As the rollout of CMMC comes closer, defense contractors are worried about how much compliance will cost their company. For some that have been keeping up with NIST 800-171 and DFARS 252.204-7012 requirements, compliance will be a manageable cost. For others, the cost of compliance will become a significant expense.
To get a better understanding of CMMC compliance costs, we spoke to John Verry, CEO of Pivot Point Security. Pivot Point is an information security company located in northern New Jersey. They have been in business for 20 years and have deep experience in helping companies reach their compliance goals.
The following interview has been edited for brevity and clarity.
PreVeil: How did Pivot Point get started?
Pivot Point: Pivot Point started in September 2000. I had just left another company because I had Lyme disease, and Pivot Point was a way to pay some bills. We started life as an internet and network security firm because I thought the internet was going to be a big thing. The initial plan was to be a conventional Check Point/network VAR, and that’s where I thought we were going.
And just when we were starting to get traction, September 11th hit and there was nothing going on in the New York area. A relative asked me to help with a security audit for his CPA firm and I fell in love with the work. I fell in love with the idea of helping companies in a consultative way rather than a product centric way – which is the right way to do things.
Today, we are still a product agnostic company. We don’t sell or promote any particular products. We stay true to the consult and assess roots we started with way back when.
PreVeil: So how did that bring you to working on CMMC?
Pivot Point: CMMC is just a logical extension of what Pivot Point began focusing on 14 years ago, which is the increasing need for companies to prove to stakeholders that they are secure and compliant.
As we move to concepts like clouds and 3rd party service providers, increasingly our information assets are in someone else’s IT infrastructure. And if I’m going to share my data with you then I need to have some level of assurance that you are handling it properly.
In 2005, ISO built on the ISO 17799 code of practice and evolved it into ISO 27002. They also introduced ISO 27001, which added the concept of third-party attestation that you are effectively managing the risk associated with information.
So, we saw that as something that was important and was going to grow. Pivot Point became specialists in ISO 27001 and in helping companies prove they are secure and compliant. Think about ISO 27001, SOC 2, the NIST Cybersecurity Framework, HITRUST, FedRAMP. These are all mechanisms to hand a third-party attestation to someone else and say you can trust we are doing things the right way because we had an independent third party validate that we are.
PreVeil: One of the main things I wanted to discuss was pricing. How should defense companies start to think about the pricing of CMMC compliance and get their heads around what it will cost?
Pivot Point: Well it depends. There are a lot of variables that go into what it’s going to cost.
If we break it down into ‘get prepped’ and what it ‘costs to get audited’ – which are the two main costs – and then what it costs to ‘maintain that status’ over time, there are three cost buckets.
The first thing you have to figure out is, if you are going to be compliant, what level you need to comply with. If it’s just level 1 and you just have FCI, that’s a relatively low bar to reach. There are just 17 controls. There’s a pretty fair chance that you are doing most of those controls already.
If you’ve got Microsoft 365 and folks have to log in, then you already have authentication.
Someone can implement these standards on their own and write up a couple of policies. Download an assessment tool. I don’t see any of these as a big issue.
In terms of the audit costs, well, anyone who is predicting audit costs now is doing so in the absence of the information necessary to actually come up with an accurate number. The CMMC-AB’s goal is to establish programs that will result in consulting companies and C3PAOs being able to establish accurate pricing for their services. The AB hasn’t done so yet.
That said, for level 1 you are probably only looking at a one- or two-day audit. It’s unlikely that this will cost more than $6k.
PreVeil: OK. That’s good information if I want to be at level 1. What if I want to be at level 3?
Pivot Point: At level 3, where most people want to know about pricing, it is a different story.
With a level 3 assessment, the first thing I want to know is the clauses they are looking at in their current contract. If you look at an existing contract, that is where you’ll be able to determine what the current requirements are.
For example, a reference to clause DFARS 7012 in an existing contract lets us know that you are handling CUI. Under DFARS, you already had a requirement to implement NIST 800-171. This used to be self-attestation. The primes didn’t do a good job of enforcing this, and subcontractors would just attest that they were implementing NIST 800-171 even if they weren’t. And that’s why we’re in this situation today. That’s why CMMC is an audit-centric standard.
If a company is NIST 800-171 conforming already and has a risk assessment from within the last quarter and a system security plan from the last quarter, then there’s not a lot of cost to get to CMMC level 3. It could cost $0-$30k. And the wide disparity there depends on where you are nonconforming and what the costs of solving that problem are.
The reason for that disparity, for example, could be that they are using the commercial version of Microsoft 365. And that is not compliant. So, if they need to shift to GCC High, that will likely cost $30k or more.
The advanced threat protection that CMMC calls out, or a security information and event management (SIEM) solution, or MFA, or mobile device management can be very expensive. But if you have everything in place and we just need to touch up policies, standards, and procedures, then you can mainly do that by yourself. Or maybe it’s a $5k-$10k exercise. If there are a lot of pieces to move around, then it could easily be a $30k exercise.
The variation is high, because there is a lot of variation in where you are. I wrote a blog with a lot more detailed guesstimating in it – you may want to link to that.
PreVeil: That could make compliance an expensive proposition.
Pivot Point: Any system that stores or processes CUI needs to be in the scope of your system security plan and needs to be treated in accordance with the 130 practices that need to be applied.
So, one of the things that needs to be looked at is whether the whole company needs to achieve level 3. We have a client that is a 300-person manufacturing organization. They do some work for the DoD but a lot of their production is non-DoD related. Moreover, only 50 people in the company are involved in DoD work.
The way they do it now, they have email stored on a central file storage location that everyone has access to. Everyone also has access to the CAD system. With this structure you are creating a much larger CUI scope than is really necessary, which means that all those systems need MFA, logging, alerting, etc. So, it makes sense in these cases to segregate the data. This reduces the scope of the environment six-fold. And that makes for a much lower, affordable cost for doing compliance.
From PreVeil’s perspective, this is exactly what you are doing. That is what scoping is. If you are using GCC High, you are incurring costs for everyone in your organization. But if you are using PreVeil, and you only use PreVeil for users accessing CUI, then the bill is less every month. So, scoping can save a lot of time and money.
PreVeil: Is scoping where you guys start?
Pivot Point: Yes, we typically start with scoping. Then, we conduct a risk assessment if the client doesn’t already have one. Then we do a gap assessment. We look at what they are doing now against the controls they have and determine what the gap remediation plan should be. This is where you get hard costs.
For a typical 300-person organization that has to go through scoping, risk assessment, and gap assessment, that could be $35k-ish. And then we have a plan of what needs to be done to get certified.
At that point, we can determine the hard and soft costs of implementing the plan. For example, does a company have a SIEM or not? That could be $0 or an additional $5k a month.
PreVeil: What are the actual audit costs?
Pivot Point: I think the audit costs will likely land between $15k-$40k.
However, some of the audits done by DIBCAC on NIST SP 800-171 are 20-25 man-days – which, if they were done by a private auditing firm, would likely cost $45k-$75k.
My best guess is that $20k-$40k is probably the right range to estimate until the CMMC-AB releases the audit program.
PreVeil: Does the price for compliance scale logically? Is it linear, for example?
Pivot Point: With regard to costs, we have seen orgs spend $150k-$175k to get ready for NIST 800-171. That might be a bit high, but not crazy if you went top shelf on every choice.
The numbers I’m talking about are for a 250-person manufacturing company with one or two locations.
However, for example, I spoke this morning to a company that has 12 locations and 3,000-plus employees. If different business units sell different products under different contracts, and it necessitates multiple SSPs, I can see it costing them as much as $500k, potentially more depending upon their business structure.
As the company gets larger, the costs go up. Because you have to make sure you apply those controls across all locations.
And if the company has multiple contracts on multiple product lines, then CUI comes into the organization and the scope varies which adds complexity to building the cybersecurity program.
On the other hand, if you have a 50-person company, you don’t just divide the costs by five. It’s like most major frameworks. There are 130 practices and 51 processes that we need to implement for CMMC level 3. It doesn’t matter if it’s 5 or 50 people. We still need to document every one of those and get answers.
Unfortunately, the cost difference between a 50- and a 500-person company is negligible.
PreVeil: Well thank you, John. Really appreciate your taking the time to talk to us.