CMMC Certification Cost: Complete Breakdown by Level (2026)

If you’re a defense contractor trying to figure out what CMMC is going to cost your company, you’ve probably already gotten a dozen different answers. One consultant says $50,000. Another says $300,000. A vendor is quoting you $2,000 a month for some tool you’ve never heard of. Meanwhile, you’re trying to run a business and deliver on the contracts that keep the lights on.

We get it. We sit across the table from companies in exactly this position every week — machine shops, software firms, engineering companies — all trying to figure out the same thing: what’s the real number, and is my business going to survive it?

Here’s the straight answer based on what we’ve actually seen, not what we’re trying to sell you.

CMMC Cost at a Glance

Before we get into the details, here’s the quick reference. If your eyes glaze over at everything below, at least walk away with this table.

| CMMC Level | Who It’s For | Typical Total Cost | How You’re Assessed |
|---|---|---|---|
| Level 1 | You handle basic government data (FCI) but nothing classified or sensitive | $3,000 – $15,000 | You assess yourself once a year |
| Level 2 (Self-Assessment) | You handle sensitive data (CUI) on lower-priority contracts | $50,000 – $150,000 | You assess yourself every 3 years |
| Level 2 (Third-Party) | You handle sensitive data (CUI) on high-priority contracts | $100,000 – $300,000+ | An independent assessor evaluates you |
| Level 3 | You work on the most sensitive DoD programs | $500,000+ | The government assesses you directly |

Quick jargon check: FCI (Federal Contract Information) is basic contract data — delivery schedules, performance reports, that kind of thing. CUI (Controlled Unclassified Information) is the sensitive stuff — technical drawings, specifications, test data that DoD doesn’t want adversaries to get. If you’re not sure which one your contracts involve, look at your contract clauses. DFARS 252.204-7012 means CUI. DFARS 252.204-7021 is the CMMC requirement itself.

Now, the ranges above are wide because every company is different. A 15-person engineering firm that already uses Microsoft 365 with decent security has a very different starting point than a 200-person manufacturer still running email on an on-premise Exchange server from 2014.

Let’s break it down by level so you can find where you land.

CMMC Level 1 Costs: $3,000 – $15,000

If your contracts only involve FCI — not CUI — you need Level 1. This is the lighter lift. It covers 17 basic cybersecurity practices that, frankly, any business should already have: use antivirus, require passwords, lock your server room, that kind of thing.

The good news: You probably already do most of this. If your company uses Microsoft 365 with multi-factor authentication turned on, has antivirus on your computers, and locks the office at night, you’re already partway there.

Here’s where the money goes at Level 1:

| What You’re Paying For | Typical Range | What This Actually Means |
|---|---|---|
| Reviewing your setup against the 17 requirements | $0 – $5,000 | Either your team does this or you hire someone to check |
| Fixing any gaps (if needed) | $0 – $3,000 | Might need to turn on MFA, install antivirus, or encrypt laptops |
| Documenting everything | $0 – $5,000 | You need to prove you meet each requirement — not just say you do |
| Submitting your score to DoD | $0 | Free — you enter it into the SPRS portal |

No one comes to inspect you for Level 1. You assess yourself, submit your score, and sign an annual statement saying you still meet the requirements. The biggest real cost is the time your people spend reviewing everything and pulling together documentation.

Bottom line: If you’re a small shop with decent IT hygiene, Level 1 might cost you $3,000–$5,000 in staff time and a few minor upgrades. If your IT is a mess, budget closer to $15,000 including some outside help.

CMMC Level 2 Costs: $50,000 – $300,000+

This is where most defense contractors land, and it’s where the sticker shock hits.

Level 2 maps to 110 security requirements from a NIST standard called SP 800-171. We won’t bore you with the standard itself — what matters is that it covers everything from who can access your systems, to how you log activity, to how you respond if something goes wrong. It’s comprehensive, and it’s not optional if your contracts involve CUI.

There are two paths through Level 2, and your contract dictates which one you’re on:

Self-assessment: For contracts the DoD considers lower priority. You evaluate yourself against all 110 requirements, submit your score, and affirm it’s accurate. No outside auditor. This is the cheaper path, but you still have to actually implement everything — you just don’t have someone looking over your shoulder.

Third-party assessment (C3PAO): For contracts DoD flags as “prioritized acquisitions” — the sensitive ones. A certified assessment organization (called a C3PAO) comes in and independently evaluates you. Think of it like the difference between doing your own taxes and getting audited by the IRS. Same rules, very different experience.

If you’re working on anything related to weapons systems, military platforms, or technical data that has export restrictions, assume you’ll need the third-party assessment.

Where Your Money Actually Goes

Here’s the honest breakdown. No hidden fees, no surprise line items.

| Cost Component | Range | Plain English |
|---|---|---|
| Gap assessment | $10,000 – $30,000 | A consultant reviews your current security setup against all 110 requirements and tells you exactly where you fall short |
| Technology upgrades | $20,000 – $100,000+ | New software and tools to close those gaps — secure email, security monitoring, endpoint protection |
| Documentation | $15,000 – $40,000 | Writing the formal security plans, policies, and procedures that prove your controls work |
| Consultant guidance | $20,000 – $80,000 | Someone to steer the ship from gap assessment through final assessment |
| Third-party assessment fee | $30,000 – $120,000 | What the C3PAO charges to actually assess you (only if your contract requires it) |
| Total (self-assessment path) | $50,000 – $150,000 | |
| Total (third-party path) | $100,000 – $300,000+ | |

These ranges are real. We’re not inflating them to make our services look cheap, and we’re not lowballing them to get you in the door. A 25-person company with a focused scope might spend $80,000 total. A 150-person company with CUI spread across multiple offices and dozens of systems could easily exceed $250,000.

The two biggest cost drivers deserve a closer look.

Technology: The Line Item That Varies Most

This is where two companies with the same headcount can end up with completely different bills.

If you’re already running Microsoft 365 with decent security settings, you have a head start. If you’re running commercial Gmail or a 10-year-old Exchange server, the technology bill goes up significantly because you’ll likely need to move to a government-approved cloud environment.

The most common technology investments we see:

  • Microsoft 365 GCC High — a government-specific version of the Microsoft 365 you already know. Runs $35–55 per user per month. If your CUI lives in email, SharePoint, or OneDrive, this is typically required. Migrating to GCC High is its own project — budget 2–4 months just for the move.
  • Security monitoring (SIEM) — software that collects and analyzes logs from across your network. Runs $5,000–$30,000/year. You need this to prove you’re watching for suspicious activity.
  • Endpoint protection — think advanced antivirus that watches for threats in real time on every computer. $3–15 per user per month. This may already be included in your Microsoft 365 license.
  • Backup and recovery — $2,000–$10,000/year. You need to prove you can recover your data if something goes wrong.
  • Vulnerability scanning — software that regularly checks your systems for known security weaknesses. $2,000–$8,000/year.

If those acronyms and product names make your head spin, that’s normal. You don’t need to understand the technical details — you need to understand that the technology bill depends heavily on where you’re starting from.

Self-Assessment vs Third-Party: What’s the Real Difference?

| | Self-Assessment | Third-Party (C3PAO) |
|---|---|---|
| What it costs | Your team’s time (no assessment fee) | $30,000 – $120,000 for the assessment alone |
| Who does the assessing | You | An independent, certified organization |
| How thorough | As rigorous as you make it | They interview your staff, review evidence, and test your systems |
| What you get | A score in SPRS + your sworn affirmation | An official CMMC certificate valid for 3 years |
| Risk of failing | Low — you’re grading your own test | Real — roughly 30% of assessments result in conditional findings |

One important rule: the company that helps you prepare (called an RPO) cannot be the same company that assesses you. That’s like having your accountant also be your auditor. If someone offers to do both, walk away. We explain the difference between RPOs and C3PAOs in more detail if you want to understand the ecosystem.

CMMC Level 3 Costs: $500,000+

Level 3 applies to contractors working on the most sensitive DoD programs. It adds advanced requirements from NIST SP 800-172 on top of everything in Level 2, and the government itself conducts the assessment.

We’ll be direct: if you’re reading a blog post to figure out Level 3 costs, you probably don’t need Level 3. Companies at this tier typically have dedicated cybersecurity staff, existing security programs, and multi-million-dollar contracts that justify the investment. If that sounds like your company, the cost is $500,000 or more — but you likely already have a security budget.

The Hidden Costs Nobody Warns You About

The numbers above cover the obvious line items. Here’s what catches companies off guard.

Your Team’s Time

This is the biggest hidden cost, and nobody puts it on a quote. Preparing for CMMC is a part-time job for someone at your company for 6–12 months. Pulling together evidence, answering questions from consultants, sitting in meetings, reviewing documents, participating in the assessment itself.

For a 50-person company, we typically see 200–400 hours of internal time over the course of a CMMC engagement. If you value that time at $75/hour (a reasonable loaded cost for a project manager or engineer), that’s $15,000–$30,000 in labor that never appears on any vendor’s invoice.

The Disruption Factor

During the actual assessment — especially a C3PAO assessment — your key people are essentially off their day jobs for 1–2 weeks. The assessors need to interview your technical staff, walk through your systems, and see live demonstrations of your security controls. If you’re a small company with 3 people who know the systems, that’s a real disruption.

Ongoing Costs After You Pass

CMMC doesn’t end when you get your certificate. You have to maintain compliance continuously: scanning for vulnerabilities, monitoring your systems, keeping your documentation current, training your staff annually, and submitting a yearly affirmation that everything still meets the standard.

Budget $20,000–$50,000 per year for ongoing compliance maintenance after your initial assessment. This catches a lot of companies off guard because they planned for the assessment like a one-time expense.

Unfinished Business (POA&Ms)

If your assessment turns up controls that aren’t fully met, they go on a document called a POA&M (Plan of Actions and Milestones). You get 180 days to fix them. That remediation work costs money, and it’s money you might not have budgeted because you didn’t know the gaps existed until assessment day.

DIY vs Hiring Help vs Managed Solutions

This is the fork-in-the-road decision that affects everything downstream.

| Approach | Best For | Typical Cost | The Upside | The Downside |
|---|---|---|---|---|
| Do it yourself | Companies with a strong IT person who knows NIST | $30,000 – $80,000 | Cheapest direct cost, you own all the knowledge | Slowest, highest risk of failing the assessment |
| Hire a consultant | Most mid-size contractors (20–200 employees) | $80,000 – $200,000 | Expert guidance, faster, much higher pass rate | Still requires real commitment from your team |
| Managed service / enclave | Small businesses without dedicated IT staff | $60,000 – $150,000 + monthly fees | Fastest path, dramatically reduces what you’re responsible for | You’re dependent on the provider long-term |

Be honest with yourself on the DIY path. It works if you have someone on staff who genuinely understands these security requirements — not an IT generalist, but someone who can write a System Security Plan that will hold up under an independent assessment. This person is rarer than most companies think. We’ve seen more failed DIY attempts than successful ones.

A consultant (RPO) is the most common path for a reason. They assess your gaps, tell you exactly what to fix, help build your documentation, and prepare you for the assessment. Yes, it costs more — but the pass rate is dramatically higher, and you don’t waste months going down the wrong path.

An enclave solution deserves serious consideration if you’re a small manufacturer or contractor. The concept is simple: instead of securing your entire company network, you isolate CUI handling into a small, tightly controlled environment — like a secure room within your house instead of fortifying the whole property. Fewer systems in scope means fewer requirements to meet, which means lower cost. The trade-off is monthly fees and reliance on the provider.

5 Ways to Reduce Your CMMC Costs

There’s no way around compliance, but there are smart ways to do it without overspending.

1. Shrink your scope. This is the single most powerful lever you have. Every computer, every user, every office location that touches CUI is “in scope” and needs to meet all 110 requirements. The math is simple: fewer things in scope = fewer things to secure = less money spent. Limit who has access to CUI. Segment your network. Consider an enclave approach.

2. Get a gap assessment first. Don’t guess. A proper gap assessment tells you exactly where you stand today and what to prioritize. Spending $15,000 upfront to understand your gaps can save you $50,000 in wasted effort fixing the wrong things.

3. Pick technology that pulls double duty. Microsoft 365 GCC High with the right license tier can satisfy over 60 of the 110 NIST 800-171 requirements on its own — email encryption, data loss prevention, activity logging, access controls, multi-factor authentication. That’s more than half the requirements from one platform.

4. Don’t gold-plate it. You don’t need a Fortune 500 security program. CMMC requires you to meet the requirements, not exceed them. A $200,000 enterprise security platform is overkill if a $15,000/year solution checks the same boxes.

5. Start with documentation. The number one reason assessments result in findings isn’t that the technology is missing — it’s that companies can’t prove what they’re doing. Missing policies, incomplete security plans, and undocumented procedures sink more assessments than actual security gaps. Documentation costs time, not money. Start now.

Frequently Asked Questions

How much does it cost to get CMMC certified?

Total costs range from $3,000 for a basic Level 1 self-assessment to $300,000+ for a Level 2 third-party assessment. The biggest variables are your CMMC level, company size, how much CUI you handle, and whether you go it alone or hire help. See the cost summary at the top of this article for ranges by level.

Is CMMC going to be required?

Yes. The CMMC final rule took effect in December 2024 and DoD is phasing requirements into contracts through 2028. If you hold or pursue defense contracts that involve government data of any kind, CMMC will appear in your solicitations. It’s not a question of if, but when.

What does a CMMC Level 2 assessment cost?

The third-party assessment fee alone (paid to the C3PAO) runs $30,000–$120,000 depending on how many users, systems, and locations are in scope. That doesn’t include preparation. Total cost including technology, documentation, consulting, and the assessment typically falls between $100,000 and $300,000.

Can I get CMMC certified for free?

For Level 1, close to it — if your company already meets the 17 basic practices, your only cost is the time to document and submit your score. For Level 2, no. Even the self-assessment path requires real investment in technology, documentation, and security controls.

How long does it take to get CMMC certified?

Most companies need 6–12 months from starting to being ready for a Level 2 assessment. If you need to migrate to GCC High or make significant technical changes, plan for the longer end. Level 1 can typically be knocked out in 1–3 months if your security basics are in decent shape.

What happens if I don’t get CMMC certified?

You won’t be able to win — or in some cases, keep — DoD contracts that require CMMC. The requirement is tied to contract award, meaning you need to have your certification (or self-assessment score) before the contract is awarded. No CMMC, no contract. For companies where defense work is a significant revenue stream, this isn’t something you can wait on.