The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

STATUS — Phase II suspended . Self-assessments still required.

The Department suspended the Level 2 (C3PAO) expansion. Level 1 and Level 2 self-assessments, SPRS submission, annual affirmations, and False Claims Act exposure all remain in force. The cost figures on this page were not revised by the suspension. See what changed and what didn’t.

CMMC Self-Assessment Cost: What Level 1 and Level 2 Actually Run in 2026

By The Defense Compliance Report Editorial Team · Last verified:

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. We are not affiliated with the Cyber AB, the Department of Defense, the Department of War, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

Level 1 (Self) — FCI only

~$4K–$6K

per year · DoD estimate, assessment & affirmation only GOV-PUBLISHED

Level 2 (Self) — CUI, where contract permits

~$37K–$49K

over the 3-year cycle · DoD estimate, assessment & affirmation only GOV-PUBLISHED

CMMC self-assessment cost is not zero — but it’s also nowhere near the six-figure number you’ve been quoted for a third-party audit. The Department of Defense’s own estimate, published in the CMMC Program Rule (32 CFR Part 170) in 2023 dollars, is about $4,000–$6,000 a year for a Level 1 self-assessment and roughly $37,000–$49,000 over a three-year cycle for a Level 2self-assessment — when your contract lets you self-assess. Here’s the part almost every page buries: those figures cover the work of assessing and attesting— planning, gathering evidence, running the assessment, reporting to SPRS, and the affirmation — but not the work of getting compliant. That exclusion is deliberate, and it’s usually where the real money is.

CMMC self-assessment cost quick reference — DoD estimates by level
Path (self-assessment)DoD estimate — assessment & affirmation only GOV-PUBLISHEDCadence
Level 1 (Self) — FCI only~$4,000–$6,000 per yearAnnual
Level 2 (Self) — CUI, where your contract permits~$37,000–$49,000 over the three-year cycleFull assessment every 3 years + annual affirmations

What’s not in those numbers: implementing the security requirements, closing gaps, tools, cloud or enclave changes, managed security, or ongoing maintenance. For most contractors, those excluded costs are the real budget — they can run well beyond the assessment itself. A firm already meeting the requirements might spend little; a firm starting from scratch can spend six figures. (Source: CMMC Program Rule, 32 CFR Part 170, Regulatory Impact Analysis.)

This page is for you ifyour solicitation, contract, or a prime’s flow-down points to Level 1 (Self) or Level 2 (Self), and you need to turn a vague range into a real budget.

This page is not your best starting point if you’re pricing a full Level 2 build-out (see our CMMC Level 2 cost guide), a C3PAOcertification audit, or you haven’t yet confirmed whether you handle FCI (Federal Contract Information) or CUI (Controlled Unclassified Information) — because that, and the contract clause, decide everything else.

The right CMMC provider isn’t the same for every contractor — the category you need depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Number labels used on this page:

  • GOV-PUBLISHED Government-published— straight from the CMMC Program Rule’s cost analysis (2023 dollars).
  • MARKET-REPORTED Market-reported — aggregated from current provider cost guides; vary widely by scope and starting maturity. Context, not the rule.
  • EDITORIAL Editorial — our judgment, based on sourced facts.

Not sure which level your contract requires?

The right provider category for your self-assessment depends on your required CMMC level, FCI vs. CUI handling, IT environment, and contract timeline. Use the routing tool to map your situation before you request quotes. Do not submit CUI, drawings, or contract numbers.

Find My CMMC Path →orEstimate my self-assessment cost →

How much does a CMMC self-assessment cost in 2026?

The DoD estimates a Level 1 (Self) assessment at about $4,000–$6,000 per year and a Level 2 (Self) assessment at roughly $37,000–$49,000 across a three-year cycle, per the CMMC Program Rule’s cost analysis in 2023 dollars. Those figures cover planning and preparation, conducting and scoring the assessment, reporting the result, and the affirmations — not implementing the security requirements. Your true all-in cost depends almost entirely on how close your environment already is to those requirements.

Let’s put the government’s numbers next to reality. The left side is what the rule modeled. The right side is what defense contractors actually spend once you count the work the model skips — figures aggregated from current provider cost guides, labeled as market estimates that vary widely.

CMMC self-assessment cost: DoD estimate vs. real all-in market range
PathDoD estimate — assessment & affirmation only GOV-PUBLISHEDWhat it coversWhat it excludesReal all-in, year one MARKET-REPORTED
Level 1 (Self)~$4,000–$6,000 / yrPlanning, conducting, reporting, and the annual affirmationImplementing the 15 safeguarding requirements, tooling~$5,000–$20,000
Level 2 (Self)~$37,000–$49,000 / 3-yr cyclePlanning and prep (including gathering evidence), conducting and scoring, reporting, and affirmationsRemediation to meet the 110 requirements, tools, enclave, staff hours~$37,000–$80,000+ for a small firm; more with a large CUI footprint
Level 2 (C3PAO) — contrast only; not a self-assessment~$104,670 (small) / ~$117,768 (other-than-small) / 3-yrThe third-party audit + prep + affirmationsSame remediation as aboveSee our Level 2 cost guide

The sentence that ends the confusion:

The DoD’s figure is what it costs to measure and attest — not what it costs to comply.If your systems already meet NIST SP 800-171, the assessment really can land near the government number. If they don’t, the gap between where you are and where you need to be isyour cost, and it isn’t in that estimate.

The four government figures — initial year vs. three-year cycle

Contractors get burned comparing a provider quote to the wrong government number. Here are the actual figures broken out by initial year and full cycle, per the rule’s cost analysis (2023 dollars, GOV-PUBLISHED):

CMMC self-assessment — four government cost figures by entity size, initial year and three-year cycle
Path & sizeInitial assessment + affirmationFull three-year cycle
Level 1 (Self) — other-than-small~$4,042 / yr~$4,042 each year
Level 1 (Self) — small entity~$5,977 / yr~$5,977 each year
Level 2 (Self) — small entity~$34,277~$37,196
Level 2 (Self) — other-than-small~$43,403~$48,827

Two things to take from this table. First, the Level 2 three-year figure is not one immediate charge and notan even annual cost — most of it lands in the initial assessment year, with smaller annual-affirmation costs after. Second, whether you’re “small” isn’t a headcount rule — the government model uses SBA size standards, which vary by NAICS code and can be based on employees or revenue. Confirm your applicable NAICS standard before you assume which model fits you.

Why is the Level 1 small-business estimate higher than the large-business one?

Because the model doesn’t scale the way you’d expect. For Level 1, the small-entity figure (~$5,977) runs higher than the other-than-small figure (~$4,042); for Level 2, it flips, and the small figure (~$37,196) runs lowerthan the large one (~$48,827). It’s not a typo. The government model assumes an external service provider performs portions of the Level 1 planning, assessment, and reporting for the small-entity case, while the other-than-small case uses internal management and IT labor — which pushes the small-entity Level 1 number up. The practical lesson: your headcount is a weak predictor of your real cost. What you handle, how tightly you’ve scoped it, and how mature your controls already are will move your number far more.

▶ Put your own rates behind these figures → — the government model uses assumed labor rates. Plug in yours, then add the excluded line items, for a budget you can take to your CFO.

Why is the DoD’s estimate so much lower than what contractors actually pay?

Because the government figure covers only assessment and affirmation labor — it explicitly excludes implementation. In the rule’s cost analysis, the Department stated it “did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204-21 (2016) and DFARS clause 252.204-7012,” with compliance due by December 31, 2017. If your environment isn’t already at that standard, the remediation to get there is your real cost — and it lives outside the government number.

This is the single most important thing to understand about CMMC self-assessment cost, so we’ll be blunt: the government assumed you’d already spent the money. NIST SP 800-171 — the 110-requirement standard behind Level 2 — has been a contractual obligation for years under DFARS 252.204-7012. The cost model treats the assessment as a verificationexercise layered on top of requirements that “should already have been incurred.” In practice, plenty of small and mid-size contractors never fully closed that gap. If that’s you, your self-assessment is cheap; your remediation is not.

That’s why every honest breakdown separates two things the government estimate blurs:

For a firm starting from a modern-but-not-compliant IT stack, provider cost guides put remediation anywhere from roughly $10,000 to $250,000+ MARKET-REPORTED— it’s the widest and most variable line, because your starting point dominates. The government estimate does not include a dollar of it.

Which CMMC self-assessment do I actually owe — Level 1, Level 2 (Self), or a C3PAO?

The data you handle sets your minimum, but the applicable contract clause or flow-down is what creates the obligation. If a requirement calls for Level 1 (Self) for a scope that handles FCI, that self-assessment is annual. If a requirement calls for Level 2 (Self) for a scope that handles CUI, that self-assessment is every three years, with an affirmation at the assessment and annually after. If your contract specifies a C3PAO assessment, that is not a self-assessment — and its rollout is currently suspended.

Most “cost” confusion is really scenario confusion — people compare their situation to the wrong number. Find yourself here first:

Which CMMC self-assessment you owe — scenario decision table
If a contract/flow-down requires… for a scope that handles…You conduct…Key rules
Level 1 (Self) — FCI onlyA Level 1 self-assessment, annually15 safeguarding requirements from FAR 52.204-21(b)(1); results + affirmation in SPRS; no POA&Ms — all 15 must be met (32 CFR 170.15)
Level 2 (Self) — CUIA Level 2 self-assessment, every 3 years110 NIST SP 800-171 Rev. 2 security requirements; scored in SPRS; POA&Ms limited, closed within 180 days; annual affirmation (32 CFR 170.16)
Level 2 (C3PAO) — CUIA third-party certification — not a self-assessment SUSPENDEDGoverned by 32 CFR 170.17. This is the requirement the July 2026 suspension paused — see below. (32 CFR 170.17)

One clarification that trips people up: Level 1 is 15 security requirements, drawn from FAR 52.204-21(b)(1). You’ll sometimes see “17” — that’s because those 15 requirements map to 17 NIST SP 800-171 Rev. 2 security requirements (one FAR requirement is split into three parts; the other 14 align). Level 2 is the full 110 security requirements across 14 families, assessed against the 320 assessment objectivesin NIST SP 800-171A. If you handle CUI, don’t talk yourself into Level 1 because it’s cheaper — the data you touch, and the clause, set the level.

Not sure which level your contract triggers?

Tell us your level, FCI/CUI scope, and timeline, and we’ll point you to the right provider category. Do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →

What actually drives your CMMC self-assessment cost?

Four things move the number: how close your environment already is to NIST SP 800-171 (by far the biggest driver), your CUI scope, how much documentation help you need, and whether you use outside consultants or a managed provider. Company size is a weak predictor — a small, tightly scoped enclave can be cheaper to assess than a larger but sprawling flat network.

Here’s where the money in a real Level 2 self-assessment budget tends to go. These are market-reported estimates, not government figures, and yours will vary:

CMMC self-assessment real cost budget buckets — market-reported ranges
Cost bucketMarket-reported range MARKET-REPORTEDNotes
Gap assessment$3,500–$20,000Establishes your current gaps before you scope remediation spending
Remediation / control implementation$10,000–$250,000+The single largest and most variable line; driven by your starting maturity
SSP & documentation$12,000–$60,000 (or internal hours)You can't complete a Level 2 assessment without a current System Security Plan describing each in-scope system
vCISO / consulting$250–$400 / hrInterpretation, scoping, and evidence review
CUI enclave~$300–$400 / user / moIsolating CUI can meaningfully cut everything else by shrinking scope
Security tooling$10,000–$50,000 / yrEncryption, EDR, SIEM, vulnerability scanning
Internal staff time (Level 2)Hundreds of hoursDocumentation, evidence collection, coordination — routinely underbudgeted

The highest-leverage move most contractors miss is scope reduction. Assets that process, store, or transmit CUI are in scope and get assessed against the Level 2 requirements; other asset categories get the treatment specified in 32 CFR 170.19. If CUI is scattered across your whole network, your whole network tends to be in scope. Pull that CUI into a defined enclave — when your asset categorization, data flows, and technical boundary actually support it — and you shrink what you have to secure, document, and assess. It’s not right for everyone (if CUI already lives everywhere, an enclave can be a bigger project than it saves), but it’s the first question worth asking.

Depending on your scope and the gaps you find, remediation may include multi-factor authentication, logging and monitoring, FIPS-validated encryption where cryptography protects CUI, network segmentation, an SSP that reflects reality, and the staff time to run it all. None of that is in the government’s assessment figure.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

How is a self-assessment scored, what goes into SPRS, and can I use a POA&M?

A Level 2 self-assessment produces a numerical score under the DoD Assessment Methodology in 32 CFR 170.24: you start at 110 and subtract points for each requirement you haven’t fully met, down to a floor of −203. Level 1 is different — it’s a pass/fail result where all 15 requirements must be met. The score itself is free to calculate; the cost is closing the gap between your current score and the threshold you need.

How the Level 2 score works

Start at 110 and subtract 5, 3, or 1 point for each security requirement you have not fully implemented, down to a floor of −203. Higher-impact requirements carry the 5-point weight. Two requirements carry an adjusteddeduction — multi-factor authentication (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11) — where you lose 5 or 3 points depending on how far you’ve implemented them. There’s a common myth that scoring is strictly all-or-nothing; those two requirements are the documented exception. The lower your starting score, the higher your remediation bill. For a full walkthrough of how to calculate and submit it, see our SPRS score guide — that page covers the how; this one covers the cost.

What goes into SPRS

Level 1 and Level 2 report differently. Level 1 submits a compliance result and affirmation. A Level 2 self-assessment record includes, at minimum: your CMMC level, the CMMC Status Date, the CMMC Assessment Scope, all CAGE codes for the in-scope information systems, your overall Level 2 score, and POA&M status if applicable (32 CFR 170.16). And note: you can’t complete a Level 2 assessment at all without a current SSP describing each system in scope — the scoring methodology requires it.

Can I use a POA&M, and what score do I need?

For Level 2, a limited Plan of Action & Milestones (POA&M) can support a Conditional status only if you score at least 88 out of 110 (80%), the outstanding items are eligible (generally 1-point items, with a narrow encryption exception), and none of the requirements the rule bars from a POA&M appear on it (32 CFR 170.21). You must close it within 180 days of your Conditional status date. Level 1 permits no POA&Ms— all 15 requirements must be met before you affirm. Budget for the fact that any open POA&M item is remediation you still owe, on a clock.

Did the July 2026 CMMC suspension change what a self-assessment costs — or whether I still need one?

No. Self-assessments still apply. On , the Department of War suspended CMMC Phase II — the expansion that was set to introduce Level 2 (C3PAO) requirements where applicable, scheduled for November 10, 2026 — and paused all pending and future CMMC milestones for a 60-day review. The suspension did not revise the cost benchmarks in the 2024 CMMC Program Rule, and it did not touch Level 1 and Level 2 self-assessments, DFARS 252.204-7012, NIST SP 800-171 Rev. 2, SPRS submission, or False Claims Act exposure.

This matters, because as of this writing almost every competing cost page still treats November 10, 2026 as a live certification deadline. It isn’t — but the self-assessment requirement you’re budgeting for is exactly the piece that survived.

The CMMC phase timeline, as it stands:

What the July 2026 CMMC suspension changes and what to do — by contractor situation
Your situationWhat it changesWhat to do
A pre-July solicitation still names Level 2 (C3PAO)The requirement is to be amended, but a press release doesn't rewrite your contractRequest the solicitation amendment from your contracting officer; confirm with the prime and, where material, qualified counsel or an RP/RPO
An active contract has a C3PAO requirementTo be removed by modification per the guidanceRead the actual contract modification — don't assume
Your requirement is Level 2 (Self)UnchangedKeep doing your NIST SP 800-171 work
You hold a DFARS 252.204-7012 clauseRemains in effectContinue safeguarding and incident-reporting obligations

Sources: Department of War release, July 13, 2026 and the accompanying implementation memorandum; supporting analysis from Jenner & Block.

Our read EDITORIAL, based on the sourced facts:

The Department announced a 60-day review, with recommendations due around mid-September. The form, timing, and substance of any resulting change are not established by the release. But the underlying self-assessment obligation is unchanged today— so pausing your NIST SP 800-171 work on the theory that “CMMC is dead” is the expensive bet, not the safe one.

Is the CMMC self-assessment really “free”? What’s the catch?

A self-assessment avoids a separate C3PAO certification-assessment invoice — but it is not free, and signing it is not risk-free. “Self-assessed” also doesn’t mean “unchecked.” Even during the current suspension, the government continues to run select government-led assessments, and the rule lets a DCMA DIBCAC assessment supersede your self-assessed status. Your SPRS score is a formal representation to the government, and knowingly overstating it can create False Claims Act exposure.

Case: MORSECORP $4.6M settlementFALSE CLAIMS ACT

In March 2025, defense contractor MORSECORP agreed to pay $4.6 million to settle False Claims Act allegations after it submitted an SPRS score of 104 in January 2021 when its true implementation was about 22% of the NIST SP 800-171 requirements — a real score of −142 — and then delayed correcting it. The whistleblower (MORSE’s own head of security) received about $851,000 of the settlement.

Source: DOJ Office of Public Affairs. This is one case; False Claims Act liability turns on the legal elements being met — a data breach isn’t required.

Now the hopeful part, because this is very manageable: the fix isn’t to spend more on the assessment — it’s to make your score honest and defensible.That means a real gap assessment, an SSP that matches what you actually do, and evidence you could put in front of an assessor. A low score isn’t the risk. A score that overstates the truth is. A cheap self-assessment, done carefully, is a strength — not a liability.

If you’re worried your honest score is low, that’s a remediation project, not a paperwork problem. Don’t inflate the number to make it go away — close the gap. See where the money goes, or get matched to readiness help.

Is CMMC Level 2 (Self) the same as the legacy NIST SP 800-171 “Basic Assessment”?

No. The legacy Basic Assessment under DFARS 252.204-7019/-7020 is a contractor-generated NIST SP 800-171 score using the DoD Assessment Methodology, posted to SPRS. CMMC Level 2 (Self) is a formal statusunder 32 CFR Part 170 and DFARS 252.204-7021, with CMMC-specific scope, a status and unique identifier, an annual affirmation, and defined cadence. They share the same 110-requirement foundation, but they are not interchangeable — and your contract’s clause package tells you which one you owe.

This has a real cost consequence. You may already hold a current SPRS score from the older Basic Assessment regime and assume you’re done. You may not be. Moving to a valid Level 2 (Self) status can still require you to reconfirm your CMMC scope, reassess against the current CMMC procedures, produce defensible evidence, establish the CMMC status, and complete the affirmation.

Legacy NIST Basic Assessment vs. CMMC Level 2 (Self) — comparison
 Legacy Basic AssessmentCMMC Level 2 (Self)
Governing authorityDFARS 252.204-7019/-7020; DoD Assessment Methodology32 CFR Part 170; DFARS 252.204-7021
ResultA NIST SP 800-171 score in SPRSA Conditional or Final Level 2 (Self) status
Annual affirmationNot the same mechanismRequired, by an affirming official, in SPRS
Interchangeable?No — read your actual solicitation, contract, and applicable clauses.(see legacy column)

Both use a 110-point weighted model derived from NIST SP 800-171, but you must follow the scoring, scope, status, affirmation, and submission procedure tied to your applicable clause and CMMC requirement. The math rhymes; the program wrapper is new.

How often do Level 2 self-assessments and affirmations happen?

A Level 2 (Self) status can stay current for up to three years, but an affirming official — the senior official responsible for the affirmation — must submit an affirmation of continuing compliance at the assessment and annually thereafter. The annual affirmation is not automatically another full 110-requirement assessment, but you must maintain the requirements and evidence needed to make it truthfully, and you must retain your assessment artifacts for six years from the CMMC Status Date.

For budgeting, the three-year cadence looks like this:

Two details keep contractors honest. Don’t budget the three-year figure as an even annual charge — the assessment year carries the bulk. And factor in the ongoing evidence-management overhead: the rule requires you to retain assessment artifacts for six years from the CMMC Status Date (32 CFR 170.16), not just survive the assessment sprint.

Does using an MSP, MSSP, or cloud provider remove it from my CMMC scope?

No. Handing security or IT to an external service provider (ESP), managed security provider (MSSP), or cloud service provider (CSP) does not automatically remove those services from your CMMC assessment scope. The applicable services, the shared responsibilities, the documentation of who does what, and any on-premises infrastructure connected to the provider can all remain relevant to your assessment.

This matters for cost because contractors sometimes assume “we outsourced IT, so we’re covered.” You’re not automatically covered — you’re responsible for documenting how each requirement is met, including the parts your provider handles, and for the evidence behind them. A capable managed provider can carry much of the implementationload, but the assessment scope and the affirmation responsibility stay with you. The rule addresses ESP and CSP treatment specifically; confirm how your provider’s services map into your scope before you assume they’re out of it.

Do I need a separate self-assessment for every CAGE code or environment?

Not necessarily one per CAGE code — but your SPRS record must associate all the industry CAGE codes tied to the information systems in your assessment scope, and a genuinely separate environment can require its own assessment. The unit of assessment is the CMMC Assessment Scope, not simply “the company.”

The practical cost angle: if you run multiple, genuinely segmented environments — say, one enclave that handles CUI and a separate corporate network that doesn’t — you scope and assess based on what actually touches FCI or CUI, and your SPRS record reflects the CAGE codes for those in-scope systems. Don’t reduce this to a reflexive “one company, one score.” Map your environments and data flows first; that mapping is what tells you how many assessments, and how much cost, you’re really facing.

Can an RPO, consultant, or MSP help — and does that change what I owe?

Yes. Registered Practitioners, consultants, MSSPs, GRC platforms, and enclave providers can all help you interpret requirements, scope your environment, implement controls, and organize evidence — but you remain responsible for the accuracy of your self-assessment and affirmation. Buying help does not turn a self-assessment into a C3PAO certification, and no provider can guarantee a compliant status or a certification outcome.

Which category you want depends on the gap you actually have. Here’s how to think about it — no vendor names, just the categories and what each is (and isn’t) good for:

CMMC self-assessment provider categories — best fit, not right for, and what to ask
CategoryBest forNot the right fit forAsk before you hire
RPO / RP (Registered Provider Organization / Practitioner)Requirement interpretation, gap assessment, scoping, SSP/POA&M structure, readiness24/7 security operations; a formal C3PAO assessmentFor a sample gap report and scoping deliverable
MSSP (Managed Security Service Provider)Implementing and running controls — identity, endpoint, monitoring, logging, backup; cloud administrationContract interpretation; legal advice; independent assessmentExactly which requirements they own vs. leave to you
GRC platformMapping requirements, evidence workflows, SSP/POA&M, affirmation calendarsTechnical implementation or scoping judgment on its own — software alone does not make you compliantWhether it produces assessor-ready evidence, not just checklists
CUI enclaveDeliberate scope reduction — isolating CUI into a bounded, defensible environmentContractors whose CUI already lives everywhere, or who haven't confirmed they handle CUIThe shared-responsibility matrix, in writing
C3PAO (Certified Third-Party Assessment Organization)Formal Level 2 certification when validly requiredA current Level 1 or Level 2 (Self) requirement — and new C3PAO designations are paused during the 2026 reviewTheir active Cyber AB Marketplace status

One rule the program enforces, and you should too: keep readiness help and formal assessment separate. Under 32 CFR 170.8(b)(17) and the CMMC Code of Professional Conduct, a CMMC Ecosystem member may not participate in the Level 2 certification assessment for an organization it served as a consultant within the prior three years— and that bar applies regardless of which level the earlier consulting prepared you for. If a vendor offers to “get you ready and certify you,” that’s a conflict worth questioning.

This is the logic behind The CMMC Path Framework — our named method for mapping your required CMMC level, FCI vs. CUI handling, assessment type, IT and cloud environment, and contract timeline to the category of help you need. It routes to a category, never a named provider, and it is not a score, a ranking, or compliance advice.

Get matched with source-checked provider options.

Tell us your level, scope, and timeline, and we’ll point you to the right category. Do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →

Calculate your own CMMC self-assessment cost

Start with the government’s model, then make it yours. The DoD’s estimate is built on assumed labor for assessment, reporting, and affirmation. Swap in your own loaded internal and external rates, then add the implementation and operating costs the rule excludes. That gives you a defensible planning budget instead of a generic range that fits nobody.

The official figures to start from GOV-PUBLISHED (2023 dollars):

CMMC self-assessment official cost figures — starting point for your own calculation
Path & sizeInitial assessment + affirmationFull three-year cycleWhat’s excluded (add separately)
Level 1 (Self) — other-than-small~$4,042 / yr~$4,042 each yearImplementing the 15 requirements; tooling
Level 1 (Self) — small~$5,977 / yr~$5,977 each yearSame
Level 2 (Self) — small~$34,277~$37,196Remediation, tools, enclave, staff hours
Level 2 (Self) — other-than-small~$43,403~$48,827Same

Then build your real number in five steps:

  1. Pick your path— Level 1 (Self), Level 2 (Self), or “not sure” (which routes you to Find My CMMC Path before it shows you a misleading number).
  2. Pick your size model — SBA small entity or other-than-small, using the SBA size standard for your NAICS code, not a headcount rule.
  3. Enter your own labor ratesfor the roles that do the work (leadership, IT/security staff, and any outside provider), starting from the government’s model rates as clearly labeled 2023-dollar defaults.
  4. Add the excluded buckets — gap assessment, documentation, remediation, tooling, cloud/enclave, managed services, training, and contingency.
  5. Review by year and cycle— your assessment burden, your annual-affirmation burden, your three-year total, the excluded implementation total, and how far your real budget sits from the government’s figure.

This framework estimates labor and planning burden. It does not determine your required CMMC level, establish compliance, replace the contract clause, or constitute legal, contractual, or compliance advice. Do not enter CUI, drawings, system diagrams, contract text, or credentials — it only needs generalized categories and financial inputs.

What we actually verified

We built this page from primary sources and dated our checks. Where a figure is the government’s, we labeled it Government-published; where it’s an aggregate of provider guides, we labeled it market-reported; where it’s our judgment, we called it editorial.

Verified , against primary sources:

What we did not claim:a single “real total” market price (there isn’t one — your starting maturity dominates); that any specific provider is best; that your self-assessment is accurate; that your contract requires a particular level; or that the 60-day review will produce a specific outcome. Our market-reported ranges are aggregated from provider cost guides and are labeled as estimates that vary by scope and maturity.

CMMC self-assessment cost FAQ

FAQPage JSON-LD intentionally omitted — Google retired FAQ rich results May 7, 2026. The visible FAQ remains for readers and AI machine comprehension.

Is a CMMC self-assessment free?
No. It avoids a separate C3PAO invoice, but the government's own model assigns real cost to a self-assessment — about $4,000–$6,000 a year for Level 1 and roughly $37,000–$49,000 over a three-year cycle for Level 2 — and that's before any remediation.
What does the DoD estimate for a CMMC Level 1 self-assessment?
About $4,042 a year for a larger entity and $5,977 for a small entity, per the CMMC Program Rule's cost analysis (2023 dollars). It covers the assessment and annual affirmation, not implementing the 15 safeguarding requirements.
What does the DoD estimate for a CMMC Level 2 self-assessment?
For a small entity, about $34,277 for the initial assessment and affirmation and $37,196 over the three-year cycle; for a larger entity, about $43,403 initial and $48,827 over three years. Both exclude remediation and tooling.
Does the DoD figure include getting compliant with NIST 800-171?
No. The rule explicitly excludes implementation, because NIST SP 800-171 has been required under DFARS 252.204-7012 since December 31, 2017. If you haven't fully implemented it, that gap is your real cost.
Why is the Level 1 estimate higher for small businesses?
The government model assumes small entities use an external service provider for parts of the Level 1 assessment while larger entities use internal staff, which makes the small-entity figure run higher.
Is "small" just under 500 employees?
No. The rule uses SBA size standards, which vary by NAICS code and may be based on employees or revenue. Confirm your applicable standard.
Is a Level 2 self-assessment done every year?
No. The full Level 2 self-assessment is every three years; the affirmation is required at the assessment and annually thereafter.
Can I use a POA&M for Level 2, and what score do I need?
A limited POA&M can support a Conditional status only if you score at least 88 out of 110, the open items are eligible, and none of the requirements the rule bars from a POA&M appear on it — closed within 180 days. Level 1 permits no POA&Ms.
Does the July 2026 suspension mean I can stop?
No. The suspension paused the Level 2 (C3PAO) rollout. Level 1 and Level 2 self-assessments, DFARS 252.204-7012, SPRS submission, and False Claims Act exposure all remain in force.
Do I currently need a C3PAO?
During the suspension, contracting activities may designate Level 1 (Self) or Level 2 (Self), not Level 2 (C3PAO) or Level 3. Read your actual (amended) solicitation, contract, or flow-down rather than relying on general guidance.
Can the government still check my work?
Yes. The current guidance preserves select government-led assessments, and the rule allows a DCMA DIBCAC assessment to supersede a self-assessed status.
Does outsourcing IT to an MSP or cloud provider remove it from my scope?
No. Applicable services, shared responsibilities, and connected infrastructure can stay in scope, and the affirmation responsibility remains yours.
Is Level 2 (Self) the same as the old NIST 800-171 Basic Assessment?
No. They share the 110-requirement foundation, but the Basic Assessment is a DFARS 252.204-7019/-7020 score, while Level 2 (Self) is a 32 CFR Part 170 status with its own scope, status, and annual affirmation.
Does CMMC Level 2 use NIST 800-171 Rev. 2 or Rev. 3?
Revision 2, unless and until the controlling rule changes.
How long must I keep my assessment records?
Six years from the CMMC Status Date.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Do not submit CUI, drawings, system diagrams, credentials, contract attachments, or sensitive technical details.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

This article is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.

Related resources

Primary sources

Page last reviewed . Regulatory state last verified . Updated when official guidance changes. This page is educational research, not legal, contractual, assessment, or compliance advice.