The Department of Defense provided new projections for how much money contractors and other organizations will have to spend to implement the Pentagon’s Cybersecurity Maturity Model Certification program.
The updated estimates were included in a proposed rule for CMMC 2.0 that was published Tuesday in the Federal Register.
The program would mandate that defense contractors and subcontractors who handle federal contract information (FCI) and controlled unclassified information (CUI) implement cybersecurity standards at one of several levels, depending on the type and sensitivity of the information, and assess their compliance.
“The CMMC initiative will require the Department of Defense to identify CMMC Level 1, 2, or 3 as a solicitation requirement for any effort that will cause a contractor or subcontractor to process, store, or transmit FCI or CUI on its unclassified information system(s). Once CMMC is implemented in 48 CFR, DoD will specify the required CMMC Level in the solicitation and the resulting contract,” the proposed rule explains.
More than 200,000 companies in the defense industrial base could be affected by the rule.
The Pentagon is planning a phased implementation. It intends to include CMMC requirements in all applicable solicitations issued on or after Oct. 1, 2026, although waivers could be granted in certain cases before a solicitation is issued.
Depending on the required security level, contractors and subcontractors will have to perform self-assessments, be evaluated by a CMMC Third-Party Assessment Organization (C3PAO), or be evaluated by government assessors.
Costs would be incurred for related activities such as planning and preparing for the assessment, conducting the assessment and reporting the results.
“In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” per the proposed rule.
“For CMMC Levels 1 and 2, the cost estimates are based only upon the assessment, certification, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements,” it notes. “DoD did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204–21, effective June 15, 2016, and by DFARS clause 252.204–7012, requiring implementation by Dec. 31, 2017, respectively; therefore, the costs of implementing the security requirements for CMMC Levels 1 and 2 should already have been incurred and are not attributed to this rule.”
An annual Level 1 self-assessment and affirmation would assert that a company has implemented all the basic safeguarding requirements to protect federal contract information as set forth in 32 CFR 170.14(c)(2).
For Level 1, the Pentagon estimates that the cost to support a self-assessment and affirmation would be nearly $6,000 for a small entity and about $4,000 for a larger entity.
Triennial Level 2 self-assessments and affirmations would attest that a contractor has implemented all the security requirements to protect CUI as specified in 32 CFR 170.14(c)(3). A triennial Level 2 certification assessment conducted by a C3PAO would verify that a contractor is meeting the security requirements.
“A CMMC Level 2 assessment must be conducted for each [organization seeking certification] information system that will be used in the execution of the contract that will process, store, or transmit CUI,” the proposed rule notes.
A Level 2 self-assessment and related affirmations are estimated to cost over $37,000 for small entities and nearly $49,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations). A Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations).
“Receipt of a CMMC Level 2 Final Certification Assessment for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 Certification Assessment. A CMMC Level 3 Certification Assessment, conducted by [the Defense Contract Management Agency] Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), verifies that an [organization seeking certification] has implemented the CMMC Level 3 security requirements to protect CUI as specified in 32 CFR 170.14(c)(4),” per the proposed rule.
A triennial Level 3 certification assessment would have to be conducted for each company information system that will process, store, or transmit CUI in the execution of the contract.
Level 3 certification would require “implementation of selected security requirements from NIST SP 800–172 not required in prior rules. Therefore, the Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required selected NIST SP 800–172 requirements,” according to the proposed rule.
The total cost of a Level 3 certification assessment includes the expenses associated with a Level 2 certification assessment as well as the outlays for implementing and assessing the security requirements specific to Level 3.
For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the Level 3 security requirements are $490,000 and $2.7 million, respectively. The projected cost of a Level 3 certification assessment and related affirmations is more than $10,000 (including the triennial assessment and affirmation and two additional annual affirmations).
For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000 (including the triennial assessment and affirmation and two additional annual affirmations).
Level 3 standards are expected to apply only to a “small subset” of defense contractors and subcontractors, the proposed rule states.
For the calculations, officials tried to account for organizational differences between small companies and larger defense contractors. For example, small firms are generally expected to have less complex, less expansive IT and cybersecurity infrastructures and operating environments. They are also more likely to outsource IT and cybersecurity to an external service provider, according to the proposed rule.
Additionally, officials anticipate that organizations pursuing Level 2 assessments will seek consulting or implementation assistance from an external service provider to help them get ready for assessments or to participate in assessments with the C3PAOs.
The annualized cost for contractors and other non-government entities to implement CMMC 2.0 is estimated at about $4 billion, calculated over a 20-year horizon. For the government, the annualized cost is approximately $10 million, according to the projections.
The Pentagon is seeking public feedback on the proposed rule. Comments are due by Feb. 26, 2024.
The costs and procedural requirements associated with implementing CMMC have been a major concern for defense contractors and trade associations.
“Burdensome regulation has long been a hurdle, particularly for small and medium-sized businesses that contribute to the defense industrial base. It’s critical for defense companies to have the tools — and the standards — to keep our nation’s sensitive unclassified material secure while not deterring companies from contributing to the defense industrial base,” Eric Fanning, president and CEO of the Aerospace Industries Association, said in a statement Tuesday. “We look forward to reviewing the proposed rule and providing full feedback to ensure the Department has what it needs to implement a final rule that accounts for the complexities within the defense industrial base.”