Ever since the Department of Defense (DoD) introduced the Cyber Security Maturity Model Certification (CMMC) concept in 2016, small and medium-sized businesses (SMEs) have been concerned about the costs of implementation. Now, however, the DoD says that it will be addressing the cost concerns of SMEs as part of an ongoing internal review. The department hopes that new measures will cut the cost of accreditation and help to level the playing field.
According to reports across media outlets, the DoD is looking for ways to reduce the cost of accreditation for small businesses and enterprises while addressing cybersecurity concerns. CMMC organizations, the department said, have valuable perspectives and their complaints about the cost should be taken seriously. Most should only need to achieve CMMC Level 1, it affirms, implying lower costs than those applying for Levels 2 and 3.
The DoD assures all parties concerned that it will be looking carefully for ways to reduce the cost burden on businesses so that the DoD supply chain can remain competitive and diverse. Critics of the CMMC policy point out that it places a disproportionate financial burden on smaller businesses, potentially leading to anti-competitive practices.
The DoD’s recent statements are in response to an early House Committee on Small Business subcommittee held on 24 June 2021. Companies invited to join the session expressed concerns and worries about the costs of meeting the new regulatory regime and asked members to forward their concerns to the DoD. Some members said that they were also struggling to understand the CMMC compliance requirements and weren’t sure whether they were meeting them or not.
The DoD is planning on overhauling the way that it communicates with SMEs. In the future, it is promising to provide more official information on the CMMC program to make it easier for companies to follow the requirements. It is also going to address issues raised about the way that it communicates about the scheme. One component of the review, according to the Department of Defense, will be to develop public media campaigns that can disseminate information more widely.
Currently, a typical 250-employee firm that wants to achieve CMMC Level 3 certification will need to pay roughly $15,000 to $35,000 in readiness costs, plus additional costs for gap remediation support. Thus, most SMEs can expect to pay somewhere in the $20,000 to $30,000 range for basic accreditation, although hard data is still lacking.
There are many components of the cost of complying with CMMC. So-called “soft costs” mainly involve the admin required to prepare for the audit. In addition, there are hard costs associated with the audit, such as preparing computer systems, and the direct costs of the certification process itself.
Companies are right to be concerned about the high costs of CMMC compliance. But thanks to the work by the House Committee on Small Business, it appears that the DoD will indeed be addressing the concerns of SMEs.