Hidden Costs in CMMC Cloud Compliance Could Jeopardize Certification

CMMC compliance is now critical for defense contractors but hidden costs abound. Our expert offers some advice.

Written by Thomas Graham
Published on Jul. 21, 2025
Summary: CMMC compliance is now critical for defense contractors, with hidden cloud costs, unclear provider roles and tenant ownership risks threatening budgets and certification. Without due diligence, the cheapest CMMC cloud option can quickly become the most costly.

It’s a competitive market, and everyone in the defense industrial base (DIB) is preparing for the Cybersecurity Maturity Model Certification (CMMC). CMMC is no longer a future concern. It’s already appearing in flow downs, and requirements are tightening across the DIB because the implementation requirement has been in place since December 31, 2017. If you’re not preparing now, you’re already behind.

Buyers should be cautious in environments like this, where urgency is high, options seem similar and pricing pressure is intense. In this situation, several hidden costs can arise in the CMMC cloud experience.

One of the strategic actions many organizations take is to employ Microsoft’s Azure GCC High to limit assessment scope to just the part of their businesses that manage controlled unclassified information (CUI). The other approach is to accelerate CMMC readiness by partnering with an organization that can expedite the CMMC Cloud strategy as a consultant, managed services provider (MSP) or managed security service provider (MSSP), all of which are considered external service providers (ESPs) under the CMMC umbrella. But there are key milestones in this journey that are often overlooked or, quite frankly, unclear to organizations, which can result in costs exceeding their planned goal for Level Two CMMC Certification.

What Are Hidden Costs in CMMC Cloud Compliance?

Hidden costs in CMMC cloud compliance often arise from unclear pricing, lack of tenant ownership, limited support during certification assessments and inadequate long-term cloud management. These issues can delay certification and increase risk for defense contractors.


GCC High Deployment and Implementation Mismatch

Secure cloud expertise is one reason defense contractors rely on cloud service providers (CSPs) to properly implement the cloud. Cloud expertise, coupled with a thorough understanding of CMMC and NIST 800-171, the National Institute of Standards and Technology’s defined standard for protecting controlled unclassified information in non-federal systems and organizations, is the actual requirement that organizations should seek. That combined expertise is often limited, however, and depends heavily on the provider. Microsoft and Azure licensing can be complex to navigate, leading to decisions that can leave the organization missing key components.

Many service providers presume to know how an organization manages, creates or transmits CUI but lack a true understanding of the data flows, workflows or overall business activities. Without a CUI inventory and flow details, how can an organization validate that the CMMC cloud will meet the control standards and procedures for data protection? The ones that take time to understand and help with CUI inventory will be the ones that can deliver the assurance that your data will be protected.

Ultimately, if an organization seeking certification (OSC) is unhappy with the cloud service provider, it must take action. Its CMMC Certification can easily be at risk, and it is now faced with the weight of selecting another provider and a migration project. The seemingly too-good-to-be-true price upfront is now burdened with additional costs that were not budgeted for in the beginning. There are service providers whose business model involves building their cloud service under one tenant and then implementing clients as sub-tenants. In that arrangement, the cloud service provider is the owner of the cloud tenant, not the OSC, making it impossible to transfer cloud infrastructure ownership or management to others.

CMMC Cloud Management Assumptions

Not all cloud service providers are created equal. Some are taking advantage of organizations, their inexperience with CMMC cloud requirements and the general lack of understanding about what it takes to sustain ongoing compliance. Though service providers may be clear upfront about their ability to deploy and implement a CMMC-compliant cloud, we’ve heard from clients that, just days after implementation, they’re hit with unexpectedly high quotes for ongoing cloud management, often at a much greater cost than anticipated because the organization did not know what questions to ask.

Although this type of service may suit organizations with the IT bandwidth to learn quickly and manage the new cloud environment, many do not have the resources available to maintain continuous monitoring of the environment. In addition, the level of management varies even if it’s built into the program. Being new to cloud services, these organizations should ask for details about the roles and responsibilities of the cloud service provider and their organization’s IT resources. Is there 24/7 cloud infrastructure monitoring? What happens when a network service becomes unavailable or anomalous activity is detected? How do the two organizations work together to protect CUI and the defense contractor’s long-term business viability?

Though larger contractors can spread compliance costs across more contracts, smaller businesses must be cautious to avoid hidden fees and missteps that can derail both budgets and opportunities.

The cloud service provider can exercise economies of scale. We have seen some CMMC cloud providers give clients flat hourly rates for service management without many details, however. This is a signal of a provider that may be strong in deployment and implementation but lacks maturity in providing the longer-term management and maintenance needed for the actual implementation requirements that CMMC validates.

External Service Provider Certification Assessment Fees

Contractors who have worked with an ESP and now have a CMMC cloud are continuing to share their frustrations with providers that find it necessary to charge additional fees for certification assessment assistance over and above what was promised in the initial contract negotiations.

For instance, there are service providers who charge clients for the remediation of findings uncovered during the CMMC certification assessment, even when those findings concern infrastructure or activities clearly provided by the ESP. The provider can then benchmark this for future engagements, thus improving its own implementation offering. These findings must then be tracked on a plan of action and milestones (POA&M) and accounted for in the OSC’s own requirements, which must be demonstrated through evidence as part of the assessment.

A Plan of Action and Milestones (POA&M) is a document used to outline a plan for correcting identified cybersecurity weaknesses or deficiencies, ensuring progress is tracked toward fulfilling specific requirements and assigned to specific individuals. For any ESP that advertises they support the DIB, they really should not have any items called out in a client POA&M in the first place. If it does happen, however, the issue is that these providers charge clients for correction activities on items that should be addressed anyway. This adds an additional burden and possible certification delay to the OSCs who put their trust in providers that claim to have CMMC and NIST 800-171r2 experience.


CMMC Readiness at Risk

Beyond billing surprises, the most critical cost may be losing the ability to bid on new contracts or even keep existing ones. As Primes shore up their own compliance, they’re already shifting subcontracted work away from uncertified partners. Certification isn’t just about readiness. It’s about staying in the game.

In a DIB ecosystem this interconnected, it can be hard to appreciate that everyone is now moving forward to enhance the security of those supporting the U.S. Department of Defense through third-party CMMC Certification. Yet, the current state for contractors is buyer beware regarding CMMC cloud solutions.

What to Watch for in Your CMMC Cloud Plan

Before signing on the dotted line with a CMMC Cloud provider, make sure you’re asking the right questions and thinking ahead. Here are four takeaways that could save your budget and your certification:

1. Get the Full Cost Up Front

Don’t just ask for a quote. Ask for the whole story. Understand what’s included, what’s not, and what surprises might show up post-implementation. Flat rates with vague terms are a red flag.

2. Clarify Cloud Ownership

Know who owns the tenant. If it’s not you, switching providers later could mean starting over from the ground up.

3. Can They Pass the Test With You?

Your cloud provider plays a role in your CMMC assessment. If they can’t provide solid evidence of their readiness, your certification could be at risk.

4. Hybrid May Be the Smart Play

Hosting everything in GCC High can be costly, especially with CAD files and high-performance workloads. A hybrid model might save you serious money while still keeping your CUI secure and compliant.

When it comes to CMMC and the cloud, the cheapest option today can become the most expensive tomorrow. Choose wisely.
