In its annual report taking the pulse of defense firms, the National Defense Industrial Association argues that implementing the Pentagon’s Cybersecurity Maturity Model Certification program will impose significant costs on companies, which could become a barrier to entry for industry partners.
“After several years and multiple iterations of rulemaking, the Department released the final rule for the CMMC program on October 15, 2024, which became effective on December 16, 2024. As the defense industry moves forward with implementation of CMMC, many companies are still facing uncertainty and questions surrounding the program, especially regarding cost,” according to NDIA’s “Vital Signs” 2025 report.
The report reviews the costs of implementing NIST Special Publication 800-171, which is the foundation for level two of the CMMC program.
Defense companies that hold controlled unclassified information were required to meet the 110 controls in NIST 800-171 starting on Dec. 31, 2017, but many companies did not meet those standards, and DOD decided to create a third-party assessment requirement by establishing the CMMC program.
The NDIA report was released Feb. 26 at the start of a House Armed Services Committee hearing on strengthening the defense industrial base featuring NDIA president and CEO David Norquist, Aerospace Industries Association president and CEO Eric Fanning and Matthew Paxton, president of Shipbuilders Council of America.
The final rule allowed official CMMC assessments to start. A second rulemaking expected to be finalized by mid-2025 will set up a four-phase timeframe for CMMC requirements to start showing up in DOD contract solicitations.
NDIA says, “According to DOD’s estimates, the private sector will face an annualized cost of $4B to implement the CMMC program. The rule also estimates a cost of more than $100,000 for three years of compliance for even small companies.”
“However, the department’s cost estimates are just related to the assessment and certification of the standards – they do not include the cost of meeting the actual NIST SP 800-171 standards, something that the department never estimated prior to release but are costs DOD ‘deemed necessary’ in 2017,” the report says.
The report continues, “Without knowing the full costs, it can be difficult for industry partners, especially small businesses and nontraditionals, to make a fully informed business decision of whether to conduct business with DOD, which can become a large barrier to entry.”
NDIA conducted a “DIB IT and Cybersecurity Survey” in 2024 that is separate from the trade association’s Vital Signs 2025 survey.
The cyber survey found nearly half of respondents spent more than $100,000 on initial costs to implement the 110 controls in NIST 800-171. Twenty-eight percent spent more than $500,000 and the remaining respondents spent over $1 million to reach compliance.
After the initial implementation costs, NDIA says over 45 percent of respondents said they were spending more than $100,000 annually to remain in compliance with NIST 800-171. Twenty percent spent more than $500,000 and the rest spent over $1 million.
The report says, “When asked about the top challenges that respondent organizations face in implementing the security requirements in NIST SP 800-171,” the challenges that companies spending up to $2 million on compliance “cited include the financial cost (65%), insufficient guidance on compliance (46%), difficulty in understanding the security requirements (38%), and shortage of qualified IT professionals (38%).”
“These findings were echoed in an identical question asked in the Vital Signs 2025 Survey, with the financial cost associated with implementing NIST SP 800-171 as the top answer, cited by 45% of the private sector respondents,” the report says.
In addition, NDIA found many organizations don’t have a full-time person on staff who manages their cybersecurity efforts.
The report says, “Aside from impacts on contractors, there are also impacts on the department itself. Companies can include their compliance costs in the pricing of their products and services. As currently implemented, CMMC will add significant cost to every major weapons system and service contract, especially as a higher percentage of U.S. DIB companies raise their level of compliance with the underlying NIST standards and expend additional resources toward this effort.”
There will be additional costs when DOD requires industry to move to revision two of NIST 800-171, which was finalized while the CMMC rulemaking process was ongoing, according to NDIA. DOD issued a class deviation in May 2024 to keep the CMMC requirements aligned with NIST 800-171 Rev. 1.
“As implementation continues, there could also be additional management costs incurred by the Department that are not currently being adequately accounted for in budget planning assumptions. Since DOD topline is not expected to increase significantly over the next several years, these increases in expenditures will reduce funds available for other important priorities,” the report says.
The report recommends, “Congress and the Department must work to enact provisions that support companies unable to adequately invest in cybersecurity protections, including tax credits and Small Business Administration (SBA) guaranteed loans.”
NDIA also raises concerns over the CUI program itself.
“Industry continues to highlight several instances where inconsistencies, ambiguities and inaccuracies within the current CUI marking process lead to confusion, increased costs, and decreased security for all parties,” the report states.
NDIA adds, “As industry continues to move forward with implementation of CMMC, it will be important for policymakers within the department, Congress and other stakeholders to be mindful of the challenges facing industry and to identify ways to assist those that are below the ‘cybersecurity poverty line.’”
“Understanding the costs to contractors to safeguard information is an essential element to ensure that companies, especially small businesses and start-up companies, are not regulated out of their ability to support the Department and its missions. It will also be important for policymakers to remain mindful and plan for the impact in other areas, including the increasing cost of weapons systems, the management of the CMMC program, and the overall CUI program itself,” NDIA says.