STATUS — Phase II suspended . Self-assessments still required.
The Department suspended the Level 2 (C3PAO) expansion. Level 1 and Level 2 self-assessments, SPRS submission, annual affirmations, and False Claims Act exposure all remain in force. The cost figures on this page were not revised by the suspension. See what changed and what didn’t.
CMMC Self-Assessment Cost: What Level 1 and Level 2 Actually Run in 2026
~$4K–$6K
~$37K–$49K
CMMC self-assessment cost is not zero — but it’s also nowhere near the six-figure number you’ve been quoted for a third-party audit. The Department of Defense’s own estimate, published in the CMMC Program Rule (32 CFR Part 170) in 2023 dollars, is about $4,000–$6,000 a year for a Level 1 self-assessment and roughly $37,000–$49,000 over a three-year cycle for a Level 2self-assessment — when your contract lets you self-assess. Here’s the part almost every page buries: those figures cover the work of assessing and attesting— planning, gathering evidence, running the assessment, reporting to SPRS, and the affirmation — but not the work of getting compliant. That exclusion is deliberate, and it’s usually where the real money is.
| Path (self-assessment) | DoD estimate — assessment & affirmation only GOV-PUBLISHED | Cadence |
|---|---|---|
| Level 1 (Self) — FCI only | ~$4,000–$6,000 per year | Annual |
| Level 2 (Self) — CUI, where your contract permits | ~$37,000–$49,000 over the three-year cycle | Full assessment every 3 years + annual affirmations |
What’s not in those numbers: implementing the security requirements, closing gaps, tools, cloud or enclave changes, managed security, or ongoing maintenance. For most contractors, those excluded costs are the real budget — they can run well beyond the assessment itself. A firm already meeting the requirements might spend little; a firm starting from scratch can spend six figures. (Source: CMMC Program Rule, 32 CFR Part 170, Regulatory Impact Analysis.)
This page is for you ifyour solicitation, contract, or a prime’s flow-down points to Level 1 (Self) or Level 2 (Self), and you need to turn a vague range into a real budget.
This page is not your best starting point if you’re pricing a full Level 2 build-out (see our CMMC Level 2 cost guide), a C3PAOcertification audit, or you haven’t yet confirmed whether you handle FCI (Federal Contract Information) or CUI (Controlled Unclassified Information) — because that, and the contract clause, decide everything else.
The right CMMC provider isn’t the same for every contractor — the category you need depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Number labels used on this page:
- GOV-PUBLISHED Government-published— straight from the CMMC Program Rule’s cost analysis (2023 dollars).
- MARKET-REPORTED Market-reported — aggregated from current provider cost guides; vary widely by scope and starting maturity. Context, not the rule.
- EDITORIAL Editorial — our judgment, based on sourced facts.
How much does a CMMC self-assessment cost in 2026?
The DoD estimates a Level 1 (Self) assessment at about $4,000–$6,000 per year and a Level 2 (Self) assessment at roughly $37,000–$49,000 across a three-year cycle, per the CMMC Program Rule’s cost analysis in 2023 dollars. Those figures cover planning and preparation, conducting and scoring the assessment, reporting the result, and the affirmations — not implementing the security requirements. Your true all-in cost depends almost entirely on how close your environment already is to those requirements.
Let’s put the government’s numbers next to reality. The left side is what the rule modeled. The right side is what defense contractors actually spend once you count the work the model skips — figures aggregated from current provider cost guides, labeled as market estimates that vary widely.
| Path | DoD estimate — assessment & affirmation only GOV-PUBLISHED | What it covers | What it excludes | Real all-in, year one MARKET-REPORTED |
|---|---|---|---|---|
| Level 1 (Self) | ~$4,000–$6,000 / yr | Planning, conducting, reporting, and the annual affirmation | Implementing the 15 safeguarding requirements, tooling | ~$5,000–$20,000 |
| Level 2 (Self) | ~$37,000–$49,000 / 3-yr cycle | Planning and prep (including gathering evidence), conducting and scoring, reporting, and affirmations | Remediation to meet the 110 requirements, tools, enclave, staff hours | ~$37,000–$80,000+ for a small firm; more with a large CUI footprint |
| Level 2 (C3PAO) — contrast only; not a self-assessment | ~$104,670 (small) / ~$117,768 (other-than-small) / 3-yr | The third-party audit + prep + affirmations | Same remediation as above | See our Level 2 cost guide |
The sentence that ends the confusion:
The DoD’s figure is what it costs to measure and attest — not what it costs to comply.If your systems already meet NIST SP 800-171, the assessment really can land near the government number. If they don’t, the gap between where you are and where you need to be isyour cost, and it isn’t in that estimate.
The four government figures — initial year vs. three-year cycle
Contractors get burned comparing a provider quote to the wrong government number. Here are the actual figures broken out by initial year and full cycle, per the rule’s cost analysis (2023 dollars, GOV-PUBLISHED):
| Path & size | Initial assessment + affirmation | Full three-year cycle |
|---|---|---|
| Level 1 (Self) — other-than-small | ~$4,042 / yr | ~$4,042 each year |
| Level 1 (Self) — small entity | ~$5,977 / yr | ~$5,977 each year |
| Level 2 (Self) — small entity | ~$34,277 | ~$37,196 |
| Level 2 (Self) — other-than-small | ~$43,403 | ~$48,827 |
Two things to take from this table. First, the Level 2 three-year figure is not one immediate charge and notan even annual cost — most of it lands in the initial assessment year, with smaller annual-affirmation costs after. Second, whether you’re “small” isn’t a headcount rule — the government model uses SBA size standards, which vary by NAICS code and can be based on employees or revenue. Confirm your applicable NAICS standard before you assume which model fits you.
Why is the Level 1 small-business estimate higher than the large-business one?
Because the model doesn’t scale the way you’d expect. For Level 1, the small-entity figure (~$5,977) runs higher than the other-than-small figure (~$4,042); for Level 2, it flips, and the small figure (~$37,196) runs lowerthan the large one (~$48,827). It’s not a typo. The government model assumes an external service provider performs portions of the Level 1 planning, assessment, and reporting for the small-entity case, while the other-than-small case uses internal management and IT labor — which pushes the small-entity Level 1 number up. The practical lesson: your headcount is a weak predictor of your real cost. What you handle, how tightly you’ve scoped it, and how mature your controls already are will move your number far more.
▶ Put your own rates behind these figures → — the government model uses assumed labor rates. Plug in yours, then add the excluded line items, for a budget you can take to your CFO.
Why is the DoD’s estimate so much lower than what contractors actually pay?
Because the government figure covers only assessment and affirmation labor — it explicitly excludes implementation. In the rule’s cost analysis, the Department stated it “did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204-21 (2016) and DFARS clause 252.204-7012,” with compliance due by December 31, 2017. If your environment isn’t already at that standard, the remediation to get there is your real cost — and it lives outside the government number.
This is the single most important thing to understand about CMMC self-assessment cost, so we’ll be blunt: the government assumed you’d already spent the money. NIST SP 800-171 — the 110-requirement standard behind Level 2 — has been a contractual obligation for years under DFARS 252.204-7012. The cost model treats the assessment as a verificationexercise layered on top of requirements that “should already have been incurred.” In practice, plenty of small and mid-size contractors never fully closed that gap. If that’s you, your self-assessment is cheap; your remediation is not.
That’s why every honest breakdown separates two things the government estimate blurs:
- Assessment activity GOV-PUBLISHED (what the DoD priced): planning and preparation — including gathering or developing evidence — conducting and scoring the assessment, reporting to SPRS, and the affirmation.
- Getting compliant MARKET-REPORTED (what the DoD excluded): closing gaps against the requirements, plus the tools and staff time to run them.
For a firm starting from a modern-but-not-compliant IT stack, provider cost guides put remediation anywhere from roughly $10,000 to $250,000+ MARKET-REPORTED— it’s the widest and most variable line, because your starting point dominates. The government estimate does not include a dollar of it.
Which CMMC self-assessment do I actually owe — Level 1, Level 2 (Self), or a C3PAO?
The data you handle sets your minimum, but the applicable contract clause or flow-down is what creates the obligation. If a requirement calls for Level 1 (Self) for a scope that handles FCI, that self-assessment is annual. If a requirement calls for Level 2 (Self) for a scope that handles CUI, that self-assessment is every three years, with an affirmation at the assessment and annually after. If your contract specifies a C3PAO assessment, that is not a self-assessment — and its rollout is currently suspended.
Most “cost” confusion is really scenario confusion — people compare their situation to the wrong number. Find yourself here first:
| If a contract/flow-down requires… for a scope that handles… | You conduct… | Key rules |
|---|---|---|
| Level 1 (Self) — FCI only | A Level 1 self-assessment, annually | 15 safeguarding requirements from FAR 52.204-21(b)(1); results + affirmation in SPRS; no POA&Ms — all 15 must be met (32 CFR 170.15) |
| Level 2 (Self) — CUI | A Level 2 self-assessment, every 3 years | 110 NIST SP 800-171 Rev. 2 security requirements; scored in SPRS; POA&Ms limited, closed within 180 days; annual affirmation (32 CFR 170.16) |
| Level 2 (C3PAO) — CUI | A third-party certification — not a self-assessment SUSPENDED | Governed by 32 CFR 170.17. This is the requirement the July 2026 suspension paused — see below. (32 CFR 170.17) |
One clarification that trips people up: Level 1 is 15 security requirements, drawn from FAR 52.204-21(b)(1). You’ll sometimes see “17” — that’s because those 15 requirements map to 17 NIST SP 800-171 Rev. 2 security requirements (one FAR requirement is split into three parts; the other 14 align). Level 2 is the full 110 security requirements across 14 families, assessed against the 320 assessment objectivesin NIST SP 800-171A. If you handle CUI, don’t talk yourself into Level 1 because it’s cheaper — the data you touch, and the clause, set the level.
Not sure which level your contract triggers?
Find My CMMC Path →What actually drives your CMMC self-assessment cost?
Four things move the number: how close your environment already is to NIST SP 800-171 (by far the biggest driver), your CUI scope, how much documentation help you need, and whether you use outside consultants or a managed provider. Company size is a weak predictor — a small, tightly scoped enclave can be cheaper to assess than a larger but sprawling flat network.
Here’s where the money in a real Level 2 self-assessment budget tends to go. These are market-reported estimates, not government figures, and yours will vary:
| Cost bucket | Market-reported range MARKET-REPORTED | Notes |
|---|---|---|
| Gap assessment | $3,500–$20,000 | Establishes your current gaps before you scope remediation spending |
| Remediation / control implementation | $10,000–$250,000+ | The single largest and most variable line; driven by your starting maturity |
| SSP & documentation | $12,000–$60,000 (or internal hours) | You can't complete a Level 2 assessment without a current System Security Plan describing each in-scope system |
| vCISO / consulting | $250–$400 / hr | Interpretation, scoping, and evidence review |
| CUI enclave | ~$300–$400 / user / mo | Isolating CUI can meaningfully cut everything else by shrinking scope |
| Security tooling | $10,000–$50,000 / yr | Encryption, EDR, SIEM, vulnerability scanning |
| Internal staff time (Level 2) | Hundreds of hours | Documentation, evidence collection, coordination — routinely underbudgeted |
The highest-leverage move most contractors miss is scope reduction. Assets that process, store, or transmit CUI are in scope and get assessed against the Level 2 requirements; other asset categories get the treatment specified in 32 CFR 170.19. If CUI is scattered across your whole network, your whole network tends to be in scope. Pull that CUI into a defined enclave — when your asset categorization, data flows, and technical boundary actually support it — and you shrink what you have to secure, document, and assess. It’s not right for everyone (if CUI already lives everywhere, an enclave can be a bigger project than it saves), but it’s the first question worth asking.
Depending on your scope and the gaps you find, remediation may include multi-factor authentication, logging and monitoring, FIPS-validated encryption where cryptography protects CUI, network segmentation, an SSP that reflects reality, and the staff time to run it all. None of that is in the government’s assessment figure.
How is a self-assessment scored, what goes into SPRS, and can I use a POA&M?
A Level 2 self-assessment produces a numerical score under the DoD Assessment Methodology in 32 CFR 170.24: you start at 110 and subtract points for each requirement you haven’t fully met, down to a floor of −203. Level 1 is different — it’s a pass/fail result where all 15 requirements must be met. The score itself is free to calculate; the cost is closing the gap between your current score and the threshold you need.
How the Level 2 score works
Start at 110 and subtract 5, 3, or 1 point for each security requirement you have not fully implemented, down to a floor of −203. Higher-impact requirements carry the 5-point weight. Two requirements carry an adjusteddeduction — multi-factor authentication (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11) — where you lose 5 or 3 points depending on how far you’ve implemented them. There’s a common myth that scoring is strictly all-or-nothing; those two requirements are the documented exception. The lower your starting score, the higher your remediation bill. For a full walkthrough of how to calculate and submit it, see our SPRS score guide — that page covers the how; this one covers the cost.
What goes into SPRS
Level 1 and Level 2 report differently. Level 1 submits a compliance result and affirmation. A Level 2 self-assessment record includes, at minimum: your CMMC level, the CMMC Status Date, the CMMC Assessment Scope, all CAGE codes for the in-scope information systems, your overall Level 2 score, and POA&M status if applicable (32 CFR 170.16). And note: you can’t complete a Level 2 assessment at all without a current SSP describing each system in scope — the scoring methodology requires it.
Can I use a POA&M, and what score do I need?
For Level 2, a limited Plan of Action & Milestones (POA&M) can support a Conditional status only if you score at least 88 out of 110 (80%), the outstanding items are eligible (generally 1-point items, with a narrow encryption exception), and none of the requirements the rule bars from a POA&M appear on it (32 CFR 170.21). You must close it within 180 days of your Conditional status date. Level 1 permits no POA&Ms— all 15 requirements must be met before you affirm. Budget for the fact that any open POA&M item is remediation you still owe, on a clock.
Did the July 2026 CMMC suspension change what a self-assessment costs — or whether I still need one?
No. Self-assessments still apply. On , the Department of War suspended CMMC Phase II — the expansion that was set to introduce Level 2 (C3PAO) requirements where applicable, scheduled for November 10, 2026 — and paused all pending and future CMMC milestones for a 60-day review. The suspension did not revise the cost benchmarks in the 2024 CMMC Program Rule, and it did not touch Level 1 and Level 2 self-assessments, DFARS 252.204-7012, NIST SP 800-171 Rev. 2, SPRS submission, or False Claims Act exposure.
This matters, because as of this writing almost every competing cost page still treats November 10, 2026 as a live certification deadline. It isn’t — but the self-assessment requirement you’re budgeting for is exactly the piece that survived.
The CMMC phase timeline, as it stands:
- Phase 1: November 10, 2025 – November 9, 2026 — Level 1 (Self) and Level 2 (Self) requirements in applicable solicitations.
- Phase 2: was scheduled to begin November 10, 2026, adding Level 2 (C3PAO) requirements where applicable.
- Phase II suspended; pending and future milestones paused for a 60-day review; Phase 1 self-assessments remain in place.
| Your situation | What it changes | What to do |
|---|---|---|
| A pre-July solicitation still names Level 2 (C3PAO) | The requirement is to be amended, but a press release doesn't rewrite your contract | Request the solicitation amendment from your contracting officer; confirm with the prime and, where material, qualified counsel or an RP/RPO |
| An active contract has a C3PAO requirement | To be removed by modification per the guidance | Read the actual contract modification — don't assume |
| Your requirement is Level 2 (Self) | Unchanged | Keep doing your NIST SP 800-171 work |
| You hold a DFARS 252.204-7012 clause | Remains in effect | Continue safeguarding and incident-reporting obligations |
Our read EDITORIAL, based on the sourced facts:
The Department announced a 60-day review, with recommendations due around mid-September. The form, timing, and substance of any resulting change are not established by the release. But the underlying self-assessment obligation is unchanged today— so pausing your NIST SP 800-171 work on the theory that “CMMC is dead” is the expensive bet, not the safe one.
Is the CMMC self-assessment really “free”? What’s the catch?
A self-assessment avoids a separate C3PAO certification-assessment invoice — but it is not free, and signing it is not risk-free. “Self-assessed” also doesn’t mean “unchecked.” Even during the current suspension, the government continues to run select government-led assessments, and the rule lets a DCMA DIBCAC assessment supersede your self-assessed status. Your SPRS score is a formal representation to the government, and knowingly overstating it can create False Claims Act exposure.
Case: MORSECORP $4.6M settlementFALSE CLAIMS ACT
In March 2025, defense contractor MORSECORP agreed to pay $4.6 million to settle False Claims Act allegations after it submitted an SPRS score of 104 in January 2021 when its true implementation was about 22% of the NIST SP 800-171 requirements — a real score of −142 — and then delayed correcting it. The whistleblower (MORSE’s own head of security) received about $851,000 of the settlement.
Source: DOJ Office of Public Affairs. This is one case; False Claims Act liability turns on the legal elements being met — a data breach isn’t required.
Now the hopeful part, because this is very manageable: the fix isn’t to spend more on the assessment — it’s to make your score honest and defensible.That means a real gap assessment, an SSP that matches what you actually do, and evidence you could put in front of an assessor. A low score isn’t the risk. A score that overstates the truth is. A cheap self-assessment, done carefully, is a strength — not a liability.
If you’re worried your honest score is low, that’s a remediation project, not a paperwork problem. Don’t inflate the number to make it go away — close the gap. See where the money goes, or get matched to readiness help.
Is CMMC Level 2 (Self) the same as the legacy NIST SP 800-171 “Basic Assessment”?
No. The legacy Basic Assessment under DFARS 252.204-7019/-7020 is a contractor-generated NIST SP 800-171 score using the DoD Assessment Methodology, posted to SPRS. CMMC Level 2 (Self) is a formal statusunder 32 CFR Part 170 and DFARS 252.204-7021, with CMMC-specific scope, a status and unique identifier, an annual affirmation, and defined cadence. They share the same 110-requirement foundation, but they are not interchangeable — and your contract’s clause package tells you which one you owe.
This has a real cost consequence. You may already hold a current SPRS score from the older Basic Assessment regime and assume you’re done. You may not be. Moving to a valid Level 2 (Self) status can still require you to reconfirm your CMMC scope, reassess against the current CMMC procedures, produce defensible evidence, establish the CMMC status, and complete the affirmation.
| Legacy Basic Assessment | CMMC Level 2 (Self) | |
|---|---|---|
| Governing authority | DFARS 252.204-7019/-7020; DoD Assessment Methodology | 32 CFR Part 170; DFARS 252.204-7021 |
| Result | A NIST SP 800-171 score in SPRS | A Conditional or Final Level 2 (Self) status |
| Annual affirmation | Not the same mechanism | Required, by an affirming official, in SPRS |
| Interchangeable? | No — read your actual solicitation, contract, and applicable clauses. |
Both use a 110-point weighted model derived from NIST SP 800-171, but you must follow the scoring, scope, status, affirmation, and submission procedure tied to your applicable clause and CMMC requirement. The math rhymes; the program wrapper is new.
How often do Level 2 self-assessments and affirmations happen?
A Level 2 (Self) status can stay current for up to three years, but an affirming official — the senior official responsible for the affirmation — must submit an affirmation of continuing compliance at the assessment and annually thereafter. The annual affirmation is not automatically another full 110-requirement assessment, but you must maintain the requirements and evidence needed to make it truthfully, and you must retain your assessment artifacts for six years from the CMMC Status Date.
For budgeting, the three-year cadence looks like this:
- Year 1: full self-assessment, post the score and status in SPRS, submit the initial affirmation. (This is where most of the government-modeled cost lands.)
- Year 2: maintain the requirements and evidence, submit the annual affirmation.
- Year 3: maintain, submit the annual affirmation, and prepare for a fresh full self-assessment before the status goes stale.
Two details keep contractors honest. Don’t budget the three-year figure as an even annual charge — the assessment year carries the bulk. And factor in the ongoing evidence-management overhead: the rule requires you to retain assessment artifacts for six years from the CMMC Status Date (32 CFR 170.16), not just survive the assessment sprint.
Does using an MSP, MSSP, or cloud provider remove it from my CMMC scope?
No. Handing security or IT to an external service provider (ESP), managed security provider (MSSP), or cloud service provider (CSP) does not automatically remove those services from your CMMC assessment scope. The applicable services, the shared responsibilities, the documentation of who does what, and any on-premises infrastructure connected to the provider can all remain relevant to your assessment.
This matters for cost because contractors sometimes assume “we outsourced IT, so we’re covered.” You’re not automatically covered — you’re responsible for documenting how each requirement is met, including the parts your provider handles, and for the evidence behind them. A capable managed provider can carry much of the implementationload, but the assessment scope and the affirmation responsibility stay with you. The rule addresses ESP and CSP treatment specifically; confirm how your provider’s services map into your scope before you assume they’re out of it.
Do I need a separate self-assessment for every CAGE code or environment?
Not necessarily one per CAGE code — but your SPRS record must associate all the industry CAGE codes tied to the information systems in your assessment scope, and a genuinely separate environment can require its own assessment. The unit of assessment is the CMMC Assessment Scope, not simply “the company.”
The practical cost angle: if you run multiple, genuinely segmented environments — say, one enclave that handles CUI and a separate corporate network that doesn’t — you scope and assess based on what actually touches FCI or CUI, and your SPRS record reflects the CAGE codes for those in-scope systems. Don’t reduce this to a reflexive “one company, one score.” Map your environments and data flows first; that mapping is what tells you how many assessments, and how much cost, you’re really facing.
Can an RPO, consultant, or MSP help — and does that change what I owe?
Yes. Registered Practitioners, consultants, MSSPs, GRC platforms, and enclave providers can all help you interpret requirements, scope your environment, implement controls, and organize evidence — but you remain responsible for the accuracy of your self-assessment and affirmation. Buying help does not turn a self-assessment into a C3PAO certification, and no provider can guarantee a compliant status or a certification outcome.
Which category you want depends on the gap you actually have. Here’s how to think about it — no vendor names, just the categories and what each is (and isn’t) good for:
| Category | Best for | Not the right fit for | Ask before you hire |
|---|---|---|---|
| RPO / RP (Registered Provider Organization / Practitioner) | Requirement interpretation, gap assessment, scoping, SSP/POA&M structure, readiness | 24/7 security operations; a formal C3PAO assessment | For a sample gap report and scoping deliverable |
| MSSP (Managed Security Service Provider) | Implementing and running controls — identity, endpoint, monitoring, logging, backup; cloud administration | Contract interpretation; legal advice; independent assessment | Exactly which requirements they own vs. leave to you |
| GRC platform | Mapping requirements, evidence workflows, SSP/POA&M, affirmation calendars | Technical implementation or scoping judgment on its own — software alone does not make you compliant | Whether it produces assessor-ready evidence, not just checklists |
| CUI enclave | Deliberate scope reduction — isolating CUI into a bounded, defensible environment | Contractors whose CUI already lives everywhere, or who haven't confirmed they handle CUI | The shared-responsibility matrix, in writing |
| C3PAO (Certified Third-Party Assessment Organization) | Formal Level 2 certification when validly required | A current Level 1 or Level 2 (Self) requirement — and new C3PAO designations are paused during the 2026 review | Their active Cyber AB Marketplace status |
One rule the program enforces, and you should too: keep readiness help and formal assessment separate. Under 32 CFR 170.8(b)(17) and the CMMC Code of Professional Conduct, a CMMC Ecosystem member may not participate in the Level 2 certification assessment for an organization it served as a consultant within the prior three years— and that bar applies regardless of which level the earlier consulting prepared you for. If a vendor offers to “get you ready and certify you,” that’s a conflict worth questioning.
This is the logic behind The CMMC Path Framework — our named method for mapping your required CMMC level, FCI vs. CUI handling, assessment type, IT and cloud environment, and contract timeline to the category of help you need. It routes to a category, never a named provider, and it is not a score, a ranking, or compliance advice.
Get matched with source-checked provider options.
Find My CMMC Path →Calculate your own CMMC self-assessment cost
Start with the government’s model, then make it yours. The DoD’s estimate is built on assumed labor for assessment, reporting, and affirmation. Swap in your own loaded internal and external rates, then add the implementation and operating costs the rule excludes. That gives you a defensible planning budget instead of a generic range that fits nobody.
The official figures to start from GOV-PUBLISHED (2023 dollars):
| Path & size | Initial assessment + affirmation | Full three-year cycle | What’s excluded (add separately) |
|---|---|---|---|
| Level 1 (Self) — other-than-small | ~$4,042 / yr | ~$4,042 each year | Implementing the 15 requirements; tooling |
| Level 1 (Self) — small | ~$5,977 / yr | ~$5,977 each year | Same |
| Level 2 (Self) — small | ~$34,277 | ~$37,196 | Remediation, tools, enclave, staff hours |
| Level 2 (Self) — other-than-small | ~$43,403 | ~$48,827 | Same |
Then build your real number in five steps:
- Pick your path— Level 1 (Self), Level 2 (Self), or “not sure” (which routes you to Find My CMMC Path before it shows you a misleading number).
- Pick your size model — SBA small entity or other-than-small, using the SBA size standard for your NAICS code, not a headcount rule.
- Enter your own labor ratesfor the roles that do the work (leadership, IT/security staff, and any outside provider), starting from the government’s model rates as clearly labeled 2023-dollar defaults.
- Add the excluded buckets — gap assessment, documentation, remediation, tooling, cloud/enclave, managed services, training, and contingency.
- Review by year and cycle— your assessment burden, your annual-affirmation burden, your three-year total, the excluded implementation total, and how far your real budget sits from the government’s figure.
What we actually verified
We built this page from primary sources and dated our checks. Where a figure is the government’s, we labeled it Government-published; where it’s an aggregate of provider guides, we labeled it market-reported; where it’s our judgment, we called it editorial.
Verified , against primary sources:
- The Phase II suspension, the continuing self-assessment requirement, the permitted Level 1/Level 2 (Self) designations, and continued DFARS 252.204-7012 obligations — against the Department of War release and its implementation memorandum.
- The government cost estimates by level and by initial-year vs. three-year cycle — against the CMMC Program Rule (32 CFR Part 170) Regulatory Impact Analysis, in 2023 dollars — including the rule’s stated exclusion of Level 1 and Level 2 implementation and remediation.
- Level 1 (15 requirements; annual; no POA&Ms), Level 2 (110 requirements across 14 families; 320 assessment objectives; triennial; annual affirmation), the SPRS scoring methodology (110 to −203, with the two adjusted-deduction requirements), the 88/110 POA&M threshold and 180-day closeout, the minimum SPRS inputs, and six-year artifact retention — against 32 CFR 170.15, 170.16, 170.21, and 170.24.
- The three-year consultant conflict-of-interest bar — against 32 CFR 170.8(b)(17) and the CMMC Code of Professional Conduct.
- That CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3, unless and until the rule changes.
- The MORSECORP $4.6M settlement facts — against the DOJ Office of Public Affairs press release.
CMMC self-assessment cost FAQ
- Is a CMMC self-assessment free?
- What does the DoD estimate for a CMMC Level 1 self-assessment?
- What does the DoD estimate for a CMMC Level 2 self-assessment?
- Does the DoD figure include getting compliant with NIST 800-171?
- Why is the Level 1 estimate higher for small businesses?
- Is "small" just under 500 employees?
- Is a Level 2 self-assessment done every year?
- Can I use a POA&M for Level 2, and what score do I need?
- Does the July 2026 suspension mean I can stop?
- Do I currently need a C3PAO?
- Can the government still check my work?
- Does outsourcing IT to an MSP or cloud provider remove it from my scope?
- Is Level 2 (Self) the same as the old NIST 800-171 Basic Assessment?
- Does CMMC Level 2 use NIST 800-171 Rev. 2 or Rev. 3?
- How long must I keep my assessment records?
Need help deciding what type of CMMC provider you need?
Related resources
- CMMC Level 2 Cost: DoD vs. Real Market ($37K–$300K+)
- CMMC Certification Cost Guide
- CMMC Level 2 Assessment Guide
- SPRS Score: How to Calculate and Submit
- CMMC Phase 2 Suspended: What Still Binds You
- Is CMMC Still Required After the Suspension?
- False Claims Act Risk and CMMC
- CMMC Annual Affirmation Legal Liability
- CMMC Readiness Checklist (Download)
- CMMC Self-Assessment Services & Consultant Guide
- CMMC 2.0 Explained
- What Is CMMC?