Helping companies become CMMC compliant, we have learned a lot about the options companies have out there and how to become compliant with the 110 control requirements (over 300 control objectives) of the standard.
Organizations pursuing CMMC Level 2 certification often encounter significant challenges that can derail their compliance efforts and result in costly delays. Key CMMC pitfalls (and the controls that address them) include:
- Poorly defined CUI boundary with too many assets in scope and/or missing considerations for key assets in scope.
- Implement end-to-end FIPS 140-2 compliant encryption for CUI, both at rest within the boundary and in transit across it.
- Assess all physical locations for secure CUI handling, including paper-based CUI, and enforce wireless security using FIPS 140-2 compliant encryption.
- Control access to printers and other devices capable of displaying or outputting CUI; maintain detailed access logs.
- Maintain robust endpoint security, including vulnerability scanning, activity logging, and continuous monitoring for all users and devices accessing CUI.
- Ensure a CMMC-compliant email security solution.
- Provide detailed CUI handling guidelines and acceptable use policies, with documented end-user acknowledgment.
Key Costs to be CMMC Compliant
| Costs (USD) / Features | Manage Internally | Manage with Virtual Workspaces on Cloud Infrastructure | Use CMMC Compliant MSSPs (Managed Security Services Provider) |
| --- | --- | --- | --- |
| End to End Encryption | Over $430 per user per year | Over $430 per user | They offer it in their services (see below) |
| Microsoft GCC High | Not needed if using end-to-end encryption software with messaging | Not needed if using end-to-end encryption software with messaging | Approx. 1,000 per user per year |
| SPA Assets Costs | No additional costs if you already have MDR/EDR on all endpoints, a vulnerability scanner, and security monitoring operations. If not, these costs need to be incurred. Good news: products don't have to be FedRAMP authorized. | Cloud operational and monitoring software costs (e.g. CloudTrail, CloudWatch, GuardDuty in AWS) | Charged between 10-20k per month to do both operational and security monitoring (irrespective of number of users) |
| Dedicated Infrastructure for Virtual Workspaces | May not necessarily need it if end-to-end encryption, hard drive endpoint encryption, and sufficient logging and monitoring are implemented on endpoints with access to CUI. | GovCloud (especially needed if ITAR with export control): high-compute cost per user per month in cloud service providers approx. $145 per month (engineers using 3D engineering software); light GPU user approx. 40 per month per user; directory service approx. 400 per month per domain; storage costs 43 per month per 1 TB | $215 to 315 per user per month for support, compute costs and Virtual Workspaces management; additional costs to set up site-to-site VPN infrastructure for printers and CUI assets in the physical boundary |
| Additional IT Support | May need additional resources to maintain the CMMC program | May need additional resources to maintain the CMMC program | Included, but additional fees for changes and special requests. |
| GRC software | Per SSP approx. 6k per year | Per SSP approx. 6k per year | Included, but they charge 7k per month for maintenance |
| SME CMMC Advisor | SSP preparation (one SSP), policies and audit support 50-70k (year 1) depending on effort; multiple SSPs and complexity to negotiate. Year 2 - Year 3: 15-20k | SSP preparation (one SSP), policies and audit support 50-70k (year 1) depending on effort; multiple SSPs and complexity to negotiate. Year 2 - Year 3: 15-20k | Over 250k for 3 years |
| C3PAO Auditor | Approx. 70-80k per audit every 3 years (one SSP) | Approx. 70-80k per audit every 3 years (one SSP) | Approx. 70-80k per audit every 3 years (one SSP) |
The above is a summary of the potential costs and considerations to achieve CMMC Level 2 compliance. Cost management strategies include figuring out which scenario works best for your organization based on your current state, the type of data you handle (e.g. CUI, ITAR/ EAR), and your capabilities to manage the changes required.
At Elevate, we have helped many organizations prepare for and obtain CMMC Level 1 and Level 2 compliance. Our goal is to help you ensure that your CUI boundary is properly defined and that your gap analysis and remediation are complete, so that your audit and/or self-assessment to the Department of Defense (DoD) succeeds.
Contact us for a complimentary assessment of your current state and determination of the total cost towards CMMC compliance. You will get your SPRS score and recommendations to meet CMMC compliance.