Cutting the Costs of CMMC with Lazarus Alliance

The new CMMC rule proposal is out, and some organizations are getting their first introduction to the cost of doing business in the federal sector. The rule includes several estimates of the total cost of adopting the framework for small and larger businesses.

But is this the final word? We break down some of these costs, where they come from, and how we can help you reduce expenses on CMMC.


The New CMMC Rule (CMMC 2.0)

The proposed Cybersecurity Maturity Model Certification (CMMC) rule released by the Department of Defense in December 2023 aims to ensure that defense contractors and subcontractors comply with existing information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The key aspects of the CMMC 2.0 program include:

The CMMC 2.0 framework has been streamlined to allow for self-assessment at some levels. Specifically, contractors handling FCI at CMMC Level 1 can perform self-assessments annually, as can some (very limited) Level 2 contractors.

CMMC also crystallized the three levels of maturity that make up the standard:

  • Level 1: This level requires basic safeguarding of FCI, verified through self-assessment.
  • Level 2: This level focuses on protecting CUI and requires adherence to the 110 security requirements of NIST SP 800-171. Depending on the contract, Level 2 compliance can be verified through either self-assessment or certification by a third-party assessment organization (C3PAO), with self-assessments needing to be performed triennially.
  • Level 3: This level is for the highest priority CUI and includes the 24 security requirements of NIST SP 800-172 and NIST SP 800-171. 

Flexibility and Cost Reduction: Self-assessments for Levels 1 and some Level 2 contracts are intended to reduce overall program costs. For Level 3, government assessors will conduct assessments to minimize costs to the industry.


The Ongoing Costs of CMMC Compliance

Costs will be one of the more important aspects of working toward CMMC compliance. As part of the new proposed rule, the Department of Defense provides several estimates of ongoing costs for small and larger businesses. For this report, these designations follow the Small Business Administration’s definition of a “small business” as one with 500 or fewer employees that falls under particular revenue requirements.

These estimates reflect feedback received during the CMMC 1.0 cycle, when contractors reported that the original estimates were significantly too low.

The numbers here are revealing:

  • The DoD expects most organizations (over 56,000 small entities and over 19,000 larger entities) to enter Level 2 Certification.
  • The costs for Level 2 Certification (non-self-assessment) are expected to top $100,000 for small businesses and $117,000 for larger businesses.

These estimates aren’t particularly surprising. Organizations cannot handle Controlled Unclassified Information (the primary goal of CMMC) until they reach Level 2. While self-assessments are allowed under certain circumstances, most businesses entering Level 2 will work with a C3PAO for certification. The massive jump in costs for a Level 2 certification reflects these facts and the leap in requirements (an almost tenfold increase from Level 1).

Estimated Number of Entities Seeking Compliance

Assessment Context                   Small     Other than Small   Total     Percent
Total, Small Entities              103,010        36,191         139,201     63%
Level 2 Self-Assessment              2,961         1,039           4,000      2%
Level 2 Certification Assessment    56,689        19,909          76,598     35%
Level 3 Certification Assessment     1,327           160           1,487      1%
Total                              163,987        57,299         221,286    100%
Percent                                74%           26%            100%


CMMC Certification Costs

Assessment                             Total Estimated Cost, Small Entities   Total Estimated Cost, Larger Entities
Level 1 Self-Assessment (Annual)                  $5,977                                $4,042
Level 2 Self-Assessment (Triennial)              $37,196                               $48,827
Level 2 Certification (Triennial)               $104,670                              $117,768
Level 3 Certification (Triennial)                $12,802                               $44,444


Revising the Cost of Compliance

Are these the final costs that every business should expect? No.

These costs reflect several different issues that the DoD recognizes as challenges for compliance:

  • Outsourced IT Services: External IT service providers are allowed, but depending on the extent of the services required, they can add significant costs.
  • Increased Preparation Time: The total time contractors spend preparing for the assessment has increased. This includes time allocated for understanding and learning the reporting and affirmation processes necessary for compliance.
  • Consulting Firm Assistance: The estimates include provision for consulting firms to assist with the assessment process, including the preparation and execution phases.
  • Senior Management Review: A senior-level manager will review the assessment and affirmation results before submission, ensuring the findings are accurate and comprehensive.
  • Updated Labor Rates: Government and contractor labor rates have been updated to include applicable burden costs, reflecting current market conditions more accurately.

By incorporating these elements, the CMMC 2.0 cost estimates aim to provide a more accurate and realistic picture of the financial impact on organizations seeking certification.


Cutting CMMC Certification Costs in Half with Lazarus Alliance

That being said, we understand that seeing the hard numbers can raise some eyebrows. Even as the DoD anticipates an explosion of small businesses adopting CMMC requirements, those businesses may see these costs as too high, too much, or simply not worth the cost of doing business.

These estimates don’t reflect modernization in compliance, the innovations that save time and money. Cloud compliance and managed security are the cornerstones of modern CMMC alignment, and organizations looking at the DoD figures would do well to understand that landscape.

Lazarus Alliance and Continuum GRC lead the industry in expert, streamlined services, including:

  • Deep Security Expertise: We have decades of collective experience working with cybersecurity and compliance in the federal sector, and we’ve led the way in pursuing our status as a fully automated C3PAO.
  • Cloud- and AI-Powered Tools: With the Continuum GRC platform, you can streamline compliance through always-on reporting and monitoring tools and our internal A.ITAMS system that automates technical writing for compliance.
  • Competitive Rates: Due to our experience and automation tools, we can significantly cut the estimated prices for CMMC compliance.

To learn more, contact us.
