by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
Updated November 21, 2023
As you may be aware, companies that want work from the Department of Defense will have to start meeting tougher IT security requirements, starting as soon as 2025. Many companies have been asking us whether achieving this CMMC compliance is worth it for them.
What’s the value of being CMMC certified? Does your business need to be CMMC 2.0 compliant? How expensive is it to get certified?
Here’s the short answer: most small businesses will need to double their IT budget to meet CMMC requirements. We’ll explain why it costs so much and the value you might get from CMMC certification.
E-N Computers is a Virginia-based IT managed services provider with remote services from coast to coast. We are focused on small business defense contractors, and two of our veteran engineers are CMMC Registered Practitioners with The Cyber AB. ENC is a Registered Practitioner Organization. So we understand the decision-making process you are going through right now, and we want to help.
QUICK ANSWER:
Is CMMC compliance worth it?
Most small businesses will need to double their IT budget to meet CMMC requirements. If you don’t handle defense contracts, we don’t recommend going through the certification process. If you depend on defense contracts, then you’ll have to get certified. Working with a certified IT managed service provider can reduce some of the costs and many of the headaches of certification.
What Is the value of CMMC certification?
In November 2021, the Department of Defense announced changes to the CMMC framework that align it with existing standards for information security. CMMC certification demonstrates your adherence to well-established information security protocols. It shows that security is not just something you have, but something you practice. With the explosion of cyber threats that can affect national security, the Department of Defense takes an intense interest in making sure the entire defense industrial base (DIB) is secured.
Because CMMC 2.0 has not been finalized, it is not a requirement for winning a federal defense contract for the moment. Once the framework has finished going through the rulemaking process, CMMC 2.0 compliance will be required for defense contractors, possibly early in 2025 with full implementation by 2028.
In the interim, the DoD encourages contractors to improve their cybersecurity and work toward CMMC compliance, a process that can take more than a year. Though the DoD said it might provide incentives to proactive businesses, no such program has been announced.
Do you need to be CMMC certified?
Whether you should become CMMC compliant depends on how heavily you rely on defense contracts. If you do not handle them currently, we don’t recommend going through the certification process. However, if you heavily depend on defense contracts, you will need to work toward compliance with CMMC.
The level of certification you need to meet will depend on the type of information you handle.
The three levels of CMMC 2.0
There are three levels of certification under CMMC 2.0. These levels align with widely recognized standards set by the National Institute of Standards and Technology (NIST). Here’s a quick overview of the levels.
Level One
CMMC 2.0 Level One is for businesses primarily dealing with federal contract information (FCI). FCI is administrative information from every phase of the project from proposal to award to execution. Every defense contractor handles FCI and therefore must practice at least CMMC Level One.
Level One is not burdensome. It consists of 15 basic security requirements that your business should already be practicing. And you can be certified by completing an annual self-assessment.
Level Two
Level Two is for businesses that deal with controlled unclassified information (CUI). This is information directly related to the deliverables of the contract like drawings, specs, manuals, reports, and computer code. Most small businesses with defense contracts handle CUI and must practice CMMC Level Two.
Level Two requires a concerted effort to achieve. There are 110 requirements that align with NIST SP 800-171. The NIST emphasizes that it is important to work with a qualified consultant to be compliant at this level.
Most businesses at Level Two need to complete a third-party audit every three years along with a self-affirmation each year. However, there are exceptions where an annual self-assessment is enough for Level Two certification.
Level Three
Level Three is for prime contractors like Raytheon and Northrop Grumman. As a subcontracted engineering or manufacturing firm, you don’t need to think about this level of certification. It’s based on a subset of NIST SP 800-172 and requires 20 more controls than Level Two. To remain compliant, companies at this level undergo government-led audits every three years and complete an annual self-affirmation.
How much does it cost to get certified?
There are at least two costs to consider when reaching for CMMC compliance. One is your IT budget; the other is the cost of an audit.
IT budget
If you already practice basic security hygiene—digital access controls, user authentication, physical access control, network security, and regularly monitoring and updating systems—you will likely reach Level One certification. But because Level Two requires far more security controls, you can expect your costs to jump. As mentioned, in our experience you will need to double your IT budget to implement everything required by Level Two certification.
The three major costs are consulting, tools and time. To explain these costs, we will use our own CMMC compliance managed service as an example.
Our regular managed services customers receive quarterly consultations as part of their service. But CMMC compliance could require that we meet with you once a month to once a week to keep you on track. At $250 per hour for consulting, this can become $1,000 a month or more in consulting costs.
CMMC requirements also force you to use a laundry list of tools from multi-factor authentication to user privilege management to endpoint encryption to security logging. These tools alone can add up to double your IT budget.
Then the last, and possibly largest, expense is your time. If you are trying to manage your own compliance, you’ll need to learn all of the tools and figure out which tools match which NIST controls. We have already learned how to manage those same tools at scale, so you can expect a significant cost savings by partnering with a managed service provider like E-N Computers. Think about the complexity of just managing antivirus software and operating system updates yourself, which we do at scale for all of our clients.
Audit fee
You will also be responsible for the cost of a third-party audit. Audits will be completed by four certified assessors over several days. The cost for assessing an individual location will be in the $30,000 to $50,000 range. If you have multiple locations that need to be assessed separately, your costs will be significantly higher.
Virginia businesses who need help with CMMC compliance were able to receive some funding under the Virginia Defend CUI program, administered by GENEDGE. The program has ended although GENEDGE has applied to renew it.
Learn more about CMMC compliance
READ: The Ultimate Guide to CMMC
READ: The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
READ: What are CMMC Registered Practitioners, and do I need one?
WATCH: CMMC Compliance – Securing shared user accounts with DUO
WATCH: CMMC Compliance – Least privilege made simple with AutoElevate
To get a more complete picture of CMMC 2.0, check out our Ultimate Guide to CMMC. We delve into more detail about what CMMC is and how to prepare for it.
If you are thinking about trying to meet the requirements on your own, please remember: most defense contractors will need to reach Level Two certification, and the NIST strongly recommends working with a qualified partner to accomplish this. E-N Computers is already helping clients to prepare for CMMC, and we can help you, too.
The videos linked above are examples of how we use two tools to implement important security measures like least privilege and user authentication. If you would like to discuss specifics about how you can prepare for CMMC, please schedule a free CMMC strategy session with a certified CMMC practitioner with nearly 30 years experience in IT. In just 30 minutes, we will go over what your next steps should be to quickly move toward certification.
Simply click the button below and pick a date and time that’s convenient for you.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.
