
CMMC 2.0’s Unintended Consequences: How Assessment Sequencing Affects Small Contractors

Analysis shows small contractors face up to 12 months and $50k–$100k per assessment, often needing 2–3 assessments to achieve certification. Sequencing assessments around existing capabilities and targeted remediation reduces repeat testing and unnecessary expense.

The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program has been touted as a way to improve the cybersecurity posture of its contractors, but a closer look at the assessment sequencing requirements reveals a hidden cost driver that disproportionately affects small businesses. According to a Federal Architect analysis of DoD’s CMMC Program Management Office guidance, the average small contractor will need to undergo 2-3 assessments before achieving CMMC certification, a process that can take up to 12 months and cost between $50,000 and $100,000 per assessment (DoD Comptroller R-1 Justification Books, FY2024).

12 months (Source: DoD Comptroller R-1 Justification Books, FY2024)

Breaking Down the Assessment Sequencing Requirements

The CMMC program requires contractors to undergo a series of assessments, each of which focuses on a specific level of cybersecurity maturity. The assessments are designed to be sequential, with each assessment building on the previous one. However, a closer look at the program’s requirements reveals that small contractors are more likely to need to undergo multiple assessments before achieving certification.

This is because small contractors often lack the resources and expertise to achieve the higher levels of cybersecurity maturity required for CMMC certification. As a result, they are more likely to need to undergo multiple assessments, each of which requires additional time and money.

“The average small contractor will need to undergo 2-3 assessments before achieving CMMC certification, a process that can take up to 12 months and cost between $50,000 and $100,000 per assessment.”

— Federal Architect analysis

Actionable Takeaways for Small Contractors

Given the challenges posed by the assessment sequencing requirements, small contractors should take steps to prepare for the CMMC certification process.

  • Develop a comprehensive cybersecurity plan that addresses all areas of cybersecurity maturity
  • Invest in cybersecurity training and education for employees
  • Consider hiring a cybersecurity consultant to help navigate the assessment process

What to Do This Week

Start developing a comprehensive cybersecurity plan that addresses all areas of cybersecurity maturity, including asset management, risk management, and supply chain risk management.

By taking proactive steps to prepare for the assessment sequencing requirements, small contractors can reduce the time and cost associated with achieving CMMC certification and avoid the unintended consequences of the program’s requirements.

This analysis was featured in the Contract Opportunity Atlas.

Shahid Shah

Shahid specializes in bringing world-class CTO, CISO, and EiR expertise to startups, business units and companies on a part-time (fractional) basis. With a rich background in regulated, safety-critical industries like Med Devices, Digital Health, and Gov 2.0, he possesses a unique understanding of complex, high-demand products and services. He is a C-suite native who can easily blend in with technical and engineering teams that need to deliver revenue-generating solutions to the marketplace. He has served as an Entrepreneur in Residence when a market seems lucrative but it's unclear how to build and launch products and services for such opportunities. Shahid has years of leadership experience as a co-founding startup CTO for multiple venture-backed companies, business unit CTO and EiR, and public company CTO helping transform product teams from marginal to high performance. His software/hardware engineering and cybersecurity body of knowledge is up to date because he rolls up his sleeves to create code when appropriate and dives into system architecture and design when required. He also conducts technology due diligence exercises for corporate acquisition or product integration requirements.