There are a lot of questions surrounding the topic of CMMC (Cybersecurity Maturity Model Certification) right now – some have been answered; many have not. And of course, the more CMMC evolves, the more questions it creates.
How much does it cost?
There are two main, but quite different, costs at play. One is the cost to our national security; the other is the cost of becoming CMMC compliant. At the heart of this whole issue is national security. For America to maintain its superiority on the battlefield and in the defense marketplace, we rely on the latest innovations – much of which come from small and medium-size companies that are also the most vulnerable when it comes to cyber intrusion.
The fact is the intellectual property (IP) behind our innovations is being stolen by the Chinese. Their model is to steal our IP, create cutting-edge technology from it, file for Chinese patents and offer the products and technology to the international marketplace. And because they have not incurred the costs of research and development, they can offer those products at a much lower cost than we can. So not only are we losing money from international sales, but technology that should remain in our control is being sold on the open market. This puts our national security at risk because it challenges our superiority in the marketplace and on the battlefield. While the actual cost of IP loss is not exactly known, some reports put it from a conservative low of $225 billion to as high as $600 billion per year.
Why is it easy for the Chinese to steal our IP?
The short answer is our cybersecurity unpreparedness. To highlight this vulnerability, let’s look at some figures from a recent survey by Tier 1 Cyber. They found that 27% of the companies surveyed admitted they were unprepared for a security breach. Fifty-eight percent were unfamiliar with the CMMC initiative (which started over a year ago); as a matter of fact, only 25% of the companies could even correctly identify the CMMC acronym.
When it came to subcontractors, only 12% of DoD prime contractors had confidence in their subs’ cybersecurity posture. Yet very few had done anything to better prepare their subs against a cybersecurity breach so that the whole supply chain would be better protected.
In another survey done for the National Defense Industrial Association (NDIA) by the company Verify, 40% of the 300 companies responding had only 1 to 10 employees dedicated to information technology; 10% had no dedicated individuals at all.
And 44% were still working to meet NIST 800-171 requirements. For reference, and to explain why this is important, meeting NIST 800-171 requirements is part of CMMC Level 3 compliance.
As for incident response, 41% said their response plan was a work in progress; another 20% said they did not have a response plan at all.
Our cyber unpreparedness makes it easy for the Chinese to steal our American IP, and we need to act now if we are to stop the hemorrhaging or at least slow it down. CMMC is a way to responsibly do that.
What are the costs to become CMMC compliant?
The answer to this question depends on many factors, but as more implementation data becomes available, the final numbers will become clearer over time. While the DoD originally estimated it to be a few thousand dollars, companies that have implemented all 110 controls necessary to achieve NIST 800-171 compliance – essentially CMMC Level 3 compliance – reported it cost them around $250,000. While the Pentagon is working to keep the cost of compliance as low as possible, the fear is that some of the smaller companies – especially those with a civilian commercial base alongside a defense base – will decide to forgo the cost of becoming CMMC compliant and instead pull out of the defense marketplace. And that is not good for the U.S. as a whole, because much of our innovation comes from the small to medium-size companies that are currently part of the defense industrial base (DIB).
Cybersecurity, and especially CMMC, is something we have not fully gotten our arms around yet, but with CMMC we are headed in the right direction. One thing is certain: we must get it under control, at whatever expense, if we are to remain dominant and competitive in the world.