The requirement to implement the 110 cybersecurity controls in NIST SP 800-171 has been in place since the end of 2017. Because the DoD wasn’t aggressive in enforcing it, most contractors need to catch up to where they should have already been by 2017, plus the additional requirements that have been added to CMMC. There is no leeway in CMMC—a perfect assessment result is required for certification.
When CMMC was published in the Federal Register, it was stated that organizations that process CUI, and are therefore required to pass a CMMC Level 3 assessment, would pay $51,095.60 in TOTAL costs to cover BOTH the CMMC assessment AND the anticipated remediations. This amount was reached based on the assumption that “Contractors pursuing a Level 3 Certification should have already implemented the 110 existing NIST SP 800-171 security requirements” as was required, meaning that the incremental steps to CMMC would not cost much. That ignored the 2019 DoD Inspector General audit of defense contractors, which showed that a whopping 90% of the contractors that had self-assessed their NIST 800-171 implementation failed the audit.
Recent proposals for CMMC Level 3 assessments for two small companies, with fewer than 50 employees each, have averaged $155,000, not counting the costs of any remediation. At a recent IT security conference where I spoke, MSPs said they were seeing the need for over $100,000 in remediation costs alone for small clients to comply with CMMC.
One reason for higher assessment costs may be the CMMC-AB’s position that CMMC assessments will include home inspections for any employees working remotely, which the DoD subsequently said had not yet been decided.
CMMC board member Regan Edens said in a CMMC Town Hall that “[You] should be prepared for some sort of sampling of an organization that is doing distributed workforce for remote reasons will also have to be inspected in their work environment, whether that’s home or a rented office or any other facility.” This was soon countered by the head of the DoD’s Project Management Office, Stacy Bostjanick, who said, “We are in the process of clarifying the requirements for telework through the CIO’s office and will publish the clarification through the DoD website. The DoD is the responsible authority for setting cybersecurity requirements for the DIB sector and responsible for providing clarification and responses.”
When the CMMC-AB announced its participation levels, I signed up and sent $1,000 to get in line to become a C3PAO, plus an additional fee to become a CMMC-AB Registered Practitioner. I had budgeted the costs of training and certification for me, along with the fees and costs for our small organization to become accredited. The CMMC-AB said in its most recent Town Hall that the DoD is now likely to require that C3PAOs employ at least four assessors to qualify for the program. Talk about moving the goalposts! There was no mention of returning application fees for smaller organizations that cannot meet that new requirement.
How many small businesses can afford a quarter-million dollars for an assessment and remediation to qualify themselves for defense contracts? Small business owners may simply decide it is not worth the expense based on the revenue they earn from defense contracts, meaning that the defense industry will lose critical suppliers.
The white paper “The CMMC: Not the Right Way to Fix the DIB Security Crisis,” co-authored by Chris Golden, a founding board member of the CMMC-AB, states, “The current course of action is not only unsustainable but also not cost effective for the DIB. And if not quickly given other alternatives and/or support, many thousands of smaller companies will be forced to leave the DIB because they will be unable to comply with CMMC requirements.” The authors recommend a secure centralized cloud environment to house all CUI as a cheaper and more effective solution than requiring over 300,000 defense contractors to each implement separate secure environments.
I am currently working with a defense contractor that is very frustrated with the amount he is investing to implement NIST 800-171 to qualify for new contracts, even though he is just catching up to where he was supposed to be in 2017. He has been surprised to learn that the cloud services and security tools he has been using must be replaced with more expensive solutions that meet federal government standards.