Cybersecurity Maturity Model Certification (CMMC) costs can be expensive. However, if your business has a contract with the Department of Defense (DoD), certification is a must. This applies to prime contractors and subcontractors, both large and small.
Previously, businesses could perform a self-certification assessment, but this is ending with the advent of CMMC. Beginning in January of 2020, DoD contractors will start going through third-party assessments for certification. By September of the same year, all DoD contractors will need to be certified to bid on any projects.
However, what does this mean for your business? In this article, we’ll cover what CMMC means for your company, along with the cost of being CMMC certified.
What Is CMMC?
CMMC is the standard all companies with DoD contracts need to meet in order to bid on and accept projects from the Department of Defense. It affects over 300,000 companies across the DoD supply chain.
The DoD created the CMMC framework to prevent cybersecurity breaches and protect both sensitive and non-sensitive data. Before the introduction of CMMC, contractors were responsible for implementing and monitoring security protocols, along with performing annual self-assessments.
The introduction of the Cybersecurity Maturity Model Certification changed these steps to require DoD contractors to comply with specific cybersecurity practices and for an independent third-party to perform the assessment.
The timeline for CMMC is as follows:
- January 2020: Requirements are made public for CMMC levels 1 – 5.
- January 2020: Third-party assessments will begin for DoD contractors.
- June 2020: CMMC requirements will begin being added in Requests for Information (RFIs).
- September 2020: All DoD requests for proposals (RFPs) will include CMMC requirements.
This means that by September 2020, all DoD contractors must be at least certified at Level 1 to continue working on contracts.
What Are the CMMC Levels?
There are five maturity levels that businesses must meet. These levels build on each other’s cybersecurity requirements. For example, a company must meet all the requirements of level 1 before advancing to the second tier. When a business is at level 5, all the requirements of certification are being met.
The purpose of the levels is to show the company’s ability to protect sensitive information contained in government contracts.
Level 1: Performing cybersecurity practices
Companies must have basic cybersecurity protocols in place that protect Federal Contract Information (FCI). In general terms, this is information that was generated or provided by the government but is not intended for public release.
Basic cybersecurity protocols include regularly changing employee passwords and keeping antivirus software up to date. Information that is already public does not have to meet these security regulations.
Level 2: Documenting cybersecurity practices
Once basic protocols are established, the company must implement intermediate cybersecurity practices that are designed to protect Controlled Unclassified Information (CUI). These protocols are outlined in the US Department of Commerce National Institute of Standards and Technology (NIST) Special Publication 800-171. They require businesses to establish documentation policies that help employees reliably perform cybersecurity practices.
This is considered a transitional level, primarily to help businesses get started implementing NIST security controls that pertain specifically to protecting CUI from cyber breaches.
Level 3: Managing cybersecurity practices
Good cybersecurity practices are the focus of level 3, which expands on implementing additional NIST controls. The level also goes beyond NIST protocols to include incident reporting.
A business must develop and maintain a plan that demonstrates the activities needed to implement the protocols. The plan can be expanded to include information on employee training, resources, and company cybersecurity goals.
Level 4: Reviewing cybersecurity practices
Organizations are required to review cybersecurity practices and measure their effectiveness. At this level a business can take corrective steps to fix weaknesses in the system, and report recurring issues, along with their status, to higher-level management.
Additional NIST controls are also required, along with other cybersecurity best practices.
Level 5: Optimizing cybersecurity practices
When a business reaches level 5, the cybersecurity practices must be implemented across the network and systems. Like the other levels, this one also focuses on protecting CUI. Additional cybersecurity measures might also need to be implemented.
Key Points to Remember
There are a few things businesses will want to remember about these levels.
- The levels build on each other. Every business starts at level 1 and works up the tiers.
- Organizations must meet the level requirements in both practice and process. A business with level 3 implementation but level 2 processes will be certified at the lower level.
- DoD prime contractors are responsible for requiring their third-party vendors to meet the standards for a specific CMMC level.
- Not all DoD contractors need to meet level 5 requirements. However, the level does affect the type of projects a contractor is permitted to bid on.
What Will CMMC Certification Cost?
Since CMMC certification is a new requirement, the total costs businesses could face are still being determined. What is known is that the CMMC cost will vary by certification level and could be recurring. Higher-level certification will cost more than lower levels.
Chief Information Security Officer (CISO) Katie Arrington, at the Office of the Under Secretary of Defense Acquisition & Sustainment, estimates that a company should expect to pay between $3,000 – $5,000 for CMMC level one certification. The costs will increase as the levels go up.
The difference in cost reflects the range of activities each level requires for certification. It is also reflected in the amount of time and financial resources companies may need to invest to implement the required cybersecurity protocols. For example, level 3 requires a business to meet 20 practices and three processes.
Businesses certified at levels 1 and 2 will be required to be recertified every three years. However, level 3 certification will be required biennially, and levels 4 – 5 will need to be certified every year. For some businesses, the annual CMMC costs can be prohibitive.
It is important for DoD contractors to realize that these costs are estimates. The final guidelines for the CMMC certification costs are still being decided. The good news for contractors is that the cost for CMMC certification is reimbursable, not prohibitive. It is considered an “allowable cost” which is an expense that can be billed to the DoD.
For companies that are struggling to meet compliance standards, this is also good news since remediation costs are also considered “allowable expenses”. However, this does not cover the initial cost of meeting the compliance standards for the CMMC level.
The Cost of Ignoring CMMC Certification
While you might not know the exact CMMC cost, it’s easier to figure out the price of non-certification. CMMC guidelines incorporate NIST and Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity protocols into their tiers, requiring contractors to meet these standards.
The penalties for not complying with these standards are already established and may apply to CMMC non-compliance.
Currently, non-compliance can result in criminal and civil litigation, along with fines and other penalties being levied against the business. If CUI is breached and the contractor is found to be out of compliance, the contract can be terminated and the company restricted from bidding on additional projects.
Some of the other penalties that businesses could face include:
- Loss of federal funding. Depending on the business this can be a small amount or the majority of the company’s income.
- Depending on the severity of the cybersecurity breach, a company could face government hearings.
- A company’s reputation can be damaged, sometimes beyond repair, when news of the cyber breach is made public.
- Restriction from future government contracts.
Some of these penalties directly affect your business and others more indirectly. However, whether you are required to pay a monetary fine, lose federal funding, or experience a negative impact on the company’s reputation, the business’s bottom line will suffer. Some smaller companies might not be able to survive the financial impact of a cybersecurity breach.
Getting Ahead of CMMC Costs
Businesses can avoid the fines and penalties associated with non-compliance simply by implementing and maintaining good cybersecurity protocols. While this will prevent one set of costs, there’s still the expense of meeting the CMMC standards.
However, there are some steps companies can take to help reduce the CMMC certification cost.
- Decide on the CMMC level necessary for the business. Remember, the level determines which contracts you can bid and work on. Familiarize yourself with the cybersecurity standards required for compliance.
- Create an estimate of the CMMC certification cost. The budget should include the costs for updating security policies, enhancing cybersecurity protocols, contacting a third-party assessor, leveraging applications, and other measures that apply to your business.
- Begin updating existing cybersecurity protocols to NIST standards. This is often the most expensive step for contractors in terms of time and money. However, once the protocols are in place, the contractor can be certified for level 3 compliance.
- Create a Plan of Action & Milestones (POA&M). This will help ensure continued compliance once CMMC certification is achieved, along with meeting other cybersecurity requirements.
- Begin planning for an assessment. Under CMMC guidelines, businesses can no longer perform self-assessments for certification. However, you can still perform one to check for any vulnerabilities before the third-party auditor arrives.
It is also recommended that companies stay up-to-date with the latest information about CMMC costs and guidelines.
Even if third-party technical assistance is needed to implement the necessary cybersecurity protocols, completing the steps within your own skill set can reduce the cost of hiring outside technical help.
The bottom line is that companies with current security protocols in place will probably find it easier and less expensive to meet the new CMMC standards.
If you are a DoD contractor, CMMC certification is now a requirement to continue working and bidding on government projects. The maturity model is designed to build on each tier’s security requirements to protect CUI.
Each year the federal government estimates $6 billion in losses due to compromised CUI. CMMC certification is designed to prevent this.
While businesses understand the need for stronger cybersecurity measures, it’s the cost of meeting these protocols that has them worried. This is true even though the cost of the certification audit and any remedial steps that might need to be taken are considered allowable expenses and billable to the DoD.
It’s the cost of implementing the protocols required for the CMMC level that has businesses concerned about their financial bottom line.
There are steps businesses can take to help reduce the timeframe and cost. One of these is contacting the experts at RSI Security. They are ready to answer any questions or help you get ready for an upcoming CMMC audit.