Cost of CMMC: Conquer the Fear Of Finding Out

by Linda Rust and Mike Warner | Mar 24, 2024

What Will CMMC Cost Our Organization?

Conventional wisdom says a Rough Order of Magnitude (ROM) estimate for CMMC (Cybersecurity Maturity Model Certification) compliance takes a project and significant sunk costs. A SecuriThink Step Zero report answers the question with a verified level of accuracy in as little as 72 hours for a flat fee.

Many Defense contractors have business questions swirling about CMMC. They can be tough topics like

Should we stop doing Defense contracts?
Should we sell the company instead of dealing with CMMC?
Is the new contract we’re signing profitable given the costs of CMMC?

Step Zero describes the situation in financial terms that clarify the trade-offs and support data-driven decisions. It’s a cybersecurity tool for business decision-makers.

For Organizations that have a Fear Of Finding Out (FOFO), it’s a way to rip off the band-aid.

About Acronyms

With CMMC at the intersection of cybersecurity and the U.S. Department of Defense (DoD), the alphabet soup is deep. A listing of relevant acronyms is found at the end of this post.

The Backstory

Some contractors for the DoD have had requirements like those of CMMC for well over a decade. One of those prime contractors had a Chief Information Security Officer (CISO) who led his own organization to compliance but, in the years that followed, the company regularly made acquisitions. Each acquisition introduced a new security risk and a new compliance challenge.

The conventional approach to these projects is to perform a gap analysis (Step One in the graphic) followed by a phase of high-level Plan & Design (Step Two). A preliminary budget and schedule aren’t known until most of that second phase is done.

While that’s good due diligence, this process takes weeks or even months depending on the size and complexity of the situation. It also requires a number of individuals to cover all the bases and that becomes a confidentiality problem during Mergers and Acquisitions (M&A) dealmaking. In practice, full due diligence is rarely done early in the cycle.

The CISO took another tack; Step Zero is the outcome.

Verified Accuracy

Step Zero, draws its greatest strength from the fact the story doesn’t end there. The CISO had the ultimate accountability for the cybersecurity gap no matter how good the estimate was; he was highly motivated to be accurate because he also knew there would always be another acquisition.

Report verification is based on 12 Fortune 500 M&A deals over a period of 8 years with several deals closely tracked to completion 14-36 months later. The CISO leveraged his access to real spending data to get past the post-deal tendency to over- or under-report costs. Meticulous data collection over long duration projects is difficult to impossible without insider access to time and cost-tracking systems.

This diligent tracking of deals from transaction to transformation resulted in a verified range of accuracy which is a unique dimension of Step Zero.

Step Zero was created for Mergers and Acquisitions (M&A); why is it relevant to CMMC?

Step Zero was forged in an environment where the DoD was the primary customer driving cybersecurity contract requirements. While the Fortune 500 organization which inspired this approach was itself meeting DoD requirements, as it continued to acquire new companies that were less prepared, Step Zero was forged specifically to measure the costs to close the cybersecurity gap of each new acquisition target.

Step Zero was forged by M&A yet it’s a powerful tool to be wielded by compliance. It’s a perfect fit for organizations that want to know what CMMC will cost them.

Cyber Tool for CMMC Business Decision-makers

Step Zero describes the CMMC business problem in business terms: dollars and sense.

Step Zero includes all costs for

Step One (Gap Analysis)
Step Two (Plan & Design)
Step Three (Execute)
Recurring costs

The costs are broken down to allow the Chief Financial Officer (CFO) and their team to plan for expenditures by quarters and, since it’s a long duration project, across fiscal years. The one-time lift is separated from the recurring costs. Expenses are separated from capital.

Business decision-makers engage when the report is in their language and supports data-driven decisions.

See the Frequently Asked Questions (FAQ) for more details on accuracy, what’s included in the Step Zero estimate, and how the report breaks down the numbers.

Benefits for Technology Leaders

Engage business decision-makers with the big picture. Use a top-down outline to avoid the drip, drip, drip water-torture they complain about when resource requirements are built progressively from the bottom up during Steps 1, 2, and then 3.

When business decision-makers make a preliminary Go/No-Go based on Step Zero, it gives technical leaders the breathing room to do what they need to do. You can hit the ground running with Step One and Step Two because there’s already buy-in to go that far.

How is a Step Zero report different from a vendor proposal, such as one from a Managed Services Provider (MSP)?

Even the most comprehensive MSP has a Shared Responsibility Matrix (SRM). There are some responsibilities that always fall to your organization. From the backstory above, it should be clear that the basis of Step Zero is the entire picture from the perspective of what the CMMC Rule calls an Organization Seeking Assessment (OSA).

What does SecuriThink experience say about the timeline to implement CMMC?

Across 12 M&A deals over 8 years, our shortest time to fully implement was 14 months, and some took nearly 36 months. CMMC is not something an organization can quickly tackle with a War Room and a Tiger Team; more than half of the requirements require people and process change which are long-term accomplishments. In addition, a number of the Assessment Objectives require demonstrating that the control has been in place for some time.
We have already seen DoD contracts that specify once CMMC is fully authorized, the existing contract will be subject to the requirement, which leaves little wiggle room for compliance.
To quote Dan Akridge, “You can’t be on time for CMMC. You’re either early or you’ll be very late.”

Is the DoD SPRS Score a Deliverable of Step Zero?

Calculating this score is not actually performed during Step Zero. The Step Zero estimate includes this task to be performed during Step One, the Gap Analysis phase.

For those not familiar with this, the DoD requires contractors and subcontractors to calculate a score using the NIST SP 800-171 DoD Assessment Methodology (DoDAM) then report it in the Supplier Performance and Risk System (SPRS).

Why SecuriThink?

12 years Fortune 500 CISO experience – starting from greenfield and building a program that won awards from the U.S. Department of Defense (DoD) and ranked in the top 10% for maturity
50+ years combined experience on Fortune 500 mission critical projects requiring both tech skills and business savvy
30+ years combined experience creating the technology business case for owners, Boards of Directors, and CxOs
35+ years combined experience in cybersecurity and network engineering
Team includes a Certified CMMC Assessor (CCA), CMMC Provisional Instructor (CMMC-PI), Certified CMMC Professional (CCP), and CMMC Registered Professional (CMMC-RP)
Fortune 100 experience included smaller operational units that scale to medium-size businesses
Nationally recognized experts accustomed to working globally
Our clients describe our track record better than we can