The cost of a CMMC Security Certification will vary depending on several criteria, including:
- The specified CMMC level in the contract(s) you intend to pursue
- The maturity of your current IT and cybersecurity infrastructure relative to your target CMMC level
- Your organization’s size and complexity (number of locations, etc.)
- The size and scope of the CUI you deal with (how many people handle CUI, how much CUI you exchange with other DIB companies or government agencies, how many databases store CUI, etc.)
- Costs of consultation and other hiring/outsourcing expenses incurred in preparation for the CMMC assessment
- Expenses associated with meeting specific CMMC standards, such as the costs of making your email and file-sharing services CMMC compliant or migrating to “government cloud” versions.
- The cost of hiring a Certified Assessor will be largely determined by market forces.
Of course, what the Department of Defense considers “allowable expenses,” which might include audit charges as well as many of the preparatory costs listed above, will play a significant role in the ultimate cost. Allowable costs are expenses that a contract defines as chargeable to the Department of Defense. “The cost of certification will be deemed an admissible, reimbursable cost and will not be prohibitive,” according to the Office of the Under Secretary of Defense for Acquisition and Sustainment. This should cover services such as assessment and readiness work, as well as remediation efforts.
A “typical 250-person engineering/manufacturing firm” with “a reasonably mature, NIST SP 800-171 compliant” environment today and pursuing CMMC Level 3 certification can expect to pay $15,000 to $35,000 in consulting costs for a CMMC gap/readiness assessment, plus up to $10,000 for gap remediation support, according to well-informed estimates.
The hard expenses of meeting the criteria can vary considerably. The cost of migrating from the commercial edition of Office 365 to an Office 365 for Government subscription, for example, might be $50,000 or more in consultancy fees alone, whereas adding end-to-end encryption to an existing O365 environment could cost significantly less.
Companies with less mature environments that are currently outside of NIST SP 800-171 compliance will need to spend more on consultancy and on investments to prepare for certification (e.g., multifactor authentication, mobile device management, log monitoring, security awareness training, etc.). The price could range from $20,000 to $60,000 or even $100,000.