How Much Does NIST 800-171 and CMMC Compliance Cost?

Over 14+ years working with the Department of Defense (DOD) contractor cybersecurity compliance requirements have evolved from voluntary to self-certification to now mandatory minimums validated by independent third parties via the Cybersecurity Maturity Model Certification (CMMC); the question of cost underpins almost every discussion. 

The CyberSheath team gets asked two questions every day, all day long. How much and how long? Contractors asking the question prefer a exact answer and ideally one that fits in their existing budget. The DOD and NIST have tried to provide some level of analysis around the cost impacts of cybersecurity compliance but when released these estimates are immediately questioned by industry. In our experience these government provided estimates are interesting but irrelevant to your specific situation. Applying the analysis done by the government is like trying to calculate your tax situation based on what you think your neighbors tax bill might be. It’s a waste of your time and guaranteed to be inaccurate. So how do you get a cost of compliance for NIST 800-171 and CMMC that is relevant and specific to your organization? It’s not actually that difficult, and I will share our process here and welcome you to contact us for your evaluation.

CyberSheath has been providing firm fixed price managed cybersecurity compliance for more than six years exposing us to tremendous amount of data around cost. We also understand the differences between cost of compliance in a manufacturing environment, software development organization, research and development and just about everything in between. A significant part of our customer base includes foreign owned US based defense contractors, so we understand those unique aspects as well. Our methodology is audit approved in the sense that our customers have successfully passed third party audits repeatedly.

Our Approach to Understanding the Cost of Compliance.

Don’t ask for a “ballpark”.

With the passage of the new law that went into effect on November 30, 2020, NIST 800-171 and CMMC compliance are being enforced, and it is time to get serious about actually implementing the controls. Ballparks on CMMC cost are not serious inquiries. I understand human nature and desire to “get a ballpark,” but it is a waste of your time, and it is impossible to get an actionable and accurate “ballpark”. There are simply too many variables specific to your situation that ballparks cannot account for. Cloud-based? On-premise? Windows networked domain environment? Cloud services? Hybrid Cloud? These are just some of the questions that drive cost and prevent a ballpark answer to the cost question. It is a bit like calling a personal trainer, having never met them or provided any information, and asking them how quickly you can get into shape. Don’t fret; there is a relatively painless way to understand what your cost might be. Please skip the ballpark conversation and instead put an hour or less into getting something accurate and actionable.   

Fill out a scoping document and have a conversation.

One of the things that we don’t ask potential customers is what their budget is. Candidly your budget is independent of the cost to become compliant. It’s our job to make your budget and the costs align as closely as possible. Still, ultimately, the cost of getting your specific environment compliant is a finite number independent of your actual budget. You probably didn’t account for the 110 security requirements of NIST 800-171 when you created your budget and CMMC likely wasn’t law, so your budget is not really part of the conversation. 

Your environment, the existing people, processes, and technologies you leverage to conduct your business, hold the answers to determining your cost of compliance. At CyberSheath we have developed a relatively simple process that generally takes less than an hour to complete. 

It starts with a facilitated conversation where we walk you through and fill out for you a comprehensive scoping document. The scoping document was developed through nearly a decade of experience delivering managed compliance services and the questions are geared towards the things we have seen in our experience drive the cost of compliance. You bring the appropriate person from your organization who can answer the questions, typically the “IT guy” and we do the rest. This takes anywhere from 30 to 45 minutes and the outcome is an accurate and actionable understanding of the cost and timelines for your organization to become compliant. In our experience, this is time well spent regardless of if you decide to move forward with CyberSheath as your managed compliance partner or not.

What You Get In Exchange For Your Time

A facilitated conversation that outputs a firm fixed price statement of work tailored to your organization’s people, processes, and technologies. It includes cost, schedule, and deliverables to understand how long and what it will take to get you fully compliant. Of course, we’d love to have you as another one of our satisfied customers, but it also allows you to understand what a comprehensive solution looks like if you’re talking to other vendors. 

Next Steps

Unsure of the cost and time for you organization to become compliant with NIST 800-171 and CMMC?  Schedule a meeting with a CyberSheath expert today.  To further your knowledge on how your organization compares with the cybersecurity posture of the DIB, please join our webinar, “How Secure if the Defense Industrial Base Supply Chain?” on February 3, 2021 at 9:00 am (PST) | 12:00 pm (EST) to access our data collected from hundreds of assessments to discover the concerning findings and best practices that lead to compliance.  Register Now.


How Secure is the DIB Supply Chain?


Join our May 29th 12 pm ET webinar Mastering CUI Boundaries: A Comprehensive Guide to Scoping, SPRS Input and Audit Navigation.
This is default text for notification bar