The latest release of the Cybersecurity Maturity Model Certification (CMMC) has many manufacturers who do business either directly or downstream with the Department of Defense reeling with questions and concerns. We hear questions such as:
- Do I need to be CMMC compliant?
- What level of CMMC applies to me?
- What if I do not comply?
- Does it apply to my whole organization or only the people who touch the CMMC protected information?
- How long does it take to become CMMC Compliant?
- And the list goes on…
The most common question that we hear, however, is "What does it cost to become CMMC compliant?" This is a difficult question to answer because every organization is different and has a different set of security controls already in place. Below we walk through the phases of becoming compliant and the approximate investment for each.
Phase 1 – Assessment
To begin to understand what the cost of becoming CMMC compliant will be, you must undergo a CMMC gap assessment. This process takes your organization through the controls that apply to it based on your required level of compliance (see What level of CMMC applies to me?). The majority of manufacturers we work with need to be Level 2 compliant because they process, store or transmit Controlled Unclassified Information (CUI), so we will focus on Level 2 in this analysis.
A gap assessment is a personalized process that shows you where your gaps are and includes a recommended solution (remediation) for each gap. The project to review the 110 controls of CMMC Level 2 usually takes between 60 and 90 days and costs between $15k and $20k. The results of the assessment give you what you need to move forward with remediating your gaps and becoming compliant.
Phase 2 – Remediation
This phase varies the most from organization to organization because the results of the gap assessment depend on your current cybersecurity maturity and on whether you have already been following NIST SP 800-171, the standard on which CMMC Level 2 is based. During this phase you will need to implement the technical controls that are missing, write any of the 35 policies required for CMMC Level 2 that you do not yet have, and put in place the other processes the program requires.
Depending on where you are starting from, this could cost from $20k to $100k+ if you are starting from scratch. The real sticking point in this phase is the timeline. Again, depending on what needs to be done, this could take 6 to 18 months to complete based on your starting point, your internal resources, and your budget.
Phase 3 – Operationalization
The key to CMMC, or any compliance program, is that it is not a "one-time" event. Becoming compliant is only half of the battle; staying compliant is the other half. Many of the CMMC Level 2 controls require ongoing services to ensure that CUI is being kept safe. Items such as 24/7/365 threat monitoring, regular vulnerability scanning, regular penetration testing, and employee awareness training require you to show not only that you have done them once, but that you are doing them regularly and acting on the results. Additionally, many of the controls require that your network controls stay current and that your organization continues to adhere to its written policies. A manufacturer will often rely on a managed security services provider (MSSP) to do these things by managing its network and performing the regular ongoing tasks. While the figure depends on the many factors that go into a comprehensive managed security program, you can expect to invest between $250 and $350 per employee per month for a program that covers these controls and services.
While there is a significant investment in becoming CMMC compliant, if you do business directly or downstream with the Department of Defense (DoD), there is no alternative.
Hopefully, understanding the approximate investment in becoming compliant gives you enough information to decide whether it is worth it for your organization. We have found that some manufacturers whose DoD work is sporadic and not a regular part of their revenue decide to jettison that business and focus on other clients. However, if your DoD work makes up an important percentage of your revenue and enables your organization to succeed, you must find a way to make it work.
If you would like to speak with one of our CMMC experts to help determine the right path for your organization, request a consult today.