April 22, 2025

To invest in CMMC or to not invest in CMMC? That is “the question” these days for many SMBs in the US defense industrial base (DIB) and the focus of this article.


Compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework at Level 2 is a potentially lofty but likely necessary goal for DIB companies that handle controlled unclassified information (CUI) and want to continue doing business with the US Department of Defense (DoD). 


The 110 controls required for CMMC Level 2 certification are identical to NIST 800-171 Rev. 2, which has been the DoD’s cyber compliance baseline since 2017 for DIB orgs that process, store, and/or transmit CUI. Perhaps the biggest difference is that CMMC Level 2 certification will require a third-party (C3PAO) audit, not just a self-attestation with executive affirmation. 


Once CMMC requirements start to appear in DoD contracts (probably by the end of 2025), DIB orgs that handle CUI will need a CMMC Level 2 certification to bid on new contracts or be awarded contract renewals. The cost, effort, and time required to achieve CMMC Level 2 certification can be quite high for some companies. But failure to comply also has its costs, including inability to bid on future contracts, loss of current contracts, regulatory fines and scrutiny in the wake of a cyber incident, or even False Claims Act liability for an inaccurate compliance self-attestation.

What are the pros and cons of CMMC Level 2 compliance?

The choice to pursue CMMC Level 2 compliance or not depends on the specific costs and benefits to your organization. If you’re starting from scratch or have major gaps in your controls, the outlay could be daunting. But if you want to do business with the DoD there is no way around it. 


It is important to weigh your pros and cons carefully and comprehensively. While some companies are exiting the DIB to avoid cybersecurity investments, others are strengthening their cybersecurity postures and attaining early CMMC Level 2 certification to gain a competitive advantage, take market share, and maximize their overall ROI. 


The lists below summarize key pros and cons of achieving CMMC Level 2 certification through independent attestation.

Pros:
  • Your business can win new defense contracts and continue working on current contracts.
  • Strongly enhanced cybersecurity posture, leading to reduced risk of a data breach, successful ransomware attack, etc.
  • Competitive advantage versus firms that are not yet certified.
  • Greater trust and peace of mind among all stakeholders, including investors, regulators, and boards.
  • Improved market reputation.
  • More effective risk management.
  • Better operational efficiency.
  • Significant financial savings from avoiding the costs of a cyber incident, which usually exceed the costs of CMMC Level 2 certification.
  • Reduced risk of False Claims Act actions and other lawsuits stemming from a cyber incident or whistleblower scenario.

Cons:
  • High upfront cost (totaling $100,000 and up, even for orgs that currently attest to NIST 800-171 compliance).
  • Extensive timeline: easily 9 to 18 months, or even 24 months and more.
  • Ongoing annual costs to maintain certification and report compliance to the DoD.
  • Costs for recertification every 3 years.
  • A long potential wait for your certification audit due to a lack of C3PAOs. The DoD estimates that approximately 77,000 to 80,000 DIB orgs will need CMMC Level 2 assessments, but well under 100 C3PAOs are currently authorized to conduct them.
  • Increased complexity of your IT infrastructure from adding cybersecurity controls and compliance processes.
  • Risk of noncompliance penalties if you achieve certification but fail to maintain compliance.
  • Increased IT operational impacts from managing cybersecurity and compliance assets.


Pro tip: If you decide to pursue CMMC Level 2 certification, you’ll enjoy more benefits and less business risk if you get certified sooner rather than later. You’ll also reduce the risk of negative business impacts from noncompliance, especially the risks of delays associated with a shortage of C3PAOs. 

What are the major CMMC Level 2 certification cost categories?

Understanding the CMMC cost categories early in your certification process helps with budget planning and resource allocation. On any CMMC Level 2 certification project, you should factor in these major cost categories:


  • “Hard” costs to implement and upgrade cybersecurity controls and associated hardware and software, including remediating vulnerabilities and compliance gaps. For companies that are far from CMMC Level 2 compliance today, this is often the largest cost area.
  • “Soft” costs like planning, budgeting, and risk assessment, as well as internal audits, creating/updating documentation (e.g., your system security plan and incident response plan), and employee training. Third-party consulting costs usually fall into this category as well.
  • “Time” costs like C-suite strategizing, project management, IT support, and employee or contractor work time.
  • Third-party assessment costs, which will affect all but a handful of DIB orgs seeking CMMC Level 2 certification. A ballpark estimate of total costs for a formal C3PAO audit is $100,000, depending on the size of your CMMC scope and other factors (see the next section).
  • Maintenance costs for continuous compliance and continuous improvement of your CMMC Level 2 environment.

What factors will influence our CMMC Level 2 costs?

The DoD recommends that companies earmark at least 0.5% of revenue to cybersecurity. CMMC Level 2 compliance/certification costs vary widely based on multiple factors. The biggest factors for any DIB org include:


  • The size and complexity of your business, including how many sites you have. Bigger companies usually have higher certification costs because there are more people and systems involved.
  • Your current cybersecurity posture largely determines how close you are today to CMMC Level 2 compliance and how much work you still need to do.
  • How much CUI you have and where it comes from, including whether you generate CUI as well as receive it. The number of users and systems that access CUI also affects costs, with more access creating a bigger, more complex “compliance boundary” or “CMMC enclave.”
  • The maturity of your governance, risk, and compliance (GRC) program, including tools and processes to automatically monitor and report on cyber compliance metrics.
  • Your choice of C3PAO, as their fees vary.
  • How much you rely on external resources for both strategic and tactical activities. Consulting services initially add to costs, but third-party expertise can also save money by reducing wasted effort and driving better decisions.
  • Whether your timeline is relaxed or rushed. It generally costs more to make a project happen faster.

How can we reduce our CMMC scope?

Unless every person in your company handles CUI, it usually makes sense to decrease the scope of your CMMC environment by creating a separate enclave and workflow where CUI stays. The smaller your CMMC scope, the more streamlined your control implementation and the faster, simpler, and cheaper your certification audit.

Strategies for reducing your scope, and the cost of what remains in scope, include:

  • Keeping your CUI footprint as small as possible, including limiting the number of users who interact with CUI.
  • Leveraging skilled cybersecurity consultants who have years of experience with scoping.
  • Using pre-built documentation templates and other resources to save time and effort.
  • Paying attention to the user-friendliness of cybersecurity solutions, as usability impacts productivity and training costs.

Can external partners help us save time and money on CMMC certification?

Many DIB SMBs lack the internal cybersecurity expertise to correctly scope their CMMC environment, conduct a gap assessment, evaluate cyber risks, implement new technology, and address other challenges on the path to CMMC Level 2. An experienced external partner that is familiar with your industry and IT systems can often achieve better results in less time and with less risk of internal bias and blind spots. 


Some of the benefits of engaging a trusted partner to support your CMMC certification journey include: 

  • A partner can save you money in the long run by accelerating your timeline and helping you sidestep potential pitfalls.
  • You get objective advice based on a proven, best-practice approach. 
  • A third-party expert can evaluate cloud-based services, operational technology (OT), Internet of Things (IoT) equipment, and other specialized assets within your CMMC scope.
  • An independent assessment of your cybersecurity posture can help you prove CMMC alignment or conformance for competitive or legal purposes prior to your successful certification. 
  • More than an internal assessment, a third-party audit of your cybersecurity posture helps build trust and peace of mind with stakeholders by showing that your business is committed to protecting CUI and other sensitive data. 

What’s next?

To connect with a CMMC expert on your CMMC 2.0 compliance goals and current status, contact CBIZ Pivot Point Security.