One of the most active conversations surrounding CMMC rulemaking and compliance with NIST SP 800-171 concerns cost. Neither NIST nor the U.S. Department of Defense can comment on cost, because it differs from one organization to the next. NIST's role is limited to developing the standards it is asked to create. The U.S. Department of Defense frames the question in terms of the cost of failing to protect CUI (Controlled Unclassified Information). The cost of a NIST assessment or a CMMC assessment therefore cannot be generalized across the Defense Industrial Base (DIB). Here are five considerations to weigh when costing out one of these assessments.
Some of the disparate views on the pricing of CMMC compliance and assessments trace back to whether an organization is already NIST-compliant. If a defense contractor has already achieved compliance with NIST SP 800-171, a CMMC assessment will cost less than it will for a company not yet compliant. That company will have to invest in everything a secure environment requires, then a NIST assessment, and then the CMMC assessment. Since compliance was due back in 2018, many who discuss pricing leave out what it costs to complete that journey. If a defense contractor seeks pricing for NIST compliance by way of a CMMC assessment, the quotes it receives from a C3PAO will likely fall well below its expectations (and well below the eventual reality).
Scoping is important when setting the boundaries and therefore the cost of an assessment. The bigger the enclave, or the more protections needed, the more in-depth the assessment will have to be. A smaller organization will likely pay less than a significantly larger company not because of financial mercy, but rather because there simply is less to review.
CMMC assessments will be a new product offering. As such, there is no pricing history that C3PAOs or organizations can use for reference. As C3PAOs vie for clients, prices are likely to move up and down across the marketplace. There will likely never be a single answer to the question, “How much does a CMMC assessment cost?”
C3PAOs cannot also serve as remediators or consultants. If a C3PAO offers you consultation along with an assessment quote, you should consider a different resource. This does mean, however, that if your company believes a consultation will help achieve a successful result, another party will need to be brought into the process. Not all companies will take on this investment, but those that do will, obviously, pay more than those that do not.
Many companies do not account for the internal effort required to achieve NIST or CMMC compliance, but it is substantial. From the executive team to the leaders and staff of departments ranging from quality to IT and beyond, compliance with NIST SP 800-171 and CMMC is a time-consuming process. Although this cost is not quoted by any external party, it is nonetheless a cost that should be budgeted before the process begins.
These five factors will likely prompt companies to identify still more considerations to review before proceeding with a CMMC assessment. Budgeting will largely be an organization-specific exercise rather than an industry-wide rule.
If you have questions or would like to learn more, contact us today.