Eyes Wide Shut for Looming Costs of CMMC Credentialing

January 31, 2021 marks the first anniversary of the publication of the Department of Defense Cybersecurity Maturity Model Certification (CMMC) version 1.0. One year after the policy was published there are only 36 Certified Third Party Assessment Organizations (C3PAOs) credentialed by the CMMC Accreditation Body (CMMC AB). However, despite being credentialed by the CMMC AB, those 36 C3PAOs are “not yet ready” to perform CMMC assessments, according to a statement by Ms. Diane Knight, the government lead for the CMMC Pathfinder and Pilot programs. The statement was made without elaboration in a Town Hall webinar presented by the CMMC AB on 26 January 2021.

One year into CMMC there are zero CMMC-certified vendors at any level; only two CMMC “Pathfinder” projects, one from the Missile Defense Agency and one from the Defense Logistics Agency, have been completed (as opposed to the 10 that were planned); and none of the 15 CMMC Pilot project contract solicitations has yet been issued.

The forecast of 1,500 CMMC-certified companies by the end of FY21, made by the USD(A&S) CISO on 2 September 2020, is now nearly an impossibility, with one third of the fiscal year already past and no certifications on the horizon until at least April. Despite missing almost every schedule milestone that was forecasted, suggested, or even vaguely insinuated, USD(A&S) has not conceded that the roll-out schedule for CMMC to be fully implemented by 1 October 2025 is unrealistic and will slip. As serious as the schedule slip is, schedule is not the elephant in the room. The unknown cost of the CMMC credentialing process is.

A full year into the CMMC mandate there is no authoritative data on how much it will cost a vendor company to obtain a CMMC assessment at Level 1, let alone at the far more demanding certification Levels 3 through 5. The CMMC AB also credentials the individuals who perform assessment and advisory work, including those granted the Registered Practitioner credential. Indeed.com lists the average salary for jobs in the category of Cybersecurity Analyst at roughly $96,000. I expect that a CMMC Registered Practitioner would command at least $115,000 in annual salary, so the fees charged for their work are not trivial. Many companies are opting to hire a Registered Practitioner Organization (RPO) to advise them and help them prepare for official assessment by a C3PAO. These RPO services effectively double the cost of assessment, but they will not be included in the allowable costs for reimbursement.

As the first seven C3PAO companies were credentialed in early December 2020, the question of how much they would charge for an assessment became a hot topic on forums such as the National Defense Industrial Association (NDIA) Connect message boards. The length of time necessary to conduct an assessment at each CMMC level is also actively debated. Business owners, from a service-disabled veteran-owned small business (SDVOSB) with just 10 employees up to the big five defense contractors, still do not know how much to budget for the credentialing process or how much lead time an assessment will require before the vendor may propose on a contract containing the DFARS 252.204-7021 CMMC clause.

The creation of a mandated CMMC assessment performed by private companies signaled the beginning of a cybersecurity gold rush for the C3PAO companies credentialed to perform those assessments. C3PAOs have a federally mandated clientele of 300,000 companies that are constrained to seek out their services or cease to be active members of the DIB.

What makes it worse is that the DoD has made no provision and expended no effort to put in place a process to gather, analyze, and monitor cost data on the industry niche of C3PAOs that was created by the pen-stroke of the USD(A&S). Consider the business process mandated by the DoD that created the business model for C3PAOs. The DoD also contracted with the CMMC Accreditation Body to regulate the C3PAO companies. Doesn’t it seem just the least bit odd that the DoD did not put in place any regulation on the fees charged by C3PAOs to perform an assessment whose content is very strictly controlled by the CMMC framework?

It’s not as if the DoD does not know how much manpower and how much time are required to perform an assessment: the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is performing the CMMC assessments on the companies bidding on the CMMC Pilot projects. Since the DCMA DIBCAC scrupulously records the number of personnel, the hours worked, and the cost of tools and materiel for these assessments, why is that data not released to the public, and more specifically to the companies that will be negotiating an assessment fee with a C3PAO?

The mandatory annual emissions testing that most states levy on passenger vehicles is a useful analogy for CMMC credentialing. The process for performing the emissions test is standardized, just like a CMMC assessment. The performance thresholds are established by the government, just like a CMMC assessment. The fee charged by private emissions testing providers is tightly regulated by the government. So why is it only on that last element that the analogy between motor vehicle emissions testing and CMMC assessment by C3PAOs fails to hold?

Data on CMMC assessment fees would not only give vendor companies important cost comparison information, it would give the OSD Cost Assessment and Program Evaluation (CAPE) office actual data with which to quantify the cost of the CMMC mandate as it will be reflected in the lifecycle cost estimates for all DoD programs. USD(A&S) policy for CMMC states that certification costs will not be reimbursed on fixed price contracts, and that recertification costs after the expiration of an initial three-year certification will not be an allowable cost. All regulatory costs are ultimately reflected in the cost of goods and services. Only the most naïve government policy writer would not concede that the credentialing costs for all CMMC activities will indeed be passed on to the government, and ultimately the taxpayers, in the form of general and administrative costs on every contract.

For the good of everyone involved, USD(A&S) needs to gather and then publish the data on CMMC assessment fees. If the DoD refuses to regulate the fee structure of the C3PAO businesses that it created with the CMMC mandate, then the least it can do is provide, as former USD(AT&L) Mr. Frank Kendall would have described it, “should-cost” data to companies in the DIB so that they can negotiate those fees effectively.

This could be accomplished quickly and easily by a modification to the contract awarded to the CMMC Accreditation Body, requiring C3PAO companies to report the fees charged for mandated CMMC assessments to the Accreditation Body. DIB companies are constrained by the CMMC mandate to obtain certification, and they deserve the same transparency in the unregulated C3PAO fee structure that motor vehicle drivers have with respect to regulated vehicle emissions testing fees.


Walt Yates

Readiness is the Reason for Training

4 years ago

Rick, I have had the same sense as you. I believe the issue is that "the government" is siloed in different rings and corridors of the Pentagon. My supposition is that USD(A&S) staff never discussed with OSD CAPE their plan to outsource cybersecurity compliance audits for DIB vendors to commercial service providers. CAPE would have asked about the personnel skill requirements for auditors and the amount of time that an audit would take at each level, developed an estimate of how much this would cost for DoD programs, and their jaws would have dropped when they realized how costly this outsourcing was going to be. CAPE knows that all costs are eventually reflected in the program cost. I heard a quote attributed to a senior official that, "if a company mows the lawn at a DoD installation they will eventually be required to maintain a CMMC Level 1 certification." That quote reveals an attitude of disinterest in how much it costs to obtain the credential and a lack of curiosity about what CUI a grounds maintenance company might hold (and why) that would justify a CMMC certification.

Reply
Rick Brooks

Global Director, Simulation and 3D at Blackshark.ai.

4 years ago

Walt, this is a great question and a topic we should all be discussing, from industry to Govt, as I am not seeing the funding estimates/allocations match the new CMMC requirements in most released RFPs. I am not sure the Govt understands the private sector costs related to these new CMMC requirements. The certification and compliance risks are very high for potential industry bidders.
