CMMC: Because the Cost of ‘Just Compliance’ is Too High

Posted by: Tony Farinaro June 04, 2020 CMMC

As the Cybersecurity Maturity Model Certification (CMMC) initiative rolls out over the next several years, all of the 350,000+ vendors in the supply chain to the Department of Defense (DoD) must become accredited at Level 1 or higher.  Companies receive their accreditation after successfully passing an audit administered by a Certified 3rd-Party Assessment Organization (C3PAO).  Many firms, especially small-to-medium sized businesses (SMBs) that reside deep in the DoD supply chain, first ask, “What will a C3PAO audit and CMMC accreditation cost?”

Yes, accreditation will come at a price.  And yes, that cost may be reimbursable under DoD contracts that require CMMC.  But the audit and accreditation are only the tip of the certification cost iceberg.  Companies that myopically focus on the audit process simply miss the point of CMMC.

Like NIST 800-171, the current cybersecurity standard found in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC aims to mitigate cyber risk across the supply chain to the DoD.  CMMC includes practices akin to, and incorporating, NIST 800-171’s 110 cybersecurity controls.  The DoD created CMMC because, unfortunately, NIST 800-171 has proven ineffective, primarily because it has been treated as a compliance requirement rather than a risk mitigation imperative.

A compliance mindset encourages finding the least-cost solution to “check the box,” which often means failing to achieve the intended objective of mitigating risk.  Further reducing NIST 800-171’s efficacy are its provisions allowing suppliers to self-attest their compliance and treating a plan to implement a cybersecurity control as equivalent to having actually implemented it.  Self-graders may be inclined to give themselves the benefit of the doubt, and a plan to mitigate a risk will never be as effective as actually doing so.

What’s different about CMMC?

First, CMMC includes processes, which measure an organization’s cybersecurity maturity and hygiene.  Second, rather than self-attestation, a third-party auditor will verify that the necessary cybersecurity policies and capabilities associated with CMMC practices have been implemented, that they are being used, and that they are effective.  A plan to mitigate a risk, or a Plan of Actions and Milestones (POA&M), will no longer be an acceptable alternative.  To achieve certification, all required CMMC practices and processes must be implemented.

So, CMMC cost actually consists of several components, not just the C3PAO audit for accreditation.  Businesses also must account for the effort necessary to prepare for that event, and to remain vigilant in its aftermath.  They will incur hard and soft costs such as dedicating their IT and security personnel (or bringing in consulting experts), acquiring security hardware and software, building policies, and developing and continuously executing the cybersecurity capabilities associated with CMMC’s practices at whichever of the standard’s five levels they seek accreditation.

No company will find these activities and their associated costs trivial.  Many SMBs possess minimal cybersecurity infrastructure or knowledge, which makes even CMMC Level 1 a challenge.  Companies that handle controlled unclassified information (CUI) and already must meet DFARS clause 252.204-7012 also face a significant cost hurdle, even though CMMC Level 3 incorporates the 110 security controls of NIST 800-171, for two reasons:

  • CMMC Level 3 includes twenty additional practices, as well as three new processes.
  • DFARS 7012 considers members of the Defense Industrial Base compliant when they self-attest they comply with all of the 110 NIST 800-171 controls, or have POA&Ms for those with which they do not. To reiterate, CMMC eliminates the relief POA&Ms provide, which for many organizations that handle CUI today represents as much as 25 percent of the 110 controls – raising the accreditation cost bar even higher.

The range of activities required to prepare for CMMC accreditation, and the associated time, effort, and cost of those activities, makes it imperative that members of the DoD supply chain begin their journeys immediately.  Organizations that remain unconvinced should consider an additional, somewhat more opaque cost – the cost of NOT getting started now, and how it affects the CMMC return-on-investment calculation.

The Cost of Forgoing CMMC Accreditation

Think about the cost of not pursuing CMMC accreditation today that goes above and beyond DoD contractual requirements and cuts to the core of any business.  CMMC is a risk mitigation, and the risk it’s mitigating is yours.  Exfiltration of CUI results in a $600 billion annual loss.  Who paid to develop the stolen intellectual property (IP), and who bears that loss of current and future revenue from compromised IP?  You!  Independent of any DoD requirement, why wouldn’t you protect your organization’s IP, and why would you wait for the DoD to tell you that you should?

If that fact isn’t compelling enough, then remember that by the end of 2026, every DoD request for proposal (RFP) will incorporate CMMC.  Businesses that do not possess the appropriate level of CMMC accreditation identified in the RFP cannot work on the contract and will miss out on revenue opportunities, even if they lie several levels down the winning bid team’s hierarchy.  These same companies may find themselves on the sidelines prior to completion of the CMMC rollout, as primes and other upstream contractors choose to work with partners that have demonstrated a commitment to mitigate cybersecurity risk by proactively investing in CMMC. Can you afford that outcome?

Companies that understand, and take a holistic view of, the true cost of CMMC can plan accordingly, protect their interests, and gain a competitive advantage that will serve them well for years to come.