How to Meet CMMC Compliance Mandates with STIG Automation
Everyone is talking about the cost of complying with the CMMC Compliance Mandate
Contractors across the Defense Industrial Base (DIB) are still trying to figure out how to fit CMMC into their long-term business goals. As a DIB member, you might be considering whether the certification costs are worth the benefit of the contract. When you’re trying to win and keep your DoD contracts, using STIG automation can help you meet CMMC compliance requirements.
How much will CMMC compliance cost?
No one knows exactly how much CMMC compliance will cost. CMMC-AB has yet to provide reliable estimates, and the cost depends upon whether you need to be Level 1 or Level 3 compliant. The Defense Federal Acquisition Regulation Supplement (DFARS Case 2019-D041) suggests:
- Level 1: $2,999.56, with no recurring engineering costs
- Level 3: $51,095.60, with estimated recurring engineering costs at $41,666
However, these cost estimates may not be realistic. For example, one article from Pivot Point discusses hidden costs, which include everything from the size of your organization to whether or not you already have a mature NIST SP 800-171 compliant environment.
Hard Costs for Level 3
If you need to meet Level 3 compliance, you need to consider the hard costs of preparing for and undergoing the audit. Your current NIST SP 800-171 compliance maturity determines the cost to round out the necessary hardware and software before being audited. The Pivot Point article addresses the scope of unforeseen costs associated with becoming CMMC compliant.
Reasonably Mature Program
Mature environments with more technology will reduce long-term costs because of the established infrastructure. Prior investments in the environment reduce expenses, but some expenses remain.
For example:
- Prep:
- Migrate current cloud products, like AWS and Azure, to the associated “Government Cloud” versions
- Cost factors:
- Migrations can run as high as $50,000
- Higher monthly subscription costs for upgraded services
- Audit:
- Cost in flux because no clear guidance on the audit process exists
- Estimated auditor time and documentation collection costs: $20,000-$40,000
Immature Program
Organizations with immature programs require a lot more work to become CMMC compliant. In addition, these organizations need to add more technologies, including log monitoring, training, and multifactor authentication.
For example:
- Prep:
- Engage in asset inventory and address technology gaps
- Average estimated costs: $20,000-$60,000, but could go as high as $100K
- Audit:
- Estimated auditor time and documentation collection costs: $20,000-$40,000
Soft Costs for Level 3
Soft costs for Level 3 CMMC compliance depend on program maturity, but the estimated costs set out by DoD don’t show the complete picture. Many professionals anticipate soft costs running higher than the DoD estimates.
Readiness assessments and technical testing of the current environment influence soft costs, especially if an organization requires support for gap remediation. Consultant fees and company size will also factor into costs.
Reasonably Mature Program
Soft costs depend on whether or not an environment is as mature as an organization thinks it is. As a result, reasonably mature programs still face higher soft costs than you might expect. Since environments may not be as mature as you think, technical support for resolving compliance gaps can quickly increase expenses.
For example:
- Gap assessment: $15,000 – $35,000
- Remediation: $0 – $25,000
Immature Program
By their very nature, immature programs must organize existing technologies, supplement missing but necessary ones, and document all practices and processes accordingly. As a result, the cost associated with establishing foundational compliance runs much higher than for mature programs.
For example:
- Gap assessment: $30,000 – $50,000
- Remediation: $10,000 – $40,000
What should all Defense Industrial Base (DIB) contractors consider?
The first step toward any compliance is always hardening systems. All the low-level controls that bring an environment into CMMC compliance are in National Institute of Standards and Technology Special Publications (NIST SP) 800-128 and 800-70. Security Technical Implementation Guides (STIGs) are the key to setting the baseline controls, but maintaining these controls is incredibly time-consuming.
STIGs are updated every 90 days, and implementing new policies can lead to unwanted and unnecessary downtime. Automation makes it easier to maintain a secure baseline, allowing you to become compliant faster and freeing up your time and resources to focus on the more challenging aspects of compliance.
ConfigOS STIG Automation: The Budget-Friendly Way to Accelerate CMMC Compliance
SteelCloud’s ConfigOS gives you a way to automate technical control configurations so that you can reduce the soft costs that come with CMMC compliance. Our easy-to-use solution can scan your entire environment and remediate configuration conflicts in less than a day. You can get your employees trained on ConfigOS in one morning, accelerating your CMMC compliance process. Since ConfigOS documents all activities, you no longer have to worry about the time it takes to provide audit documentation, reducing audit costs and enhancing security at the same time.