The Costs and Scope of CMMC 2.0

By Rachel A. McCaffrey and Michael Seeds


The Defense Department first proposed the Cybersecurity Maturity Model Certification program in 2019, and while it has yet to be fully implemented, the concept seems simple.

CMMC will ensure defense contractors comply with their contractual obligations to protect controlled unclassified information, or CUI, by requiring companies to hire third-party assessors to certify compliance, moving away from the “self-attestation” model.

However, nothing is ever as simple as it seems, and since the CMMC framework was first announced in 2019, “uncertainty” is a word that has been closely associated with the program.

The Defense Department released a proposed rule to implement the second iteration of CMMC, dubbed CMMC 2.0, on Dec. 26. The rule makes several changes, including reducing the number of compliance levels from five to three, aligning Level 2 compliance with National Institute of Standards and Technology Special Publication 800-171, and aligning Level 3 compliance with NIST SP 800-171 and 800-172.

While the streamlined CMMC 2.0 makes some positive improvements, as the short comment deadline rapidly approaches, we find that “uncertainty” remains around some elements, especially the cost and scope of the program.

The costs surrounding CMMC have been a hotly debated topic since its inception. According to department estimates, the private sector will face an annualized cost of $4 billion to implement CMMC 2.0, which includes nonrecurring engineering costs, recurring engineering costs, assessment costs and affirmation costs.

The proposed rule acknowledges public feedback indicating the cost estimates for CMMC 1.0 were too low, and as a result of several changes, “some CMMC 2.0 costs may be higher than those included in CMMC 1.0.”

The proposed rule, however, still does not include the costs associated with implementing the actual underlying cybersecurity controls, such as the security requirements outlined in Federal Acquisition Regulation clause 52.204-21 for CMMC Level 1 and the security requirements outlined in NIST SP 800-171 Rev. 2 for CMMC Level 2. When the department implemented the requirement for defense contractors to protect controlled unclassified information in accordance with NIST SP 800-171 in 2017 under DFARS 252.204-7012, the department did not release a cost estimate to assess the impact on the defense industrial base.

Although the department knew the implementation would increase costs, it answered questions surrounding costs by stating they were “unknown” but “deemed necessary.”

Currently, the Pentagon believes it does not need to consider the cost of the underlying requirements for CMMC Levels 1 and 2 since they “should already have been incurred.” While this may be true for existing companies within the defense industrial base, it may be helpful for new entrants such as startups and nontraditional defense companies to understand the requirements and costs associated with military partnerships.

Another source of uncertainty is the scope of CMMC 2.0, which goes beyond companies simply complying with existing requirements. As expected, the proposed rule expands CMMC requirements to the application of all NIST SP 800-171 controls and certification assessments to the new category of organization, “external service provider.” This means all managed service providers and managed security service providers — companies that provide info-tech and cybersecurity services to defense firms — must certify before the companies they support, the “organization seeking certification,” can seek an assessment.

The rule seemingly fails to recognize that expanding the scope of where CMMC requirements are applied also drives a significant cost increase. It no longer simply assesses existing security requirements.

The proposed rule also expands the application of the requirements.

Further expanding the scope, the department creates a new category of information, “security protection data,” but does not clearly define the data.

The rule also effectively mandates that every security tool delivered as a cloud service must be FedRAMP authorized or equivalent. Defense companies will need to consider what security tools they have now and what they will need to buy in the future and decide whether to purchase the more expensive FedRAMP options wherever possible.

Another area is the affirmation requirements for Levels 1, 2 and 3. A senior company official must affirm continuing compliance with the requirements in all systems in scope. Still, it is not clear whether an affirmation covers a specific point in time or is continuous. While a company can undoubtedly certify at a point in time that all controls are in place and working, company officials will face new potential liability and an almost impossible task if they must affirm continuing compliance beyond a set point in time, in effect affirming that systems will not break, controls will not fail and the threat will not change.

Finally, in addition to continued uncertainty related to costs and scope, NIST SP 800-171, the primary underlying security requirement for CMMC 2.0, is also undergoing a separate regulatory process to update from Revision 2 to Revision 3.

The Defense Department should partner with industry to develop and implement a plan for transitioning between revisions, so that companies can make the decisions needed to meet their contractual obligations under the Defense Federal Acquisition Regulation Supplement.

The department must prioritize partnering with industry on cybersecurity requirements and implementation. The National Defense Industrial Association strongly believes that more effective cybersecurity requirements will benefit warfighters by protecting our best ideas and technology.

However, the proposed rule requires significant adjustments to balance security requirements with implementation costs.

Rachel McCaffrey is senior vice president of membership and chapters, and Michael Seeds is senior director of strategy and policy at the National Defense Industrial Association.


Comments (4)

Re: NDIA POLICY POINTS: The Costs and Scope of CMMC 2.0

Thank you for this article. We all agree protecting information is extremely important. The article is an excellent analysis of a complex bureaucratic system gone awry. The gov't needs to provide some funding, at least for all the administrative burden and overhead.
BTW, it would be useful to know what will be declared as CUI. Is anything the gov't agency does with a DIB company CUI? Probably not. Also, many companies do work that cannot be CUI when they have commercial customers. Only a gov't agency can declare work as being CUI.

Dan Williams at 8:43 PM
Re: NDIA POLICY POINTS: The Costs and Scope of CMMC 2.0

Interesting article and comments. With regards to "what exactly is CUI or declared CUI"; CUI is established by the original classification authority (OCA) of the given system/agency that the industry partner supports. The designation of a classification of CUI is generally assigned for specific data/information, and not declared for a type of "work". It is the labeling and handling of information for a given system that will be assigned a classification of CUI. You can assume, for the most part, that any information regarding National Security Systems (NSS) will be assigned a label of CUI. You can look up more information on the DOD CUI processes and categories here: https://www.dodcui.mil/. While implementation of this process may seem costly; without doing this, we are negating our missions and capabilities before they are even fielded. In analyzing the cost vs risk equation there is no cost that will outweigh the impact of negating our missions and warfighting capabilities. In today's digital era, we must take a defensive stance on protecting our data.

Kathy McGinn, CISSP at 6:36 PM
Re: NDIA POLICY POINTS: The Costs and Scope of CMMC 2.0

Someone needs to provide insights on DoD challenges to determining exactly what is CUI and how it is releasable/distr to only properly certified contractors who shall be compliant with the latest 800-171 revision. A pov

Randy Shearer at 6:37 PM
Re: NDIA POLICY POINTS: The Costs and Scope of CMMC 2.0

Let's say we have a big house but the cost of building a fence is larger than the scope of the house. While the existing house cannot increase in cost more in the same period of time but the fence has to increase in cost more than the first time, is it worth it? Why don't we increase the cost so that the entity inside the fence increases in value many times more than the fence? And how long will it take for us to increase costs for times 3 and 4...and more? In my opinion, we can accept paying any amount of CMMC costs, but the thing must first evaluate how much the core value is worth protecting, as well as at what level does outside intrusion affect CMMC?

Tim Nguyen at 7:11 PM