The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Level 1 Cost: What You'll Actually Pay in 2026 (and What Not to Buy)

The Defense Compliance Report Editorial Team (independent CMMC and DIB compliance research)
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the U.S. Department of Defense, the Cyber AB, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is information, not legal, contractual, or compliance advice.

CMMC Level 1 cost is almost always far lower than the five- and six-figure numbers circulating in the defense industry, because Level 1 is an annual self-assessment for companies that handle Federal Contract Information (FCI), not a third-party certification assessment. The Department of Defense's own cost analysis in the CMMC Final Rule (32 CFR Part 170) puts the annual cost at $5,977 for a small entity and $4,042 for an other-than-small entity, and those figures cover the self-assessment, SPRS submission, and affirmation only. Not implementation. Not remediation. Not a consultant.

Here's the fast version before you scroll:

Your question | The straight answer
What's the official DoD cost estimate? | $5,977/year for a small entity; $4,042/year for an other-than-small entity. It covers the self-assessment, SPRS reporting, and affirmation, not implementation.
Is that a vendor quote? | No. It's the DoD's modeled labor burden from the rule's cost analysis, not what a consultant charges.
Do I need a C3PAO? | No. Level 1 is self-assessed, and there's no C3PAO certificate to earn at Level 1. You can hire help, but it stays a self-assessment and you keep the liability.
Can I have a POA&M (a fix-it-later plan)? | No. Every applicable Level 1 requirement must be MET to claim Final Level 1 (Self).
What do I submit? | Your CMMC Level, status date, assessment scope, CAGE code(s), and compliance result in SPRS, plus an annual affirmation.
When does Level 1 stop being enough? | The moment you process, store, or transmit Controlled Unclassified Information (CUI), or your contract requires a higher level. Then you're in Level 2 territory.

Sources: 32 CFR §170.15 and §170.14; CMMC Final Rule cost analysis.

Get your number, not a range

Use our CMMC readiness checklist to walk the 15 FAR requirements, identify your gaps, and build a defensible evidence record — before you call anyone.

Use the CMMC Level 1 readiness checklist →

The CMMC Level 1 Cost Reality Matrix

We separated four things almost every other page blurs together: (1) the DoD's official modeled cost, (2) what you'll actually spend in cash if you're already in decent shape, (3) what you'll spend if basic safeguards are missing, and (4) the overbuy risk: when a “Level 1” conversation quietly becomes a Level 2 project.

Your situation | Official Level 1 requirement | DoD-modeled annual cost | Real-world cash to plan for | What's driving the cost | What not to buy first | Best next move
FCI only · 1–10 people · modern IT already in place | Annual self-assessment, SPRS result, annual affirmation | Small-entity model: $5,977 | $0–$2,000 plus internal time (editorial estimate) | Owner/IT time, evidence cleanup | C3PAO assessment, CUI enclave, enterprise GRC platform | Self-assess in-house if all 15 are MET
FCI only · 10–50 people · weak documentation or access controls | Same | Same | $2,000–$10,000 (editorial estimate) | A few hours of consultant or MSP help, evidence and access cleanup | A full Level 2 readiness package (unless CUI is actually in scope) | Scoped gap check against the 15 FAR requirements
FCI only · 50–250 people · multiple sites or shared IT | Same | Same | $5,000–$15,000 (public-market benchmark) | Multi-site scoping, CAGE/system mapping, evidence consistency | C3PAO by default; a company-wide security overhaul | Scoped quotes from readiness/RPO/MSP providers
Prime flow-down says “Level 1,” but your files might include CUI | Level 1 may be the wrong level if CUI is in scope | Not enough information yet | Don’t budget until you confirm the data type | CUI discovery, contract clause, prime’s flow-down language | “Cheap Level 1” before you’ve confirmed there’s no CUI | Jump to the Level 1-vs-Level 2 section below
You got a $50,000+ “Level 1” quote | Level 1 does not require a C3PAO certification | Same ($5,977 / $4,042) | The quote likely bundles Level 2 readiness, managed IT, GRC, or an enclave | Bundled scope | Signing before you get an itemized scope | Make the vendor split Level 1 self-assessment help from Level 2/CUI work
You handle CUI | Not a Level 1-only scenario | Level 2 cost model applies | See our Level 2 guide | NIST SP 800-171 Rev. 2, SSP, POA&M rules, assessment type | Treating Level 1 as sufficient | Confirm Level 2 (Self) vs. Level 2 (C3PAO)

How to read this: the DoD number is the same regardless of your situation, because it only measures the act of assessing and affirming, not the work of getting compliant. Your real spend is driven almost entirely by how much of the 15-requirement baseline you already have, and by whether you're accidentally being sold a higher level than you need.

Methodology: official burden figures are from the CMMC Final Rule cost analysis; regulatory requirements are from 32 CFR Part 170, FAR 52.204-21, and the DFARS clauses. “Public-market benchmark” ranges reflect what vendor and software pages publicly stated for Level 1 as of June 3, 2026.

How much does CMMC Level 1 cost in 2026?

CMMC Level 1 cost starts with one official number: the DoD estimates the annual self-assessment and affirmation at $5,977 for a small entity and $4,042 for an other-than-small entity. That figure assumes you've already implemented the 15 basic safeguards — it does not include remediation, tools, or consulting. In practice, your cash spend ranges from near zero (if you can assess in-house) to low-five figures (if you need scoping, cleanup, or outside help).

Those numbers come from the Regulatory Impact Analysis the DoD published with the CMMC Final Rule (32 CFR Part 170, effective December 16, 2024). It's an annual cost because Level 1 is reassessed and re-affirmed every year.

What that number is not: a price tag from a consultant

It's the DoD's estimate of the internal and external labor hours it takes to run the assessment, score it, post it to SPRS, and have a senior official sign the affirmation. Of that total, the affirmation step alone is estimated at roughly $560 for a small entity. The rest is assessment effort.

What that number is not: your remediation budget

If you're missing controls, fixing them is a separate cost — and that's where the real variance lives.

What that number is not: a certification fee

There is no government filing fee to submit a Level 1 self-assessment in SPRS, and there is no third-party assessor to pay.

When you see Level 1 quoted online at “$5,000–$15,000” or “$3,000–$15,000,” you're usually looking at the official assessment cost plus somebody's estimate of light remediation and advisory help, bundled into one range without saying so. That bundling is the source of nearly all the confusion. We'll unbundle it in the next section.

Why Level 1 cost estimates are all over the map — and why yours is probably lower

The wild spread in Level 1 cost estimates comes down to a single line item: implementation. The DoD's $5,977 figure deliberately excludes the cost of standing up the 15 safeguards, because those have been a federal contract requirement since 2016. Vendor ranges that hit $10,000–$20,000 are quietly adding remediation, tools, and consulting — costs you only incur for the requirements you don't already meet.

Why the DoD left implementation out: The department said plainly why in the rule's cost analysis. The 15 basic safeguards were already required by FAR clause 52.204-21, effective June 15, 2016, and (for CUI) by DFARS clause 252.204-7012 by December 31, 2017. In the DoD's words, those costs “should already have been incurred.”

Translation: CMMC Level 1 doesn't add new security requirements. It adds the requirement to check yourself, report the result, and affirm it. That's why the official cost is so low.

Which leads to the practical question that decides your budget: how much of that baseline do you already have? For most small contractors on a current business IT stack, the answer is “most of it.” The next section shows you exactly where the remaining cost hides.

What are the 15 CMMC Level 1 requirements you're paying to assess?

CMMC Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv), which protect Federal Contract Information. Your cost depends less on the rule itself than on whether you can already prove access control, authentication, media protection, physical protection, boundary protection, patching, and malware protection are working. The requirements that cost money are the few you don't yet have.

We grouped the 15 requirements into the six families they fall into, flagged which ones a typical modern setup (Microsoft 365 Business or Google Workspace, run by a competent IT person or MSP) usually covers already, and named the ones that tend to generate a remediation bill.

Requirement family (FAR 52.204-21) | What it asks for, in plain English | Evidence you'd show | Usually covered by a modern IT setup? | Cost driver if you're missing it
Access Control | Limit system access to authorized users; limit what they can do; control connections to external and public systems | User/account list, permission settings, acceptable-use policy | Mostly yes | Cleaning up shared logins and documenting who has access and why
Identification & Authentication | Identify users, processes, or devices, and authenticate them before granting access | Authentication settings, unique-account records (MFA settings if used) | Often yes | Enforcing unique user accounts and authentication. (FAR 52.204-21 requires authentication; it does not name multi-factor authentication as a standalone Level 1 requirement, though MFA is a strong, common way to satisfy it.)
Media Protection | Sanitize or destroy media containing FCI before disposal or reuse | Disposal/wipe procedure, vendor certificates | Sometimes | A written, actually-followed media-disposal process
Physical Protection | Limit physical access to systems and equipment; escort and monitor visitors | Visitor log, badge/lock records | Partial | Visitor logs and documented physical access limits, especially across multiple sites
System & Communications Protection | Monitor and control communications at system boundaries; separate publicly accessible components | Firewall config, network diagram | Often yes | Boundary/firewall configuration and basic network separation
System & Information Integrity | Identify and correct flaws promptly; protect against malicious code; keep protections updated; scan files and systems | Patch records, antivirus/endpoint reports, scan logs | Mostly yes | Endpoint protection and a documented patching cadence

The recurring theme: the requirements that cost money are authentication enforcement, endpoint/antivirus coverage, boundary configuration, and the documentation that proves you do what you say. If those are handled, your Level 1 spend is mostly your own time. If they're not, budget for a few hours of IT or MSP work to close the gaps — not a six-figure compliance program.

About the “15 vs. 17” confusion

You'll see Level 1 described as both “15 requirements” and “17.” Both are correct, and they describe the same current standard. There are 15 safeguarding requirements in FAR 52.204-21(b)(1). But the official mapping table in 32 CFR §170.15 lists 17 rows, because one requirement (PE.L1-b.1.ix, which covers escorting and monitoring visitors, keeping audit logs of physical access, and controlling physical access devices) is split into three separate NIST SP 800-171A assessment objectives. So “15 requirements” and “17 mapped objectives” are two ways of counting the same Level 1.

Want the gap check on paper?

Our CMMC readiness checklist covers all 15 FAR requirements with evidence, owner, and MET / NOT MET columns — the same structure a careful self-assessment uses.

Use the CMMC Level 1 evidence checklist →

The honest catch: Level 1 is cheap, but it isn't “nothing”

CMMC Level 1 is far cheaper than Level 2, but it is not automatically free or trivial. You still have to scope FCI correctly, meet every applicable requirement (no partial credit), submit your result in SPRS, sign an affirmation, and keep your evidence for six years. And because that affirmation is a binding attestation to the government, getting it wrong carries real legal exposure — not just a failed checkbox.

Here's what Level 1 actually demands, under 32 CFR §170.15:

You must have every applicable requirement MET

There is no Plan of Action and Milestones (POA&M) allowed at Level 1 — the fix-it-later mechanism that exists at Level 2 does not exist here. If one requirement is NOT MET, you have not achieved Final Level 1 (Self). You fix it first, then submit.

You must scope it honestly

Under §170.19, Level 1 scope considers the people, technology, facilities, and External Service Providers in your environment that process, store, or transmit FCI. Hiding an in-scope system to shrink the assessment isn't a cost-saving trick — it's a misrepresentation.

You must submit to SPRS and affirm annually

The Supplier Performance Risk System (SPRS) is the DoD's database where your result lives. A senior Affirming Official attests that the requirements are implemented and will stay implemented.

You must retain evidence for six years

Section 170.15 is explicit: the artifacts you used as evidence must be retained for six years from the CMMC Status Date.

It's legally binding

Your SPRS submission and affirmation are assertions to the government. The U.S. Department of Justice has used the False Claims Act in cybersecurity-related matters through its Civil Cyber-Fraud Initiative. "Self-assessed" does not mean "casual."

The lesson isn't “this is hard, hire someone.” It's “this is specific, so spend on the right things.” For an FCI-only company, the right budget is: confirm your scope, fix only the basics you're actually missing, document it defensibly, and avoid paying for Level 2 work unless CUI is genuinely in scope. Done that way, Level 1 is one of the most achievable requirements in federal contracting, and for a lot of small shops it costs more in attention than in dollars.

Do you need a C3PAO or a consultant for CMMC Level 1?

No — Level 1 does not require a C3PAO, and there is no C3PAO certificate to earn at Level 1. Under 32 CFR §170.9, a C3PAO's formal role is conducting Level 2 certification assessments. You can bring in outside help — a Registered Provider Organization (RPO), a CMMC-focused MSP, or a consultant — to prepare for or walk through your Level 1 self-assessment. But it stays a self-assessment: the result is Final Level 1 (Self), and you keep responsibility for the affirmation.

Some readers assume any CMMC requirement means hiring an auditor. At Level 1, it doesn't. So when is outside help worth it, and when is it overkill?

Outside help makes sense when:

  • You have no internal IT owner and nobody on staff can speak to the 15 requirements
  • A self-check reveals real gaps — authentication isn't enforced, no media-disposal process, access controls are a mess
  • A prime gave you a tight deadline and you need to move fast and defensibly
  • You're not certain your data is FCI-only — this is the big one

Outside help is usually overkill when:

  • You're a small, FCI-only shop with a modern IT setup and an MSP already handling patching, antivirus, and access
  • Your controls are clean and documented and there's no CUI anywhere in your workflow

Independence note worth keeping in mind

Some firms that are authorized C3PAOs also sell readiness help. That's allowed, but if you think you'll pursue Level 2 later, keep your readiness provider separate from the C3PAO you'll eventually hire to assess you — using the same firm for both can raise conflict-of-interest questions at Level 2. See our guide on RPO vs. C3PAO.

Not sure you need anyone at all?

Tell us your level, scope, and timeline and we'll help you figure out whether this is an in-house self-assessment, a few hours of readiness help, or a sign you're looking at Level 2. If the honest answer is “you don't need to buy anything,” we'll tell you that.

Tell us your situation →

Does CMMC Level 1 require an SSP?

Not the way Level 2 does. There is no explicit formal System Security Plan (SSP) mandate for a Level 1 self-assessment in 32 CFR §170.15 — Level 2's SSP requirement flows from NIST SP 800-171 and DFARS 252.204-7012, which don't apply to an FCI-only Level 1 company. But “no SSP required” does not mean “keep no records.” Level 1 evidence artifacts must be retained for six years from the CMMC Status Date.

In plain terms: you don't need a Level 2-style security plan to do Level 1, and you shouldn't pay for one. What you do need is a lightweight record — scope, the systems in play, requirement-by-requirement proof, who owns each control, and the dates — so you can stand behind your affirmation if a contracting officer or prime ever asks. That's the difference between a five-minute answer and a scramble two years from now. Our CMMC SSP and POA&M services guide covers Level 2 SSP requirements in detail if your scope is growing.

When a “CMMC Level 1” quote is secretly a Level 2 quote

A Level 1 quote should raise your eyebrow when it includes CUI enclave migration, Microsoft GCC High setup, full NIST SP 800-171 readiness, C3PAO scheduling, a complete SSP and POA&M buildout, or an enterprise GRC platform — without explaining why an FCI-only company needs any of it. Those items can be perfectly legitimate for Level 2. They are not automatically required for a Level 1 self-assessment.

Here's how to tell the difference before you sign:

Line item in the quote | Fine for Level 1? | What it usually signals
Self-assessment support, FCI scoping, evidence organization | Yes ✅ | Appropriate Level 1 readiness help
Light remediation of the 15 basics (authentication, antivirus, access cleanup) | Yes ✅ | Normal if you're missing controls
"C3PAO certification assessment" or "certification audit" | No ❌ | This is a Level 2 service; there's no Level 1 certificate to buy. A C3PAO firm may offer readiness help, but using your future assessor for readiness can raise independence questions later
"110 controls" / "NIST 800-171 readiness" | No ❌ | That's the Level 2 control set, for CUI
GCC High / CUI enclave / FedRAMP Moderate environment | Usually no ❌ | Built for CUI handling; Level 2 territory
Full SSP + POA&M program | Usually no ❌ | Level 1 has no POA&M and no formal SSP mandate
Enterprise GRC platform subscription | Rarely ⚠️ | Useful at scale for Level 2 evidence; overkill for a small FCI-only self-assessment

A quick way to score a quote (Overbuy Scale)

0 — Level 1 only: Self-assessment support, FCI scoping, evidence help. Right-sized.
1 — Light remediation: Plus fixing a few of the 15 basics. Fine if you have gaps.
2 — Bundled MSP/software: Ongoing managed IT or a GRC subscription added in. Maybe worth it for convenience, but not required for Level 1.
3 — Level 2 / CUI scope: Enclave, GCC High, 110-control readiness. Stop and confirm you actually handle CUI first.
4 — Certification language: "C3PAO certification," "certification audit," guaranteed certification. There is no Level 1 certification. Get this itemized before you sign anything.

If your contract says Level 1 and FCI only, anything scoring a 3 or 4 needs a hard conversation. Three questions force the issue: What data type is driving this line item — FCI or CUI? Which specific requirement does this satisfy? Can you separate Level 1 self-assessment support from Level 2 readiness? A good provider itemizes it without flinching.

Got a quote that feels too big for Level 1?

Review the CMMC provider categories guide before you sign — it helps you separate Level 1 self-assessment help from Level 2 readiness, managed IT, software, and assessment costs.

Review CMMC provider categories →

CMMC Level 1 vs Level 2 cost — and how to be sure which one you are

Level 1 (FCI only) runs from near-zero cash to low-five figures. Level 2 (CUI) is an order of magnitude higher — the DoD's analysis models a small-entity Level 2 self-assessment at $37,196 over three years, and a Level 2 C3PAO certification at $104,670 over three years, before any implementation. The dividing line is your data: FCI keeps you at Level 1; any CUI pushes you to Level 2. Misjudging this is the single most expensive Level 1 mistake.

Attribute | CMMC Level 1 | CMMC Level 2
Protects | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI)
Number of requirements | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Revision 2)
Assessment type | Annual self-assessment | Self-assessment or C3PAO certification, every 3 years; which one is set by the contract
POA&Ms (fix-it-later)? | Not allowed | Allowed within limits; close out within 180 days
DoD-modeled cost (small entity) | $5,977 per year | $37,196 (self) / $104,670 (C3PAO), each over three years
Who it's for | FCI-only suppliers | Anyone handling CUI

NIST SP 800-171 Revision 2 is the controlling version for CMMC Level 2 today, incorporated by reference in the rule. Don't let anyone budget you against Rev. 3 unless and until the DoD amends the rule.

How do you know which one you are? One question: does any information in your contract performance qualify as CUI? FCI is non-public information provided by or generated for the government under a contract, but it excludes simple transactional data. CUI is a separate, marked category of sensitive-but-unclassified information. If you only ever touch FCI, you're Level 1. The instant CUI enters your systems, you're at Level 2 minimum.

One useful wrinkle from the rule: achieving Level 2 satisfies Level 1 for the same scope. That does not mean an FCI-only company should buy Level 2 “to be safe”; it means a company already required to meet Level 2 doesn't need a separate Level 1 process for that same environment.

Not certain your data is FCI-only?

If a prime's flow-down hints that CUI is coming, don't budget Level 1 yet. Read the Level 2 cost guide and confirm your data type first. Spending on the wrong level is the costliest move you can make.

Read the CMMC Level 2 cost guide →

How to submit your CMMC Level 1 self-assessment and affirmation in SPRS

Once you've assessed against the 15 requirements and can document that all applicable ones are MET, you submit your result through PIEE/SPRS. The key inputs are: your CMMC Level (1), your CMMC Status Date, your assessment scope (a description of the system or environment), your CAGE code(s), and your compliance result. SPRS then issues your CMMC Unique Identifier (CMMC UID) — a 10-character alphanumeric code per assessed system. Under DFARS 252.204-7025, offerors must list their CMMC UIDs in proposals for any covered system.

Your Affirming Official — a senior official of your organization — then signs the annual affirmation under 32 CFR §170.22, attesting that the requirements are and will remain implemented. That affirmation repeats annually. Your evidence artifacts are retained for six years from each CMMC Status Date. A consultant can assist with the process, but the affirmation liability stays with your organization — it cannot be outsourced.

The good news: for an FCI-only company, getting Level 1-ready is usually a matter of weeks, not months — and often a matter of confirming and documenting controls you already have. See our SPRS score guide for more on how the submission process works.

What we actually verified for this guide

We treat CMMC as a Your-Money-Your-Life topic. Click any source to confirm it yourself.

Claim | Primary source | Where to find it | Last verified
Level 1 = 15 requirements from FAR 52.204-21, protecting FCI | 32 CFR §170.14; FAR 52.204-21 | §170.14(c)(2); 52.204-21(b)(1) | June 3, 2026
Official cost: $5,977 (small) / $4,042 (other-than-small); implementation excluded because FAR 52.204-21 has been effective since June 15, 2016 | Federal Register, CMMC Final Rule | Regulatory Impact / cost analysis | June 3, 2026
No POA&Ms; annual self-assessment + affirmation; SPRS inputs; six-year evidence retention | 32 CFR §170.15 | §170.15(a)–(c) | June 3, 2026
"17 mapped rows" because PE.L1-b.1.ix splits into three NIST objectives | 32 CFR §170.15 | Table 2 to §170.15(c)(1)(ii) | June 3, 2026
Level 1 scope: people, technology, facilities, ESPs touching FCI | 32 CFR §170.19 | §170.19(a)–(b) | June 3, 2026
C3PAO's role is Level 2 certification assessments | 32 CFR §170.9 | §170.9(a) | June 3, 2026
Affirming Official submits affirmation at completion and annually | 32 CFR §170.22 | §170.22 | June 3, 2026
CMMC UID required in proposals; status a condition of award | DFARS 252.204-7025 | 252.204-7025(d) | June 3, 2026
Phase 1: Nov 10, 2025 – Nov 9, 2026; DFARS 7021 effective Nov 10, 2025 | DoD CIO CMMC | dodcio.defense.gov/cmmc | June 3, 2026
Level 2 (small entity, 3-yr): $37,196 self / $104,670 C3PAO; Level 2 satisfies Level 1 for same scope | Federal Register, CMMC Final Rule | Cost analysis; §170.15 | June 3, 2026

Who wrote this, how, and why

Who: The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance. (Editorial standards · Corrections policy)

How: We read the CMMC Final Rule, the current 32 CFR Part 170 text, FAR 52.204-21, DFARS 252.204-7021 and 252.204-7025, the DoD CIO's CMMC program materials, and a range of public cost pages from CMMC vendors and software providers. We separated primary regulatory requirements from public-market budget ranges and from our own editorial recommendations, and marked each accordingly. (Full methodology)

Why: Most CMMC Level 1 cost pages do one of two things: hand you a vague range, or steer you toward a vendor. This page exists to help FCI-only contractors avoid both failure modes: under-compliance on one side, and overbuying a Level 2 program you don't need on the other.

Frequently asked questions

Is CMMC Level 1 free?

Not exactly. There's no government filing fee and no third-party assessor to pay, so your cash cost can be near zero if you assess in-house. But the DoD still models a labor burden of $5,977/year for a small entity to run the self-assessment and affirmation. “Free of vendor fees” is realistic; “free of effort” is not.

What is the DoD's official CMMC Level 1 cost estimate?

$5,977 per year for a small entity and $4,042 for an other-than-small entity, per the CMMC Final Rule's cost analysis. That covers self-assessment, reporting, and affirmation only — not implementation or remediation.

Does CMMC Level 1 require a C3PAO?

No. Level 1 is self-assessed, and there's no C3PAO certificate to earn at Level 1 — under 32 CFR §170.9, a C3PAO's formal role is Level 2 certification assessments. You can hire outside help for Level 1, but the result stays a Final Level 1 (Self) status and you keep the affirmation liability.

Does CMMC Level 1 allow POA&Ms?

No. A Plan of Action and Milestones (a plan to fix gaps later) is not permitted at Level 1. Every applicable requirement must be MET before you submit, per 32 CFR §170.15.

How often do I renew CMMC Level 1?

Annually. Level 1 requires an annual self-assessment and an annual affirmation in SPRS, and you retain your evidence for six years from each CMMC Status Date.

What happens if one requirement isn't met?

You haven't achieved Final Level 1 (Self). Because there's no POA&M option, the correct move is to fix the missing requirement first, then submit your result and affirmation.

Is Level 1 enough if we handle CUI?

No. If you process, store, or transmit Controlled Unclassified Information, Level 2 is the minimum. Level 1 only covers Federal Contract Information.

Why do some pages say “17 practices”?

Level 1 has 15 safeguarding requirements in FAR 52.204-21. Some current rule materials show 17 mapped rows because one requirement (on physical access) is split into three separate NIST SP 800-171A assessment objectives in the §170.15 mapping table. It's two ways of counting the same standard, not a separate 17-requirement version.

What is the CMMC UID?

A CMMC Unique Identifier is a 10-character alphanumeric code that SPRS issues for each assessed contractor information system after you enter your self-assessment results. Under DFARS 252.204-7025, offerors must list their CMMC UIDs in proposals for any system that will handle FCI or CUI during performance.

Can a consultant submit CMMC Level 1 for us?

A consultant can assist, but the organization retains responsibility and liability for the affirmation, which must be made by a senior Affirming Official and can't be outsourced away.

The bottom line

If you handle FCI and not CUI, CMMC Level 1 is one of the most achievable requirements in federal contracting. The DoD's number is $5,977 a year for a small business; your real cash cost is driven by how many of the 15 basics you already have, and by whether you avoid paying for a Level 2 program you don't need. Confirm your scope, fix only what's missing, document it, and submit it. That's the whole game.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.

Get matched with source-checked CMMC provider options →

Or: Download the CMMC Level 1 readiness checklist and work the 15 requirements at your own pace.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Department of Defense, the Cyber AB, NIST, SPRS, eMASS, or any U.S. government agency. This guide is educational and is not legal, contractual, or compliance advice. We label DoD figures as government estimates and market ranges as public-source benchmarks — neither is a quote for your specific environment. Read our editorial standards and corrections policy.

Last verified: June 3, 2026. Next scheduled review: September 2026.