Many of you might be asking yourself, “How expensive is getting CMMC level 3 certified going to be?” This blog is dedicated to helping you understand the many different factors that go into pricing. But first, please remember that the DoD (Department of Defense) has now added cyber security as a 4th pillar to the requirements for contracting organizations. They are now allowing the cost of compliance to be factored into the quote. Because all contractors will be required to do this same scope of work, their costs for competitive bids should neutralize each other, and a lower-cost bidder that does not adhere to the same security standards as the others is no longer rewarded. The CMMC AB does not control pricing in any way.
Now here is the kicker: this is going to be expensive, people. There is no getting around it and no, I cannot give an accurate price at this time. It could be $30,000, $50,000, or north of $100,000 depending on scoping factors. I do not believe anyone has done an excellent job at explaining the “why” behind this. So, allow me to try as plainly as I can:
- There will be an incredibly small pool of certified assessors to service the over 300,000 contractors in search of CMMC certification (thus driving costs up due to supply and demand constraints).
- There is a monetary cost to all assessing persons and organizations that get certified by the CMMC AB board. To register as a C3PAO (Certified Third-Party Assessment Organization) or an RPO (Registered Provider Organization), a company must spend thousands of dollars to register in the marketplace, including sponsoring each of its appropriate staff members to obtain each of the certification levels on the way to level 3. When all is said and done, the credentialing cost to the assessment company will be tens of thousands of dollars.
- Security assessment professionals are also expensive individuals to employ. An assessment may require multiple people on the team, which means multiple expensive people.
- Travel is a bear. All CMMC assessments will have some onsite components to assess physical controls as well as to conduct interviews and shoulder surf employees of the government contractor in question.
- Travel is still a bear. If you have a few findings, agreed upon by the assessor, that could be remediated within 90 days, then a second Delta Assessment would need to be performed, creating a second travel event and the cost that goes with it.
- If your CUI (Controlled Unclassified Information) or FCI (Federal Contract Information) is everywhere, the environment the auditor must look at becomes much more expansive.
- They say there are only 130 controls for level 3, right? Well, that can be misleading. Let’s look at all the points an auditor will have to look at for level 3.
- 130 controls
- Times 3 different aspects of each practice (performed, documented, and managed) = 390 points of interest to look at
- Times 2 different types of objective evidence for each of those = 780 items for an auditor to look at and record. This is going to take some time, people.
- A Certified Level 3 Assessor will have to gather at least 2 pieces of evidence supporting the “pass” status for the process and practice of each of the 130 practices for level 3. This is 780 pieces of evidence that will need to be viewed, gathered, and cataloged, which is very time consuming. Interviews, artifacts such as screenshots, and testing all count as forms of evidence; any 2 of the three will suffice.
- Assessing organizations will be upping their insurance coverage, upping their own security practices, and investing in tools and products to help facilitate this process. That comes at a cost.
- The larger the organization that is being assessed, the larger the cost will be.
Taking on the CMMC Level 3 certification engagement is like taking your ACT for college. You want the best score possible, so you study and fix as much as possible before you actually sit down (when it counts). The CMMC AB recommends that you have a pre-audit. There are no minimum training requirements for whoever performs it, but an RP (Registered Practitioner) or CA (Certified Assessor) is preferred. This practice run should do three things.
- Lay out the data mapping and scope of the CUI or FCI environment.
- Perform a gap analysis against CMMC certification level 3 controls and identify what needs to be addressed and then address it.
- Gather evidence of compliance for each practice and process. The more you gather upfront to make your auditor's life easier, the less time they will need to take up.
I am trying to lay out a realistic expectation here. The days of assessments being under $10,000 are over. It is as simple as that. Although the cost is supposed to be recouped in your reply to the RFP, it is important for you to realize all the minute details that go into costing these assessments out. As far as how a contractor should plan for budgeting… I can give you the categories, just not the amounts, because pricing will vary.
$ Pre-audit gap analysis of all 130 practices and processes
$ Implement remediations and fixes for all the gaps identified in the Plan of Actions and Milestones. All must be fully addressed before the actual audit occurs.
$ CMMC Third-Party Audit based on scoping and work plan (looks at over 780 items).
We hope this helps you to understand some of the costs associated with CMMC compliance, and we are here to help! If you have any further questions, please feel free to contact us.
F1 Solutions: https://www.f1networks.com/
Jennifer VanderWier/CISO