CMMC Cost Calculator: DoD's Official Estimate vs. Your Real Cost
Estimate your first-cycle and three-year CMMC budget by level, CUI scope, environment, and readiness — then see the number DoD's official estimate leaves out.
This CMMC cost calculator gives you a defensible budget range, not a sales quote. Here is the bottom line up front: DoD's own small-business estimates are $5,977 a year for a Level 1 self-assessment, $37,196 over three years for a Level 2 self-assessment, and $104,670 over three years for a Level 2 certification assessment by a third party. Those figures come straight from DoD's Regulatory Impact Analysis for the CMMC rule. But here is the part almost no vendor tells you: for Levels 1 and 2, those numbers cover only the assessment, not the implementation, remediation, environment, and maintenance work it takes to become compliant in the first place. This tool reconciles the two.
What this calculator does, in one line: it starts from DoD's official assessment estimate for your level, then adds the readiness, remediation, environment, evidence, and maintenance work DoD's estimate excludes, and returns a first-cycle range, a three-year range, your biggest cost driver, and the provider category to talk to first. It is an editorial budgeting tool, not a quote, and not legal or contractual advice.
Disclosure: we may receive compensation for qualified introductions when disclosed; it does not control our regulatory analysis or which provider category we point you to. Provider matching asks only for your level, scope, and timeline. Never share CUI, contract numbers, drawings, or system details.
DoD's official estimate vs. budget reality
The single most expensive mistake in CMMC budgeting is treating four different numbers as one. DoD's official estimate, a C3PAO's assessment fee, a readiness firm's quote, and your true all-in budget are not the same number. The table below is our reconciliation of DoD's published per-level estimates against what the same effort tends to cost once you add the work DoD's estimate leaves out.
| CMMC path | DoD's official estimate (small entity) | What that figure actually buys | What it does not settle | Realistic all-in, Year 1* |
|---|---|---|---|---|
| Level 1 self-assessment (FCI only) | $5,977 / year | The annual self-assessment, reporting, and affirmation | Whether your FCI environment already meets the 15 basic safeguards | Usually light if scope is truly FCI-only |
| Level 2 self-assessment (CUI, self-assessed) | $37,196 / 3 yrs | The triennial self-assessment plus three annual affirmations | Implementation, remediation, evidence, environment, upkeep | ~$60K–$200K+ (higher with broad scope or a cloud move) |
| Level 2 (C3PAO) (CUI, third-party assessed) | $104,670 / 3 yrs | The certification assessment, reporting, affirmations, and your labor to support it | Everything needed to become ready before the assessor arrives | ~$90K–$350K+ (mid-six figures starting from scratch) |
| Level 3 (DIBCAC, high-sensitivity CUI) | $12,802 / 3 yrs assessment + affirmation | The government assessment and affirmations only (no C3PAO fee) | DoD also budgets $2.7M one-time + $490K/yr to implement NIST SP 800-172, on top of a Level 2 (C3PAO) status | Program-level (DoD models ~$4.3M over 3 yrs); validate against contract |
*Realistic all-in ranges are The Defense Compliance Report's editorial planning estimates, informed by publicly published provider pricing and our own reporting — not DoD figures, and not a substitute for a scoped quote. The Level 3 figures above are DoD's own model.
Look closer at that $104,670, because the breakdown is the whole lesson. The accredited assessor's own engagement fee is just $31,234 of it. The rest is your side of the table: $45,509 for your team's and your IT provider's labor to conduct and sit through the assessment, $20,699 to plan and prepare, $2,851 to report, and $4,377 for three years of affirmations. Add it up and you get $104,670, and not one dollar of it fixes a single security gap. It is the cost of proving readiness, not achieving it.
How much does CMMC cost in 2026?
CMMC cost depends on four things: your level, your assessment type, how much of your business touches CUI, and whether you're budgeting only for the assessment or for the full path to readiness. DoD's official small-entity estimates are roughly $6,000 a year for Level 1, $37,000 over three years for Level 2 self-assessment, and $105,000 over three years for a Level 2 certification assessment by a third party. Those are assessment costs only.
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that defense contractors and subcontractors actually protect the sensitive information they handle. It exists for a blunt reason: in February 2022 the FBI, NSA, and CISA reported sustained Russian state-sponsored targeting of U.S. cleared defense contractors spanning at least January 2020 through February 2022, and a DoD Inspector General audit (DODIG-2019-105) had already found that contractors were not consistently implementing the security controls they had agreed to.
Here's the honest range by path, with DoD's anchor on one side and the budget reality on the other:
- Level 1 (FCI only): ~$5,977 per year for the self-assessment and affirmation. Federal Contract Information, or FCI, is non-public information you generate or receive under a contract. Level 1 is the lightest path — if you're certain you handle no CUI.
- Level 2 self-assessment: ~$37,196 over three years for the assessment and affirmations. Available only when your contract permits self-assessment.
- Level 2 certification assessment (by a C3PAO): ~$104,670 over three years. A C3PAO (Certified Third-Party Assessment Organization) is a Cyber AB–authorized or accredited firm that performs the Level 2 certification assessment that results in a Level 2 (C3PAO) status. Many CUI contractors will need to budget for this path as Phase 2 arrives.
- Level 3: assessed by the government, with assessment and affirmation at ~$12,802 over three years — but only after you hold a Final Level 2 (C3PAO) status, and only after implementing the NIST SP 800-172 enhanced controls that, in DoD's model, dominate the Level 3 budget.
To put scale on it: DoD estimates roughly 8,350 medium and large entities will need a Level 2 certification assessment as the rule fully rolls out, and its Regulatory Impact Analysis projects about 56,689 small-entity Level 2 certification assessments across the phase-in. This is not a niche compliance chore; it is a market-wide budgeting event, and the contractors who price it correctly now will have a scheduling and cash-flow advantage over the ones who wait.
What DoD's official CMMC cost estimates include — and deliberately leave out
Here is the damaging admission this calculator is built around: DoD's official Level 1 and Level 2 cost estimates are not your all-in budget, and DoD says so plainly. For Levels 1 and 2, those estimates cover only assessment, reporting, and affirmation: the cost to prove you're compliant. They exclude implementation, remediation, and maintenance, because DoD assumes you already implemented the underlying security controls years ago.
This is the most important section on the page, so we'll be precise. In its Regulatory Impact Analysis, DoD states that for Levels 1 and 2, “cost estimates are not included for an entity to implement the CMMC Level 1 or 2 security requirements, maintain compliance with current security requirements, or remediate a Plan of Action for unimplemented requirements.” Why not? Because those controls were already mandated: FAR 52.204-21 (the basic safeguarding clause, effective June 15, 2016) requires the 15 Level 1 safeguards, and DFARS 252.204-7012 required implementation of NIST SP 800-171 Rev. 2 by December 31, 2017.
Read that again, because it's the whole game. DoD's $104,670 is the cost to verify work it assumes you finished in 2017. If you did finish it, that figure is roughly your number. If you didn't, your real budget includes everything DoD left out.
How do we know many contractors didn't? DoD knows too, and it built the rule around the gap. The same analysis cites the DoD Inspector General's finding that contractors “did not consistently implement” the required safeguards. And buried in the analysis is the detail that explains every sticker-shock story in the Defense Industrial Base. DoD writes, in plain language, that under the existing self-attestation model “a contractor is compliant with the NIST SP 800-171 Rev 2 standard if 10% of NIST SP 800-171 Rev 2 requirements are implemented and the other 90% are listed in a Plan of Action.” A Plan of Action and Milestones, or POA&M, is a document listing security gaps and your plan to fix them. For years, contractors marked themselves “compliant” in SPRS (the Supplier Performance Risk System, DoD's official supplier database) while most of their controls lived on that list. CMMC is the moment the list comes due, especially at the Level 2 certification assessment, where a third party verifies what you've actually built, not what you've promised.
So why does this raise your odds of doing CMMC well, rather than scaring you off? Because it tells you exactly where your money goes, and in what order. The contractors who blow their budgets are the ones who schedule an assessment before fixing anything, then pay for a failed assessment and a remediation scramble. The contractors who do it cleanly figure out their real gap first, close it, organize evidence, and then bring in an assessor. The calculator above separates these costs precisely so you can sequence them. There is good news in the structure, too: at Level 2, the most powerful cost lever isn't the assessment fee; it is how much of your business touches CUI, which you can often shrink. That is the next question.
Why do two Level 2 companies get completely different CMMC quotes?
Two companies can both need Level 2 and still receive wildly different quotes because cost is driven by scope, maturity, environment, and timeline — not company size. DoD's own analysis says Level 2 cost is “driven by multiple factors, including market forces … and the size and complexity of the enterprise or enclave under assessment.” A 12-user enclave with organized evidence is a different budgeting problem than an enterprise-wide mix of cloud and on-prem systems with unmapped CUI.
If you've collected quotes and felt like you were comparing apples to anvils, you weren't imagining it. Here's the same calculator run on two real-world small-business profiles — same level, very different invoice:
| | Company A | Company B |
|---|---|---|
| Profile | 12 CUI users, narrow enclave, SSP written, near-ready, 12-month runway | 75 CUI users, CUI spread across M365 + file shares + endpoints, no SSP, 0–3 months |
| First-cycle estimate | ~$140K–$295K (likely ~$185K) | ~$535K–$2.8M (likely ~$1.2M) |
| Three-year estimate | ~$170K–$490K (likely ~$260K) | ~$685K–$3.8M (likely ~$1.6M) |
| Biggest cost driver | The assessment itself | CUI scope and remediation |
| First provider category | C3PAO comparison (evidence is ready) | Readiness / RPO / MSP / MSSP (fix first) |
Ranges are illustrative outputs of this calculator's editorial planning model; your scoped quote is the binding number.
Four drivers move the number far more than your employee count does.
Scope is usually the first cost driver. The single biggest variable is how much of your organization is in the assessment boundary, the set of systems, people, and workflows that store, process, or transmit CUI. Fifteen users handling CUI inside one controlled environment is a small, knowable assessment. The same company with CUI flowing through email, three SaaS apps, a file server, and everyone's laptop is a far larger one.
Maturity changes cost more than size. A near-ready company with a written System Security Plan (an SSP — the document describing how you meet each requirement), organized evidence, and a SPRS score in the 90s is mostly buying an assessment. A company with no SSP and a low score is buying months of remediation first. Same level, same headcount, very different invoice.
Environment complexity can dominate the budget. Where CUI lives determines how hard it is to control and prove. Commercial Microsoft 365 or Google Workspace, government cloud such as Microsoft GCC High or AWS GovCloud, on-prem servers, endpoints, identity, and logging each carry different remediation and evidence costs. The wrong architecture can quietly expand your scope and your bill.
Timeline pressure raises the price. A 12-month runway lets you remediate methodically. A 60-day scramble means premium consulting rates, rework, and competing for scarce assessor calendar slots. Urgency is itself a cost driver, which is the unglamorous reason to start before you're forced to.
What's the difference between assessment, readiness, remediation, environment, and maintenance costs?
A credible CMMC budget separates its costs into distinct buckets instead of hiding them inside one number. Assessment is the cost to evaluate and report your status. Readiness is preparing for it. Remediation is fixing the gaps. Environment is the cloud or enclave work to control CUI. Evidence tooling (GRC) is tracking control ownership and proof. Maintenance is keeping it all current year after year. For Levels 1 and 2, DoD's official estimate covers only the first bucket.
This is the framework that prevents the most expensive budgeting error. When a vendor hands you a single CMMC number, the first question is always: which buckets are in this, and which are missing?
| Cost bucket | What it includes | Who usually provides it | The common mistake |
|---|---|---|---|
| Assessment | Self-assessment, certification assessment by a C3PAO, or DIBCAC assessment; reporting; affirmations | Your team, a C3PAO, or DCMA DIBCAC | Treating the assessment fee as the all-in cost |
| Readiness | Gap assessment, SSP and POA&M support, evidence preparation | RPO, consultant, MSP, MSSP, virtual CISO | Scheduling an assessment before evidence exists |
| Remediation | Technical fixes — identity, logging, endpoints, encryption, policy | MSP, MSSP, internal IT, cloud integrator | Buying tools before the scope is defined |
| Environment | CUI enclave, GCC High / GovCloud migration, secure collaboration | MSP/MSSP, enclave provider, cloud integrator | Moving everything instead of shrinking scope |
| Evidence / GRC | Governance-risk-compliance software, evidence tracking, control ownership | GRC platform, internal GRC lead | Mistaking a tool for actual implementation |
| Maintenance | Annual affirmations, monitoring, evidence refresh, POA&M management | Internal team, MSP/MSSP, virtual CISO | Budgeting only for Year 1 |
A few definitions, since these provider categories get used loosely. An RPO (Registered Provider Organization) is a Cyber AB–registered firm that provides CMMC consulting and readiness; note, readiness, not certification. An MSP (Managed Service Provider) runs your IT; an MSSP (Managed Security Service Provider) runs your security operations. DCMA DIBCAC is the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, the government body that conducts Level 3 assessments. Knowing which category owns which bucket is half the battle; the order you engage them in is the other half.
Which NIST SP 800-171 control families usually drive CMMC cost?
Level 2 maps to NIST SP 800-171 Rev. 2: 110 security requirements organized into 14 control families. Not all 14 cost the same to implement and prove. In our experience reviewing readiness work, a handful of families — audit logging, access control, identity, and system/communications protection — account for most of the remediation spend, because they usually require new tooling and architecture rather than just a written policy. The table below is our editorial cost-driver mapping, not a DoD cost allocation; DoD does not publish cost by family.
| NIST SP 800-171 Rev. 2 family | Typical cost-driver weight | Why |
|---|---|---|
| Access Control | High | Least-privilege, MFA, remote-access control, and CUI flow restrictions often force real change |
| Audit & Accountability | High | Centralized logging, retention, and log review usually mean new tooling and managed effort |
| Identification & Authentication | High | MFA everywhere and identity hygiene are common, expensive gaps |
| System & Communications Protection | High | Encryption, boundary protection, and FIPS-validated cryptography can drive cloud/architecture cost |
| Configuration Management | Medium | Baselines, change control, and inventory take process and tooling |
| System & Information Integrity | Medium | Endpoint protection, patching, and monitoring — moderate if you already run an MSP/MSSP |
| Incident Response | Medium | Plan, testing, and the existing DFARS 72-hour reporting workflow |
| Security Assessment | Medium | SSP and POA&M development and upkeep — heavy on labor, light on tooling |
| Maintenance | Lower–Medium | Controlled maintenance and tooling, depending on environment |
| Media Protection | Lower–Medium | Media marking, sanitization, and encryption of removable media |
| Awareness & Training | Lower | Mostly program and documentation effort |
| Personnel Security | Lower | Screening and access-on-departure processes |
| Physical Protection | Lower | Facility controls, often already in place |
| Risk Assessment | Lower–Medium | Periodic risk and vulnerability assessment cadence |
If your environment is light on logging, identity, and encryption today, expect those four high-weight families to dominate your remediation budget — which is exactly why the calculator weights environment and maturity so heavily.
Should you budget for an RPO, MSP/MSSP, CUI enclave, GRC tool, or C3PAO first?
The right first spend depends entirely on your stage. If your CUI scope is unclear, start with scoping. If your controls are weak, start with readiness and remediation. If CUI is spread everywhere, evaluate an enclave before buying tools. If your evidence is organized and your contract requires certification, compare C3PAOs — and never let the firm that prepared you also be the firm that assesses you.
Use this as a sequencing guide. Spending out of order is how budgets balloon.
| Your situation | First provider category | Why this order |
|---|---|---|
| You don't know where CUI actually lives | Scoping / readiness advisor | Cost can't be estimated until the boundary is defined |
| You handle CUI but controls are weak | RPO / MSP / MSSP / virtual CISO | You need implementation before an assessment is worth scheduling |
| CUI is spread across email, files, endpoints, SaaS | Enclave / secure-collaboration / architecture help | Shrinking scope can cut the whole budget |
| Your evidence is mostly organized and ready | C3PAO comparison | The certification assessment is now your bottleneck |
| You need ongoing evidence operations | GRC software + managed compliance | Maintenance is a Year-2-and-beyond reality, not a one-time buy |
| You're a Level 3 candidate | Specialized Level 3 / DIBCAC planning | Level 3 is a program-level path, not a standard SMB budget |
One rule overrides all of the above, and it's not optional. The firm that helps you get ready generally cannot be the firm that certifies you. CMMC's ecosystem rules, administered by the Cyber AB (the Cyber Accreditation Body, DoD's authorized accreditation body for the program) and set out in the C3PAO requirements of 32 CFR Part 170 (§ 170.9), require assessor independence. A C3PAO that consulted on your readiness has an organizational conflict of interest and generally can't perform your Level 2 certification assessment. Practically, that means budgeting for two relationships: a readiness partner to get you ready, and an independent assessor to certify you.
Where each branch of the table resolves:
- Weak controls or no SSP? Find readiness help before you schedule an assessment.
- CUI scattered across systems? Compare CUI enclave and managed-cloud options.
- Evidence organized and certification required? Check current C3PAO availability on the Cyber AB Marketplace, then compare scoped C3PAO options.
How much should a small business budget for CMMC Level 2?
A small business should treat DoD's ~$104,670 figure as the floor for proving compliance, then add the buckets DoD excludes: readiness, remediation, environment, evidence tooling, internal labor, and ongoing maintenance. The biggest swing factor is rarely employee count; it is how much of the business touches CUI and how mature your existing NIST SP 800-171 program is. Realistic Year-1 all-in budgets for small contractors commonly run from the high five figures into the low-to-mid six figures.
DoD's own data is built for small business, which is useful. Across the phase-in, its Regulatory Impact Analysis projects about 56,689 small-entity Level 2 certification assessments, and it cites a Federal Procurement Data System annual average of 30,145 unique small-business DoD contractors (FY2019–2022). This is your peer group. Here is how the budget tends to split by situation.
Narrow CUI enclave, organized evidence
Lower scope, fewer CUI users, a smaller remediation surface. You're closer to “just the assessment,” though you still need disciplined evidence and operations. This is the cheapest credible path to a Level 2 (C3PAO) status, and it's often reachable on purpose by containing CUI.
CUI spread across email, file shares, endpoints, and SaaS
Broad scope, higher architecture cost, a heavier evidence burden, and the highest risk of underbudgeting. This is where Year-1 numbers climb toward and past six figures, mostly from environment and remediation work — not the assessment.
No SSP or a low SPRS score
Remediation dominates. You need readiness and implementation before an assessment is even worth scheduling, and treating a C3PAO quote as your first budget number guarantees a painful surprise.
Near-ready for a certification assessment
The assessment cost finally becomes the main event. Evidence quality and assessor scheduling matter most here, and you're the rare contractor for whom DoD's $104,670 is close to your real number.
One more piece of context worth budgeting around: DoD's cost model assumes an experienced in-house IT specialist at about $86/hour and an external service provider or assessor at about $260/hour, and industry practitioners commonly put Level 2 preparation at six to twelve months. This calculator treats that as the default runway unless a scoped quote says otherwise. The longer your runway, the more of this you can do at sane rates instead of emergency ones.
How does a CUI enclave change CMMC cost?
A CUI enclave can lower cost when it genuinely narrows the systems, users, and workflows in scope — but it can raise cost when it adds duplicate operations or creates a false sense of scope reduction while CUI still moves elsewhere. The decision hinges on whether you can truly contain CUI to the enclave.
A CUI enclave is a separated, tightly controlled environment where you confine all CUI handling, so the rest of your business stays out of the assessment boundary. Done right, it is the most reliable way to cut Level 2 cost. Done wrong, it is a second environment you pay for and a scope problem you still have.
When an enclave lowers cost: a small number of CUI users, clear and containable workflows, and an existing enterprise environment that would be expensive to bring fully into scope. If you can route all CUI through the enclave and keep it there, you shrink everything downstream — remediation, evidence, and the assessment itself.
When an enclave raises cost: users still export, download, or email CUI outside the enclave; multiple programs need conflicting workflows; identity, device, and logging integration is poor; or you treat the enclave as a substitute for evidence discipline it doesn't actually provide. An enclave controls where CUI lives; it doesn't erase your obligation to prove control.
A quick enclave-fit check. An enclave is usually worth it when most of these are true: you have a small count of true CUI users; CUI touches a limited set of systems; external collaboration is predictable; users can realistically keep CUI inside the enclave; and your broader environment would otherwise be expensive to bring into scope. The more of those that are false, the more an enclave adds cost instead of cutting it.
Do you need a C3PAO, or can you self-assess?
Whether you can self-assess or must hire a C3PAO is set by your contract, not your preference. Level 1 is always self-assessed. Level 2 can be either self-assessed or third-party assessed, depending on the solicitation — and starting in Phase 2 (November 10, 2026), a Level 2 certification assessment by a C3PAO becomes a condition of award in applicable solicitations. Level 3 is assessed by the government.
This distinction drives a roughly threefold difference in assessment cost, so it's worth getting right. The rule never lets you choose the cheaper path on your own — the solicitation tells you which applies. (For the full breakdown of how the levels map to data types and requirements, see our CMMC levels guide.)
- Level 1 (self-assessment): Annual self-assessment, annual affirmation, results posted to SPRS. No POA&M is permitted at Level 1 — you either meet the 15 basic safeguards or you don't.
- Level 2 (self-assessment): A triennial self-assessment scored against the 110 requirements of NIST SP 800-171 Rev. 2, plus annual affirmations, posted to SPRS. Permitted only when the contract allows it.
- Level 2 (C3PAO): A triennial certification assessment by a Cyber AB–authorized or accredited C3PAO, with results submitted through the CMMC instance of eMASS (the government's compliance reporting system) and on to SPRS. A limited POA&M is allowed only under specific conditions and must be closed within 180 days; certain high-weight requirements can't be on a POA&M at all.
- Level 3 (DIBCAC): Conducted by the government, and only after you hold a Final Level 2 (C3PAO) status.
The timing matters for cash flow. Through most of 2026, many contracts still accept a Level 2 self-assessment under Phase 1. But the planning reality is fixed: a certification assessment takes months to prepare and schedule, and Phase 2's requirement lands in November 2026. If your work involves CUI, plan for the C3PAO path even if your current contract hasn't demanded it yet.
If your contract requires a certification assessment and your evidence is ready, compare scoped C3PAO options.
If you're certain you're FCI-only and self-assessing at Level 1, you likely don't need any of the heavier stack — start with the readiness checklist instead.
What about Level 1 and Level 3 costs?
Level 1 is the cheapest path — about $5,977 per year for FCI-only contractors, with no POA&M allowed. Level 3 is the most specialized and the most expensive: the government assessment itself is small (~$12,802 over three years, no C3PAO fee), but DoD's small-entity Level 3 model also budgets $2.7 million one-time plus $490,000 per year to implement the NIST SP 800-172 controls — and Level 3 requires a Final Level 2 (C3PAO) status first.
Level 1 exists for contractors who handle only FCI and no CUI. The budget is the annual self-assessment, reporting, and affirmation; DoD's small-entity figure is $5,977 per year. The one trap is misjudging scope: if any CUI is actually in your environment, you're not a Level 1 company, and budgeting as one will fail you at the worst possible moment. Confirm FCI-only status before you bank on the low number.
Level 3 is a different animal, and most readers of this page are not Level 3 candidates. The government (DCMA DIBCAC) conducts the assessment, so there is no C3PAO fee, and the assessment and affirmation run only ~$12,802 over three years. But unlike Levels 1 and 2, Level 3 adds a defined subset of NIST SP 800-172 enhanced controls that are not required under any prior rule, so DoD's model does include the implementation cost it omits elsewhere: $2.7 million in non-recurring engineering plus $490,000 a year in recurring engineering per small entity. Stack on the Level 2 (C3PAO) status you must hold first, and DoD's own small-entity Level 3 model runs to roughly $4.3 million over three years. If you're a Level 3 candidate, treat it as a program-level budget and validate the requirement directly against your contract.
The CMMC cost timeline: why the budget clock is already running
CMMC rolls out in four phases through 2028, and the deadlines are fixed in the DFARS final rule. Phase 1 began November 10, 2025. Phase 2 — a Level 2 certification assessment by a C3PAO as a condition of award in applicable contracts — begins November 10, 2026. Because Level 2 preparation typically takes six to twelve months, the budgeting and remediation window for many contractors is now, not later.
This is the one place scarcity is real rather than manufactured, because the dates come from federal regulation. The contracting rule (DFARS clause 252.204-7021, with the solicitation provision at 252.204-7025) took effect November 10, 2025 and set this schedule:
- Phase 1 — November 10, 2025 through November 9, 2026: Level 1 and Level 2 self-assessment requirements begin appearing as conditions of award in applicable solicitations, at DoD's discretion.
- Phase 2 — November 10, 2026: A Level 2 certification assessment by a C3PAO becomes a condition of award in applicable solicitations. This is the deadline most CUI contractors are budgeting toward.
- Phase 3 — November 10, 2027: Level 2 certification extends to option exercises, and Level 3 requirements begin appearing at award.
- Phase 4 — November 10, 2028: Full implementation — CMMC requirements apply across all applicable contracts and solicitations.
Two practical notes that affect timing and cost. First, many prime contractors are already requiring subcontractors to be Level 2–ready ahead of the formal schedule, so your effective deadline may be a prime's flowdown date, not DoD's. Second, the rule revised CMMC's cost estimates upward from the 2020 version after more than 750 public comments said the original numbers were too low. Even the official estimates already reflect the reality that contractors don't do this alone.
The cheapest version of this is the one you start early
If Phase 2 affects you, the cheapest version of this is the one you start early. Get matched with source-checked provider options and turn your runway into an advantage.
Get matched with source-checked provider options →
How we built this CMMC cost calculator
This calculator starts from official DoD assessment estimates, adds clearly labeled editorial planning bands for the real-world costs DoD excludes, and returns a range rather than a single number — because false precision would be dishonest where scope is the dominant variable. We separate what's official, what's our editorial estimate, and what only a scoped quote can settle.
What's official. The DoD anchors in the tool — $5,977 for Level 1, $37,196 for Level 2 self-assessment, $104,670 for a Level 2 certification assessment, and the Level 3 model ($12,802 assessment plus $2.7M non-recurring and $490K recurring engineering) — are taken directly from DoD's Initial Regulatory Flexibility Analysis for the CMMC rule (32 CFR Part 170, RIN 0790-AL49). The level structure, assessment types, affirmation cadence, SPRS and eMASS reporting, POA&M limits and the 180-day closeout, and the phase timing all come from 32 CFR Part 170 and the DFARS final rule.
What's editorial. The readiness, remediation, environment, evidence-tooling, annual-operations, and contingency bands are The Defense Compliance Report's own planning estimates, informed by publicly published provider pricing and our reporting. They are not DoD figures, and we re-verify them quarterly. The way your inputs scale those bands is summarized below.
| Calculator input | How it moves your cost | Status | What to verify |
|---|---|---|---|
| Level / assessment type | Sets the official anchor and the whole cost structure | Official | Your solicitation or contract |
| CUI / FCI users | Scales nearly every bucket; the strongest single lever | Editorial | Who actually touches CUI |
| CUI footprint / scope | Drives remediation and evidence breadth | Editorial | Where CUI flows and lives |
| Environment | Drives one-time architecture and enclave/cloud cost | Editorial | Whether your stack is assessment-ready |
| Readiness / SPRS maturity | Drives remediation; near-ready ≈ assessment-only | Editorial | Your real SSP and evidence quality |
| Timeline pressure | Adds a rush premium under tight runways | Editorial | Your true deadline (and any prime flowdown) |
What requires a quote. Named-provider pricing, your actual C3PAO fee, your specific cloud or enclave costs, your true remediation scope, your internal labor capacity, and whether any cost is allowable or reimbursable under your contract. The calculator estimates exposure; only a scoped engagement produces a binding number.
One accuracy note we won't skip: CMMC Level 2 currently maps to NIST SP 800-171 Rev. 2, not Rev. 3. NIST published Revision 3 in 2024, but the CMMC rule remains pinned to Rev. 2 unless and until DoD amends it through future rulemaking.
What we actually verified
We're a trade publication, not a vendor, so we'll tell you exactly what we checked and what we didn't.
Verified on June 3, 2026, against primary sources:
- The CMMC program rule (32 CFR Part 170) effective date — December 16, 2024 — and the DFARS final rule effective date — November 10, 2025.
- The four-phase rollout schedule, including Phase 2's November 10, 2026 Level 2 certification-assessment requirement.
- DoD's official small-entity cost estimates and their line-item composition, read directly from the Regulatory Impact Analysis (RIN 0790-AL49), including the $104,670 breakdown and the Level 3 engineering figures.
- DoD's stated exclusion of implementation and maintenance costs from the Level 1 and Level 2 estimates — and its inclusion of those costs for Level 3 — with the FAR 52.204-21 / DFARS 252.204-7012 basis.
- The Level 1 / Level 2 self / Level 2 (C3PAO) / Level 3 requirement structure and assessment types under 32 CFR Part 170.
- That CMMC Level 2 maps to NIST SP 800-171 Rev. 2, and the Rev. 2 vs. Rev. 3 distinction.
- The Cyber AB assessor-independence (conflict-of-interest) principle separating readiness from certification, and the 180-day POA&M closeout window.
What you still need to verify yourself:
- Your contract clause and the exact CMMC level and assessment type it requires.
- Your true CUI scope and current SPRS score.
- Any provider's current status on the Cyber AB Marketplace.
- Whether a readiness provider has a conflict that bars it from assessing you.
- Named-provider pricing and any compensation relationship.
- Whether a given cost is allowable or reimbursable under your contract — a question for qualified counsel or a contracts professional.
Primary sources
- CMMC Program rule, 32 CFR Part 170 — Federal Register, Oct 15, 2024
- CMMC Initial Regulatory Flexibility Analysis, RIN 0790-AL49 (cost figures, Table 1 and by-level breakdown) — regulations.gov PDF
- 32 CFR Part 170, current text — eCFR; Accreditation Body / independence — 32 CFR 170.8
- NIST SP 800-171 Rev. 2 and SP 800-172 (Level 3 enhanced requirements) — NIST CSRC
- DoD CIO — About CMMC; C3PAO and RPO status — Cyber AB Marketplace
CMMC cost calculator FAQ
Regulatory answers below are sourced to 32 CFR Part 170, the DFARS final rule, DoD's Regulatory Impact Analysis, and NIST CSRC — see Primary sources above.
How accurate is a CMMC cost calculator?
A CMMC cost calculator is reliable for budgeting, not for replacing a scoped quote. Its accuracy improves once you know your level, CUI scope, assessment type, environment, SPRS score, and timeline. Treat the output as a defensible range and confirm it with a provider once scope is defined.
How much does CMMC Level 2 cost?
DoD's official small-entity estimate is $37,196 over three years for a Level 2 self-assessment and $104,670 over three years for a Level 2 certification assessment by a C3PAO. For Levels 1 and 2 both figures exclude implementation, remediation, and maintenance. Realistic all-in Year-1 budgets for the certification path commonly run from the high five figures into the low-to-mid six figures.
How much does a C3PAO assessment cost?
Within DoD's $104,670 three-year figure, the accredited assessor's own engagement fee is about $31,234. The rest is your side of the table, including roughly $45,509 in your team's and your IT provider's labor to conduct the assessment, plus planning, reporting, and affirmations. Your actual C3PAO fee varies with scope, complexity, readiness, and scheduling.
Does DoD's official estimate include remediation?
For Levels 1 and 2, no — DoD's cost model excludes implementation, remediation, and maintenance because it assumes contractors already implemented NIST SP 800-171 Rev. 2 under DFARS 252.204-7012 by December 31, 2017. Level 3 is the exception: DoD's Level 3 model includes about $2.7M one-time plus $490K per year to implement the new NIST SP 800-172 controls.
Can I pass CMMC with a POA&M?
Not at Level 1, where POA&Ms aren't permitted. At Levels 2 and 3, a limited POA&M is allowed only if you meet a minimum assessment score, certain high-weight requirements aren't deferred, and open items are closed within 180 days. A conditional status is not a final status.
Do I need GCC High for CMMC?
Not automatically, but any cloud service handling covered defense information must be evaluated against DFARS and CMMC requirements, including FedRAMP Moderate equivalency where applicable. Environment is a major cost driver because the wrong architecture can expand scope and remediation cost.
Can a C3PAO help me fix gaps before assessing me?
Generally not for the same engagement. CMMC's ecosystem rules require assessor independence, so a firm that provided readiness or remediation typically can't perform your certification assessment. Plan for a separate readiness partner and independent assessor.
Is CMMC Level 2 based on NIST SP 800-171 Rev. 2 or Rev. 3?
Revision 2. CMMC Level 2 currently maps to NIST SP 800-171 Rev. 2 — 110 requirements across 14 families — even though NIST published Revision 3 in 2024. Budget and prepare against Rev. 2 until DoD amends the CMMC rule through future rulemaking.
How often do I reassess or affirm for CMMC?
Level 1 requires annual self-assessment and affirmation. Level 2, whether self-assessed or assessed by a C3PAO, runs on a three-year assessment cycle with annual affirmations. Level 3 uses a government DIBCAC assessment after a Final Level 2 (C3PAO) status.
Do subcontractors need CMMC?
Often yes. CMMC requirements flow down to subcontractors at all tiers that store, process, or transmit FCI or CUI in performance of the contract. A subcontractor's obligation depends on the data it handles, not on company size.
Will DoD reimburse CMMC costs?
Don't assume so. Whether a CMMC cost is allowable, allocable, or reimbursable under your contract is a question for qualified counsel or a contracts professional. A calculator estimates budget exposure, not reimbursement.
You came for a number. Now turn it into a plan.
You now have a defensible range, the buckets behind it, and the order to spend in. Tell us your level, scope, and timeline, and we'll match you with source-checked provider options that fit your stage — readiness first, assessment when you're ready. No CUI, contract numbers, or system details.
Get matched with source-checked provider options →
Or: work the CMMC readiness checklist at your own pace first.
Keep going
- CMMC Level 2 cost guide (2026): DoD vs. real market
- CMMC Level 1 cost: what FCI-only contractors actually pay
- CMMC certification cost overview
- CMMC Level 1 vs Level 2 vs Level 3: which applies to you
- CMMC self-assessment vs C3PAO assessment
- CUI enclave vs full-company scope
- Compare C3PAOs for a Level 2 certification assessment
- FCI vs CUI: which applies to your contracts
- How to submit a CMMC self-assessment in SPRS
- CMMC readiness assessment services
- CMMC readiness checklist
- CMMC implementation phases and timeline
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, SPRS, eMASS, or any U.S. government agency. This page is an educational budgeting resource and is not legal, contractual, compliance, or certification advice. We label DoD figures as government estimates and market ranges as editorial planning estimates — neither is a quote for your specific environment. Read our editorial standards and corrections policy.
Last verified: June 3, 2026. Next scheduled review: September 2026, or sooner if DoD, NIST, Cyber AB, or DFARS implementation guidance changes.