DOD Releases Cost Projections for CMMC 2.0 Implementation

Defense industrial base companies could spend roughly $4 billion over 20 years to implement the Cybersecurity Maturity Model Certification 2.0 program, according to new Pentagon estimates.

A proposed rule published in the Federal Register Tuesday would oblige contractors and subcontractors handling federal contract information and controlled unclassified information to adopt certain cybersecurity standards depending on the data’s sensitivity and undergo assessments to determine compliance with such requirements, DefenseScoop reported.

Starting on Oct. 1, 2026, the Pentagon plans to assign information security levels to any solicitation where DIB companies have to process FCI or CUI on unclassified systems. 

Each grade, from CMMC Level 1 to 3, would require contractors to evaluate themselves or undergo evaluations by government-authorized third-party assessors. Companies would need to pay along the way for related activities such as preparations, reporting and the actual assessment.

The Pentagon seeks to mandate triennial Level 3 certification assessments for each company information system processing CUI as part of contracted work. To implement Level 3 standards, large organizations could pay $4.1 million in recurring engineering costs and $21.1 million in nonrecurring costs. Obtaining a certification assessment and related affirmations could run such entities over $41,000.
