CMMC Pricing Details
The CMMC Accreditation Body, entrusted by the Department of Defense to manage the CMMC ecosystem, has begun publishing the requirements for C3PAOs, CMMC assessors, and consultants. The most anticipated details have been the costs and prerequisites attached to each role. With those details now available, we can start to estimate what an actual CMMC audit might cost.
How Do I Become a CMMC Assessor
The first step is to decide which role you would like to fill. Entry-level assessors are called Certified Professionals (CPs); they should hold a technical degree or equivalent experience and have at least two years of IT experience. CPs may only participate in assessments under a Certified Assessor’s supervision. Alternatively, they can pursue the training and examinations needed to become Certified Assessors themselves.
Certified Assessors are licensed to audit up to a certain CMMC level (1-5). The process is designed to ensure only the most experienced assessors can audit at higher levels. For example, CMMC Level 3 requires over four years of IT experience, and to become a CMMC Level 5 assessor, you must participate in at least 15 Level 3 assessments.
Once you’ve chosen your desired role, you can register on the CMMC AB website. The initial application fee is $200, and exams range from $275 (for the CP exam) to $450 (for CMMC Assessor 3). Training costs have not been announced at this time. There are also annual maintenance fees of up to $500 for CMMC Assessor 3. The largest cost of becoming a CMMC Assessor, however, is the requirement that each assessor’s first audit be observed by an AB-credentialed individual at a rate of $2,500 per day (not including travel and per diem). Despite the expense, the CMMC AB reported 87 applications within 24 hours of opening registration, and that number is likely to grow quickly as interest and awareness grow.
How Can My Company Become a C3PAO?
Companies interested in becoming C3PAOs can apply now, but there are associated costs you should be aware of. First are the costs of qualifying your own CMMC assessors: as described above, getting assessors trained and ready will not be cheap, and you will need to provide a background check for each one.
Your company will also need to show proof of insurance (general liability, errors and omissions, and cybersecurity breach policies) in coverage amounts that have not yet been specified. You will then pay the $1,000 application fee, followed by a $2,000 activation fee upon acceptance. Starting in January 2022, there will also be a $2,000 annual maintenance fee. Each booked assessment also carries a per-assessment fee, currently sold as five-packs of vouchers: $300 for CMMC ML1 and $750 for CMMC ML3.
Naturally, C3PAOs are expected to demonstrate a high level of cybersecurity maturity before auditing other companies. ISO 17021 certification and CMMC Level 3 certification will be required, and a DCMA government audit will verify your firm’s compliance. Additionally, any external cloud services your company uses will have to meet the FedRAMP High Baseline (IL4). Depending on your current level of compliance, the cost of meeting those standards could be substantial.
C3PAOs can provide advisory CMMC consulting services and support, but not to companies they are also auditing. Registered Provider Organizations (RPOs), on the other hand, focus exclusively on CMMC consulting and support; they cannot conduct audits at all. Signing up as an RPO requires a $5,000 annual fee, which authorizes use of the CMMC logo and a listing in the CMMC Marketplace. RPO staff undergo training in CMMC fundamentals and pay a $500 annual fee to become Registered Practitioners (RPs). This route lets your company operate in the CMMC ecosystem immediately while working toward the more stringent requirements of becoming a C3PAO.
What Does this Mean for the CMMC Audit Cost?
Without knowing the size, scale, or complexity of your company’s infrastructure, it’s impossible to determine how much your audit might cost.
Market factors, the availability of assessors in your region (or the cost of traveling to your location), and how long it takes assessors to audit your systems will dramatically influence the cost of your audit. What we can do, however, is extrapolate by examining the costs each C3PAO will need to invest before they can begin conducting audits.
First, each aspiring C3PAO must achieve compliance with the certification standards listed in the previous section. This alone could range from $10,000 to $50,000, depending on the size, complexity, and security maturity of the C3PAO. They must then pay the application fee and activation fee, purchase insurance, and buy assessment-fee vouchers, which together total roughly $7,000. Let’s assume the C3PAO employs three cybersecurity auditors. For those employees to conduct audits, the C3PAO must pay their application fees, training costs, and CMMC exam fees, and of course their salaries and benefits (anywhere from $80k to $180k each, depending on the market). Next, add the $2,500-per-day observation fee for each assessor’s first audit. If that audit takes five business days, then including per diem and travel for the observer, we can estimate about $15,000.
With each C3PAO investing tens of thousands of dollars before conducting its first audit, we can reasonably expect CMMC audits to cost somewhat more than other cybersecurity audits. Intense market demand for a limited pool of qualified auditors will push prices higher still.
Take Steps to Get Ahead
Fortunately, there are reasonable, pragmatic steps you can take to substantially reduce the cost of your future CMMC audit. Investing in your cybersecurity posture today means you will have a mature, organized security program in place long before CMMC becomes mandatory. That positions you to request your audit as early as possible, before thousands of slower, less-prepared firms begin clamoring for audits of their own. An efficiently designed cybersecurity program also means your audit will be completed more quickly: rather than wasting billable hours searching for artifacts and proof of compliance, your program will have everything laid out and immediately accessible to the assessors.
Our expert cybersecurity engineers have over a decade of experience developing and implementing the security plans, policies, and cultural changes necessary to transform your organization’s cybersecurity posture. Reach out and tell us your security concerns: we can work together to develop cost-effective security solutions designed for your company’s unique circumstances. You can also attend our CMMC Virtual Course to prepare for your CMMC certificate and to become an expert in DFARS compliance for your clients. With Totem’s experienced support, you will be surprised at how smoothly, quickly, and inexpensively you can gain the understanding you need to become a CMMC Assessor or a C3PAO.