Hundred dollar bills

17 Feb 2020

One of the most frequent questions I hear from our clients about the new Cybersecurity Maturity Model Certification, after a few choice words, is: “How much is this going to cost me?”

It’s a great question, and one I can’t fully answer because, unfortunately, they haven’t even rolled out the auditor program yet!

That being said, it does appear that the Office of the Under Secretary of Defense for Acquisition & Sustainment is willing to foot the bill… Kind of. Because according to their FAQ page:

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive…”

Which is great, isn’t it? But there are no further details mentioned, and it is followed by this caveat:

“For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

But, as you can probably imagine, there are going to be other costs besides just auditing. That said, if you actually have all the NIST SP 800-171 security controls in place (which, of course you do! I mean, doesn’t everyone?), as you were supposed to before you won any contracts in the first place, then they shouldn’t be significant. I will go ahead and take a stab at calculating the costs outside of auditing, but since there are no concrete answers yet, I’m just making educated guesses, and these costs are, of course, subject to change.

I’ve broken down the expected costs into three categories:

  1. Preparation costs
  2. Security Control costs
  3. Audit costs

Naturally, the total cost to your company is going to vary, based on a multitude of factors, such as:

  • Just how far along you’ve come with the NIST SP 800-171 security controls (is that nervous laughter I hear?)
  • The size and scope of your business (number of employees, locations, devices/stations, networks, etc…)
  • Your current IT situation (do you have an internal department or do you outsource?)
  • Target CMMC Level
  • The scope of your data (is it CUI or just FCI?)

I know those are a lot of unknown variables, but it’s reasonably safe to assume that your goal, at least initially, will be CMMC Maturity Level (ML) 3, so to not overwhelm you, let’s go with that.

From here, to figure out your preparation costs, we are going to look at the costs of those who have most of the NIST SP 800-171 security controls in place (like you, right?) and those who don’t…

Security Controls Implemented: $35,000 to $100,000

  1. Preparation Costs
    • CMMC Readiness Assessment: $15,000 to $35,000
      • This is the cost for a medium-sized, 250-person firm with multiple locations whose security controls were handled in-house.
      • We got this by comparing it to an ISO 27002 Gap Assessment, which has a similar number of controls.
    • CMMC Gap Remediation to fix any lapses found in the Readiness Assessment
      • Prepared: $0-$10,000
      • Less Prepared: $0-$25,000
      • This is dependent on the findings and what it will take to make your company ready.
  2. Security Control Costs: $0
    • If you have stayed on top of your security controls over the last five years, it is likely this will cost you nothing.
    • It pays to stay up-to-date!
  3. Audit Costs: $20,000-$40,000 (but possibly reimbursable)
    • We are pretty much just guessing here because nothing has been released.
    • Based on other similar auditing costs, it’s assumed the CMMC Audit will be in a similar price range.

Security Controls NOT Implemented: $80,000 to $190,000

  1. Preparation Costs: $40,000 to $90,000
    • CUI Scoping Exercise (recommended) & Risk Assessment (CMMC requirement): $30,000-$50,000
      • This is the cost for a medium-sized, 250-person firm with multiple locations whose security controls were handled in-house.
      • We got this by comparing it to an ISO 27002 Gap Assessment, which has a similar number of controls.
    • Gap Remediation: $10,000-$40,000
      • Covers issues found in the Risk Assessment.
      • Builds a foundation for the System Security Plan.
  2. Security Control Costs: $20,000 – $60,000
    • This cost is going to vary greatly depending on what technology your company has implemented.
    • CMMC ML 3 requires pretty common sense controls that most businesses will have in place already, such as:
      • Data backup
      • Advanced email protection
      • Mobile device management
      • Multifactor authentication
      • Logging and monitoring
      • Security training
  3. Audit Costs: $20,000-$40,000 (initial preparedness is irrelevant)

Please keep in mind that the costs I’m estimating above are just that… ESTIMATES. Even though the first version of the CMMC has been released, it is subject to change. Sometimes I wish I could read the future, but alas… I cannot.

However, if you have any other questions and would like us to go over your particular situation, feel free to schedule a free consultation online, or give us a call at 919-422-2607, and we will be more than happy to answer your questions!
