That Shepherd Boy Looks Familiar!
As I prepare to talk about the Cost of CMMC, I’d like to ask you to reminisce with me. Do you remember when you were just a little whippersnapper and your parents, trying to instill some virtues of basic human decency, told you the story of The Boy Who Cried Wolf? In the story, a shepherd boy amuses himself by warning his village that a wolf is attacking him and his sheep. In reality, he is simply bored and playing a prank to liven up his day. The villagers race up the hill to the shepherd boy, ready to turn the wolf into a rug, just to find the boy laughing at their anxiety. I just picture him laughing like Woody from Toy Story when he tricked Buzz Lightyear into thinking there was an alien behind him!
Please pardon my love for a good ole’ Pixar reference. The story goes on with the boy playing this prank a couple more times before ultimately losing the trust of the villagers. When the boy and his flock were in danger, no one came to help him. The moral of the story is simple: misrepresentation breeds distrust and will harm one’s ability to be taken seriously when it matters most.
Though not one-to-one, there’s a similar distrust in the Department of Defense (DoD) contracting industry around the CMMC burden conversation. If you’ve spent any amount of time on social media, at conferences, or with organizations in the Defense Industrial Base (DIB) engaging with the concerns, complaints, and different perspectives about the DoD’s Controlled Unclassified Information (CUI) program, then you’ve almost certainly seen a topic of debate that’s been raging for the last few years regarding the “Costs of CMMC”. The debate entails one side (normally DIB organizations, usually small/medium-sized businesses) expressing their concerns and frustrations with CMMC and how much it’s going to cost them, while the other side (usually representatives of the DoD or experts in the GRC world) dismisses these concerns with the common refrain, “You’ve had these requirements since 2016/2017” or “The cost of CMMC is really only the cost of the assessment” or “You’ve been ‘cryin’ wolf’ about this for years!”
In today’s blog, I’m hoping to look at both sides of the argument with the aim of providing a helpful perspective and bringing some peace to the trenches of this debate. I believe both sides are saying true things, but both sides are also talking past each other in some important ways. Hopefully, this advances the conversation, bolsters irenicism and empathy, and encourages positive action to implement the necessary requirements, protect CUI, and secure our nation in good faith. We’ll talk about the problems with both positions and how to move forward honestly and with reality in view.
To Provide for the Common Defense
First, let’s get some important facts out of the way. CMMC, conceptually, is pretty simple. CMMC is the intentional, DoD-commissioned, and regulated verification program for the security requirements associated with the safeguarding of Federal Contract Information (FCI) and CUI associated with DoD contracts. It is unambiguous what the intention of the regulations and guidance related to CMMC has been. It has always been to implement basic, obviously necessary mitigation measures for risks associated with information that is not classified, but is sensitive enough that if our adversaries were to get their hands on it, it would work against the United States’ interests in protecting its intellectual property and, in turn, our citizens and warfighters. This message and purpose have been reiterated so many times by the DoD in memos, supplemental context portions of regulations, etc. that I sometimes hear it in my dreams. I haven’t slept in years! So, to all the naysayers of these efforts who believe that CMMC is totally unfounded in reality and in the mission the government has articulated, I love you, but please, in the words of the great Michael Jordan, “Stop it. Get some help.”
It is also incredibly important to be honest about the numbers and data associated with CMMC costs. It is true that NIST SP 800-171 implementation has been required “as soon as practical, but not later than December 31, 2017.” It is also true that the government has put in an immense amount of time trying to get the message across, and FOR GOOD REASON. The idea by some within the DIB that “doing this CMMC thing” is going to be a huge and totally new cost for their business is, to put it bluntly, wrong. The costs associated with implementing the NIST SP 800-171 requirements on “all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components” (Abstract from NIST SP 800-171) have been a reality for DoD contractors handling CUI as part of their contracts since 2017, and the fact that the self-attestation model didn’t work, due to low actual compliance with the requirements, was, and still is, justification enough for CMMC. It is the government’s prerogative to secure our Nation. Thinking back to the good ole’ days of elementary school civics class, we recall that this is one of the primary purposes of government enshrined in the Preamble to the Constitution of the United States: “To provide for the common defense.” So, “you’ve had these requirements since 2016” is, in a sense, true.
But…
The Past Judged by the Standards of the Present
Ok, now that I’m done admonishing the individuals in the DIB and talking heads who’ve encouraged dissension from cooperation and implementation of the DoD’s CUI program via CMMC, I’d like to take a moment to chide in the other direction because I think it’s also warranted. The historian Denys Winstanley once wrote, “Nothing is more unfair than to judge men of the past by the ideas of the present.” What in the world does that quote have to do with anything, Steve? I was getting there, gimme a moment, would ya’?! You see, while there’s a lot of truth to the rebuttal, “You’ve had these requirements, like, forever,” there’s also some not-truth to it as well. In fact, there are some quite important not-truths in this claim that, understandably, have led to confusion, stagnation of effort, and complexities for organizations in the DIB, and they need to be nuanced. And I’m going to name the big ones I see once and for all.
There’s a big difference between the claim that DIB contractors have had since 2016 to implement the NIST SP 800-171 requirements on “all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components” and the more general claim that “you’ve had these requirements since 2016.” The latter is a problematic statement, simply because it’s misleading in two main ways.
Firstly, contractors have NOT had the same expectations for implementing the DFARS 252.204-7012 requirements since 2016. It has evolved. Sure, the language of the DFARS hasn’t changed much, but the understanding and guidance on its implementation have morphed and been clarified over time, especially since the announcement of CMMC in 2019, which brought the creation and publication of the Interim Rule (DFARS 252.204-7019, DFARS 252.204-7020, and DFARS 252.204-7021), and the release of the initial drafts of the CMMC scoping and assessment guidance documents in 2020. For example, before 2020, the only thing that contractors who were paying attention knew (which, agreed, wasn’t a lot) was that they were required to implement the NIST SP 800-171 security requirements on components of their system that handled CUI or provided protections to those components (i.e., what we now loosely refer to as “CUI Assets” and “Security Protection Assets”, though the nuances and definition of “Security Protection Asset” have even evolved a tad). There was NO formal concept of the two other CMMC Asset Categories, Contractor Risk Managed Assets (CRMAs) or Specialized Assets (SAs). In principle, SAs were briefly mentioned in an obscure portion of NIST SP 800-171 Rev 1 and Rev 2; however, the requirements for how these are to be handled are not one-to-one with what we know now. My point is that even the scoping expectations and OSA obligations for the different types of system components/assets within a nonfederal system weren’t totally settled and clearly communicated to contractors in the same, more upfront way that 32 CFR Part 170 and the related CMMC Scoping and Assessment Guides now provide.
Another big’n is how External Service Providers (ESPs), like Managed Service Providers (MSPs) and Cloud Service Providers (CSPs), are to be considered and treated, how contractors should understand an ESP’s involvement in their scope, and how that involvement would be assessed during the formal audit of their compliance program. Our understanding of all of this has evolved in recent years. To be frank, in the grand scheme of things, our understanding of ESPs to this day still has some murkiness to it. Shucks! Many of the clarifications around how MSPs that handle CUI on behalf of their clients versus those that don’t (and how CSPs that store or process CUI versus those that don’t) should be addressed appropriately have only been communicated to the public within the last two years or so. The concept of FedRAMP Equivalency wasn’t clarified by the DoD until the memo released in January 2024, after the language of equivalency had been on the books in DFARS 252.204-7012 since 2016. We are still semi-regularly getting clarifications, new expectations, etc. from the DoD on these matters through helpful resources they’ve been releasing over time, such as the “Technical Application of CMMC Requirements” PowerPoint they published in February 2025. That’s not to mention the things that have been stated by the DoD in the different cybersecurity and CMMC Frequently Asked Questions (FAQ) documents on the DoD Procurement website and the DoD CIO’s website for CMMC resources, which have been revised several times.
Finally, I wanted to briefly touch on the “Costs of CMMC” part of this dissent. It is technically true that, because NIST SP 800-171 has been required since the inclusion of DFARS 7012 in contracts, the implementation of these requirements isn’t a net-new cost coming from CMMC. But as mentioned before, HOW the NIST SP 800-171 requirements are to be implemented in a contractor’s system has been fleshed out, especially in relation to ESPs, only within the last few years as a direct result of the 32 CFR and its related supplemental documentation. So, it’s not entirely accurate or nuanced to say that there have been no incurred or additional costs from CMMC in regard to the implementation of DFARS 7012 requirements, because CMMC validates that the implementation of these requirements is done in accordance with non-DFARS 252.204-7012 regulatory obligations (i.e., 32 CFR Part 170, CyberAB’s CMMC Assessment Process, the DoD Assessment Methodology from 2020, the CMMC and DoD Procurement Toolbox FAQs, etc.)! This most certainly makes things more complex, which leads to higher consulting and implementation costs that weren’t originally anticipated in 2016. And that’s all on top of the assessment costs, which we’ve seen range from $30-$85k (remember, every three years) depending on the size and complexity of the CMMC scope to be assessed.
There are other things I could mention, but I think you get the point. All these things (and more) take time to understand, develop a plan to address, implement, and establish a mechanism or method to maintain. And every time there’s another change or adjustment in how things are required to be handled, it’s something that contractors may, again, have to take time to evaluate, plan for, and address. It all takes time, and they have to do it all while running a business that doesn’t exist for the sole purpose of implementing governmental requirements and guidance nuances. They’re machine shops and manufacturers and software developers and mechanical engineers and training professionals that have so much else to do. Yes, they must do the thing. Yes, they should have already done much of it. Yes, if many of them hadn’t ignored the requirements or blatantly disregarded or even lied about implementing them, then maybe I wouldn’t be writing this, and this debate wouldn’t have occurred at all. But, at the same time, it’s not fair to just say “You’ve been delinquent for years” without any nuance. I don’t think it’s a stretch to say that many DIB contractors aren’t as informed as others in this industry, and while I agree that ignorance of requirements isn’t an excuse, it at least should give us some pause and help us not to just assume the worst in people.
So, What Do We Do Now?
I’ll cut right to the chase. You can probably tell what my advice is for this industry. For those in the DIB who have procrastinated or have been in denial about the benefits and purpose of the CUI program, and have emphasized the failures, changes, or confusion while downplaying the successes, benefits, and security enhancements around CMMC and its requirements, I hope Mr. Jordan’s words ring in your ears. For those in the knowledge-sharing industry or representatives from the DoD who are taking a harsher tone with contractors who are bringing their anecdotes to bear in the way they express concerns about CMMC and their journey through it, please be patient and have some grace. No one blames you for their procrastination, and when there is genuine, knowing fraud or obvious, blatant neglect of their contractual obligations to protect sensitive information, most can agree that it needs to be addressed with contractual and even legal ramifications (i.e., the False Claims Act). But I think a positive, encouraging, and supportive disposition, along with the actual implementation of the CMMC Rollout Phases, will be effective in getting organizations to where they need to be and securing FCI and CUI appropriately. Let’s not kick anyone while they’re down. Let’s help them up, come alongside them in their failings and shortcomings, and help them implement these requirements in good faith while sticking to our guns about the ultimate mission. Both can happen. Both should. And I will say there are many from the DoD and the knowledge-sharing industry who are doing this wonderfully, and we’re very thankful for the support!
As for contractors trying to do the right thing: define your scope in accordance with the CMMC scoping guidance if you haven’t already, assess yourself against the requirements using the assessment guidance, evaluate your ESPs, like your MSPs and CSPs, to see if they’re going to hurt you or help you in your efforts to become compliant with your contractual requirements, and, yes, budget accordingly. Depending on your size and complexity, prepare to spend $30k+ on the assessment in addition to your implementation costs, which can also vary greatly. If you’re not sure where to start or how to do any of these things, seek help from those who do and empower your staff where you can with opportunities to learn. There are several MSPs and consultants out there who know what they’re doing and can be a great asset to your compliance journey.
Ladies and gents, I truly do hope this was helpful. We, at IntelliGRC, have big hearts for this industry. We were born in it, we’ve grown and thrived in it, and we’re very hopeful for the future. I can’t tell you how many inspirational stories we’ve heard from our friends across the DIB and their supply chain that only encourage us to keep helping. That being said, if you or your company are looking for a helping hand in getting these requirements put in place, or if you’re an MSP interested in learning how to support this industry backed by a solid Governance, Risk, and Compliance platform to simplify and make things easier for you along the way, please don’t hesitate to reach out! You can contact us either through the Contact Us page on our website or by sending an email to [email protected].
As always, Happy Implementing!