
CMMC in 2025: The Basics, Costs, and Timeline

January 4, 2024

The CMMC rule (Title 32 CFR Part 170) went into effect on December 16, 2024. CMMC certification is expected to appear in Department of Defense (DoD) procurement contracts as a condition for award as early as Q1 2025.


Why CMMC?

The DoD wants the defense industrial base (DIB) to raise its overall cybersecurity posture as cyber threats grow. To make that improvement verifiable rather than self-declared, the DoD has published the CMMC rule, which replaces simple self-attestation with assessed conformance. The requirements are drawn from existing federal standards (FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172) and are organized into three levels. 

  • Level 1 focuses on safeguarding FCI (Federal Contract Information). It consists of the 15 basic safeguarding requirements already found in FAR 52.204-21, and companies subject to this level must complete an annual self-assessment and affirmation.
  • Level 2 builds on Level 1 and adds the protection of CUI (Controlled Unclassified Information). It consists of the 110 security requirements in NIST SP 800-171. Many organizations required to achieve Level 2 will need a formal third-party assessment by a C3PAO to show compliance; some will be permitted to complete a self-assessment, as determined by the contract. Either way the assessment recurs every three years, with an annual affirmation in between. 
  • Level 3 requirements are stringent and meant to protect the DIB from advanced persistent threats. It adds 24 requirements selected from NIST SP 800-172 on top of Level 2, and the assessment is conducted by the government (DCMA DIBCAC) rather than a C3PAO. According to the DoD, only a small subset of the DIB will need to comply with Level 3. 

Timeline for CMMC Requirements

The DoD expects all applicable contracts to contain CMMC requirements by October 1, 2026, but it permits program managers to include CMMC requirements in contracts before that date. 

For companies that must pass a third-party assessment, the DoD expects it could take up to two years to become certified. Factors include, but are not limited to:

  • The amount of time it will take companies to implement all applicable CMMC requirements at their designated level
  • Controls that can only be shown as met by producing evidence of a process operating over a period of months (for example, recurring log review, vulnerability scanning, and access reviews)
  • The availability of authorized assessors and the time needed to schedule and complete an assessment

Cost of CMMC Certification

It’s expected that most companies in the DIB will need to meet Level 1 or Level 2. In the proposed rule, the DoD provided cost estimates for companies pursuing each level. Note that for Levels 1 and 2, the estimates do not include the cost of implementing security measures or performing remediation. The DoD assumes those companies are already in compliance with the underlying FAR and DFARS requirements and that the only outstanding cost is the assessment process itself. Cybersecurity experts have said the DoD’s estimates are low and that they omit key cost drivers such as remediation, enclave build-out, and ongoing documentation.

  • The DoD estimates that a Level 1 self-assessment and affirmation will cost companies between $4,000 and $6,000 annually. 
  • According to DoD estimates, a triennial Level 2 self-assessment will cost companies between $37,000 and $49,000, and a triennial third-party (C3PAO) assessment is projected to cost between $105,000 and $118,000. These figures are per assessment, and scope matters: according to the rule, “A CMMC Level 2 assessment must be conducted for each information system that will be used in the execution of the contract that will process, store, or transmit CUI.” Limiting the number of systems that handle CUI (for example, by isolating CUI in a dedicated enclave) directly reduces assessment scope and cost.
  • For Level 3, the DoD did include cost estimates to implement the additional security measures. The DoD’s estimates for recurring and nonrecurring engineering costs are $490,000 and $2.7 million, respectively, and the government-led Level 3 assessment itself is projected to cost $41,000 or more.

CMMC Pre-Assessments

Many organizations will seek help from CMMC-qualified resources during their compliance journey, including Registered Practitioner Organizations (RPOs) authorized by the Cyber AB (the CMMC Accreditation Body).

RPOs and CMMC Third-Party Assessment Organizations (C3PAOs) play different roles in the CMMC compliance process. An RPO advises and helps with implementation; a C3PAO performs the official Level 2 certification assessment. Engaging with either for a pre-assessment, sometimes called a “gap analysis” or “readiness assessment,” is the most reliable way for an organization to gauge its readiness for the official CMMC assessment. Be aware that the rule’s conflict-of-interest provisions prevent a C3PAO that has advised you on remediation from also performing your certification assessment, so plan on using separate organizations for consulting and for certification. Read our November blog for more information about pre-assessments.

Action Items

Download our CMMC Guide and schedule a consultation with our CMMC Registered Practitioners today to kickstart your journey towards compliance. Time is of the essence — let’s build a robust cybersecurity foundation for your enterprise.

Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 26 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses. 
