFARS 252.204-7012.

The remaining cost assumes that your firm handles CUI on contracts deemed critical to national security. Thus, you're subject to a triennial third-party assessment for Level 2 certification.

The DoD estimated that for a C3PAO certification (now CMMC 2.0 Level 2), one senior-level-1 employee and three journeyman-level-2 employees would each would have 5 days of per diem for travel and dedicate 57 hours each to conduct the assessment. Those hours break down into the following…

• 24 hours for pre and post-assessment support

• 32 hours for the assessment

• 5 hours for travel

The first adjustment we need to make with CMMC 2.0 is the assessment team. During the CMMC-AB October Town Hall, the Vice-Chairman, Jeff Dalton, noted that DoD informed them in August of 2021 that assessment teams would likely consist of four certified assessors. This was a pivot from the initial guidance of one certified assessor and three certified professionals.

Assuming the same number of hours but using the senior-level-1 rate of $117.08 allows us to recalculate the assessment cost using this new guidance. The new estimated C3PAO Assessment cost would be $31,694.24 ((4 senior * $117.08/hour * 57 hours = $26,694.24 + (4 employees * 5 days *250/day = $5,000 travel costs)).

The Interim Rule estimate also included the Contractor Support of the assessment.  They estimated that three senior-level-1 employees would dedicate 64 hours each to support the assessment, at a rate of $117.08 per hour, totaling $22,479.36.

Let's keep this math going. Add both the cost of the C3PAO Assessment and Contractor Support costs for the assessment. Take that number and divide it by three to annualized the triennial assessment. That final number gives you the adjusted Level 2 certification costs for CMMC 2.0. Of course, we don’t know enough about Level 3 to speculate. Thus, we will defer to the previous DoD guidance for the original Maturity Levels 4 and 5 projected costs.

• Level 1: $0

• Level 2: $18,058

• Level 3: $371,786 - $482,874

It's also important to note that the DoD estimate based their hourly assumptions on a small business. More specifically, those with limited IT personnel may not have complex information systems to manage. This assumption is key as it relates to the estimated hours a C3PAO would bill to complete the assessment.

Looking at available real world scenarios, a recent thread on Reddit disclosed quotes received by C3PAOs. These quotes ranged from $30,000 to $381,000 for a Level 2 assessment (under the new CMMC 2.0).

In the higher range, the contractor had five environments to assess independently. The key takeaway is the number of billable hours. Those are what ultimately determine price. And, the DoD figures likely understand the actual costs.

An organization seeking certification can mitigate the costs. It can do so by minimizing the number of hours the C3PAO estimates it will take them to complete the assessment. Before quoting a final price, a C3PAO will ask to review all documentation. This will allow them to accurately quote the number of hours it will take them to review the information and conduct the assessment.

To minimize billable hours, you'll need to pair your documentation. Specifically, it needs to link to scoped information systems and assessment objectives.

Etactics provides an easy-to-use solution that tracks required practice performance and stores evidence. Sign up for a free 30-day trial of our CMMC 2.0 Compliance Management solution below.

The CMMC Accreditation Body (CMMC-AB) exists to manage accreditation and certification on behalf of the DoD. In fact, much of the content I’ve referenced throughout this blog post thus far came from it.

Beyond the content aspect, though, they’re also taking their efforts a step forward by providing a marketplace.

The CMMC-AB Marketplace is a web page for DIB companies to find third-party assessors and consultants to help.

Registered Practitioners (RPs) are consultants. They paid dues to have their contact information listed in the marketplace. Aside from passing a short quiz and background check, they're not accredited by the CMMC-AB.

Certified CMMC Professionals (CCPs) are consultants that have undergone further training. Licensed Training Partners vet these individuals and the CMMC-AB grants their certification.

Subcontractors may visit the Marketplace to search for and find the following organizations…

• Authorized C3PAOs - Assessment firms that have passed a DIBCAC assessment 

• C3PAO Candidates - have not yet completed a DIBCAC assessment

• Licensed Partner Publishers (LPPs) - produce training content for LTPs

• Licensed Training Providers (LTPs) - deliver training to individuals performing services

• Registered Provider Organizations (RPOs) - consulting firms not accredited by the AB

At the time of writing, the marketplace lists well over 800 different CMMC-AB approved organizations.

Upon clicking on a listed entity, the website navigates the user to an overview page that provides contact information.

The CMMC-AB Marketplace makes it easy for subcontractors to take a look at registered entities that can help them. This centralized location is especially helpful since third-party assessments are a requirement.

In other words, the Marketplace helps evaluate each listed entity to find the right fit from a budget perspective.

There are many factors that affect the cost of a CMMC certification. The biggest factors that determine the costs associated are…

• What level you’re trying to achieve

• The complexity of your organization

• Where your cybersecurity environment currently stands

On top of the upfront costs associated with becoming CMMC certified, there are also ongoing maintenance costs. Luckily, that investment is much lower on an annual basis in comparison.