Oxebridge has obtained three price proposals for official CMMC assessments, and none of the proposals showed assessment fees less than $150,000. The documents, one of which was reported as being the final contract, also lacked almost all the expected contractual terms and conditions, leaving them exposed for litigation.
Two of the proposals were for small companies with less than 50 employees, with assessment costs averaging $155,000 between the two. A third cited a cost of just over $300,000; Oxebridge’s source claimed this company was a “large company with over 100 employees,” but it was not clear how many employees “over 100” the company actually has.
In all cases, the prices did not include travel or other expenses which would be billed on top of the assessment costs. Two of the contracts did not specify what expenses would be billed, and merely required all “reimbursable” expenses to be paid, leaving the clients exposed to the whim of the C3PAO. The lack of specifics would thus allow the C3PAO assessors to travel first class and tally unlimited expenses.
The contracts also demanded 50% to be paid upfront, before any services are delivered.
The clients receiving the proposals each had a single site; in the case of the two small companies, their activities were described as being on a single on-premises network. The complexity of the larger company was not clear, nor was it clear if they utilized any cloud services.
In the official DFARS Interim Rule, the US Dept. of Defense claimed a Level 3 implementation and assessment combined would cost $50,676 at “the upper estimate,” saying actual fees would be much less for most companies. It is now clear the DOD figures were off by an order of magnitude. Companies are reporting implementation costs of $100,000 or more, which would be incurred before any CMMC assessment costs.
One of the sources of the documents characterized the costs as “price gouging” on the part of C3PAOs. In comparison, an ISO 27001 certification audit of a 50-person company would cost approximately $20,000 for a 5-day on-site assessment, including all travel expenses.
Lack of Standard Contract Language
The proposals appear to also act as final contracts, but Oxebridge is confirming this. Only in one case did the source claim the proposal was also the final contract, and the document did have some rudimentary contract language. All three had execution signature pages.
As formal contracts, the documents would invite legal contests or have entire elements deemed largely unenforceable, due to a shocking lack of detail. The documents did not include common contractual language, such as defining the prevailing court jurisdiction, rules for confidentiality and nondisclosure, how appeals or complaints would be processed, or even cancellation policies.
Contrary to the claims by the CMMC-AB that “100%” of work-from-home employees would have to open their homes for physical inspection against CMMC controls, none of the contracts reviewed had any such language. The DOD promised an official ruling on this controversial policy, which Oxebridge confirmed would violate the US Constitution’s Fourth Amendment, but such a ruling has still not been issued. It is therefore still unclear if WFH employees would have to open their homes during the assessment.
One attorney told Oxebridge that the document appeared to have “been written by a sales intern.”
Another attorney — a Federal contracts specialist — commented that they felt it was “clear that no legal team had reviewed the contracts before release” and that the documents “leave the certification company frighteningly exposed.”
Insight Into Assessment Activities
The documents do give insight into a very rough structure for the CMMC assessment itself. Proposals from one C3PAO defined the process as follows:
- Collect and examine objective evidence (OE)
- Assessment kickoff – opening briefing
- Examine and analyze artifacts
- Conduct interviews and analyze results
- Observe tests and analyze results
- Verify OE and record gaps
- Update OE review approach and status
- Rate practices and validate preliminary results
- Determine & record initial model practice ratings
- Generate preliminary recommended findings
- Validate preliminary recommended findings & ratings
- Generate final recommended assessment results
- Determine final practice pass/fail results
- Determine level recommendation
- Create & finalize recommended final findings
The proposals did not indicate any assessment duration, leaving clients to wonder how many days they would be required to host the on-site assessors.
One of the clients interviewed said they had no idea how many assessors would be sent, raising security concerns. It is likely these issues would be finalized before any formal assessment, however.