The Cybersecurity Maturity Model Certification (CMMC) framework, developed by the Department of Defense (DoD), is designed to enhance the protection of controlled unclassified information (CUI) within the Defense Industrial Base (DIB) sector. This requirement is expected to be enforced starting in Quarter 1 of 2025, with a rollout over 5 years in which one-fifth of all DoD contracts will require CMMC each year. We will explore the various facets of how CMMC compliance can impact your company's economic health.
How do I know if I need CMMC?
All DoD contractors, sub-contractors, and support companies will be required to be at least CMMC level one. This is determined by whether the company handles any Federal Contract Information (FCI). Most contractors, sub-contractors, and support companies that have access to Controlled Unclassified Information (CUI) are required to be CMMC level 2. There is also level 3 compliance, but this applies to a more limited set of companies and has much higher security and data control requirements.
The Cost of CMMC
Achieving CMMC compliance involves significant upfront investments. Companies need to assess their current cybersecurity posture, identify gaps, and implement the necessary controls. This may include upgrading IT infrastructure, purchasing new security software, changing the current corporate culture, and hiring cybersecurity experts. These expenses can be substantial, especially for small and medium-sized enterprises (SMEs). In addition, any company that supports a DoD contractor or subcontractor needs to be CMMC compliant. This includes Managed Service Providers that support those companies.
The cost to be prepared for a CMMC assessment can range anywhere from $20,000 up to the $100,000s, depending on the scope of the project. This is why it is critical to have a well-defined scope of what is required to be protected. Such a scoping project needs to be the first step toward compliance and cost management.
In addition to the upfront cost, there is the cost of the assessment itself. This needs to be done by an independent third party known as a C3PAO (Certified Third-Party Assessor Organization). These costs can range from $15,000 up to the $100,000s depending on the scope and size of the company being assessed. The larger the scope, the greater the expected cost.
Then there is the ongoing cost of compliance, which a company should plan for. These costs include maintenance of security environments, any secure cloud environments, and physical environments. They should be expected to be anywhere from $1,000 to $5,000 per month per user, depending on needs, scope, and the amount of CUI (Controlled Unclassified Information) being protected.
The Cost of Non-Compliance
If a company decides not to pursue CMMC compliance, it will not be able to pursue DoD contracts in the future. Non-compliance will also prevent sub-contractors and support companies from being able to service those contracts and companies. For companies heavily reliant on defense contracts, failing to achieve CMMC certification can be economically devastating.
If you are an MSP or IT service provider to DoD-contracted companies, DoD rule 32 CFR 170, Section 170.19, paragraph 5 states, “If an OSA (Organization Seeking Assessment) utilizes an ESP (External Service Provider), other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking.” The Cyber AB has confirmed that MSPs do fall under the ESP standard.
The Value of CMMC
Though CMMC has a high initial investment cost and a substantial ongoing cost, there are many advantages to having a CMMC certification. Because of its high cost, it creates a barrier to entry for competitors, giving your company an advantage in the marketplace. It is also possible to raise the rates you charge the government in reasonable proportion to the increased burden on your company.
Bio: Ken Fanger is a CMMC Registered Practitioner and has been working on CMMC compliance since 2019. If you would like to learn more about CMMC or request our CMMC Explained, please reach out here: https://ontechnologypartners.com/dod-contractor-contact-form/. Follow Ken on LinkedIn here: https://www.linkedin.com/in/ken-fanger-42502b5/.