The CMMC Proposed Rule released in December 2023 requires organizations who handle CUI to achieve CMMC Level 2 Certification. Over 95% of these organizations seeking Level 2 certification will be required to have an independent assessment completed every three years by a C3PAO (Certified Third-Party Assessment Organization).

The Department of Defense estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, plus the cost of any technology. This blog will help defense contractors understand the costs involved and provide 6 ways to save money on each step of the CMMC certification process.

DoD CMMC Level 2 certification cost estimates

DoD estimates that small defense contractors will need to spend $104,670 to achieve CMMC Level 2 with a C3PAO assessment, and submit annual affirmations of compliance, as shown below.

DoD CMMC Level 2 Certification and Cost Estimates
for small defense contractors with less than 500 employees or revenue less than $7.5 million


These cost estimates include time spent by both in-house IT specialists and External Service Providers (ESPs) such as Registered Practitioners (RPs), Certified CMMC Assessors (CCAs), and C3PAOs.
 
Note that these cost estimates start at the C3PAO assessment phase and do not include any costs up to that point. That’s because defense contractors have been required to comply with NIST SP 800-171—which CMMC Level 2 requirements mirror—since 2017. Therefore, DoD doesn’t consider NIST SP 800-171 compliance technologies or documentation a new expense.

How to reduce CMMC level 2 certification costs

Complying with NIST SP 800-171 and CMMC Level 2 will require a significant time and cost investment from defense contractors. However, we believe that many companies can achieve Level 2 at a lower cost than the DoD estimates above by deploying 6 strategies to achieve CMMC Level 2 certification faster and more affordably.

1. Reduce your compliance boundary

If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. A smaller compliance scope means a simpler assessment process that saves you time and money. Also consider that some solutions like Microsoft GCC High often need to be deployed across entire organizations rather than just to carved-out CUI enclaves, adding significant costs and complexity.

How PreVeil addresses: PreVeil can be deployed to a smaller enclave created just for the users who handle CUI.

2. Choose a platform that’s easy to use and deploy

Platforms like Microsoft GCC High often require expensive consultants, separate email addresses, and a full rip-and-replace.

How PreVeil addresses: PreVeil can be deployed in hours, uses your existing email addresses, and is easy for your team to use since it integrates directly with the tools you’re already using, like Outlook, Gmail, File Explorer and MacFinder.

3. Deploy a solution with proven CMMC credentials

If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC requirements for storing, processing and transmitting CUI. Other solutions may not have FIPS 140-2 encryption modules. The last thing you want is to deploy software to protect CUI and then found out it doesn’t meet DFARS and CMMC requirements.

How PreVeil addresses: PreVeil works with over 1,000 Small and Medium size defense contractors and through a combination of inherited and shared controls, PreVeil supports over 90% of the NIST SP 800-171 security controls (102 of the 110). Read about how we meet CMMC requirements here. PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete.

4. Use prepared compliance documentation to save you time and money

Defense contractors must do more than implement technology and policies to achieve CMMC compliance. To pass an assessment, contractors will need detailed, evidence based documentation clarifying how the controls are addressed within their company. This can be a daunting, time-consuming and costly task.

How PreVeil addresses: That’s why PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; a Customer Responsibility Matrix (CRM); POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for later, as you kick off your C3PAO Level 2 assessment). In addition, organizations that purchase PreVeil University to educate their organization on CMMC also receive our SOPs and CMMC compliance artifacts

5. Identify consultants certified by the CyberAB who are familiar with your technology

It’s understandable that many organizations lack the internal security expertise to self-assess accurately and cost effectively. Outside partners can save time and money if you get stuck and need help.

How PreVeil addresses: To facilitate connections to the specialized help you may need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs, and other consultants and organizations certified by the Cyber AB—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. This coordinated access offers peace of mind and streamlines your engagement because no time is spent learning how PreVeil supports compliance. Also, if you hire a C3PAO to help with your self-assessment, you may make sense to work with that same C3PAO for your CMMC assessment, since they will already know your organization well and you benefit from that efficiency as well.

6. Create a reasonable timeline that matches your budget

Once defense contractors have protected CUI, prepared their documentations, completed a self-assessment, and uploaded their SPRS score, the next step is to schedule your C3PAO Level 2 assessment. Assuming you have a score of 88 and the remaining controls are acceptable POAMs, you can take some time before completing the assessment. This may allow you to use next year’s budget, for example. Just note that the DoD has the authority to audit your organization at any time.

The PreVeil solution

PreVeil is the leading solution for NIST SP 800-171 and CMMC Level 2 compliance and is trusted by more than 1,000 small and midsize defense contractors. PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments. Learn more about how PreVeil can help your organization achieve CMMC Level 2 compliance faster and more affordably: