CMMC: Costs Are Going Up
Posted on December 6, 2019 by Nicholas Bukowski
The Impending Cost of CMMC Compliance for DoD Contractors
As many in the Department of Defense (DoD) Contractor community have already heard, Uncle Sam is rolling out cybersecurity requirements for all DoD Contractors, whether you’re a Prime or a Subcontractor, a Large or a Small business. If you plan to do business with the DoD, you must go through a cybersecurity assessment and become certified. The days of self-certification are coming to an end. This soon-to-be-codified requirement is known as the Cybersecurity Maturity Model Certification (CMMC). As the Federal Government attempts to curb the ever-growing cost of cyber-crime, it wants to better protect not just classified information within the Government and the DoD Contractor community, but also the Controlled Unclassified Information (CUI) handled there. You can get an in-depth look at the background and history of protecting CUI and the subsequent advent of CMMC here:
Timeline for the CMMC Rollout
Beginning September 2020 and going forward, all DoD contractors will be required to become certified to at least CMMC Level 1 (basic cybersecurity hygiene), with many contractors facing higher-level requirements, depending on the contract and the amount of CUI a company handles. The Government has indicated that: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified” (www.acq.osd.mil/cmmc/faq.html). Being an “allowable cost” doesn’t equate to being free. Simply put, this means that if a contractor only has cost-reimbursable contracts, then the cost of the assessment will likely be recorded in its General & Administrative (G&A) or Overhead cost pool and reimbursed by the Government through invoicing for its indirect rates. However, for contractors with mainly Time-and-Materials (T&M) or Firm-Fixed-Price (FFP) contracts, the additional cost of certification will not be directly reimbursable or recoverable.
So how much is this certification going to cost DoD Contractors?
According to Ms. Katie Arrington, Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), a Level 1 CMMC Assessment will likely cost in the range of $3,000 to $5,000, and the costs will progressively increase for higher CMMC levels. CMMC certification is not going to be a “one-and-done” process, but rather a recurring requirement. While not entirely codified, Arrington also mentioned at the October 16th Cyber Resilience Summit that certification will be required every 3 years for CMMC Levels 1 and 2, whereas CMMC Levels 4 and 5 will require annual certification. Certification for CMMC Level 3 will likely be biennial (every 2 years), although this is still being determined.
Regardless of DoD Contractor size, there’s no question that CMMC is going to make doing business with the DoD more expensive. These additional costs will likely show up in the form of higher prices in proposals going forward, since RFPs will specify the minimum CMMC level required even to propose. That said, every competitor will be bearing certification costs, as all will have to be certified, so no one contractor is singled out. So far, though, we’ve only discussed the cost of the certification itself, and with the assumption that a contractor will easily pass the CMMC level that is required of it.
But what if a DoD Contractor fails its required certification level?
How much would it cost to remediate any cyber deficiencies? I believe the real burden of this upcoming requirement will fall on those companies whose cyber hygiene is inadequate for their required CMMC Level. Not only could it become quite costly for those contractors to fill any cybersecurity gaps, but it could also take a prolonged amount of time to implement the necessary changes, as CMMC will effectively eliminate the practice of maintaining compliance by means of a Plan of Action & Milestones (POA&M). POA&Ms have been used to document a company’s cybersecurity deficiencies and lay out a detailed, dated plan of steps to fix them. Under the new CMMC framework, any noncompliance will have to be fixed prior to certification, with POA&Ms no longer sufficing. I foresee this being a heavy burden, especially for smaller DoD contractors who lack the resources and/or knowledge to become compliant on their own. These contractors should be examining their cybersecurity posture now to prepare for CMMC. If gaps exist in their cybersecurity, they will need to find those gaps, implement changes and then get certified to the appropriate CMMC Level, all before they can bid on any new RFPs that drop after September 2020.
At Blue Mantle Technology, we have extensive experience implementing cybersecurity compliance on large Government programs. We have cyber professionals with a wealth of knowledge regarding NIST SP 800-171 (the core of the CMMC framework) and would love to be a resource for you. We bring military-grade cybersecurity expertise to the small business while helping you control your CMMC compliance-related costs. Schedule a free consultation today!