
Cutting the Costs of CMMC with Lazarus Alliance

The new CMMC rule proposal is out, and some organizations are getting their first introductions to the cost of doing business in the federal sector. This new rule includes several estimates for the total costs of adopting the framework for small and larger businesses. 

But is this the final word? We break down some of these costs, where they come from, and how we can help you reduce expenses on CMMC.


The New CMMC Rule (CMMC 2.0)

The proposed Cybersecurity Maturity Model Certification (CMMC) rule released by the Department of Defense in December 2023 aims to ensure that defense contractors and subcontractors comply with existing information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The key aspects of the CMMC 2.0 program include:

The CMMC 2.0 framework has been streamlined to allow for self-assessment at some levels. Specifically, contractors handling FCI at CMMC Level 1 can perform self-assessments annually, as can some (very limited) Level 2 contractors.

CMMC also crystallized the three levels of maturity that make up the standard:

Flexibility and Cost Reduction: Self-assessments for Level 1 and some Level 2 contracts are intended to reduce overall program costs. For Level 3, government assessors will conduct the assessments to minimize costs to industry.


The Ongoing Costs of CMMC Compliance

Cost will be one of the more important aspects of working toward CMMC compliance. As part of the new proposed rule, the Department of Defense provides several estimates of ongoing costs for small and larger businesses. For this report, these designations follow the Small Business Administration’s definition of a “small business” as one with 500 or fewer employees that falls under particular revenue thresholds.

These estimates reflect feedback received during the CMMC 1.0 cycle, when contractors reported that the original estimates were significantly too low.

The numbers here are revealing:

These estimates aren’t particularly surprising. Organizations cannot handle Controlled Unclassified Information (the primary focus of CMMC) until they reach Level 2. While self-assessments are allowed under certain circumstances, most businesses entering Level 2 will work with a C3PAO for certification. The massive jump in cost for a Level 2 certification reflects these facts and the leap in requirements (an almost tenfold increase from Level 1).

Estimated Number of Entities Seeking Compliance

| Assessment Context | Small | Other than Small | Total | Percent |
|---|---|---|---|---|
| Total, Small Entities | 103,010 | 36,191 | 139,201 | 63% |
| Level 2 Self-Assessment | 2,961 | 1,039 | 4,000 | 2% |
| Level 2 Certification Assessment | 56,689 | 19,909 | 76,598 | 35% |
| Level 3 Certification Assessment | 1,327 | 160 | 1,487 | 1% |
| Total | 163,987 | 57,299 | 221,286 | 100% |
| Percent | 74% | 26% | 100% | |


CMMC Certification Costs

| | Level 1 Self-Assessment (Annual) | Level 2 Self-Assessment (Triennial) | Level 2 Certification (Triennial) | Level 3 Certification (Triennial) |
|---|---|---|---|---|
| Total Estimated Cost, Small Entities | $5,977 | $37,196 | $104,670 | $12,802 |
| Total Estimated Cost, Larger Entities | $4,042 | $48,827 | $117,768 | $44,444 |


Revising the Cost of Compliance

Are these the final costs that every business should expect? No.

These costs reflect several different issues that the DoD recognizes as challenges for compliance:

By incorporating these elements, the CMMC 2.0 cost estimates aim to give a more accurate and realistic picture of the financial impact on organizations seeking certification.


Cutting CMMC Certification Costs in Half with Lazarus Alliance

That being said, we understand that seeing the hard numbers can raise some eyebrows. Even as the DoD anticipates an explosion of small businesses adopting CMMC requirements, those businesses may see these figures as too high or simply not worth the cost of doing business.

These estimates don’t reflect modernization in compliance: innovations that save both time and money. Cloud compliance and managed security are the cornerstones of modern CMMC alignment, and organizations weighing the DoD figures would do well to understand that landscape.

Lazarus Alliance and Continuum GRC lead the industry in expert, streamlined services, including:

To learn more, contact us.