7 Ways to Tackle the CMMC Cost Challenge
The long-anticipated CMMC Proposed Rule was released in late 2023 with the expectation that CMMC will appear in DoD contracts by late 2024 or early 2025. As expected, CMMC will require organizations handling CUI to comply with the 110 NIST 800-171 controls to achieve Level 2 and be eligible to do work for the DoD. For the vast majority of organizations seeking Level 2 certification, compliance will also require having an independent assessment of compliance done once every three years by a C3PAO (Certified Third-Party Assessment Organization).
DoD estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000. However, this cost estimate doesn’t include the costs organizations will need to take on to get ready for their C3PAO assessment. Those costs are not insignificant. This blog is designed to help you understand what your organization can do to better manage and reduce the cost burden.

DoD CMMC Level 2 certification cost estimates
DoD estimates that small defense contractors will need to spend $104,670 to achieve CMMC Level 2 with a C3PAO assessment, and submit annual affirmations of compliance, as shown below.
[Table: DoD CMMC Level 2 Certification and Cost Estimates (for small defense contractors)*]
*According to the DoD, small defense contractors are those with fewer than 500 employees or revenues of less than $7.5 million.
These cost estimates include time spent by both in-house IT specialists and External Service Providers (ESPs) such as Registered Practitioners (RPs), Certified CMMC Assessors (CCAs), and C3PAOs.
Note, however, that the estimates start at the C3PAO assessment phase and do not include any costs up to that point. That’s because defense contractors have been required to comply with NIST SP 800-171—which CMMC Level 2 requirements mirror—since 2017. Therefore, DoD doesn’t consider NIST SP 800-171 compliance technologies or necessary documentation a new expense and so starts its CMMC cost estimates with the assessment phase.
7 ways to lower CMMC Level 2 certification costs
It’s a safe bet that a large portion of the small defense contractors required to achieve CMMC Level 2 certification will need to spend time and money to comply with NIST SP 800-171 before they start to plan and prepare for their C3PAO assessment.
To help you better estimate the costs of CMMC Level 2 certification for your organization, we’ve developed a more realistic and complete CMMC Level 2 checklist than that presented in the DoD’s cost estimates. And we offer tips on how to achieve CMMC Level 2 certification faster and more affordably.
Cutting costs: CMMC Level 2 checklist
Scope your compliance boundary. If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements as much as is reasonable by creating a separate enclave. A smaller compliance scope means a simpler assessment process that saves you time and money. If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial for storing, processing and transmitting CUI are not CMMC compliant. Instead, Microsoft offers GCC High, but that most often needs to be deployed across entire organizations rather than just to carved-out CUI enclaves, adding significant costs and complexity.
Deploy a software platform that secures CUI as required in your defense contracts. CUI is most frequently exchanged in files and emails, which must be protected. PreVeil’s Drive and Email platform protects CUI and supports compliance with 102 of the 110 NIST SP 800-171 security controls—and it can be deployed to an enclave created just for users who handle CUI. Moreover, PreVeil is easy to deploy and has no impact on existing file and email applications such as Outlook and Gmail, or File Explorer and Mac Finder. It’s also easy to use, so time spent on employee training is minimal.
Develop documentation that demonstrates compliance. This can be a daunting, time-consuming and costly task. In addition to showing evidence of protecting CUI, organizations also must demonstrate mature cybersecurity policies and procedures. PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; a Customer Responsibility Matrix (CRM); POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for later, as you kick off your C3PAO Level 2 assessment).
Conduct a NIST SP 800-171 self-assessment. If you deploy a DoD-compliant platform to secure CUI, you’ll be in an excellent position to cut costs by conducting your own self-assessment to determine where you are on the road to CMMC Level 2 certification. PreVeil supports more than 90% of the security controls required for CMMC Level 2 certification. This includes 260 of the 320 assessment objectives specified in NIST SP 800-171A and 102 of the 110 NIST SP 800-171 security controls.
Identify consultants certified by the Cyber AB to help you with your self-assessment if needed. It’s understandable that many organizations lack the internal security expertise to self-assess accurately and cost-effectively. Outside partners can save time and money if you get stuck and need help. To facilitate connections to the specialized help you may need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs, and other consultants and organizations certified by the Cyber AB—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. This coordinated access offers peace of mind and streamlines your engagement because no time is spent learning how PreVeil supports compliance.
Close security gaps revealed by the self-assessment. You’ll need to create a POA&M indicating how and when your security gaps, if any, will be remediated. The more NIST SP 800-171 controls your organization already meets, the faster and more cost-effectively you’ll close out your POA&M. If you haven’t yet needed to hire outside expertise, this may be a reasonable point to do so rather than struggle with closing gaps on your own.
Schedule, prepare for, and complete your C3PAO Level 2 assessment. These tasks map to the DoD’s cost estimate table above; by this point your organization is ready for its external assessment. If you hired a C3PAO to help with your NIST SP 800-171 self-assessment, it may make sense to work with that same C3PAO for your CMMC assessment, since they already know your organization well and you can benefit from that efficiency. And given all that you will have accomplished by this stage, you’ll be well positioned to cross the finish line to CMMC Level 2 certification without hitting expensive delays or barriers.
Report assessment results and submit annual affirmations. The final steps are for your C3PAO to package and report your assessment findings to the DoD, and for your organization to submit annual affirmations of compliance with CMMC Level 2 requirements.
Finally, it’s important to know that your organization doesn’t need to be perfect! If you meet the necessary 88 of the 110 NIST SP 800-171 controls in your C3PAO assessment, you will be issued a Conditional CMMC Level 2 certification and then have 180 days to close out your POA&Ms. Fortunately, technology solutions that reduce the time and cost of achieving CMMC Level 2 are also available to help you maintain your competitive position for winning DoD contracts.
CMMC timeline
Typical small to midsize organizations need anywhere from 12 to 18 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts. To avoid serious business risks, now is the time to get started on CMMC compliance.
The PreVeil solution
PreVeil’s platform and documentation can help. PreVeil is the leading solution for NIST SP 800-171 and CMMC Level 2 compliance and is trusted by more than 1,000 small and midsize defense contractors. PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments.
Learn more about how PreVeil can help your organization achieve CMMC Level 2 compliance faster and more affordably:
- Sign up here for a free 15-minute consultation with our compliance team
- Check out our white paper, Achieving CMMC Compliance: A guide for small and midsize defense contractors, which has been downloaded more than 3,000 times by defense contractors
*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove, reviewed by Jamie Leupold. Read the original post at: https://www.preveil.com/blog/7-ways-to-tackle-the-cmmc-cost-challenge/