Cummings Research Park

Navigating CMMC compliance: Key budgeting insights for local DoD contractors

Cover image: Provided by the Huntsville CVB/Marty Sellers of SellersPhoto Aerial Photography

Daniel Akridge and Sam Stiles of Summit 7 conducted a free 50-minute webinar on Wednesday, June 12 entitled “How to Budget for CMMC.” 

CMMC (Cybersecurity Maturity Model Certification) is a series of regulations, passed by the federal government, that will apply to defense contractors and subcontractors who conduct business with the U.S. Department of Defense (DoD).  

Summit 7 provided the webinar to educate DoD contractors and subcontractors on various aspects of the regulations, which Akridge and Stiles acknowledge can be challenging to grasp. 

The two questions that guided the webinar were: 

  1. What percent of revenue should companies allocate towards CMMC?
  2. What is the best solution for your company?

Akridge said that the question of cost is top of mind for nearly all of the 3,600 defense contractors that he has encountered through his role as Director of Engagement at Summit 7.

He explained that the DoD estimates that the cost to become compliant will be half a percent (.5%) of a company’s revenue. In addition to these one-time costs, there will also be annual costs associated with maintaining compliance. The annual costs are estimated to be 4% to 8% of annual revenue.

While these numbers are significant, other highly regulated industries have also faced expensive compliance costs. Finance, healthcare, and telecommunications are three industries that have gone through the same transition to higher compliance costs that the defense industrial base is experiencing now.

In the spirit of transparency, and with the blessing of Summit 7 CEO Scott Edwards, Akridge and Stiles shared what Summit 7 spends each year on its own IT costs.

“Ours is 8.2% of annual spend,” said Akridge. “This is a new paradigm shift for the DoD supply chain. It is a cultural change.”

Akridge and Stiles are certain that costs incurred on the way to compliance will be passed on, and that this will drive up the cost of doing business across the defense industrial base. 

“Cost equals scope,” said Akridge. “The bigger your boundary, the more assets and systems that you scope in, the more expensive it’s going to be.”

While the costs will be a burden to companies, the new regulations will create opportunities for workers who become experts in understanding the CMMC regulations, and the steps needed to bring companies into compliance. 

“Let’s say you hire a killer IT person, they know CMMC. The next competitor over says ‘We’ll triple your salary if you come over here.’ We see it happen all the time,” said Stiles. 

Companies will be required to get certified every three years, and self-assess once a year to attest to their compliance. 

Akridge and Stiles expect that a final CMMC rule will be released in October 2024, in advance of the U.S. presidential election. 

“They want to get it done pre-election for a myriad of different reasons,” said Akridge.

The demand for services that help companies become compliant with CMMC regulations is outpacing the number of providers of these services. For this reason, the Summit 7 team advises companies to earnestly begin taking steps toward compliance today. 

“You can’t be ‘on-time’ for CMMC. You’re either early or you’ll end up being very late,” said Akridge. 

If you are interested in viewing a free recording of the webinar, please visit https://www.summit7.us/webinars

Find Summit 7’s CMMC Compliance Guide at www.summit7.us/cmmc. Find Summit 7’s Free CMMC Readiness Brief at www.summit7.us/cmmc-readiness-brief.
