November 21, 2022
October 1, 2025 is the date -- plan accordingly
A recent update to the official CMMC website includes a new page, CMMC Resources, which shows the following information after a link to the CMMC clause in the interim rule (DFARS 252.204-7021 "Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement")
Effective 1 Oct 2025. Requires CMMC certificate by time of contract award. Until 1 Oct 2025, DoD must approve CMMC clause in new acquisitions. Contractor certification level must be maintained for contract duration and this clause must be flowed down, as required.
So, it looks like October 1, 2025 is now officially the drop-dead date for the CMMC clause to appear in all DoD contracts, and it will appear in some contracts prior to that date. (We've been hearing this in webinars for months now, but this is the first time I've seen it in writing from an official DoD source.)
What does this mean for your organization? If you haven't already, now is absolutely the time that you need to allocate resources to achieve your CMMC-L2 compliance in 2024 at the latest, to have time for an official assessment before October 1, 2025. There will be a rush for certification at the end! Don't get pushed out.
What resources do we need to allocate? Ahhh, that's a good question, and one that gets asked a lot. The biggest constraints I see are time and money. Let's look a bit closer at these two.
How long will it take? How much will it cost?
These are the two most common questions I hear. Last week I attended a CMMC Update Briefing Webinar by the The National Defense Industrial Association (if you aren't a member of NDIA, you should look into it -- they provide a LOT of useful information) with some crowd-sourced figures on cost and time required to achieve compliance. These fit with what I have heard from colleagues and what we have said ourselves, so I would consider them valid.
How long will it take?
Of course it depends on how far along you already are, but generally speaking, most organizations should plan on spending 18-24 months to fully implement the requirements and be ready for an official assessment. (How long will the official assessment take? Depends on how far down the waiting list of the C3PAO you are! Don't delay.) NDIA offered that it's possible to do a "crash course" version in as little as 7 months, but this will require heavy investment, primarily in outside help and "out of the box" solutions for many of the controls. The "7 weeks" or "7 days" advertised by some unscrupulous vendors is "un-executable at any cost" according to NDIA.
How much will it cost?
Again, that depends on many factors (how much you have done already, the size of your organization, what type of business, etc.) but NDIA provided some general numbers for small businesses (under 200 users) with which I concur. (Note: the cost for a 5-person company is about the same as for a 25-person company. There are some economies of scale over 100 employees.)
I break it down in greater detail below, but I rounded NDIA's numbers and came up with a summary: $100k-200k to achieve compliance, $100k-150k/year to maintain compliance, and $50k-150k every 3 years for an official assessment. Whew.
Initial implemention of technical controls for compliance may run $80k-150k or more, depending on how much you do in-house and the choices you make (remember that many of the controls may be met by either policy or by technology, so those choices can greatly impact the cost). The annual expense for maintaining compliance is estimated at $3500-$4000 per user per year -- so for a 25-person organization, that's another $100k per year. Note also, and this is important: these figures are for IT spend for compliance and do not include general IT spend (workstations, tech support, backups, etc.)
Non-technical controls (including the development & organization of 250-300 pages of documentation) will require another $30k-52k minimum for the initial implementation, with a similar annual spend to maintain and update as needed (including your annual Basic Self-Assessment after achieving a 3-yr official CMMC certification). As one of the speakers succintly summed it up: "Compliance is like having a baby -- you must feed and care for it forever!"
One of the individuals who was involved in compiling information for these slides commented in a different forum online "I feel terrible about those numbers actually but I think they are really on the low end in most cases. Unfortunately." To be honest, I fear he may be right. A speaker at a CMMC event I attended a few months ago, who owns a 5-person company that recently passed a DIBCAC "high" assessment on NIST 800-171, told us that she spent $200k to achieve compliance from scratch (including writing all her own documentation, and she is the system administrator for her network), but believes she could have cut that cost significantly if she had gotten qualified outside help.
What about the cost of the assessment itself? This will vary widely according to the size of the organization, type of business, workflows, etc., but it seems that prices are "starting at" $30k (for 1-2 people with laptops) and going up from there. A good ROM is $50k-150k for a small business. (At least this cost, the actual assessment, is believed to be an "allowable cost" -- though again, until the final rule is out, we won't know for sure.)
The time to prepare is now. If you have been waiting for the signal to start, this is it! If you dive head-on into your compliance program right now, you should just make the cutoff to officially assess before October 1, 2025. (And if you are a subcontractor, you may be getting the CMMC clause flowed down to you sooner than that, so plan accordingly.)
Need help? You know where to find me!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Glenda R. Snodgrass
The Net Effect, LLC
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!