Updated April 2026  ·  CMMC Level 2

What Does CMMC Level 2 Actually Cost?

Real numbers from public sources. No gatekeeping, no "contact us for pricing." C3PAO fees, remediation spend, consulting rates, and 3-year total cost of ownership — broken down for DIB SMBs of every size.

$35K–$118K C3PAO assessment fee
$30K–$150K+ gap remediation
12–24 mo typical timeline
$100–$400K 3-year TCO

Where Is CMMC Enforcement Right Now?

The DoD CMMC Program final rule (32 CFR Part 170) was published October 15, 2024. Enforcement is rolling out in phases.

Phase 1: Self-Assessment (Dec 2024 onward, live now)

Contractors must post a CMMC L2 self-assessment score to SPRS before award on applicable DoD solicitations.

Phase 2: C3PAO Required (coming ~Nov 2026)

CMMC Level 2 third-party certification begins appearing in DoD solicitations. Self-assessment alone is no longer sufficient.

Phase 3: Full Rollout (2028+, future)

CMMC requirements in all applicable DoD contracts. CMMC L3 (NIST SP 800-172) requirements expected.

Note on Rev 2 vs Rev 3: CMMC Level 2 is legally locked to NIST SP 800-171 Revision 2 via 32 CFR 170.2 through approximately 2028–2029. Rev 3 controls apply to DoD assessment scoring but CMMC L2 certification assessments use Rev 2. Source: 32 CFR Part 170

C3PAO Assessment Fee

The mandatory third-party assessment conducted by a DoD-authorized C3PAO. Required for CMMC Level 2 certification. Fees are set independently by each C3PAO.

$35K – $118K+
Small Organization
< 50 employees · 1 enclave · < 250 CUI assets
$35K – $50K
Medium Organization
50–250 employees · 2–3 enclaves · multiple sites
$50K – $75K
Large / Complex
250+ employees · 4+ enclaves · multi-site or cloud + on-prem
$75K – $118K+

What Drives Assessment Cost?

  • Number of enclaves — each isolated CUI-handling environment requires separate assessment scope. A compliance enclave strategy keeps this at 1–2.
  • Total in-scope asset count — OSC (Organization Seeking Certification) asset inventory size directly drives assessor time.
  • Geographic distribution — multi-site assessments add assessor travel, coordination overhead, and day-rate costs.
  • Cloud vs. on-premises — cloud-only environments often assess faster; hybrid environments with on-prem CUI stores are more complex.
  • SPRS score at assessment entry — organizations entering with a score near 110 (full compliance) have shorter assessment cycles. Low scores mean more assessor findings, more documentation review.
C3PAO fees are not regulated by DoD — they are market-priced. The CMMC-AB maintains a C3PAO Marketplace where you can request quotes from multiple assessors. Always get 3+ bids.

Gap Remediation

The cost to fix the delta between where you are and CMMC L2 compliance. Highly variable — depends entirely on your current SPRS score.

$30K – $150K+
Technical controls (MFA, encryption, logging, endpoint detection): $15K–$50K UNVERIFIED
Policy & procedure docs (SSP, POA&M, incident response, access control policy): $10K–$30K UNVERIFIED
Infrastructure changes (GCC High migration, enclave setup, network segmentation): $20K–$80K+ UNVERIFIED

SPRS Score: The Remediation Cost Multiplier

Your current SPRS score is the single most accurate predictor of remediation cost. SPRS ranges from -203 to 110; the DoD industry average is approximately -32 (meaning most SMBs have significant gaps). Each NIST SP 800-171 Rev 2 control has a weighted point value; fixing the highest-weight gaps first gives the best score-per-dollar improvement.

GCC High migration alone can cost $20K–$80K+ in licensing, migration labor, and user retraining — even before addressing other CMMC controls. If CUI flows through standard Microsoft 365 or Google Workspace today, budget this line item specifically. UNVERIFIED

Consulting / RPO Fees

Registered Practitioner Organizations (RPOs) and independent consultants help you prepare for the C3PAO assessment. Not required — but most small DIB contractors need external help.

$15K – $75K
Gap assessment (current-state analysis, SPRS scoring, roadmap): $5K–$15K UNVERIFIED
Remediation support (hands-on help implementing controls, policy writing): $10K–$40K UNVERIFIED
SSP development (System Security Plan authoring and evidence collection): $5K–$20K UNVERIFIED

RPO vs. Independent vs. Managed Service

A Registered Practitioner Organization (RPO) is a DoD-authorized body with trained practitioners. RPOs cannot conduct assessments — that is the C3PAO's role. But they can help you prepare. Verify RPO status at the CMMC-AB Marketplace.

Independent consultants may be faster and cheaper than large RPOs for smaller scopes — but verify their CMMC practitioner certifications (CCP or CCA credential) before engaging.


Ongoing Annual Costs

CMMC Level 2 certification is valid for 3 years, but maintaining compliance posture has recurring costs between assessments.

$15K – $50K / yr
GCC High licensing (~$35/user/month × 50 users = ~$21K/year): $12K–$30K/yr UNVERIFIED
SIEM / monitoring (managed detection, log aggregation, alert triage): $5K–$15K/yr UNVERIFIED
Continuous monitoring & affirmation (annual SPRS reaffirmation, drift detection, POA&M upkeep): $5K–$10K/yr UNVERIFIED

CMMC Level 2 requires an annual affirmation submitted to the DoD Supplier Performance Risk System (SPRS) confirming continued compliance with all 110 NIST SP 800-171 Rev 2 practices. This is not just a checkbox — it carries potential False Claims Act liability if submitted inaccurately. Source: 32 CFR 170 Final Rule


What Does the Full Cycle Cost?

All-in cost over the 3-year CMMC certification cycle: one-time preparation + assessment + three years of ongoing compliance.

Small DIB SMB
$100K – $200K
Over 3 years. <50 employees, 1 enclave, mature starting posture (SPRS > 60). UNVERIFIED
C3PAO assessment: $35K–$50K
Remediation: $30K–$70K
Consulting / RPO: $15K–$30K
3× annual costs: $20K–$50K
Medium DIB Contractor
$200K – $400K
Over 3 years. 50–250 employees, 2–3 enclaves, typical starting posture (SPRS 0–50). UNVERIFIED
C3PAO assessment: $50K–$75K
Remediation: $75K–$150K
Consulting / RPO: $30K–$75K
3× annual costs: $45K–$100K
These ranges are estimates based on industry-reported figures. Actual costs depend heavily on your starting security posture, IT complexity, and how efficiently you scope the CUI boundary. Use the Cost Estimator tool for a tailored projection.

Free Tool
Get Your Personalized Cost Estimate
Answer 12 questions about your organization size, CUI scope, cloud environment, and current SPRS score. The estimator returns a waterfall cost breakdown — C3PAO fee range, remediation budget, consulting spend, and 3-year TCO — with downloadable output.
Example output preview (chart): Assessment, Remediation, Consulting, Ongoing/yr; 3-yr TCO est. $142K–$195K

Cost of NOT Complying

Before treating CMMC as a cost center, consider what non-compliance actually risks.

Loss of DoD Contract Eligibility
$500K–$2M+/yr
Average DoD subcontract value for a DIB SMB. Without CMMC certification, you cannot bid on applicable solicitations — or retain existing contracts that are re-competed. UNVERIFIED — per annum revenue estimate
DFARS 252.204-7021 implements CMMC contract requirements
False Claims Act Liability
3× Treble Damages
Submitting a false SPRS self-assessment score or CMMC affirmation while aware of non-compliance can trigger DoJ FCA actions. Several CMMC-related FCA settlements have already been filed. Source: 31 U.S.C. §§ 3729–3733.
DOJ Civil Cyber-Fraud Initiative, active since Oct 2021
Data Breach Cost
$4.88M avg.
Average cost of a data breach globally in 2024. Without the controls CMMC requires (MFA, encryption, logging, IR plan), breach likelihood and impact both increase. Source: IBM Cost of a Data Breach Report 2024.
Contract Termination
Existing Contracts
DFARS 252.204-7012 is already in virtually every DoD contract with CUI handling. Non-compliance with existing DFARS cyber clauses can trigger termination for cause — separate from the CMMC rule rollout.
DFARS 252.204-7012, Safeguarding Covered Defense Information

Cost Reduction Strategies

These five levers reliably lower CMMC compliance cost — without cutting corners on the controls themselves.

1
Start with Aggressive Scoping
Every in-scope asset, system, and user adds to C3PAO assessment time. Map exactly where CUI flows today, then eliminate unnecessary CUI touchpoints. A smaller CUI boundary means a cheaper assessment — often the difference of an entire assessment tier.
2
Use a Compliance Enclave
Segment all CUI handling into a dedicated, isolated environment (physical or cloud-based). Everything outside the enclave drops out of CMMC scope entirely. Enclave setup has upfront cost ($20–40K) but dramatically reduces ongoing compliance overhead. UNVERIFIED — cost estimate
3
Leverage Cloud-Inherited Controls
GCC High (Microsoft 365 Government) satisfies approximately 30–40% of CMMC L2 technical controls via FedRAMP High authorized services — physical security, data center controls, cryptographic modules. These are inherited, not built. UNVERIFIED — percentage estimate
4
Fix High-Weight SPRS Items First
NIST SP 800-171 Rev 2 practices are not equally weighted. MFA (AC.3.017, IA.3.083) and audit log retention (AU.2.041) carry heavy negative weights. Fixing these first maximizes your SPRS score improvement per dollar spent. Use the SPRS Simulator to model this.
5
SSP-as-Code to Cut Documentation Labor
Traditional SSP documentation takes 200–400 hours of consultant time — at $150–$250/hr. A compliance-as-code approach generates OSCAL-native SSP artifacts directly from your infrastructure state, cutting documentation labor by 60–80%. UNVERIFIED — labor reduction estimate That is the core value proposition of grc.engineering.
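The scoring described in the SPRS section above and in lever 4 (weighted deductions from 110, heaviest gaps first), as an added example that is not part of the original page and is not the grc.engineering SPRS Simulator. The formula is the DoD NIST SP 800-171 Assessment Methodology one (start at 110, subtract the weight of each requirement that is not fully implemented, floor at -203), which matches the range quoted above. The control inventory, weights and fix costs are constructed sample data, not the official DoD weight table. Because weight alone ignores what each fix costs, the example also ranks gaps by SPRS points recovered per dollar and builds a greedy plan to a target score.

```python
"""SPRS score calculator and remediation prioritizer (added example).

Scoring follows the DoD NIST SP 800-171 Assessment Methodology: start at
110 and subtract the weight (1, 3 or 5) of each requirement that is not
fully implemented, so the score ranges from -203 to 110. The inventory,
weights and fix costs below are CONSTRUCTED sample data for illustration,
not the official DoD weight table; check every weight against the published
methodology before using it for a real SPRS submission.
"""
from dataclasses import dataclass

MAX_SCORE = 110        # all 110 Rev 2 requirements implemented
MIN_SCORE = -203       # every requirement unmet
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    control_id: str    # NIST SP 800-171 Rev 2 identifier
    summary: str
    weight: int        # methodology weight: 1, 3 or 5
    implemented: bool  # fully implemented and evidenced?
    fix_cost_usd: int  # hypothetical remediation estimate


# Constructed sample inventory (a real one lists all 110 requirements).
SAMPLE_INVENTORY = [
    Requirement("3.1.1",  "Limit system access to authorized users", 5, True, 0),
    Requirement("3.1.20", "Verify and control connections to external systems", 1, False, 1_500),
    Requirement("3.1.22", "Control CUI posted on publicly accessible systems", 1, False, 500),
    Requirement("3.3.1",  "Create and retain audit logs", 5, False, 12_000),
    Requirement("3.3.2",  "Trace actions to individual users", 3, False, 4_000),
    Requirement("3.5.3",  "MFA for privileged and network access", 5, False, 8_000),
    Requirement("3.8.3",  "Sanitize media containing CUI before disposal", 5, True, 0),
    Requirement("3.14.2", "Malicious code protection at designated locations", 5, False, 20_000),
]


def validate(reqs: list[Requirement]) -> None:
    """Reject weights the methodology does not define."""
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.control_id}: weight {r.weight} not in {sorted(VALID_WEIGHTS)}")


def gaps(reqs: list[Requirement]) -> list[Requirement]:
    """Requirements that currently cost SPRS points."""
    return [r for r in reqs if not r.implemented]


def sprs_score(reqs: list[Requirement]) -> int:
    """110 minus the summed weight of unmet requirements, floored at -203."""
    validate(reqs)
    return max(MIN_SCORE, MAX_SCORE - sum(r.weight for r in gaps(reqs)))


def rank_by_weight(reqs: list[Requirement]) -> list[Requirement]:
    """Heaviest deductions first (ties broken by cheapest fix)."""
    return sorted(gaps(reqs), key=lambda r: (-r.weight, r.fix_cost_usd))


def rank_by_points_per_dollar(reqs: list[Requirement]) -> list[Requirement]:
    """Most SPRS points recovered per dollar first (a free fix sorts to the top)."""
    return sorted(gaps(reqs), key=lambda r: (-(r.weight / max(r.fix_cost_usd, 1)), -r.weight))


def plan_to_target(reqs: list[Requirement], target_score: int) -> tuple[list[str], int, int]:
    """Greedy plan: apply fixes in points-per-dollar order until the target is met.

    Returns (chosen control ids, total cost, projected score). Greedy is not
    an optimal knapsack, but it is transparent and adequate for budgeting.
    """
    validate(reqs)
    score = sprs_score(reqs)
    chosen: list[str] = []
    total_cost = 0
    for r in rank_by_points_per_dollar(reqs):
        if score >= target_score:
            break
        chosen.append(r.control_id)
        total_cost += r.fix_cost_usd
        score += r.weight
    return chosen, total_cost, min(score, MAX_SCORE)


if __name__ == "__main__":
    print("Current SPRS score:", sprs_score(SAMPLE_INVENTORY))
    print("Weight-first order:", [r.control_id for r in rank_by_weight(SAMPLE_INVENTORY)])
    print("Points-per-dollar order:", [r.control_id for r in rank_by_points_per_dollar(SAMPLE_INVENTORY)])
    ids, cost, projected = plan_to_target(SAMPLE_INVENTORY, 100)
    print(f"To reach 100: fix {ids} for ${cost:,}, projected score {projected}")
```

With the sample data the current score is 90, and the greedy plan reaches 100 for $14K by taking the two weight-1 items and the weight-3 item before MFA, whereas a strict weight-first order spends $20K on the two heaviest items to reach the same score. The methodology's partial-credit rule for FIPS-validated cryptography is not modelled here; treat every requirement as either fully met or not.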

DIY vs. RPO-Assisted vs. Fully Managed

The right approach depends on your internal security capability, timeline pressure, and budget tolerance.

Approach: DIY (internal team)
  Typical cost: $50K–$100K+ (labor cost, excludes C3PAO) UNVERIFIED
  Timeline: 18–24 months
  Risk level: High — assessment first-time failure rate unknown; gaps in assessor-legible documentation common
  Best for: Organizations with mature security teams, existing NIST experience, low time pressure

Approach: RPO-Assisted
  Typical cost: $100K–$200K (total incl. C3PAO) UNVERIFIED
  Timeline: 12–18 months
  Risk level: Medium — RPO experience reduces documentation gaps; C3PAO prep improves first-attempt pass rate
  Best for: Most DIB SMBs. Best balance of cost and risk reduction.

Approach: Fully Managed
  Typical cost: $150K–$300K (total incl. C3PAO) UNVERIFIED
  Timeline: 9–14 months
  Risk level: Lower — but verify RPO credentials and C3PAO relationships; conflicts of interest possible
  Best for: Organizations with hard contract deadlines, limited internal security bandwidth, or complex IT environments
Important: An RPO cannot be the same entity as the C3PAO conducting your assessment. DoD prohibits this conflict of interest. Verify that your chosen C3PAO is separate from your consulting firm. Source: Cyber AB Marketplace

CMMC Cost FAQ

Common questions from DIB contractors building their CMMC budget.

Can I get CMMC certified for under $50,000?

Unlikely for CMMC Level 2 unless your scope is very small — fewer than 15 CUI-handling users, a single enclave, and no geographic distribution. C3PAO assessment fees alone start at approximately $35,000 for the smallest scopes (Source: JunCyber). Once you add gap remediation and consulting support, sub-$50K total is only realistic if you already have a near-perfect SPRS score and a robust existing security program. Most DIB SMBs spend $100,000–$200,000 total over the 3-year certification cycle.

How long does CMMC Level 2 certification take?

12–24 months is typical from kickoff to certified status. The timeline depends heavily on your starting SPRS score and how much remediation is required. Organizations with mature security programs can sometimes achieve certification in 9–12 months. Organizations starting from a low SPRS score (below 0) should plan for 18–24+ months.

Use the Timeline Calculator at grc.engineering for a personalized estimate based on your organization's profile.

What if I fail the CMMC assessment?

You are not immediately disqualified. CMMC allows a Plan of Action and Milestones (POA&M) for non-critical findings, with a maximum remediation window of 180 days. However, "critical" deficiencies — those with a negative SPRS weight of 5 or more and no existing mitigating factors — can result in assessment failure with no POA&M allowance.

A second assessment attempt will incur another C3PAO fee. Budget for this possibility, especially if you are entering assessment with known gaps.

Source: 32 CFR Part 170, DoD CMMC Program final rule.

Is CMMC certification required now?

Phase 1 is live. As of December 2024, contractors must conduct a CMMC Level 2 self-assessment and post their SPRS score before award on applicable DoD solicitations.

Phase 2 — requiring a third-party C3PAO assessment — is expected to begin appearing in DoD solicitations starting November 2026 per the phased implementation schedule in the final rule.

This means if you are bidding on a DoD contract today that handles CUI, your SPRS score must be posted. If your current SPRS score is negative (which is the industry average), you should be working your remediation roadmap now.

Source: DoD CMMC Program Office; 32 CFR Part 170 (October 15, 2024).

What is the biggest driver of CMMC certification cost?

Scope. The number of CUI-handling users, systems, and enclaves is the primary driver of both C3PAO assessment fees and remediation costs.

Before beginning your CMMC journey, conduct a rigorous CUI flow analysis: map every system that touches, stores, transmits, or processes CUI. Then ask whether each touchpoint is necessary. Consolidating CUI handling into a dedicated compliance enclave — and removing CUI from general business systems — is the single highest-ROI action before assessment.

The second-biggest driver is your starting SPRS score. Organizations with mature existing security posture spend dramatically less on remediation. If your score is above 80, your remediation budget may be under $30K. If it is below 0, plan for $100K+ in remediation alone.

Do subcontractors need CMMC certification too?

Yes — if the subcontractor handles, processes, or stores CUI. Prime contractors are responsible for flowing CMMC requirements down to subcontractors who handle CUI. A subcontractor receiving CUI must achieve the same CMMC level as the prime's contract requires.

Subcontractors who do not handle CUI are generally not in scope for CMMC — but the prime must have a method to verify this (typically a CUI non-disclosure and data flow agreement).

Source: 32 CFR 170.19, Flowdown requirements.
Start Building Your CMMC Budget
Five free tools to scope your CMMC investment — no email required to use any of them.