CMMC Cost for Small Business: The Real Numbers by Level (2026)
Educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
CMMC cost for small business runs from a $5,977 Level 1 self-assessment and affirmation — plus about $560 a year to reaffirm — up to $104,670 over three years for a Level 2 third-party (C3PAO) certification. Those are the Department of Defense’s own small-entity estimates, straight from the rule. But here’s the part that ambushes most owners: those numbers only cover proving you’re compliant. They don’t cover getting compliant.
If you’ve been maintaining NIST SP 800-171 since it was first required (December 31, 2017), the DoD figure is close to your real number. If you’re a typical small shop running normal business IT — Microsoft 365 Commercial, file shares, email, maybe CAD — your real number is higher, sometimes significantly so. This page separates those two situations, sources every figure to the rule, and gives you a budgeting framework you can take into a vendor conversation.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Who this page is for: small defense contractors and subcontractors — machine shops, fabricators, manufacturers, SBIR/STTR firms, engineering shops, IT and software vendors — trying to build a realistic CMMC budget before requesting a single quote.
Who it’s not for: anyone who needs a named-provider ranking, a certification guarantee, or legal interpretation of a specific contract. The contract clause and your CUI handling set your requirement, not a checklist or a website.
CMMC cost for small business, at a glance
Here’s the verdict before you scroll. The table below is the spine of this page: the official DoD small-entity estimate for each path, what that figure quietly excludes, and the realistic all-in range a small business actually budgets.
The DCR Small-Business CMMC Cost Reality Matrix
| Your path | Official DoD small-entity estimate | What that estimate covers | What it leaves out | Realistic all-in, starting from normal small-business IT (market snapshot) | Realistic all-in, mature NIST 800-171 program (market snapshot) |
|---|---|---|---|---|---|
| Level 1 (Self) — FCI only | $5,977 self-assessment + affirmation; ~$560 annual reaffirmation | Conducting the annual self-assessment; posting to SPRS; affirming | Implementing the 15 FAR 52.204-21 safeguards | ~$5,000–$15,000 total | Often under $10,000 |
| Level 2 (Self) — CUI, contract allows self-assessment | $37,196 over three years (triennial assessment + two annual affirmations) | Planning and running the self-assessment; reporting; affirmations | Implementing the 110 NIST SP 800-171 Rev. 2 controls; tools; enclave; documentation; remediation | ~$37,000–$80,000 | ~$37,000–$60,000 |
| Level 2 (C3PAO) — CUI, contract requires third-party | $104,670 over three years (assessment + cert + two annual affirmations) | Preparing for and conducting the C3PAO assessment; reporting; affirmations | The enclave, tools, and remediation are not in this number | ~$100,000–$300,000+ over 3 yrs | ~$90,000–$150,000 over 3 yrs |
| Level 3 (DIBCAC) — high-value CUI, government-led | $2.7M nonrecurring + $490K recurring engineering per small entity, plus $12,802 assessment/affirmation over 3 yrs — on top of a Level 2 (C3PAO) status | NIST SP 800-172 enhanced engineering + DIBCAC assessment | — | Specialist-scoped before budgeting | Specialist-scoped |
Source class: DoD dollar figures from the CMMC Final Rule’s Regulatory Impact Analysis (32 CFR Part 170; Federal Register, Oct. 15, 2024). Level 1 is an annual self-assessment figure, not three-year. Level 2 and Level 3 figures are three-year. All-in ranges are from our market snapshot below — planning bands, not quotes. How we built this matrix: official DoD estimates from 32 CFR Part 170, layered with a June 2026 public market-cost snapshot, normalized by DCR across level, assessment type, CUI boundary, and provider category.
The 10-second version
- No CUI — just FCI? You’re almost certainly Level 1. Budget low-five-figures and stop reading vendor pages that quote $100,000.
- You handle CUI, and your contract allows self-assessment? Budget for Level 2 implementation plus the SPRS posting and affirmation — but don’t assume you need a C3PAO.
- You handle CUI, and your contract requires a C3PAO? Budget readiness first, assessment second. The assessment is the smaller line item.
- Someone said “Level 3”? Verify the contract actually requires it before you spend a dollar. Level 3 carries new engineering costs in the millions for a small entity, and it sits on top of Level 2.
Estimate your CMMC cost path
A table gives you the ranges. To get your range — based on your company size, FCI vs. CUI, current security maturity, and contract requirements — use our Find My CMMC Path tool. It returns a likely cost band for your profile, with the DoD baseline shown separately so you can see the gap between the official number and your real budget.
Find My CMMC Path →
Educational estimate, not a quote. Your level and assessment type are set by your contract clause and CUI handling. Do not enter CUI, controlled drawings, or sensitive contract details.
How this page was built (what we actually verified)
We don’t expect you to take a cost number on faith. Here’s our work, on the table.
| Claim | Primary source | What we checked |
|---|---|---|
| The three CMMC levels, assessment types, and small-entity cost estimates | CMMC Final Rule, 32 CFR Part 170 (Federal Register, Oct. 15, 2024) | We read the rule and its cost analysis. Level 1 small-entity: $5,977 self-assessment/affirmation, ~$560 annual reaffirmation. Level 2 self: $37,196 over three years. Level 2 C3PAO: $104,670 over three years. Level 3: $2.7M nonrecurring + $490K recurring engineering per small entity, plus $12,802 assessment/affirmation over 3 yrs. |
| Why the Level 1 and 2 estimates exclude implementation | 32 CFR Part 170 Regulatory Impact Analysis | DoD states it did not include the cost of implementing the security requirements, because that was already required by FAR 52.204-21 and DFARS 252.204-7012 (by Dec. 31, 2017). Level 3's new engineering is counted, because those requirements are new. |
| How many small businesses face the expensive path | 32 CFR Part 170 (Federal Register) | DoD estimates about 8,350 medium and large entities will face the Level 2 (C3PAO) requirement as a condition of award, out of more than 200,000 companies in the DIB — most of the base sits at Level 1 or Level 2 self-assessment. |
| Phase timing | CMMC Final Rule, 32 CFR 170.3; DoD CIO CMMC page | Phase 1 began November 10, 2025 and runs through November 9, 2026; Phase 2 begins November 10, 2026, adding the Level 2 (C3PAO) requirement as a condition of award. |
| The contract clause that sets your requirement | DFARS 252.204-7021; provision DFARS 252.204-7025 | The solicitation provision specifies the required level and assessment type; the clause requires you to hold and flow down that status. |
| Requirement counts | FAR 52.204-21; NIST SP 800-171 Rev. 2; NIST SP 800-172 | Level 1 = 15 requirements; Level 2 = 110 requirements across 14 families and 320 assessment objectives; Level 3 = Level 2 plus a selected subset of NIST SP 800-172 (134 total). |
What we could not verify for you: your required level and assessment type. Those live in your specific contract clause and your CUI handling. Confirm them with a CMMC Registered Practitioner (RP) or RPO, or a qualified federal-contracts attorney before you commit budget.
Why are DoD’s official CMMC cost estimates lower than the quotes small businesses get?
The DoD’s small-entity estimates cover assessment, certification, and affirmation only — not the work of becoming assessable. For Level 2, the Final Rule explicitly assumes you already implemented the 110 NIST SP 800-171 Rev. 2 controls, because that’s been a contractual obligation since December 31, 2017. If you haven’t, the gap between where you are and where you need to be is where your real cost lives — and it’s usually larger than the assessment itself. (32 CFR Part 170 Regulatory Impact Analysis.)
The six-figure ceiling applies to only one kind of reader. If you handle only FCI, you’re Level 1 and nowhere near six figures. If you handle CUI but you’ve already done the security work, your remediation bill is small. The scary $200,000–$300,000 figures describe an unprepared Level 2 shop with CUI sprayed across its whole network — not every small business, and possibly not you.
To see why the estimate and the invoice diverge: in the rule, DoD considered four cost categories — nonrecurring engineering, recurring engineering, assessment, and affirmation. For Levels 1 and 2, it counted only assessment and affirmation, deliberately leaving engineering out on the stated logic that those costs “should already have been incurred.” For Level 3, DoD did add engineering costs, because those enhanced requirements are genuinely new.
Official estimate vs. what shows up in a real quote
| Cost category | In the DoD Level 1–2 estimate? | In a real vendor quote? | Why it matters to a small business |
|---|---|---|---|
| Assessment / affirmation labor | Yes | Yes | This is the official anchor — the test fee. |
| Implementing the missing controls | No (assumed already done) | Yes | This is where most sticker shock comes from. |
| SSP and documentation cleanup | Partly | Yes | Thin documentation slows readiness and the assessment itself. |
| Tools and licensing (MFA, EDR, SIEM, logging) | No | Yes | Often a recurring annual cost, not one-time. |
| Managed security / SOC monitoring | No | Yes | Frequently monthly — small teams rarely run this alone. |
| CUI environment (enclave, GCC High, GovCloud) | No | Often | Can be the single biggest line if CUI isn't contained. |
| Internal labor (owner, IT, ops time) | Estimated in DoD's burden model | Usually ignored by buyers | Real cost, even when no invoice exists. |
| C3PAO assessment fee | Yes (for the C3PAO path) | Yes, varies by scope | Only enters once you're assessment-ready. |
A real look at the market: the DCR Market Cost Snapshot
DoD’s figures are the regulatory floor. The numbers below are what the open market charges to get you ready for the assessment DoD priced — the readiness, tooling, environment, and operations work the rule leaves out. These are aggregated public figures, not quotes, and they move; we re-verify them quarterly.
DCR Market Cost Snapshot
| Cost line | Market range (industry-reported) | One-time or recurring | What it includes | Vs. the DoD estimate |
|---|---|---|---|---|
| Gap / readiness assessment | ~$3,500–$20,000+ | One-time | Measuring your current state against the applicable level | Excluded from the DoD figure |
| Control remediation / implementation | ~$20,000–$150,000+ | One-time (with recurring tails) | Closing the gaps — identity, EDR, logging, configuration | Excluded; often the single largest line item |
| Documentation (SSP/POA&M) | ~$10,000–$60,000 | One-time, updated ongoing | System Security Plan, policies, evidence framework | Excluded |
| CUI enclave (managed) | ~$300–$400 per user/month | Recurring | A contained environment for CUI users | Excluded |
| Microsoft 365 GCC High licensing | ~$24–$57 per user/month | Recurring | Government-cloud licensing, before engineering | Excluded |
| C3PAO assessment fee (Level 2) | ~$30,000–$75,000 | Per 3-yr cycle | The third-party assessment itself | This is the DoD C3PAO line |
| Ongoing monitoring / maintenance | ~20–30% of initial cost per year | Recurring | SOC/MSSP, evidence upkeep, training, updates | Partly captured; mostly additional |
Sources include published 2026 cost reporting from CMMC-focused MSPs, enclave providers, and assessment-ecosystem analyses, cross-referenced against our own CMMC enclave cost and CMMC Level 2 cost analyses. These are planning bands; your quote will depend on scope, maturity, and architecture.
The headline this table delivers: across the market, the assessment fee is typically only about a quarter of total Level 2 cost. The other three-quarters is everything DoD assumed you’d already done.
Do small businesses (and subcontractors) even have to do CMMC?
There is no small-business exemption in the CMMC rule. If your contract requires a CMMC level and your information systems will process, store, or transmit FCI or CUI, the requirement applies regardless of headcount. But you’re only pulled into scope when your systems actually process, store, or transmit that information — and by DoD’s own analysis, only about 8,350 medium and large entities face the Level 2 (C3PAO) requirement, out of more than 200,000 companies in the defense industrial base. (32 CFR Part 170; DFARS 252.204-7021; 32 CFR 170.23.)
Is there a small-business exemption? No.
During rulemaking, commenters asked DoD to exempt small entities — and specifically to exempt second-tier small-business suppliers from Level 2. DoD declined; the Final Rule includes no such exemption. (Federal Register, 32 CFR Part 170; DFARS rulemaking comment responses, 2025.) Size doesn’t change whether CMMC applies. It only changes the cost — and, as you’ll see, your scope decisions change that a great deal.
Subcontractor flow-down: when you’re in scope, and when you’re not
Primes must flow CMMC requirements down to subcontractors at all tiers whose systems will process, store, or transmit FCI or CUI in performance of the subcontract (DFARS 252.204-7021; 32 CFR 170.23). The nuance: if your systems will not process, store, or transmit FCI or CUI, the CMMC requirement should not be flowed down for that system. If controlled information never touches your environment, you may not carry a CMMC requirement at all — but confirm the flow-down in writing with your prime, because primes are increasingly declining to work with subs who can’t show a current status in SPRS. See our guide on SPRS scores for more context.
FCI vs. CUI — the single biggest fork in your budget
FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract — and handling only FCI maps to Level 1 (15 safeguards, annual self-assessment, low-five-figures). (FAR 52.204-21.)
CUI (Controlled Unclassified Information) is government information that must be protected by law or policy — think export-controlled technical data, engineering drawings, certain specifications — and handling CUI maps to at least Level 2 (110 controls, six figures). The solicitation and contract decide whether that Level 2 is self-assessed or C3PAO-assessed. (32 CFR Part 2002; 32 CFR 170.)
The most expensive mistake we see small shops make is treating an FCI-only business as Level 2 out of fear. Before you spend, get a straight answer on whether actual CUI touches your systems. If it doesn’t, your budget just moved from a six-figure Level 2 path to a five-figure Level 1 path. See our CMMC scoping guide for a structured approach.
Which CMMC level and assessment type changes your cost the most?
The biggest cost driver isn’t small business versus large business — it’s which path your contract requires. The level is set by the data you handle (FCI vs. CUI); the assessment type is set by the contract clause. Together they decide your cost, timeline, and which provider category you engage. (32 CFR Part 170; DFARS 252.204-7025.)
CMMC paths compared
| Path | Information type | Security requirements | Assessment | Where results post | Renewal | Relative cost |
|---|---|---|---|---|---|---|
| Level 1 | FCI | 15 FAR 52.204-21 safeguards | Annual self-assessment | SPRS (binary Yes/No) | Annual affirmation | Lowest |
| Level 2 (Self) | CUI | 110 NIST SP 800-171 Rev. 2 requirements | Triennial self-assessment, when the contract allows | SPRS (score, –203 to 110) | Annual affirmation | Moderate–high |
| Level 2 (C3PAO) | CUI | 110 NIST SP 800-171 Rev. 2 requirements | Third-party C3PAO assessment | CMMC eMASS / SPRS | Annual affirmation; 3-yr cycle | High |
| Level 3 | Highest-sensitivity CUI | Level 2 + selected NIST SP 800-172 requirements (134 total) | DCMA DIBCAC (government) assessment | CMMC eMASS / SPRS | Annual affirmation; 3-yr cycle | Highest |
Level 2 is scored. Your SPRS score ranges from –203 to 110. To earn a conditional status, you generally need at least 88 of 110 (80%), with remaining gaps tracked on a POA&M (Plan of Action and Milestones). (32 CFR 170.21.) See our guide on how to improve your SPRS score.
A POA&M has a clock. Conditional status expires if open items aren’t closed within 180 days. Certain high-value controls can’t sit on a POA&M at all, and Level 1 allows no POA&M — every requirement must be met at assessment time. (32 CFR 170.21.)
A Level 2 assessment is per information system. The rule requires an assessment for each in-scope information system that processes, stores, or transmits CUI. Two enclaves can mean two assessments — which is exactly why scope is your biggest lever. (32 CFR Part 170.)
The contract clause sets your level — not a checklist
The requirement comes from your solicitation and contract, through provision DFARS 252.204-7025 and clause DFARS 252.204-7021 — not from a generic online checklist and not from what a vendor tells you. Read the solicitation for the 7025 provision before you price anything. CMMC requirements began phasing into solicitations on November 10, 2025, with the C3PAO requirement arriving in Phase 2 on November 10, 2026. (32 CFR 170.3.)
What’s the realistic CMMC cost by small-business profile?
A two-person SBIR firm, a 20-person machine shop, and a 75-person manufacturer can all be “small businesses” and still face wildly different CMMC costs. The real number follows where FCI/CUI lives, how many systems and users touch it, and whether the contract requires self-assessment or a C3PAO — not headcount alone.
| Profile | Likely CUI users | Where cost concentrates | Best cost-reduction move | Provider category to engage first |
|---|---|---|---|---|
| 2–5 person SBIR/STTR firm, limited CUI | 1–3 | Avoid overbuilding; keep the CUI workflow tiny | Contain CUI to a minimal set of users and tools | RP/RPO advisor, or a CUI enclave-first approach |
| 10–25 person machine/job shop, occasional CUI drawings | 2–8 | Email, file shares, workstations, CAD, documentation gaps | Map where CUI actually flows before buying anything | RP/RPO + a manufacturing-aware MSP/MSSP |
| 25–50 person engineering or IT services firm | 5–20 | CUI spread across Microsoft 365, endpoints, collaboration tools | Segment CUI users and systems first; license last | RP/RPO + MSSP + possibly a GRC platform |
| 50–100 person manufacturer or prime-facing sub | 10–40 | Production, quality, and supplier workflows embedded with CUI | Keep CUI out of departments that don't need it | Manufacturing-aware RP/RPO + MSSP, C3PAO later |
| Small prime managing its own subs | Varies | Flow-down management and supplier evidence | Build a clean CUI boundary and a flow-down process | RP/RPO + a GRC/evidence workflow |
The lesson under every row is the same: your cost is a function of scope and maturity, not size. A disciplined 50-person shop with a tight enclave can pay less than a sloppy 15-person shop with CUI everywhere.
What costs do most CMMC quotes leave out?
Small businesses routinely compare CMMC quotes wrong, because one quote includes readiness, tools, and monitoring while another includes only an assessment or a documentation package. A useful quote separates scoping, remediation, security operations, evidence, and formal assessment as distinct line items.
The DCR Quote Normalization Grid
Use this to put any two quotes side by side and see what each one is — and isn’t — covering.
| Cost line | One-time or recurring | Who usually owns it | The question to ask a bidder | Red flag |
|---|---|---|---|---|
| CUI scoping & data-flow mapping | One-time | RP/RPO or you | "Is scoping included, or assumed done?" | No scope assumptions stated |
| Gap assessment | One-time | RP/RPO | "Do I get an SPRS-style score and a gap list?" | "We'll tell you after you sign" |
| SSP & POA&M documentation | One-time, updated ongoing | RP/RPO or GRC | "Do you write the SSP, or hand me a template?" | Templates billed as "done for you" |
| Technical remediation | One-time + tails | MSP/MSSP or you | "Which of the 110 controls does this close?" | Tools excluded but "compliance" implied |
| CUI environment / enclave | Recurring | MSP/MSSP/enclave | "Is licensing in this number or extra?" | GCC High assumed without scoping |
| Managed security / monitoring | Recurring | MSSP | "Is ongoing monitoring in scope or year one only?" | Year-one-only pricing on a 3-yr need |
| C3PAO assessment | Per 3-yr cycle | C3PAO (only) | "Is the assessor separate from my readiness team?" | A C3PAO that also "gets you compliant" |
| Internal labor | Ongoing | You | "How many of my staff-hours does this assume?" | Owner/admin time treated as free |
Before your next vendor call, copy this grid, drop your contract’s level and assessment type at the top, and make every bidder fill in the columns. It’s the fastest way to turn three confusing quotes into one honest comparison.
Can a small business reduce CMMC cost without weakening compliance?
Yes — but only by reducing legitimate scope, not by ignoring requirements. The cleanest savings come from limiting where CUI is processed, stored, or transmitted, then building the compliant boundary around that smaller environment. Across market reporting, a well-designed CUI enclave can cut remediation cost by roughly 40–60% by shrinking everything the 110 controls have to touch. (Scope authority: 32 CFR 170.19.)
The five real levers — with the traps next to them
| Lever | What it means | Why it lowers cost | What not to do |
|---|---|---|---|
| CUI flow-down review | Confirm whether CUI actually reaches your systems | Avoids assuming Level 2 when you may be Level 1 | Don't ignore CUI that is present |
| CUI data-flow mapping | Trace where CUI enters, lives, moves, exits | Prevents accidental whole-company scope | Don't map from memory — verify the systems |
| User reduction | Limit who can access CUI | Lowers licensing, training, endpoint, and evidence burden | Don't block people who operationally need access |
| Enclave strategy | Keep CUI in a controlled environment | Certifies a small boundary instead of your whole network | Don't assume an enclave erases every responsibility |
| Quote discipline | Compare scope, deliverables, and assumptions | Stops apples-to-oranges decisions | Don't pick the cheapest bid if it excludes required work |
One caution on the regulation: certification doesn’t simply “transfer” between environments. Each in-scope environment is assessed against the applicable scope, and encrypting CUI does not by itself remove it from scope. Scope reduction is a design discipline, not a loophole. (32 CFR Part 170.)
Do small businesses need GCC High, AWS GovCloud, or a CUI enclave?
Not automatically. Whether you need Microsoft 365 GCC High, AWS GovCloud, or a dedicated CUI enclave depends on where CUI lives, what cloud services process or store it, the contract requirements, and whether you’re trying to shrink the assessed boundary. Many small businesses with narrow CUI use can certify a small enclave instead of rebuilding their whole environment.
| Environment | Best fit | Cost implication | The question that decides it |
|---|---|---|---|
| Existing commercial environment, no CUI | FCI-only or non-CUI work | Lowest | Are we certain no CUI is processed, stored, or transmitted here? |
| Hardened existing environment | Limited CUI, mature IT, strong documentation | Moderate–high | Can we meet every applicable requirement without overhauling the whole company? |
| CUI enclave | Narrow CUI use, few users | Often the lowest-scope path | Can all CUI work realistically stay inside the enclave? |
| GCC High / GovCloud architecture | Broader CUI workflows or specific contract/customer mandates | Higher recurring cost | Is this required by scope, customer, or architecture — or are we buying it on reflex? |
| Outsourced secure collaboration | Very small teams exchanging limited CUI | Efficient if correctly scoped | What responsibilities remain ours after we outsource? |
A quick reality check: managed enclaves commonly run $300–$400 per user per month, and GCC High licensing alone runs roughly $24–$57 per user per month before any engineering (market snapshot, June 2026). The single factor that moves this line the most is how many people actually touch CUI. For the full breakdown, see our CMMC enclave cost analysis.
RPO, MSSP, GRC, enclave, or C3PAO — which do you engage first?
Most small businesses should not start by hiring a C3PAO. Readiness, implementation, managed security, evidence management, and formal certification are different jobs done by different providers — and under the Cyber AB CMMC Assessment Process, a C3PAO that has provided advice or recommendations to improve your readiness can be conflicted from then conducting that same assessment. Engage readiness first; bring in the assessor only when you’re ready to be assessed.
| Provider category | What they do | When to engage | What to verify before hiring |
|---|---|---|---|
| RPO / RP (Registered Provider Organization / Registered Practitioner) | Readiness, scoping, SSP/POA&M, interpretation | Early | Registered status, sector experience, and that they make no certification guarantee |
| MSP / MSSP (Managed [Security] Service Provider) | Implementation, monitoring, endpoint and security operations | Early to mid | CMMC-specific experience, a clear shared-responsibility split, evidence support |
| GRC platform (Governance, Risk, Compliance software) | Evidence workflows, control mapping, POA&M tracking | Mid-stage and ongoing | That it maps to NIST SP 800-171 Rev. 2 for CMMC and produces usable evidence |
| CUI enclave provider | Scope reduction, secure CUI collaboration | Early, if CUI can be contained | The boundary, the user workflow, and which responsibilities remain yours |
| C3PAO (Certified Third-Party Assessment Organization) | The formal Level 2 certification assessment | Only when assessment-ready | Authorized/accredited status in the Cyber AB Marketplace; independence boundaries |
| Federal-contracts attorney | Contract interpretation, flow-down disputes, allowable-cost questions | When the question is legal | GovCon experience and CMMC/DFARS familiarity |
The independence boundary, and why the government won’t pick your assessor
Independence is structural: under the Cyber AB CMMC Assessment Process, if a C3PAO or its assessment team has provided advice, implementation help, or recommendations to improve your preparedness, that can conflict the firm from conducting your certification assessment. Readiness and assessment are meant to stay separate, and blurring them can jeopardize the assessment’s validity. (Cyber AB CMMC Assessment Process; 32 CFR 170.9.)
No one brokers your assessor for you — the Cyber AB, CAICO, and DoD don’t recommend specific C3PAOs or facilitate introductions; your assessment is a private agreement between your company and the C3PAO. That’s exactly why a neutral way to identify the category you need — before you start cold-calling — is worth having.
For a deeper walk through the certification path itself, see our CMMC certification process guide; for the full control set behind Level 2, see CMMC Level 2 requirements; and if you’re weighing specific provider categories for a small shop, our CMMC providers for small business breakdown goes deeper.
When does the C3PAO assessment cost enter the budget — and what’s a fair quote?
The C3PAO assessment cost belongs near the end of a Level 2 project, not the beginning. It enters once your contract requires certification and you’re actually ready to be assessed. If you’re still missing controls, evidence, documentation, or scope clarity, a C3PAO quote isn’t your project cost — it’s the final exam fee. In the current market, the C3PAO assessment fee alone runs roughly $30,000–$75,000 and typically represents only about a quarter of total compliance cost.
The correct sequence, so you don’t pay for a failed assessment:
- Confirm your contract level and assessment type (DFARS 252.204-7025/-7021).
- Confirm FCI/CUI scope and map your data flows.
- Complete readiness and remediation against the 110 controls.
- Build your SSP, evidence, and POA&M strategy.
- Select an authorized/accredited C3PAO from the Cyber AB Marketplace — only when you’re assessment-ready.
- Complete the assessment.
- Maintain annual affirmations and continuous evidence.
The small-business C3PAO quote checklist
Before you compare bids, make every assessor put these on paper:
| Quote line | Must be explicit? |
|---|---|
| Assessment scope assumptions (systems, sites, users) | Yes |
| Travel cost handling | Yes |
| Assessment team roles (Lead CCA + additional assessors) | Yes |
| Evidence submission process | Yes |
| POA&M closeout handling (and the 180-day clock) | Yes |
| Timeline and dependencies | Yes |
| A clear statement that certification is not guaranteed | Yes |
Quote red flags — walk away or ask hard questions:
- “Guaranteed certification.” No legitimate provider guarantees an assessment outcome — the Cyber AB CMMC Assessment Process prohibits C3PAOs from promising results.
- No scope assumptions, or no stated contract level.
- No separation between readiness and assessment (an independence problem).
- A sales form that asks you to upload CUI.
- Tools and licensing excluded, but “full compliance” implied.
- A C3PAO assessment scheduled before readiness is complete.
- Pricing or scoping built on NIST SP 800-171 Revision 3 as if it were the current CMMC Level 2 standard — for CMMC purposes, Level 2 currently maps to Rev. 2 unless and until DoD amends the rule.
What does CMMC cost every year after you certify?
CMMC is not a one-time purchase. Every level requires an annual affirmation to keep your status current. Level 1 requires an annual self-assessment and affirmation, with DoD estimating about $560 for the annual reaffirmation. Level 2 adds an annual affirmation (about $1,459 a year in DoD’s small-entity C3PAO figure) plus a triennial reassessment (market-reported at roughly $15,000–$50,000+) and continuous monitoring that many shops budget at 20–30% of the initial cost per year. You also must retain assessment records for six years. (32 CFR 170.15–170.16; DFARS 252.204-7021.)
| Recurring item | Why it persists |
|---|---|
| Annual affirmation | Required to maintain a current CMMC status |
| Monitoring and logging | Controls have to keep operating, not just exist on assessment day |
| Vulnerability management | Evidence must stay current between assessments |
| Policy and training updates | People-and-process controls drift as staff and systems change |
| GRC / evidence maintenance | Your next assessment depends on continuous evidence |
| MSSP / MSP support | Small teams rarely operate security controls alone |
| Triennial reassessment (Level 2 C3PAO) | The certification cycle resets every three years |
Under DFARS 252.204-7021, your CMMC status is only “current” if it satisfies the applicable timing and affirmation conditions and nothing has changed that would affect compliance. A new system, a new CUI flow, or a lapsed affirmation can quietly break “current.” See our guide on the CMMC certification process for the full ongoing obligations.
Is CMMC worth it for a small business — and what if you can’t afford Level 2?
For a small business, CMMC is a margin-and-strategy decision, not just a compliance one. The honest test compares your expected defense gross margin and strategic value against first-cycle cost, annual run-rate, internal labor, and opportunity cost. If Level 2 genuinely doesn’t pencil out, the answer isn’t to fake it — it’s to clarify CUI flow-down, reduce scope, pursue FCI-only work, team with a compliant partner, or step back from the opportunity.
The pencil-out test
CMMC business case = expected contract gross margin + strategic future value − first-cycle CMMC cost − annual run-rate − internal labor burden − opportunity cost.
| Your situation | Likely call |
|---|---|
| DoD work is tiny with no pipeline | Weigh whether FCI-only or non-CUI work is the rational lane |
| DoD work is 15–25% of revenue with growth potential | Scope aggressively, then decide |
| DoD work is core to the business | Treat CMMC as strategic infrastructure, and start now |
| A prime flowed down Level 2 but CUI is unclear | Get written clarification before spending heavily |
| Level 2 C3PAO is required and the contract value is low | Model whether certification cost exceeds margin |
If Level 2 is genuinely out of reach
| Option | When it fits | The risk |
|---|---|---|
| Ask the prime/customer to clarify CUI | Flow-down language is vague | You can't ignore CUI that's actually present |
| Limit CUI scope | CUI can be contained operationally | Requires discipline and documentation |
| Use a CUI enclave | Few users need CUI | Doesn't erase every responsibility |
| Pursue FCI-only work | The contracting path allows it | May narrow your opportunity set |
| Team or subcontract differently | A partner can hold the CUI scope | Needs contract and legal review |
| Exit the opportunity | CMMC cost exceeds margin | Lost revenue, but no bad-compliance exposure |
What timeline should a small business budget?
Budget time, not just dollars. Level 1 can be quick — often 1–3 months if your basic safeguards are close. Level 2 readiness usually takes months because scoping, remediation, documentation, evidence, and assessment scheduling happen in sequence, not in parallel. Market reporting puts most focused Level 2 efforts at 12–18 months.
| Path | Practical planning timeline |
|---|---|
| Level 1 self-assessment | 1–3 months if basic safeguards are close |
| Level 2 self-assessment, narrow scope | 3–9 months depending on gaps |
| Level 2 C3PAO, narrow controlled scope | 6–12+ months |
| Level 2 C3PAO, broad environment | 9–18+ months |
| Level 3 | Contract-specific; scope with a specialist |
The calendar is doing some of the deciding for you. With Phase 2 — and the C3PAO requirement as a condition of award — arriving November 10, 2026, assessor availability tightens as that date approaches. There is a finite pool of authorized C3PAOs and a large field of contractors heading for the same slots. (32 CFR 170.3.) A rushed sub-six-month Level 2 C3PAO project is high-risk unless your scope is narrow, your SSP is mature, your evidence is ready, and remediation is already substantially complete.
Frequently asked questions
How much does CMMC cost for a 10-person small business?
It depends almost entirely on whether you handle only FCI or also CUI. FCI-only, you're Level 1 — typically $5,000–$15,000 all-in. If CUI is in scope, the driver isn't your headcount; it's where CUI flows across email, file storage, endpoints, cloud, and subcontractor workflows, which pushes you toward a Level 2 budget. (32 CFR Part 170.)
What's the cheapest legal way to do CMMC?
Confirm the correct level (many small shops are Level 1, not Level 2), avoid unnecessary CUI scope, keep CUI inside the smallest workable environment, and don't buy tools before you've scoped. The cheapest unsafe path — under-scoping CUI or treating Level 2 as a paperwork exercise — is the one that fails an assessment or triggers False Claims Act exposure. (32 CFR 170.19.)
Is CMMC Level 1 only a self-assessment?
Yes. Level 1 is an annual self-assessment against the 15 FAR 52.204-21 safeguarding requirements for FCI, posted to SPRS with an executive affirmation. No third party is required, and no POA&M is allowed. (32 CFR 170.15; FAR 52.204-21.)
Does CMMC Level 2 always require a C3PAO?
No. Level 2 can be either self-assessed or C3PAO-assessed, depending on what the solicitation and contract require. The assessment type changes your cost, evidence expectations, timing, and provider sequence — so confirm it before budgeting. (32 CFR 170.16; DFARS 252.204-7025.)
Is the $104,670 Level 2 figure a provider quote?
No. It's DoD's official small-entity estimate for a Level 2 C3PAO assessment and affirmations over three years — not a quote for full implementation. The rule's cost analysis assumes the 110 NIST SP 800-171 Rev. 2 requirements are already implemented. (32 CFR Part 170, Regulatory Impact Analysis.)
How much does CMMC Level 3 cost a small business?
Level 3 is a different magnitude. DoD estimates new engineering costs of about $2.7 million nonrecurring and $490,000 recurring per small entity to meet the NIST SP 800-172 requirements, plus about $12,802 for the assessment and affirmations over three years — and all of that sits on top of a Level 2 (C3PAO) status. Verify your contract actually requires Level 3 before budgeting, and scope it with a specialist. (32 CFR Part 170, Regulatory Impact Analysis.)
Can a small business use a POA&M for CMMC?
Sometimes, depending on level and assessment path. For Level 2, a conditional status requires a qualifying score and a POA&M that's closed within 180 days, and certain high-value controls can't be deferred at all. Level 1 allows no POA&M. (32 CFR 170.21.)
Can my MSP be my C3PAO?
Your MSP can implement and run security operations, but a firm that helped prepare your environment can be conflicted from then assessing it — independence rules keep readiness and assessment separate. Engage an authorized C3PAO from the Cyber AB Marketplace once you're ready. (Cyber AB CMMC Assessment Process; 32 CFR 170.9.)
Do I need GCC High for CMMC?
Not automatically. The right cloud or enclave depends on your CUI scope, contract requirements, and whether your current environment can meet the applicable controls. Many narrow-CUI small businesses contain CUI in an enclave instead.
What if my SPRS score is outdated or missing?
Offerors subject to NIST SP 800-171 must have a current assessment posted in SPRS, and that summary score is used in award consideration. A missing or stale score can cost you eligibility before CMMC even enters the picture. (DFARS 252.204-7019/-7020.)
Can my prime pay for CMMC, and is it an allowable cost?
A prime may provide support or negotiate terms, and some compliance costs may be treated as business or contract-related costs — but reimbursability and allowability depend on contract structure and federal acquisition rules. This is an area to confirm with a federal-contracts attorney or GovCon accountant; the answer depends on your contract.
The bottom line
CMMC cost for small business isn’t one number — it’s a decision tree. The DoD’s estimates ($5,977 for Level 1, $104,670 for a Level 2 C3PAO) tell you what it costs to prove compliance. Your scope and your starting maturity tell you what it costs to achieve it. Most of the expensive mistakes happen before anyone signs a contract — buying Level 2 when you’re Level 1, leaving CUI sprayed across your whole network, or hiring an assessor before you’re ready. Get those three decisions right and the budget becomes manageable. Get them wrong and you’ll fund a competitor’s lesson.
Primary sources
- CMMC Program Rule — 32 CFR Part 170 (eCFR)
- CMMC Final Rule — Federal Register, Oct. 15, 2024 (89 FR 83214)
- CMMC Regulatory Impact Analysis — regulations.gov, DOD-2023-OS-0063
- DFARS CMMC Acquisition Rule — Federal Register, Sept. 10, 2025
- DFARS 252.204-7021 (Acquisition.gov)
- DFARS 252.204-7019 (Acquisition.gov)
- 32 CFR 170.21 — POA&M requirements (eCFR)
- DoD CIO — About CMMC (phase timing)
- FAR 52.204-21; NIST SP 800-171 Rev. 2 and NIST SP 800-172 (NIST CSRC)
- Cyber AB — CMMC Assessment Process (CAP) and Marketplace
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your CMMC level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you commit budget. Found an error? See our corrections policy or editorial standards.