CMMC Certification Cost in 2026: What Defense Contractors Should Actually Budget

Q: Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?

As of May 27, 2026, CMMC Level 2 security requirements are NIST SP 800-171 Revision 2. NIST SP 800-171 Revision 3 exists, but 32 CFR Part 170 incorporates Revision 2 for CMMC Level 2 unless and until the Department of Defense amends the rule.

By The Defense Compliance Report Editorial Team · The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance.

Published: May 27, 2026 · Last verified: May 27, 2026

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor on our published advisor list. Verify scope and applicability with a CMMC Registered Practitioner (RP) before acting. This article is educational and is not legal, contractual, or compliance advice. Provider-matching forms on this site may generate referral or lead-routing compensation. This page contains no named provider rankings or endorsements. See our Methodology and Editorial & Advertising Policy.

The bottom line, before you scroll

CMMC certification cost ranges from roughly $5,977 for a small entity’s Level 1 self-assessment to north of $3 million for a small entity’s full Level 3 program in the Department of Defense’s published model, with Level 2 — where most CUI-handling contractors face the largest cost decision — running $34,277 to $117,768 over a three-year cycle in DoD’s official estimate. That official estimate is real and primary-sourced to the Federal Register. It is also the single most misleading number in the CMMC ecosystem, because it excludes nearly everything that makes a CMMC program expensive.

Below is the full breakdown by Level, by company size, by environment, and by provider category. We pulled every official number directly from the CMMC Program Final Rule (32 CFR Part 170) published in the Federal Register on October 15, 2024, the DFARS final rule (DFARS Case 2019-D041)published September 10, 2025 (effective November 10, 2025), and the Cyber AB’s public ecosystem documentation. We cite each one.

CMMC certification cost at a glance — the four paths

Your situation	Likely path	DoD official three-year estimate (small entity)	Realistic first-year all-in
Handles FCI (Federal Contract Information) only, no CUI	Level 1 Self-Assessment (annual)	~$5,977 initial + ~$560/yr reaffirmation	$5,000–$20,000
Handles CUI (Controlled Unclassified Information), contract allows self-assessment	Level 2 Self-Assessment (triennial)	$37,196 over three years	$50,000–$200,000
Handles CUI, contract requires third-party assessment	Level 2 C3PAO (triennial)	$104,670 over three years	$75,000–$300,000
Identified for the most sensitive CUI program	Level 3 DIBCAC (after Final Level 2 C3PAO)	$12,802 over three years for assessment/affirmation, plus ~$2.7M nonrecurring and ~$490K recurring engineering (small entity)	Highly variable; consistent with DoD’s small-entity engineering model

Sources: 32 CFR Part 170 Regulatory Impact Analysis, Federal Register, October 15, 2024. Real-world bands for Levels 1 and 2 are DCR editorial market estimates compiled from public 2026 industry pricing data, verified May 27, 2026 — see methodology and verification table below.

Decision Resolution Point #1 — Stop guessing your Level.

Your company size does not choose your CMMC path. For prime contracts, the CMMC Level is determined by the DoD program office or requiring activity and appears in the solicitation provision and contract clause. For subcontracts and supplier agreements, the prime or next higher-tier subcontractor flows down the required CMMC Level for the work.

Find your CMMC path →

Answer scope, environment, and timeline questions, and we’ll match you with the right category of provider (C3PAO, RPO, MSSP, GRC platform, or CUI enclave) for your situation. Any provider-matching relationship is disclosed before referral.

How much does CMMC certification cost in 2026?

Answer capsule:For a small entity, the Department of Defense officially estimated Level 1 self-assessment at $5,977 (initial), Level 2 self-assessment at $37,196 (three-year cycle), and Level 2 third-party (C3PAO) certification at $104,670 (three-year cycle). DoD’s small-entity Level 3 model includes approximately $2.7 million in nonrecurring engineering and $490,000 in recurring engineering, on top of $12,802 over three years for the Level 3 assessment and affirmation cycle and the Final Level 2 C3PAO prerequisite. Real-world first-year cost at Level 2 commonly runs above DoD’s estimate because the DoD figures exclude implementation, remediation, technology, and documentation costs.

CMMC — the Cybersecurity Maturity Model Certification program codified at 32 CFR Part 170 — establishes three Levels of cybersecurity requirements for defense contractors and a corresponding assessment regime. The contract clause DFARS 252.204-7021 and the solicitation provision DFARS 252.204-7025 are the mechanisms that flow CMMC requirements into individual Department of Defense contracts. The DFARS final rule became effective November 10, 2025.

The reason this guide exists is that CMMC certification cost is not one number. It is at least four numbers stacked together:

The official DoD estimate in the Federal Register (assessment, certification, reporting, affirmation only).
The real-world readiness budget to get your environment, documentation, and evidence into a state where you can actually pass the assessment.
The C3PAO invoice — the fee charged by a Certified Third-Party Assessment Organization for the formal Level 2 assessment.
The ongoing sustainment cost to keep your status current between assessments and through annual affirmations.

Every other CMMC cost page on the internet collapses these into one range. That collapse is the source of nearly every cost surprise we’ve seen contractors hit.

Why the DoD’s $104,670 estimate is misleading (and what it actually covers)

Answer capsule:The DoD’s published Level 2 C3PAO cost estimate of $104,670 over three years for a small entity covers only assessment, certification, reporting, and affirmation activities. Per the 32 CFR Part 170 Regulatory Impact Analysis, DoD excluded the cost of implementing the underlying security requirements on the basis that they were already required by FAR 52.204-21 (since 2016) and DFARS 252.204-7012 (since 2017). For contractors whose environment, documentation, and controls are not assessment-ready, the gap between DoD’s estimate and the real-world cost is the implementation cost that DoD excluded.

This is the single most important sentence on this page, so we’ll repeat it plainly: DoD’s official CMMC certification cost estimates assume you already implemented NIST SP 800-171 Revision 2. That assumption is stated directly in the Final Rule’s economic analysis. DoD’s logic is that DFARS clause 252.204-7012 has required NIST SP 800-171 implementation since December 31, 2017, so the cost of implementing those 110 security requirements is not a newCMMC cost — it’s a sunk cost.

That is defensible as regulatory accounting. It is not how a CFO budgets a project.

What’s inside DoD’s $104,670 figure — and what’s not

Cost component	Included in DoD’s $104,670?	Approximate amount (small entity, per RIA)
Planning/preparing for the C3PAO assessment	Yes	~$20,699
Conducting the certification assessment (total)	Yes	~$76,743 (includes the DoD-modeled C3PAO firm engagement of ~$31,234)
Reporting of assessment results	Yes	~$2,851
Initial affirmation	Yes	bundled
Two annual affirmations over the 3-year cycle	Yes	~$1,459/yr
Gap analysis / readiness assessment	No	DCR editorial market estimate
Remediation of control gaps	No	DCR editorial market estimate
New security technology (SIEM, EDR, MFA, FIPS-validated crypto)	No	DCR editorial market estimate
Migration to GCC High, AWS GovCloud, or on-prem enclave	No	DCR editorial market estimate
System Security Plan (SSP) development from scratch	No	DCR editorial market estimate
POA&M (Plan of Action and Milestones) development and closeout	No	DCR editorial market estimate
Consulting / RPO (Registered Provider Organization) engagement	No	DCR editorial market estimate
Ongoing managed security services	No	DCR editorial market estimate

Source for “included” rows: 32 CFR Part 170 Regulatory Impact Analysis, Federal Register, October 15, 2024. “Not included” line items reflect cost categories DoD explicitly excluded from the regulatory cost estimate; market amounts for those layers are addressed separately in our seven-layer budget stack below.

The damaging admission: No honest CMMC cost page can give you one universal price. A five-person subcontractor with one CUI enclave is not the same project as a 300-person manufacturer with multiple sites, hybrid infrastructure, an MSP, stale documentation, and a 90-day prime deadline. Any provider that hands you a clean fixed price before scoping is selling convenience, not certainty.

But the cost drivers are predictable. Once you separate official assessment cost from readiness, remediation, tooling, and sustainment, you can tell whether a quote is reasonable. The rest of this guide does exactly that.

CMMC Cost Reconciliation Matrix — DoD estimate vs market reality

Answer capsule:Across the four CMMC certification paths, real-world first-year costs at Level 2 commonly run above the Department of Defense’s published estimates because the DoD figures exclude implementation, remediation, technology, documentation, and environment costs. The gap is largest for contractors at Level 2 C3PAO who are not already at a strong NIST SP 800-171 Revision 2 baseline, and smallest for Level 1 contractors who already implemented FAR 52.204-21 basic safeguarding.

This is the centerpiece table. We assembled it from primary-source DoD figures (Column A) and DCR editorial market estimates compiled from public 2026 industry pricing data (Columns B and C). The fourth column — the gap — is the number we believe most readers came here to find.

CMMC Path	Path label	DoD official three-year estimate (Federal Register RIA)	Market reality — C3PAO/RPO fees alone	Realistic first-year all-in	Gap (real vs DoD)
Level 1 Self	Annual self-assessment, FCI only	$5,977 small / ~$4,000 other-than-small (initial) + ~$560/yr	n/a (no third-party assessment)	$5,000–$20,000	Roughly aligned
Level 2 Self	Triennial self-assessment, CUI	$37,196 small / $48,827 other-than-small (3-yr cycle)	n/a (no third-party assessment)	$50,000–$200,000 first year	Commonly multiples of DoD estimate
Level 2 C3PAO	Triennial third-party certification, CUI	$104,670 small / $117,768 other-than-small (3-yr cycle)	C3PAO assessment alone: market ranges vary by scope, scale, and assessor	$75,000–$300,000 first year	Commonly 1.5x–3x DoD estimate
Level 3 DIBCAC	Government-led, sensitive CUI	$12,802 small (assessment/affirmation 3-yr), plus ~$2.7M nonrecurring + ~$490K recurring engineering for a small entity, plus Final Level 2 C3PAO prerequisite	n/a (DIBCAC-conducted, no marketplace fee)	Consistent with DoD’s small-entity engineering model; highly contract-, scope-, and program-dependent	DoD model already accounts for most implementation cost

Sources: 32 CFR Part 170 Regulatory Impact Analysis, Federal Register, October 15, 2024. Market bands for Level 1 and Level 2 are DCR editorial market estimates from public 2026 industry pricing data, verified May 27, 2026.

What this matrix actually tells you

If you’re a small DIB contractor handling CUI and you’ve been quoted somewhere between $75,000 and $150,000 for a Level 2 C3PAO program in year one, the quote is in the normal range — assuming your current NIST SP 800-171 Rev. 2 implementation is partial and you need readiness, remediation, and documentation support alongside the assessment.

If you’ve been quoted $30,000 or less for “CMMC Level 2 certification,”the quote is either an assessment-only fee (fine, if you’re already evidence-ready) or it excludes readiness work you actually need (dangerous).

If you’ve been quoted $300,000+and you’re a small contractor, the provider is either bundling multiple years of managed services into year one, building you an enclave from scratch, or assuming your environment requires more remediation than it actually does. It might be the right quote. Demand the line-item breakdown before you sign.

Decision Resolution Point #2 — Sanity-check that quote before you write a check.

If a Level 2 C3PAO program quote came back at a number that doesn’t feel right, the issue is almost always missing scope clarity, not assessor greed.

Compare provider categories →

See what a C3PAO, RPO, MSSP, GRC platform, and CUI enclave each actually charge for — and what should not be in the same line item.

What does CMMC Level 1 certification cost?

Answer capsule:CMMC Level 1 applies to contractors who handle Federal Contract Information (FCI) but no Controlled Unclassified Information (CUI). It is satisfied by an annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21, with results affirmed by a senior official in the Supplier Performance Risk System (SPRS). DoD’s official estimate is $5,977 for a small entity’s initial Level 1 self-assessment and affirmation, with approximately $560 per year for the annual reaffirmation. Realistic year-one cost lands at $5,000–$20,000 when basic documentation and tooling effort are included.

Level 1 is the foundational tier of the CMMC program. The 15 practices come directly from the FAR 52.204-21 basic safeguarding clause that has been in defense contracts since 2016, so for most Level 1 contractors, the requirements are not new — only the affirmation and SPRS posting steps are.

Who needs Level 1

Contractors and subcontractors whose work involves only FCI — information not intended for public release that is provided by or generated for the Government under a contract, excluding public-facing data and routine commercial transactional information. See our FCI vs CUI guide for the full distinction.

Why Level 1 still costs something even though it’s a self-assessment

Real Level 1 costs land in four places: internal time to perform the assessment, documentation of the 15 practices (typically a written affirmation record and supporting policies), incident-response process and access-control hygiene, and the senior official’s affirmation effort each year. Most well-run small contractors can complete the self-assessment in-house. The cost spike happens when a contractor has no current documentation and treats Level 1 like a from-scratch project.

Level 1 quote red flags

A provider selling a “Level 1 certification assessment” by a C3PAO. Level 1 is not assessed by a C3PAO. There is no third-party certification path for Level 1 under 32 CFR Part 170.
A provider treating Level 1 like Level 2 in pricing.
A quote that doesn’t address the annual SPRS affirmation requirement.

What does CMMC Level 2 self-assessment cost?

Answer capsule: CMMC Level 2 Self-Assessment applies when a contractor handles CUI and the contract clause permits a self-assessment path. The official DoD estimate is $34,277 initial for a small entity, totaling $37,196 over a three-year cycle. For an other-than-small entity, the three-year estimate is $48,827. Real-world year-one cost commonly lands at $50,000–$200,000 when documentation, remediation, and tooling are included.

Level 2 against NIST SP 800-171 Revision 2 — 110 security requirements organized into 14 control families — is where most CUI-handling defense contractors live. The split between Level 2 self-assessment and Level 2 C3PAO assessment is determined per solicitation or contract by the Department of Defense, not chosen by the contractor.

When Level 2 Self applies

The CMMC program allows Level 2 self-assessment for the subset of contracts where the DoD program office or requiring activity determines that self-assessment is sufficient. The applicable path is identified in the solicitation provision DFARS 252.204-7025, which became effective with the DFARS final rule on November 10, 2025.

What’s included in the official $37,196 figure

Triennial self-assessment effort against all 110 NIST SP 800-171 Rev. 2 requirements
SPRS submission of the assessment score
Senior official affirmation at initial assessment and at each of the two subsequent annual affirmations
Limited assessment-planning activities

What’s not included — and where the real cost lives

SSP development. A System Security Plan that accurately reflects your environment and the 110 control implementations is the central artifact for any Level 2 path.
Evidence collection and organization. Even on a self-assessment path, you need defensible evidence of implementation.
Remediation. The DoD’s RIA assumes implementation is already done. If your environment has gaps against any of the 110 requirements, remediation cost lives outside the $37,196.
GRC tooling. Most contractors find that a Governance, Risk, and Compliance platform is functionally necessary for tracking 110 requirements, 320 assessment objectives, evidence, and POA&M items.
POA&M management. A Plan of Action and Milestones is permitted at Level 2 (with conditions), but it doesn’t substitute for implementation, and it generates its own management cost.

When Level 2 Self is not enough

If your solicitation or prime flow-down requires Level 2 C3PAO status, self-assessment is not equivalent. The contract clause governs. If you submit a self-assessed SPRS score against a C3PAO-required contract, you are not eligible for award.

What does CMMC Level 2 C3PAO certification cost?

Answer capsule: DoD estimates that a Level 2 third-party (C3PAO) certification cycle costs a small entity $101,752 initially and $104,670 over three years, including a DoD-modeled C3PAO firm engagement of $31,234. For an other-than-small entity, DoD estimates $112,345 initially and $117,768 over three years, with a modeled C3PAO firm engagement of $52,056. These are official regulatory estimates from the 32 CFR Part 170 Regulatory Impact Analysis, not market prices. Real-world Level 2 C3PAO first-year all-in costs commonly run $75,000 to $300,000 when readiness, remediation, technology, documentation, and the assessment fee are combined.

This is the path most CUI-handling defense contractors will face once Phase 2 of the CMMC implementation schedule begins on November 10, 2026. At that point, DoD intends to include Level 2 C3PAO status for applicable DoD solicitations and contracts as a condition of award, with discretion to delay the requirement to an option period.

What “Level 2 C3PAO” actually means

A C3PAO — a Certified Third-Party Assessment Organization — is an entity authorized by The Cyber AB (the CMMC Accreditation Body) under 32 CFR Part 170 to conduct formal CMMC Level 2 assessments. The C3PAO sends a team led by a Certified CMMC Assessor (CCA) to review your System Security Plan, examine evidence, interview personnel, and test controls against all 110 NIST SP 800-171 Revision 2 requirements and 320 assessment objectives. The C3PAO then issues a Level 2 Certificate of CMMC Status if you pass — with a three-year validity, contingent on annual affirmation.

What’s in DoD’s official $104,670 figure

Planning and preparing for the assessment — approximately $20,699 for a small entity
Conducting the certification assessment (total) — approximately $76,743 for a small entity, which includes the DoD-modeled C3PAO firm engagement of approximately $31,234 (or $52,056 for an other-than-small entity)
Reporting of assessment results — approximately $2,851
Initial Level 2 affirmation
Two subsequent annual affirmations — approximately $1,459 each

What’s not in the $104,670 — and almost always shows up

A real System Security Plan if you don’t already have one
Remediation of any control gaps surfaced during readiness
Technology investments (MFA, EDR, SIEM, log aggregation, FIPS 140-validated crypto, secure backup)
Migration to a compliant environment (Microsoft 365 GCC High, AWS GovCloud, on-prem enclave, or third-party CUI enclave)
Pre-assessment readiness consulting from an RPO
POA&M closeout support if your initial assessment yields a Conditional Level 2 status
Travel and per-diem for the C3PAO assessment team

A note on C3PAO independence

Under The Cyber AB’s published ecosystem rules, individuals holding multiple implementation and assessor designations cannot assess a company if they previously assisted with implementation for that same company. C3PAOs and assessors must also comply with the Accreditation Body’s conflict-of-interest and ethics requirements. This is a core independence requirement — and the most common source of mismatched provider engagements we see contractors fall into.

If a provider is offering to “prepare you for assessment and then assess you” as a single package, ask for a written independence and conflict-of-interest statement before you sign. Treat readiness and assessment as two separate engagements, with two separate providers, even if both happen to be on the Cyber AB Marketplace.

Decision Resolution Point #3 — Separate your readiness from your assessment.

Most Level 2 C3PAO budget surprises come from confusing “readiness” with “assessment.” They’re different scopes of work, performed by different categories of provider, under different rules.

Find your CMMC path →

We’ll route your situation to the right category of provider, in the right order: readiness first, then assessment when you’re evidence-ready. Any provider-matching relationship is disclosed before referral.

How much does the C3PAO assessment fee itself cost?

Answer capsule:The C3PAO firm engagement — the modeled portion of the assessment performed by the third-party assessor — is currently modeled by DoD at $31,234 for a small entity and $52,056 for an other-than-small entity inside the broader $76,743 “conducting the assessment” cost category. Market fees vary considerably by scope, scale, sites, and assessor, and DoD’s Regulatory Impact Analysis acknowledges that market forces, availability, and scope complexity affect C3PAO pricing. The fee is one line item on a Level 2 C3PAO budget — not the whole budget.

Why a C3PAO assessment fee may be lower than the total Level 2 C3PAO quote

Some C3PAOs bundle pre-assessment readiness, mock assessment, documentation review, and post-assessment POA&M closeout into a single quote. Others quote only the formal assessment activity. The bundled quote will be higher. The unbundled quote requires you to source the rest separately — and to confirm that the readiness provider is independent of the assessor.

Both are legitimate. The dangerous version is the bundled quote that impliesit includes everything but doesn’t define the line items. That is the quote that produces six-figure change orders mid-engagement.

What to demand in a written C3PAO quote

Active authorization status on the Cyber AB Marketplace as of the quote date
Scope assumptions — number of users, systems, sites, External Service Providers (ESPs), and CUI flows in scope
Number of assessors and assessment days budgeted
Travel and per-diem assumptions
Pre-assessment documentation expectations — what they expect from you before they show up
POA&M closeout fee — if your initial result is Conditional Level 2, what does closeout cost
Appeal/dispute process
Written independence and conflict-of-interest statement — confirmation that no individual on the assessment team performed readiness work at your organization
Explicit list of what is excluded from the quote

The supply context shaping C3PAO pricing

The Department of Defense’s DFARS final rule estimates 118,289 entities in the Level 2 Certificate category, 6,759 entities in the Level 2 Self category, 209,540 at Level 1, and 3,380 at Level 3 — a total of approximately 337,968 affected entities in DoD’s economic analysis. Of those, 229,818 are small entities and 108,150 are other-than-small entities (roughly 68% small). C3PAO assessment capacity, which is regulated and credentialed through The Cyber AB, has to scale into that demand over Phases 2 through 4 of the implementation schedule. Cyber AB Marketplace counts of authorized C3PAOs and credentialed Certified CMMC Assessors are volatile and change month to month. Before relying on a current capacity figure, check The Cyber AB Marketplace directly on the day you make your assessment scheduling decision.

What does CMMC Level 3 cost?

Answer capsule:CMMC Level 3 is the highest tier and applies to a narrow set of contractors handling the most sensitive CUI on programs designated by DoD. Level 3 requires a prior Final Level 2 C3PAO certification as a prerequisite, plus the 24 selected enhanced security requirements from NIST SP 800-172 Feb 2021 identified in Table 1 to 32 CFR §170.14(c)(4). The Level 3 assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO. DoD’s 32 CFR Part 170 RIA estimates Level 3 assessment and affirmation activity at $12,802 over three years for a small entity. The implementation cost is much larger — DoD’s small-entity Level 3 figure includes approximately $2.7 million in nonrecurring engineering and $490,000 in recurring engineering, on top of the Level 2 C3PAO prerequisite.

We’re flagging this because most public CMMC cost pages understate Level 3 dramatically. Quotes you’ll see online of “Level 3 = Level 2 + $40,000” are describing the incremental assessment activity, not the full Level 3 program cost. The Federal Register RIA is unambiguous on this point.

What Level 3 actually requires

Final Level 2 C3PAO certification as a prerequisite (you cannot start at Level 3)
The 110 NIST SP 800-171 Revision 2 requirements (from Level 2)
The 24 selected NIST SP 800-172 Feb 2021 enhanced security requirements identified in Table 1 to 32 CFR §170.14(c)(4), plus DoD Organization-Defined Parameters
DIBCAC-conducted assessment every three years
Annual affirmation

Who conducts the Level 3 assessment

The DCMA DIBCAC— the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. This is a federal assessment body, not a commercial C3PAO. There is no marketplace fee for the DIBCAC assessment itself, which is why DoD’s $12,802 three-year figure is so much lower than Level 2 C3PAO. The cost lives in implementation.

What to do if a prime tells you “you need Level 3”

Do not start by buying a “Level 3 readiness package.” Confirm three things first:

The specific contract requirement and program designation
Whether Final Level 2 C3PAO is already achieved (it must be, before Level 3 work begins)
That the affected assessment scope is tied to the 24 selected NIST SP 800-172 requirements identified in 32 CFR §170.14(c)(4), plus any contract-specific implementation details

Most contractors flagged for Level 3 by a prime turn out to be Level 2 C3PAO with elevated documentation expectations. Verify before you spend.

What should be inside a real CMMC certification budget?

Answer capsule: A defensible CMMC certification budget separates seven distinct cost layers: scope definition, System Security Plan development, control remediation, technology and environment, the C3PAO assessment (or DIBCAC assessment at Level 3), annual affirmation, and ongoing sustainment. If a quote does not identify which bucket each dollar belongs to, you cannot compare it against another quote — and you cannot defend it to a CFO. Total first-year Level 2 C3PAO budgets typically range from $75,000 for well-prepared small contractors to $300,000+ for contractors building a CUI program from a low NIST SP 800-171 Rev. 2 baseline.

The seven-layer CMMC certification budget stack

Layer	Required for which path	Typical owner	Notes
1. Scope definition	All paths handling CUI	Internal + readiness consultant (RPO)	The highest-leverage cost lever. Defines where FCI/CUI lives, which systems are in scope, and where scoping reductions might apply.
2. System Security Plan (SSP)	Required for Level 2 (self or C3PAO)	Internal + RPO	Must reflect actual implementation, not a template. The central artifact a C3PAO will review.
3. Remediation	If gaps exist against the 110 requirements	Internal IT + MSP/MSSP + RPO	The largest variable in the entire budget. Maturity-dependent.
4. Technology and environment	All paths handling CUI	Internal IT + cloud/enclave vendor	GCC High, AWS GovCloud, on-prem secure enclave, hybrid, or third-party CUI enclave.
5. Assessment	Level 2 C3PAO and Level 3 DIBCAC	C3PAO (Level 2) or DIBCAC (Level 3)	Cannot be the same individual or firm that did your readiness, per Cyber AB independence rules.
6. Annual affirmation	All paths	Senior official internal	Carries False Claims Act exposure if false. Not optional.
7. Ongoing sustainment	All paths	Internal + MSSP/advisor	Continuous monitoring, evidence maintenance, control operation, recertification preparation.

Layer-by-layer market cost ranges are DCR editorial market estimates from public 2026 industry pricing data, verified May 27, 2026, and depend heavily on company size, current maturity, and CUI scope.

The budget layer most contractors forget

Ongoing sustainment.A Final Level 2 C3PAO certification is valid for three years, but it is not “set and forget.” DFARS 252.204-7021 requires current CMMC status and annual affirmation throughout the contract period. Final Level 2 (C3PAO) and Final Level 3 (DIBCAC) statuses have a three-year validity structure with annual affirmation requirements, and the ongoing operation of the 110 controls — log review, access management, vulnerability management, incident response, monitoring — is a real recurring operational cost that lives outside the assessment cycle. Most contractors who underbudget CMMC do so by funding year one and forgetting years two and three.

How do you know if a CMMC quote is reasonable? (The Quote Sanity Checklist)

Answer capsule:A reasonable CMMC quote defines the Level, the assessment path (self or third-party), the scope boundary (which users, systems, sites, and ESPs are in scope), the provider role (readiness vs assessment), the deliverables, the assumptions, the exclusions, the credential status, the independence posture, the timeline, and the POA&M closeout terms. A vague quote is dangerous even at an attractive price. A high quote is not necessarily bad if it itemizes the work.

We built this checklist because the most common question we see from defense contractors is a variation of: “Is this number reasonable?” The honest answer is almost always “it depends on what’s inside it.”Here’s how to find out.

The CMMC Quote Sanity Checklist

Question to ask the provider	Green flag (good answer)	Red flag (bad answer)
What Level and assessment type does this quote assume?	“Level 2 C3PAO assessment under DFARS 252.204-7021” or similar specificity	“CMMC certified” with no specified path
Which users, systems, sites, and ESPs are in scope?	Boundary map, CUI flow analysis, CAGE codes, ESP arrangements identified	“Whole company” or “all IT” with no scoping work
Is this quote for readiness, assessment, or both?	Each role clearly labeled and priced separately	Combined into one line item without disclosure
Who performs the readiness work?	Named RPO or Registered Practitioner, with Cyber AB Marketplace verification	Vague “compliance partner”
Who performs the assessment?	Named C3PAO with active Cyber AB Marketplace authorization, verified as of the quote date	“Partner assessor” without Marketplace verification
Are the readiness and assessment providers independent of each other?	Yes, with a written independence and conflict-of-interest statement	Same individuals or unclear independence
What deliverables are included?	SSP, evidence index, POA&M, policies, network diagrams, executive briefings — listed	“Compliance package”
Are remediation costs included?	Either included with line-item detail, or explicitly excluded with a guideline range	Hidden assumptions
Is POA&M closeout support included if we receive Conditional Level 2 status?	Fee, scope, and timeline stated	Not mentioned
Does the quote guarantee certification?	No — process and readiness only, with honest disclosure that the C3PAO determines the outcome	“Guaranteed pass” or implied outcome
What’s the assumed timeline?	Normal vs urgent pricing distinguished	Vague
What are the travel and per-diem assumptions?	Specified for assessment team	Not addressed

The “too cheap” problem

A $20,000 quote for a Level 2 C3PAO program for a contractor with no SSP, partial NIST SP 800-171 Rev. 2 implementation, and a broad CUI scope is not a deal. It is almost certainly either an assessment-only fee being presented as a full program, or a low-ball that will trigger expensive change orders. A $20,000 quote is reasonable onlyif you’re already evidence-ready and the provider is quoting the C3PAO assessment activity alone, separately from independent readiness work you’ve already completed elsewhere.

The “too expensive” problem

A $300,000 quote for the same contractor may also be reasonable — if it includes scope reduction, CUI enclave buildout, full SSP development, remediation, GRC tooling, mock assessment, the formal assessment, and twelve months of managed security operations. The quote is dangerous only if it bundles these layers without defining them. Demand the itemization. If the provider can produce it, the high quote may be fair. If they can’t, walk.

Decision Resolution Point #4 — Take the checklist with you to your next vendor call.

The single most useful thing you can do before signing any CMMC engagement is force the provider to answer this list, in writing.

CMMC Readiness Checklist →

Use our readiness checklist before your next provider call to clarify scope, deliverables, and assumptions.

Can a CUI enclave reduce CMMC certification cost?

Answer capsule: A CUI enclave can reduce CMMC certification cost when it legitimately reduces the assessment boundary — narrowing the systems, users, and workflows that process, store, or transmit Controlled Unclassified Information. Reducing the assessment boundary reduces the number of systems that must meet all 110 NIST SP 800-171 Revision 2 requirements, which reduces remediation, tooling, and assessment cost. The savings depend on where CUI actually lives, which assets remain in scope under the 32 CFR §170.19 asset categorization, and which responsibilities the enclave provider inherits vs leaves to the contractor.

The most common CUI enclave options for defense contractors in 2026 are Microsoft 365 GCC High, AWS GovCloud (US), an on-premises secure enclave, or a third-party CUI enclave SaaS designed specifically to host CUI documents and workflows behind a defined boundary. See our CMMC managed enclave guide for a deeper comparison.

Scope Reduction Test — the asset categories that drive the boundary

Asset category (per 32 CFR §170.19)	In Level 2 assessment scope?	What must be documented
CUI Assets — process, store, or transmit CUI	Yes — assessed against all applicable Level 2 requirements	Documented in the SSP; included in the assessment boundary
Security Protection Assets — provide security functions to CUI Assets	Yes — assessed against the requirements relevant to their security function	Documented in the SSP; included in the assessment boundary
Contractor Risk Managed Assets — capable of, but not intended to, process/store/transmit CUI; risk-based managed by the contractor	Yes — assessed for risk-based policies, procedures, and practices; not assessed against all Level 2 requirements	Documented in the SSP, including risk-based decisions; assets are not allowed to process/store/transmit CUI in practice
Specialized Assets — Government-furnished equipment, IoT/IIoT, OT, Restricted Information Systems, Test Equipment	Treatment per 32 CFR §170.19 and the CMMC Scoping Guidance for the relevant Level	Documented in the SSP; treatment varies by Level
Out-of-Scope Assets — cannot process/store/transmit CUI and physically/logically separated	No	Not in the assessment boundary, but physical/logical separation must be defensible

Source: 32 CFR Part 170 §170.19, Cybersecurity Maturity Model Certification Program, eCFR.

When an enclave is the right move

CUI handling is concentrated in a small number of users and workflows
CUI documents can be isolated from your general business environment
Your commercial environment is messy and full-environment remediation would be expensive
A prime flow-down can be satisfied by a bounded system rather than your whole network
You want a defensible, narrowly-scoped CMMC assessment boundary

When an enclave is the wrong move

CUI is embedded across ERP, manufacturing systems, engineering CAD, email, file shares, ticket systems, and vendor portals
Users routinely move CUI between systems and can’t be constrained to the enclave
Business workflows cannot tolerate the separation
The enclave vendor cannot clearly explain inherited controls vs customer-responsible controls in a Customer Responsibility Matrix (CRM)

A note on FedRAMP and cloud control inheritance

A cloud service provider authorized at FedRAMP Moderate (or higher), or one that meets FedRAMP Moderate equivalency per DoD guidance, can support the CUI cloud use path under 32 CFR Part 170. That status, by itself, does not make the contractor compliant. The contractor still has to document shared responsibilities, connected infrastructure, asset treatment, and remaining CMMC requirements in the SSP and assessment scope. A FedRAMP-authorized environment is a starting point, not a finish line.

How can a small defense contractor lower CMMC cost without cutting compliance corners?

Answer capsule:The legitimate ways to reduce CMMC certification cost are scope reduction (CUI enclave), appropriate use of FedRAMP-authorized cloud services for inherited components, in-house policy documentation, pre-readiness gap analysis before engaging a C3PAO, and (where available) state Manufacturing Extension Partnership (MEP) cybersecurity grant programs. The illegitimate “cost-cutting” approaches — denying CUI exists, treating POA&M as a substitute for implementation, using template SSPs that don’t match the environment, having one individual prepare and assess you — are forms of compliance debt that produce larger costs later and can carry False Claims Act exposure when affirmed.

Cost-control moves that are legitimate

Map your CUI data flow first. Every dollar you spend before knowing where CUI lives is a dollar at risk of being misallocated.
Reduce the number of users who touch CUI. Fewer users in scope means fewer endpoints to secure.
Enclave CUI where practical. See the Scope Reduction Test above.
Remove unnecessary systems from scope. Most contractors have systems that touch CUI by accident rather than necessity.
Use FedRAMP-authorized cloud services appropriately. Document the shared-responsibility model in your SSP. Do not assume the CSP’s authorization satisfies your obligations.
Document policies in-house where capacity allows. Outsourcing every policy to an RPO is expensive when staff with a competent technical writer can produce comparable policies — provided the policies match actual operations.
Pre-readiness gap analysis. Conduct an independent RPO gap analysis before your C3PAO engagement. This surfaces gaps when remediation is still inexpensive.
State MEP cybersecurity programs. The NIST Manufacturing Extension Partnership national network includes state-level cybersecurity assistance programs for small manufacturers. Check directly with your state MEP center for current availability.

Cost-control moves that are dangerous

“We’ll say no CUI exists” — without a documented CUI determination by the contracting officer
Using a POA&M to defer implementation indefinitely
Buying a template SSP that doesn’t match your environment
Having one individual perform readiness and then serve as your assessor for the same engagement
Assuming GCC High or AWS GovCloud, by itself, equals compliance
Waiting until 90 days before contract award to begin readiness work

How to estimate your CMMC cost path before you ask for quotes

Answer capsule: Before requesting CMMC quotes, contractors should classify themselves into a cost path using six inputs: whether they handle FCI, CUI, or both; the CMMC Level required by the solicitation, contract, or flow-down; the assessment path (Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC); the current environment; the current SSP and SPRS posting status; and the target deadline. Each combination produces a different cost path, official DoD estimate, real-world cost layer set, and recommended first provider category to contact.

The six inputs that determine your cost path

Information type — FCI only, CUI, or both
Required CMMC Level — Level 1, Level 2, or Level 3, as identified in the solicitation provision or flow-down
Assessment path — Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC, as identified in the contract clause
Current environment — where CUI is currently processed, stored, or transmitted
Current SSP and SPRS posting status — do you have a current System Security Plan and a current NIST SP 800-171 DoD Assessment Methodology score posted in SPRS
Deadline pressure — how soon is the next solicitation, option period, or affirmation date

What you get from running through those inputs

The official DoD estimate that applies to your path
The non-DoD cost layers you should expect to budget on top of it
The provider category to contact first
The quote red flags specific to your situation
A baseline cost range to defend in front of your CFO

Decision Resolution Point #5 — Run your situation through the matching form before you request quotes.

The hardest part of CMMC budgeting is not the math. It is the scoping that comes before the math.

Find your CMMC path →

Answer the six inputs above and we’ll match you with the right provider category for your situation. Any provider-matching relationship is disclosed before referral.

When does CMMC certification cost become urgent under the DFARS rule?

Answer capsule: The DFARS final rule implementing CMMC in defense acquisition (DFARS Case 2019-D041) became effective November 10, 2025, and phases CMMC requirements into solicitations and contracts on a four-phase schedule. Phase 1 began November 10, 2025, focusing on Level 1 and Level 2 self-assessment requirements in applicable solicitations. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 C3PAO status for applicable DoD solicitations and contracts as a condition of award, with discretion to delay to an option period. Phase 3 expands the program further; Phase 4 — projected for November 2028 — applies CMMC across the full DoD acquisition portfolio.

What changed on November 10, 2025

The DFARS final rule added contract language — primarily through DFARS 252.204-7021 and the related solicitation provision DFARS 252.204-7025 — that requires offerors to have the applicable CMMC status before contract award for systems that will process, store, or transmit FCI or CUI under the contract. The clauses establish CMMC UID, affirmation, and SPRS posting requirements.

Award eligibility, in plain terms

A contractor can be ineligible for award if the required current CMMC status, or a higher status, and the required affirmation are not posted in SPRS for each applicable CMMC UID at the time of award. Conditional Level 2 and Conditional Level 3 statuses can support award only within the allowed 180-day POA&M closeout window; Level 1 requires Final status.

Why subcontractors cannot ignore this

DFARS 252.204-7021 flow-down provisions require that subcontracts at any tier requiring the processing, storage, or transmission of FCI or CUI carry the CMMC requirements applicable to the work being flowed down. A subcontractor handling CUI for a prime under a DFARS 252.204-7021-covered contract has the same Level 2 obligation the prime has — assessment path included.

What happens if we rely on a POA&M?

Answer capsule:A Plan of Action and Milestones (POA&M) is permitted at CMMC Level 2 and Level 3, but only under defined conditions and only for a limited set of requirements that are eligible for POA&M deferral. If your initial Level 2 assessment yields a Conditional status because of POA&M-eligible gaps, you have 180 days to close the POA&M and receive Final status. If the POA&M is not successfully closed within that window, the Conditional status expires and you are no longer eligible for contracts that require Final Level 2. POA&M is a planning tool, not a substitute for implementing the underlying requirement.

POA&M cost implications

Closeout support fees. Most C3PAOs will charge a separate fee for the closeout assessment activity.
Internal remediation timeline. You must fund the remediation work itself within the 180-day window.
Contract eligibility risk. A Conditional status that expires before closeout creates a real and immediate eligibility problem for new contracts and option-period exercises.

The quote question to ask

“Does this quote include POA&M closeout support, and what is the cost and timeline if our initial assessment yields a Conditional Level 2 status?”

Which provider category affects CMMC certification cost the most?

Answer capsule:Five distinct provider categories make up the CMMC ecosystem, and most defense contractors need two or three of them in sequence — not one. A C3PAO conducts the formal Level 2 assessment. An RPO (Registered Provider Organization) provides readiness consulting before assessment. An MSP or MSSP operates parts of your security environment. A GRC platform organizes documentation, evidence, and POA&M tracking. A CUI enclave or secure cloud provider supplies the technical environment. Each affects your total CMMC certification cost in a different way — and confusing one for another is the most common source of mismatched provider engagements.

The five provider categories, side by side

Provider category	What it reduces	What it cannot do	Where it most often costs you money
C3PAO (Certified Third-Party Assessment Organization)	Assessment uncertainty; produces the Level 2 Certificate of CMMC Status	Individuals cannot assess a company they previously helped implement; firms must meet Accreditation Body conflict-of-interest and ethics requirements	Engaging the C3PAO before you are evidence-ready, triggering a failed assessment and remediation rework
RPO/RP/CCP (Registered Provider Organization, Registered Practitioner, CMMC Certified Professional)	Scoping uncertainty, SSP gaps, remediation planning	Cannot issue or determine certification	Paying for strategy without paired implementation support
MSP/MSSP (Managed Service Provider / Managed Security Service Provider)	Operational security execution, monitoring, evidence generation	Cannot replace assessment or senior-official affirmation	Monthly spend on services that don’t map cleanly to the 110 NIST SP 800-171 Rev. 2 requirements
GRC platform (software)	Evidence tracking, control mapping, POA&M management, dashboards	Cannot implement controls	Buying the software before the underlying processes exist
CUI enclave / secure cloud (GCC High, AWS GovCloud, on-prem, enclave SaaS)	Scope reduction through environment isolation	Cannot eliminate all CMMC obligations	Believing the enclave alone equals compliance

The provider-engagement decision rule

Don’t know your scope yet? Start with an RPO for scoping and SSP work.
Know your scope but have weak controls? Start with remediation — internal IT, MSP, or MSSP partnered with your RPO.
Controls exist but evidence is disorganized? A GRC platform plus documentation cleanup is the next step.
Evidence-ready? Schedule a C3PAO assessment.
CUI scattered across the business? Evaluate a CUI enclave before you expand full-enterprise remediation.

Decision Resolution Point #6 — Match to a provider category, not a provider name.

The right category of provider depends on which problem you’re solving right now. The right named provider within that category depends on the verification work that comes next.

Compare provider categories →

See what each category does, what to verify before engaging, and which category you likely need first based on your situation.

CMMC certification cost for small business: the panic question, answered honestly

Answer capsule:A small defense contractor handling only FCI typically spends $5,000–$20,000 total for Level 1 self-assessment readiness and the annual affirmation cycle. A small contractor handling CUI on the Level 2 C3PAO path typically spends $75,000–$150,000 in year one, with remediation rather than the assessment fee as the largest single line item. Per DoD’s DFARS final rule entity estimate, 229,818 of 337,968 affected entities are small entities — approximately 68%. The Small Business Administration’s Office of Advocacy formally raised concerns about small entity burden in its February 2024 comment letter on the CMMC proposed rule, and DoD’s own Regulatory Impact Analysis acknowledges that small entities bear a disproportionate share of CMMC compliance burden.

The decision frame for small-contractor CMMC

If your defense contract revenue cannot absorb a $75,000–$150,000 year-one CMMC investment for Level 2 C3PAO, plus the ongoing sustainment cost in years two and three, the rational question is whether to stay in the defense market for that contract. We’re not telling you to exit. We’re telling you that “exit, or invest” is a real decision frame, and pretending otherwise is the kind of advice that costs contractors more than they would have lost by walking away cleanly.

If you do invest, the order of operations matters

For a small contractor on the Level 2 C3PAO path, the order that produces the lowest total cost is consistent:

Scope first. Where does CUI actually live? Map the data flow.
Reduce the boundary. If you can put CUI in an enclave, do it before any broad remediation spend.
Document the as-is. Build the SSP for what you actually do, not what a template says you should do.
Remediate the gaps that matter. Not all 110 are equally gapped; surface the worst first.
Set up the evidence machine. GRC platform or equivalent — whatever produces defensible records.
Operate for a quarter or two. Let the controls actually run and generate evidence before the assessment.
Schedule the C3PAO. Now you’re evidence-ready.

The contractors who skip steps 1–6 and start at step 7 are the contractors who get the eye-watering quotes. The quotes aren’t wrong. The order is.

What we actually verified for this guide

We do this on every decision page. Here’s what we read directly, what we cross-checked, and what we relied on secondary sources for.

Item	Source	Verified
CMMC Program Final Rule effective date (December 16, 2024) and codification at 32 CFR Part 170	Federal Register, October 15, 2024; eCFR 32 CFR Part 170	Last verified May 27, 2026
DFARS final rule (DFARS Case 2019-D041) publication date (September 10, 2025) and effective date (November 10, 2025)	Federal Register, September 10, 2025	Last verified May 27, 2026
DFARS 252.204-7021 clause text	Acquisition.gov DFARS 252.204-7021	Last verified May 27, 2026
DFARS 252.204-7025 provision text	Acquisition.gov DFARS 252.204-7025	Last verified May 27, 2026
NIST SP 800-171 Revision 2 as the current CMMC Level 2 control set	NIST CSRC SP 800-171 Rev. 2; 32 CFR Part 170	Last verified May 27, 2026
24 selected NIST SP 800-172 enhanced requirements for Level 3 in Table 1 to 32 CFR §170.14(c)(4)	NIST CSRC SP 800-172; eCFR 32 CFR §170.14	Last verified May 27, 2026
Official DoD cost estimates ($5,977 / $34,277 / $37,196 / $101,752 / $104,670 / $112,345 / $117,768 / $31,234 / $52,056 / $76,743 / $12,802 / ~$2.7M / ~$490K)	32 CFR Part 170 Regulatory Impact Analysis, Federal Register, October 15, 2024	Last verified May 27, 2026
DFARS final rule entity estimate (229,818 small entities; 108,150 other-than-small; 337,968 total; 209,540 Level 1; 6,759 Level 2 Self; 118,289 Level 2 Certificate; 3,380 Level 3)	DFARS Case 2019-D041 final rule, Federal Register, September 10, 2025	Last verified May 27, 2026
32 CFR §170.19 asset categorization (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets)	eCFR 32 CFR §170.19	Last verified May 27, 2026
Cyber AB independence rule on individuals holding multiple implementation and assessor designations	The Cyber AB — Consulting and Implementation	Last verified May 27, 2026
Phased implementation schedule (Phase 1 began November 10, 2025; Phase 2 begins November 10, 2026)	32 CFR §170.3; DoD CIO CMMC page	Last verified May 27, 2026
2026 market price ranges for C3PAO assessments and Level 2 programs	DCR editorial market estimates from public 2026 industry pricing data	Last verified May 27, 2026 — not DoD official figures
SBA Office of Advocacy comment letter on small entity burden (February 2024)	SBA Advocacy — Cybersecurity Maturity Model Certification Program	Last verified May 27, 2026

We did not contact named C3PAOs or RPOs to ask for current price sheets. Where market ranges appear in this article, they reflect DCR editorial market estimates compiled from public 2026 industry pricing data, not direct quotes. Treat them as orientation, not a quote. Cyber AB Marketplace counts of authorized C3PAOs, Certified CMMC Assessors, and issued certifications are volatile; check The Cyber AB Marketplace directly at the time of engagement for current figures.

Frequently asked questions about CMMC certification cost

How much does CMMC certification cost in 2026?

For a small entity, the Department of Defense estimated Level 1 self-assessment and affirmation at $5,977 initially, Level 2 self-assessment at $37,196 over three years, and Level 2 third-party (C3PAO) certification at $104,670 over three years. DoD’s small-entity Level 3 model includes approximately $2.7 million in nonrecurring engineering and $490,000 in recurring engineering, on top of $12,802 over three years for the Level 3 assessment and affirmation cycle and the Final Level 2 C3PAO prerequisite. Real-world first-year cost at Level 2 commonly runs above DoD’s estimate once implementation, remediation, technology, and documentation are included.

Why did my CMMC quote come back higher than DoD’s estimate?

Because DoD’s Level 1 and Level 2 cost estimates exclude implementation costs. The 32 CFR Part 170 Regulatory Impact Analysis states that the cost of implementing the underlying security requirements was already required by FAR 52.204-21 (since 2016) and DFARS 252.204-7012 (since 2017), so DoD did not attribute that cost to CMMC. If your environment, documentation, or controls are not assessment-ready, your quote will include the implementation work that DoD’s estimate left out.

Do I need a C3PAO for CMMC Level 1?

No. CMMC Level 1 is satisfied by an annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21, with senior-official affirmation in SPRS. There is no third-party certification path at Level 1.

Does every Level 2 contractor need a C3PAO?

No. CMMC Level 2 includes both a self-assessment path and a C3PAO third-party certification path. The required path is identified in the solicitation or contract — most commonly through the solicitation provision DFARS 252.204-7025. The Department of Defense, not the contractor, determines which path applies. Phase 2 of the CMMC implementation schedule begins November 10, 2026, when DoD intends to include Level 2 C3PAO status for applicable DoD solicitations and contracts as a condition of award, with discretion to delay the requirement to an option period.

What is the difference between CMMC compliance cost and CMMC certification cost?

“Certification cost” typically refers to the assessment-and-affirmation cycle, particularly for Level 2 C3PAO — the DoD’s $104,670 figure for a small entity. “Compliance cost” refers to the broader work needed to implement and maintain the underlying NIST SP 800-171 Revision 2 controls, documentation, evidence, tooling, and security operations. Certification cost is one line item inside compliance cost.

Can a CMMC consultant certify my company?

No. A readiness consultant or Registered Provider Organization (RPO) can prepare you for assessment, but only an authorized C3PAO can conduct a Level 2 certification assessment and issue a Level 2 Certificate of CMMC Status. Level 3 assessments are conducted by the DCMA DIBCAC, not by a C3PAO.

Can the same provider prepare us and assess us?

The Cyber AB states that individuals holding multiple implementation and assessor designations cannot assess a company if they previously assisted with implementation for that same company. C3PAOs and assessors must also comply with the Accreditation Body’s conflict-of-interest and ethics requirements. Ask for a written independence and conflict-of-interest statement before engaging any provider that offers both readiness and assessment services.

Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?

As of this verification date (May 27, 2026), CMMC Level 2 security requirements are NIST SP 800-171 Revision 2. NIST SP 800-171 Revision 3 exists, but 32 CFR Part 170 incorporates Revision 2 for CMMC Level 2 unless and until the Department of Defense amends the rule. Any cost guide that describes CMMC Level 2 against Revision 3 is, on the current rule, inaccurate.

How long is CMMC certification valid?

A Final Level 1 self-assessed status is not older than one year. Final Level 2 self-assessed, Final Level 2 C3PAO-assessed, and Final Level 3 DIBCAC-assessed statuses are not older than three years from the assessment date, with annual affirmation requirements in each year of the three-year validity.

What’s the cheapest legitimate path to CMMC Level 2?

The cheapest legitimate path is: (1) tightly scope where CUI lives, (2) confine CUI to a defined enclave where practical, (3) document the shared-responsibility model for any FedRAMP-authorized cloud services in your SSP, (4) document policies in-house where capacity allows, (5) complete a pre-readiness gap analysis with an independent RPO, (6) operate the controls long enough to generate defensible evidence, then (7) engage a separate C3PAO for the formal assessment. Contractors who follow this order come in at the lower end of the small-contractor band.

What should I do before requesting CMMC quotes?

Determine whether you handle FCI, CUI, or both. Confirm the required CMMC Level and assessment path from your solicitation or prime flow-down. Map your CUI users and systems. Then ask every provider to quote against the same defined scope, with the same deliverables list. Without these steps, you cannot compare quotes — and providers can’t give you accurate quotes either.

The next step depends on where you are right now

Three paths, three different commitment levels. Pick the one that matches where you actually are.

1. You’re still figuring out what CMMC even requires of you.

Read our complete CMMC 2.0 guide and the three CMMC Levels explainedfirst. You don’t need a provider yet. You need clarity.

2. You know you need help, but you’re not sure which provider category fits your situation.

This is the most common state — and the most expensive one to skip past. Need help deciding what type of CMMC provider you need? Get matched with verified providers in 60 seconds.

Find your CMMC path →

3. You already know you’re on the Level 2 C3PAO path and want the deeper cost breakdown.

Read our Level 2-specific cost deep-dive, which goes into C3PAO selection criteria, assessment-day mechanics, and post-assessment POA&M scenarios in more depth than this page does.

Related guides

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Department of Defense, The Cyber AB, or any U.S. government agency. This article is editorial information and is not legal, contractual, or compliance advice. CMMC requirements vary by contract, scope, and CUI handling specifics. Consult a CMMC Registered Practitioner (RP/RPO) or qualified federal contracts counsel before making compliance decisions.

Last verified: May 27, 2026. Reverification cadence: regulatory facts quarterly and on any DoD amendment; Cyber AB Marketplace counts at the time of engagement; market price ranges quarterly. For our full verification process see Methodology. For our disclosure practices see Editorial & Advertising Policy.