The Cost Estimation of CMMC

The Department of Defense provided new projections for how much money contractors and other organizations will have to spend to implement the Pentagon’s Cybersecurity Maturity Model Certification program (CMMC).

The updated estimates were included in a proposed rule for CMMC 2.0 that was published December 26, 2023 in the Federal Register.

The program would mandate that defense contractors and subcontractors through the entire supply chain who handle federal contract information and controlled unclassified information (CUI) implement cybersecurity standards and assess their compliance.

“The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs),” the proposed rule explains.

It is projected that more than 200,000 companies in the Defense Industrial Base (DIB) will need to pass CMMC by Oct 2025.

The Pentagon is planning for a phased implementation. It intends to include CMMC requirements in all solicitations issued on or after Oct. 1, 2026, when applicable, although waivers could be issued in certain cases before solicitations are issued.

Depending on the required security level, contractors and subcontractors will have to perform self-assessments or be evaluated by a CMMC third-party assessment organization (C3PAO) or by government assessors.

The annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be about $4 billion, calculated over a 20-year horizon. For the government, they will be approximately $10 million, according to the projections.

Costs would be incurred for related activities such as planning and preparing for the assessment, conducting the assessment, and reporting the results.

“In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” per the proposed rule.

“For CMMC Levels 1 and 2, the cost estimates are based only upon the assessment, certification, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements,” the proposed rule continues.

An important caveat is that the “DoD did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204–21, effective June 15, 2016, and by DFARS clause 252.204–7012, requiring implementation by Dec. 31, 2017, respectively; therefore, the costs of implementing the security requirements for CMMC Levels 1 and 2 should already have been incurred and are not attributed to this rule.”

CMMC Level 1

An annual Level 1 self-assessment and affirmation would assert that a company has implemented all the basic safeguarding requirements to protect federal contract information as set forth in 32 CFR 170.14(c)(2).

For Level 1, the Pentagon estimates that the cost to support a self-assessment and affirmation would be nearly $6,000 for a small entity and about $4,000 for a larger entity.

CMMC Level 2

Triennial Level 2 self-assessments and affirmations would attest that a contractor has implemented all the security requirements to protect CUI as specified in 32 CFR 170.14(c)(3). A triennial Level 2 certification assessment conducted by a C3PAO would verify that a contractor is meeting the security requirements.

“A CMMC Level 2 assessment must be conducted for each [organization seeking certification] information system that will be used in the execution of the contract that will process, store, or transmit CUI,” the proposed rule notes.

A Level 2 self-assessment and related affirmations are estimated to cost over $37,000 for small entities and nearly $49,000 for larger entities.

“Receipt of a CMMC Level 2 Final Certification Assessment for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 Certification Assessment. A CMMC Level 3 Certification Assessment, conducted by [the Defense Contract Management Agency] Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), verifies that an [organization seeking certification] has implemented the CMMC Level 3 security requirements to protect CUI as specified in 32 CFR 170.14(c)(4),” per the proposed rule.

A Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities.

CMMC Level 3

A triennial Level 3 certification assessment would have to be conducted for each company information system that will process, store, or transmit CUI in the execution of the contract.

Level 3 certification would require “implementation of selected security requirements from NIST SP 800–172 not required in prior rules. Therefore, the Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required selected NIST SP 800–172 requirements,” according to the proposed rule.

Level 3 standards are expected to apply only to a “small subset” of defense contractors and subcontractors, the proposed rule states.

The total cost of a Level 3 certification assessment includes the expenses associated with a Level 2 certification assessment as well as the outlays for implementing and assessing the security requirements specific to Level 3.

Small Organizations

For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the security mandates for Level 3 are $490,000 and $2.7 million, respectively. The projected cost of a certification assessment is more than $10,000.

Larger Organizations

For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000.

Getting Started

For more information on how Jivoo can help your organization prepare for a CMMC audit and maintain CMMC compliance over time, along with the changes from NIST SP 800-171 r2 to r3, download our CMMC Report.

Steve Fowler

Founder of Jivoo
