With the release of the Cybersecurity Maturity Model Certification (CMMC), government contractors have asked, “How much will certification cost?”
The Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification, has published two statements on this, which you can view in their FAQ:
- The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.
- The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
Here is what we know:
Two CMMC Costs for DoD Contractors
There are two costs that Department of Defense contractors have to be concerned about:
- The cost of the CMMC assessment.
- The cost of becoming compliant.
We do not know what either of those costs will be. The government has said that the cost of certification will be an “allowable, reimbursable cost” and that it will not be “prohibitive,” although what that means is not clear. No cost ranges or estimates have been provided. Currently, the CMMC Accreditation Body has published a survey on what people think an assessment should cost a government contractor based on their maturity / practice progression. We highly recommend you view the survey and complete it as soon as possible, as these results may determine the costs of the assessment. The CMMC-AB Pricing Survey is available at https://cmmcab.formstack.com/forms/pricing
The cost of becoming compliant, however, could very well be prohibitive.
DoD Contractors Should Get A Preliminary Assessment
Although we still do not know all the details around the assessments, we do know that conducting a self-assessment and developing policies around cybersecurity for your company and for all companies in your supply chain will help you get ahead now. The steps you take today will allow you to better spread out the costs of any supply chain fixes you need to make by the fall. If your company waits until August or September, you will likely have higher expenses than if you assess your vulnerabilities now and start making improvements.