CMMC in 2024: The Basics, Costs, and Timeline

January 4, 2024

On December 26, 2023, the Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule for a 60-day comment period. 

The Basics of CMMC 2.0

The DoD wants the defense industrial base (DIB) to increase its overall cybersecurity posture as cyber threats grow exponentially. To ensure improvement, the DoD has published a new proposed rule, CMMC. The CMMC proposed rule is closely modeled after NIST 800-171 and contains three levels of compliance. 

• Level 1 focuses on safeguarding FCI (Federal Contract Information), and companies subject to this level will need to complete a self-assessment and may need a formal certification assessment. 
• Level 2 is based on the protection of CUI (Controlled Unclassified Information). Organizations required to achieve Level 2 will need a formal third-party assessment to show compliance.  
• Level 3 requirements are stringent and meant to protect the DIB from advanced persistent threats.  According to the DoD, only a select few companies will need to comply with Level 3. 

Timeline

The DoD expects all contracts to contain CMMC requirements by October 1, 2026. However, it will enable its program managers to include CMMC requirements in contracts before that date. 

For companies who must pass a third-party assessment, the DoD expects it could take about two years to become certified. Factors include, but are not limited to:

• The amount of time it will take companies to meet all applicable CMMC requirements at their designated level
• Controls that are fulfilled by documenting processes over months
• The availability of assessments and time needed to complete one

Costs

It’s expected that most companies in the DIB will need to meet Level 1 or Level 2. In the proposed rule, the DoD provided cost estimates for companies striving for each level. Note that for Levels 1 and 2, they did not include costs for implementing security measures or performing remediation activities. They assume that a company meets all requirements but still needs to undergo the certification process. Some cybersecurity experts have said the DoD’s estimates are low, and that they don’t include certain key cost drivers.

• For a Level 1 self-assessment and affirmation, the DoD estimates it will cost companies between $4,000-6,000 annually. 
• According to DoD estimates, for a triennial Level 2 self-assessment, companies will need to put up between $37,000-49,000. A third-party assessment is projected to cost between $105,000-118,000. According to the proposed rule, “A CMMC Level 2 assessment must be conducted for each information system that will be used in the execution of the contract that will process, store, or transmit CUI.”
• For Level 3, the DoD included cost estimates to implement necessary security measures. The DoD’s estimates for recurring and nonrecurring engineering costs are $490,000 and $2.7 million, respectively. The cost of Level 3 certification is projected to be $41,000 or more.

CMMC Pre-Assessments

Many organizations will seek help from CMMC-qualified resources during their compliance journey, including from Registered Practitioner Organizations (RPOs) certified by the Cyber Accreditation Board.

RPOs and CMMC Third-Party Assessment Organizations (C3PAOs) play a critical role in the CMMC compliance process. Engaging with an RPO or C3PAO for a pre-assessment, sometimes called a “gap analysis” or “readiness assessment,” is essential for organizations to gauge their readiness for the official CMMC assessment. Read our November blog for more information about pre-assessments.

Action Items

Download our CMMC Guide and schedule a consultation with our CMMC Registered Practitioners today to kickstart your journey towards compliance. Time is of the essence — let’s build a robust cybersecurity foundation for your enterprise.

Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 26 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses. 

Sources:

• CMMC 2.0: What Changed and the Pre-Assessment Process
• Cybersecurity Maturity Model Certification (CMMC) Program | Federal Register
• Cybersecurity Maturity Model Certification Program Proposed Rule Published | Press Release | U.S. Department of Defense
• DOD plans four-phase roll out of CMMC
• Pentagon reveals updated cost estimates for CMMC implementation