The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program has been touted as a way to improve the cybersecurity posture of its contractors, but a closer look at the assessment sequencing requirements reveals a hidden cost driver that disproportionately affects small businesses. According to a Federal Architect analysis of guidance from DoD’s CMMC Program Management Office, the average small contractor will need to undergo 2-3 assessments before achieving CMMC certification, a process that can take up to 12 months and cost between $50,000 and $100,000 per assessment (DoD Comptroller R-1 Justification Books, FY2024).
Breaking Down the Assessment Sequencing Requirements
The CMMC program requires contractors to undergo assessments tied to the level of cybersecurity maturity their contracts demand. The assessments are designed to be sequential, with each one building on the previous, so a contractor that falls short at assessment time must remediate and be assessed again before it can be certified. A closer look at the program’s requirements shows that small contractors are the ones most likely to need more than one assessment cycle before reaching certification.
Small contractors often lack the staff, budget and in-house expertise to reach the required maturity level on the first attempt. They are therefore more likely to fail an assessment, remediate and be reassessed, and each additional assessment adds time and money to the process.
Actionable Takeaways for Small Contractors
Given the cost of repeat assessments under the sequencing requirements, small contractors should prepare before their first assessment rather than after a failed one.
- Develop a comprehensive cybersecurity plan that covers every area of cybersecurity maturity, including asset management, risk management and supply chain risk management
- Invest in cybersecurity training and education for employees
- Consider hiring a cybersecurity consultant to help navigate the assessment process
By preparing for the assessment sequencing requirements in advance, small contractors can reduce the number of assessments they need, cut the time and cost of achieving CMMC certification, and avoid the unintended consequences of the program’s requirements.