CMMC 2.0: The High Cost of Skipping Cyber Certification

What’s New in CMMC | Column 4

“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.


How much will it cost manufacturers to implement the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) framework?

Much depends on individual factors such as a company’s size and the type of defense work it does. The Pentagon has promised “a comprehensive cost analysis” of implementing each of the three levels of CMMC 2.0. That analysis is still in progress.

Possibly just as important to consider, however, is the cost of not getting certified. 

The first and obvious hit to the bottom line in that scenario is that manufacturers who forgo CMMC 2.0 will not be able to win any Defense Department contracts. Compliance, once CMMC 2.0 rules go into effect, will be required to bid on or accept Pentagon projects.

And skipping certification as a way to limit cybersecurity spending can be a risky financial move. Cybersecurity gaps expose companies and their entire supply chain to cyberattacks at a time when they are more frequent, more complex, and much more expensive.

Manufacturing has become “the world’s most attacked industry,” according to IBM’s Security X-Force Threat Intelligence Index, which provides a snapshot of cybersecurity statistics and trends.

If a cyberattack is a data breach, the price tag could reach the $4.24 million average reported in the IBM and Ponemon Institute’s Cost of a Data Breach Report 2021. The report found that the average total cost of a data breach climbed nearly 10% from a year earlier, an increase it described as the largest in seven years.

“Costs,” it said, “were significantly lower for some organizations with a more mature security posture.”

For a ransomware breach (and about one-quarter of cyberattacks targeting manufacturers involve ransomware, IBM found) the average price was an even higher $4.62 million. That number, according to the Ponemon report, didn’t include any ransom that was paid.

For perspective, a cyberattack last year forced Colonial Pipeline to shut down operations, and the company also paid a $4.4 million ransom.

“Ransomware gives criminals leverage with their targets, especially when that target plays critical roles in global supply chains,” Charles Henderson, who heads X-Force at IBM Security, told Insider.

The Ponemon report – which studied 537 organizations in 17 countries and 17 industries – singled out four “cost centers” in any breach:

  • Detection and escalation
  • Notification
  • Lost business
  • Post-breach response

Lost business, the report said, accounted for nearly 40% of the overall average and included revenue lost due to downtime as well as to the higher post-breach cost of acquiring new business “due to diminished reputation.” Post-breach response, the report noted, can include legal fees and fines.

Not every company can make it through a breach and its aftermath, said Laura Élan, MxD’s senior director of cybersecurity, making such costs essential to consider when assessing cybersecurity spending and whether to implement CMMC 2.0 or other cybersecurity framework controls.


MxD’s Cyber Marketplace offers assessments that provide organizations with vetted, market-ready cybersecurity solutions. Visit for more information.