Cost of Compliance with CMMC and NIST-171

The Cybersecurity Maturity Model Certification (CMMC) is a new initiative by the US Department of Defense (DoD) to raise the security maturity of the Defense Industrial Base (DIB). Historically, compliance with NIST 800-171 has been low, so the DoD introduced the CMMC, which requires third-party audits for certification, to address this issue.

While the CMMC is still in the early stages and no defense contracts require CMMC compliance, many organizations are looking to start the compliance process to be ready for when CMMC compliance becomes mandatory. A critical part of this process is identifying CMMC costs.

What Dictates the Cost of Compliance?

The CMMC is not a “one size fits all” compliance certification. Every organization is unique and can expect to have different costs for compliance. Some of the main factors that impact CMMC’s cost include:

• Size of the Organization: CMMC affects all contractors on a defense contract, meaning that even small organizations may be forced to achieve CMMC compliance. In general, the larger the organization, the more it will cost to achieve and maintain CMMC compliance.
• Compliance Targets: CMMC defines five compliance levels (with Level 1 being the easiest). Level 3 CMMC compliance is roughly equivalent to full NIST 800-171 compliance. According to Katie Arrington, Chief Information Security Officer for the Office of the Under Secretary of Defense Acquisition and Sustainment (OUSD A&S), the cost of Level 1 compliance is estimated to be between $3,000 and $5,000, and higher levels will cost more.
• Scope of CUI Access: CMMC is designed to protect confidential unclassified information (CUI). While an organization’s exposure to CUI dictates the required level of CMMC compliance, the number of users, systems, etc. with access to CUI also has an impact. The more widely CUI is used in the organization, the greater the cost of compliance will be.
• Current Security Maturity: CMMC was created to address lagging compliance with NIST 800-171, which allowed organizations to self-certify their compliance. Defense contractors that are largely compliant with NIST 800-171 can expect to have lower CMMC adoption costs than non-compliant organizations seeking CMMC certification.

How Much Will CMMC Cost?

With all of these factors, setting a price tag on CMMC compliance is difficult. One estimate assumes a 250-person organization with multiple sites and a centrally-managed CMMC program targeting Level 3 CMMC compliance (which the DoD wants most contractors to achieve in the long run).

Under these assumptions, an organization that is largely compliant with NIST 800-171 can expect to spend $35,000-$100,000 for consulting and auditing plus the cost of fixing any compliance issues. A less mature organization could expect to spend $40,000-$130,000 in consulting and auditing plus as much as $100,000 to remediate compliance gaps.

These numbers are estimates and can vary greatly depending on an organization’s unique situation. However, it is important to note that CMMC states that “allowable costs’ for compliance may be billed to the DoD. While the precise definition of “allowable costs” is not yet defined, this may help to offset some of the costs of compliance (such as the cost of engaging a CMMC auditor).

How Can I Get Started With Getting Compliant With NIST-171 and CMMC?

To achieve CMMC compliance, an organization first needs to have a clear understanding of its current compliance status and what it needs to do to achieve full compliance. This means that the first step in the process of achieving CMMC compliance is to undergo a compliance readiness inspection.

This gap assessment identifies where an organization’s current compliance strategy and security controls are falling short and develops a remediation strategy. To get started with CMMC compliance, contact us.