
How Much Does CMMC Cost and How Long Does It Take?

Real numbers for Level 1 and Level 2 — C3PAO fees, remediation costs, internal time, and a month-by-month roadmap so you can actually plan for this.

11 min read · Updated 2026

Quick answer

The honest range is wide because your starting point matters more than almost anything else. Here's the summary before we go deeper:

CMMC Level 1

$5K–$30K Total first-year cost · 1–3 months
  • 17 basic controls only
  • Annual self-assessment — no C3PAO
  • Main cost: internal time + tech gaps
  • Covers FCI (Federal Contract Information)

CMMC Level 2

$100K–$500K Total first-year cost · 9–18 months
  • All 110 NIST SP 800-171 controls
  • C3PAO third-party assessment required
  • Biggest variable: remediation depth
  • Covers CUI (Controlled Unclassified Info)

The most important thing to understand: These ranges are wide because your current readiness determines most of your cost. An organization starting with an SPRS score of 85 and strong documentation will spend far less than one starting at 40 with no SSP. Before you can budget accurately, you need to know where you actually stand. A free gap assessment closes that uncertainty fast.

CMMC Level 1 cost breakdown

Level 1 covers the 17 basic cybersecurity practices from FAR 52.204-21. It applies to contractors handling Federal Contract Information (FCI) but not Controlled Unclassified Information. There is no C3PAO assessment — Level 1 is annual self-assessment with an authorized official affirming compliance.

Most organizations handling only FCI at Level 1 find that they're already meeting the majority of requirements. The 17 controls are basic hygiene: limit access to authorized users, sanitize or destroy media, limit physical access, scan for malware, maintain system security, and a handful of others. Total cost is mostly internal staff time.

Cost category | What it covers | Level 1 range
Gap assessment (internal time) | 1–2 days of IT/compliance staff time | $500–$3,000
Technology gaps | MFA tools, endpoint protection, access controls | $1,000–$10,000
Policy documentation | Written policies if not already in place | $500–$5,000
Consulting (optional) | RPO help with assessment and documentation | $0–$15,000
Total, Level 1 | | $5,000–$30,000

CMMC Level 2 cost breakdown

Level 2 is the one that applies to most defense contractors handling CUI — and where the real cost and complexity lives. It requires all 110 NIST SP 800-171 controls and a formal assessment by a Certified Third-Party Assessment Organization (C3PAO).

Cost category | What it covers | Typical range
Gap assessment | Internal or RPO-assisted; creates your remediation roadmap | $5,000–$25,000
Remediation — technology | SIEM, MFA, encryption, endpoint tools, GCC High if needed | $20,000–$150,000
Remediation — consulting | RPO or consultant to implement controls and build documentation | $20,000–$100,000
Internal staff time | IT, security, compliance staff hours across 9–18 months | $15,000–$75,000
System Security Plan (SSP) and documentation | Writing, reviewing, and maintaining the SSP and POA&M | $5,000–$20,000
Compliance tooling | GRC platform, continuous monitoring, policy management software | $5,000–$30,000/yr
C3PAO assessment fee | Third-party assessment; required for most Level 2 contracts | $50,000–$150,000
Total, Level 2 (first year) | | $100,000–$500,000+

Where the range collapses: Organizations with a current SPRS score above 85, an existing SSP, and mature documentation spend toward the low end — often $100K–$150K total. Those starting from an SPRS score below 50 with no SSP and significant technology gaps spend toward the high end. The C3PAO fee is roughly fixed regardless of your readiness — remediation is the variable that drives the range.

What actually drives cost up or down

Factor | Effect | Why it matters
Current SPRS score | Lower cost if high | Every unimplemented control costs money to remediate. A score of 90+ means minimal remediation work before assessment.
Existing SSP and documentation | Lower cost if exists | A complete, current SSP can save $15,000–$30,000 in consulting time and significantly speeds up fieldwork.
CUI environment scope | Higher cost if broad | Every system that touches CUI is in scope. Narrowing your CUI environment before assessment reduces complexity and assessor time.
Microsoft GCC High requirement | Higher cost if needed | If your contracts require GCC High for email and collaboration, licensing alone runs $20–$35 per user per month; significant for larger teams.
Organization size | Higher cost if larger | More systems, more users, more endpoints; all increase assessment scope, assessor time, and remediation complexity.
In-house security expertise | Lower cost if strong | Organizations with experienced internal security staff spend far less on consulting. External consultants run $150–$350/hour.
Prior NIST 800-171 or ISO 27001 work | Lower cost if done | Existing mature security programs map substantially to NIST 800-171. Less to build from scratch.

Level 1 timeline

Level 1 is achievable in 4–12 weeks for most organizations. The 17 controls are not technically complex, and self-assessment is straightforward. The main delays are documentation (if policies don't exist) and closing any technology gaps found during assessment.

Level 2 timeline: month by month

Level 2 is a 9–18 month commitment for most organizations. Here's the realistic breakdown:

Month 1–2: Gap assessment and planning (4–8 weeks)

Assess your current NIST SP 800-171 implementation, calculate your real SPRS score, and build a prioritized remediation roadmap. Define your CUI scope — which systems, people, and locations touch CUI. The smaller you can define this boundary legitimately, the faster and cheaper the rest of the process.

Month 2–10: Remediation (2–10 months depending on starting point)

Implement missing controls in priority order — highest SPRS point value first. This is where most of the cost and time lives. Technology deployments (SIEM, MFA, encryption), policy and procedure documentation, SSP writing, and POA&M management. Organizations starting near 88 can move through this in 2–3 months; those starting at 40–60 typically need 6–10 months.

Month 8–12: Pre-assessment preparation and C3PAO selection (4–8 weeks; book your C3PAO early)

Book your C3PAO — slots fill up months in advance. Prepare your evidence package: SSP, POA&M, access review records, audit logs, configuration documentation, training records, and incident response artifacts. A well-organized evidence package materially speeds up fieldwork and reduces assessor hours billed.

Month 12–18: C3PAO assessment and certification (8–16 weeks from assessment start to certification)

The assessment itself involves document review, personnel interviews, and technical testing. Fieldwork typically runs 1–4 weeks depending on organization size. After fieldwork, the C3PAO submits findings to the Cyber AB. Certification is issued after Cyber AB review — typically 4–8 weeks post-assessment. Your CMMC Level 2 certification is valid for 3 years.

The C3PAO slot problem

This is the constraint most contractors don't plan for until it's too late. As CMMC requirements appear in more DoD solicitations, C3PAO demand is growing faster than assessor supply. Many C3PAOs are booked 3–6 months out. Some organizations complete all their remediation work and then wait months for an assessment slot — losing contract opportunities in the interim.

Don't wait until you're ready to book your C3PAO. Reach out to multiple C3PAOs as soon as you have a realistic remediation timeline — ideally 4–6 months before your target assessment date. Get on their calendar, understand their evidence package requirements, and build your pre-assessment prep around their process. Being on a waitlist early is far better than scrambling for a slot after remediation is complete.

How to reduce your CMMC costs

  1. Scope your CUI environment as tightly as possible Every system in scope adds assessment complexity and cost. Work with legal and operations to understand exactly which systems, users, and locations legitimately need to touch CUI — and isolate CUI to that environment. Enclaves, segmentation, and GCC High can all help contain scope.
  2. Invest in your SSP early A complete, accurate System Security Plan is the foundation for everything. Organizations with a well-maintained SSP move through C3PAO fieldwork significantly faster — reducing the assessor hours you're billed for. Sloppy or incomplete SSPs are one of the biggest sources of unexpected cost overruns.
  3. Prioritize remediation by SPRS point value Don't fix easy controls first. Fix high-value controls first. Getting your SPRS score to 88+ opens POA&M eligibility, which lets you proceed to assessment before everything is perfect. See the SPRS score guide for the specific controls to prioritize.
  4. Build internal capability instead of outsourcing everything Consultants bill $150–$350/hour. For CMMC, you'll need ongoing compliance capacity — not just a one-time engagement. Investing in training an internal resource or hiring a part-time CISO equivalent is often cheaper over a 3-year certification cycle than perpetual consulting.
  5. Get quotes from multiple C3PAOs Assessment fees vary significantly between C3PAOs — sometimes by $30,000–$50,000 for similar scope. Get at least three quotes. Understand what's included, what's billed hourly, and what happens if additional issues are found during fieldwork.
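Item 3 above and the remediation step in the timeline both say to work controls in SPRS point order, ideally by points gained per hour of work. The script below is an added example (not the page's or any vendor's code) that scores a gap list the way SPRS does and produces that ordering; the control inventory and effort estimates are constructed, the 1/3/5 deduction weights are assumed from the DoD Assessment Methodology, and 88 is the POA&M threshold the page cites.

```python
"""Added example (not from the page): score a NIST SP 800-171 gap list the way
SPRS does and order remediation by points recovered per hour of work.
Inventory and effort estimates are constructed; 1/3/5 weights are assumed
from the DoD Assessment Methodology; 88 is the page's POA&M threshold."""
from dataclasses import dataclass

MAX_SCORE = 110        # a fully implemented SP 800-171 baseline scores 110
POAM_THRESHOLD = 88    # score at which the page says POA&M eligibility opens

@dataclass(frozen=True)
class Control:
    cid: str             # NIST SP 800-171 requirement identifier
    weight: int          # points deducted while open (assumed 1, 3 or 5)
    implemented: bool
    effort_hours: float  # constructed estimate of hours to close the gap

# Constructed inventory: 10 of the 110 controls, 9 of them still open.
SAMPLE_INVENTORY = [
    Control("3.1.1", 5, False, 40),    # limit system access to authorized users
    Control("3.1.5", 3, False, 16),    # least privilege
    Control("3.1.20", 1, False, 4),    # control connections to external systems
    Control("3.2.1", 1, False, 8),     # security awareness training
    Control("3.3.1", 5, False, 30),    # audit logging
    Control("3.5.3", 5, False, 60),    # multifactor authentication
    Control("3.6.1", 5, False, 24),    # incident handling capability
    Control("3.8.3", 5, True, 0),      # media sanitization (already done)
    Control("3.12.4", 5, False, 40),   # system security plan
    Control("3.13.11", 5, False, 80),  # FIPS-validated cryptography
]

def sprs_score(controls):
    """Start at 110 and deduct each open control's weight."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)

def remediation_order(controls):
    """Open controls, most points per hour first; ties go to the heavier control."""
    open_controls = [c for c in controls if not c.implemented]
    return sorted(open_controls, key=lambda c: (-c.weight / c.effort_hours, -c.weight))

def plan_to_threshold(controls, threshold=POAM_THRESHOLD):
    """Greedy plan: work the prioritized list until the score reaches threshold.
    Returns (control ids to fix, resulting score, total hours)."""
    score, chosen, hours = sprs_score(controls), [], 0.0
    for c in remediation_order(controls):
        if score >= threshold:
            break
        chosen.append(c.cid)
        score += c.weight
        hours += c.effort_hours
    return chosen, score, hours
```

On the constructed inventory the starting score is 75 and the greedy plan reaches 89 after four controls and 74 hours; the ordering is a points-per-hour heuristic, not an optimal selection, so treat it as a first cut at the roadmap.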

Ongoing costs after certification

CMMC Level 2 certification lasts 3 years, but compliance is continuous. Budget for annual ongoing costs or you'll face a scramble before your triennial re-assessment.

Plan for $20,000–$60,000 per year in ongoing compliance costs between assessments, plus the triennial re-assessment. Over a 3-year cycle, the total cost of CMMC Level 2 is typically $160,000–$650,000 including initial certification and ongoing maintenance.

For a complete picture of what the certification process involves beyond cost and timeline, see our CMMC Level 2 guide. And for help understanding your current SPRS score and how to move it — including which specific controls give you the most points per hour of work — see the SPRS score guide.

Find out where you stand before you budget

Run a free gap assessment to see which NIST 800-171 controls you're missing — and get a realistic picture of what remediation will actually cost you.


Frequently asked questions

CMMC Level 2 total costs typically range from $100,000 to $500,000 for small to mid-sized defense contractors, depending on your current readiness, organization size, and how much remediation is needed. The C3PAO assessment itself runs $50,000–$150,000. Remediation costs — technology, consulting, and internal time — are usually the larger variable, ranging from $50,000 to $300,000+ depending on how many of the 110 NIST SP 800-171 controls you still need to implement.

CMMC Level 2 certification typically takes 9–18 months from starting your gap assessment to receiving your certification. The breakdown: 1–3 months for gap assessment and planning, 3–12 months for remediation depending on your starting point, 4–8 weeks for C3PAO assessment fieldwork, and 4–8 weeks for the Cyber AB to review and issue certification. Organizations with mature NIST 800-171 programs can move faster; those starting from scratch take longer.

C3PAO assessment fees typically range from $50,000 to $150,000 for most small to mid-sized defense contractors. Larger organizations or those with complex CUI environments pay more. Fees vary by C3PAO firm, assessment scope, and your organization size. Get quotes from multiple C3PAOs — pricing varies significantly. Note that assessment fees are separate from remediation costs, consulting fees, and compliance tooling.

CMMC Level 1 is significantly cheaper — typically $5,000 to $30,000 total. Level 1 only requires 17 basic cybersecurity practices and annual self-assessment with no C3PAO. The main costs are internal staff time for the assessment, any technology gaps you need to close, documentation work, and policy updates. No third-party assessment fee applies at Level 1.

For Level 1, many organizations can self-assess without a consultant if they have internal IT and compliance resources. For Level 2, most organizations benefit significantly from consulting help — the 110 NIST SP 800-171 controls are technically complex and the documentation requirements are substantial. Registered Practitioner Organizations (RPOs) can help with gap assessments and remediation planning. Using an RPO does not replace the C3PAO assessment but can reduce the time and cost to get there.

Yes, increasingly so. As CMMC requirements appear in more DoD solicitations, demand for C3PAO assessments is outpacing supply. Many C3PAOs are booked 3–6 months out. The number of certified C3PAOs is growing but remains limited. Best practice is to identify your target assessment window and reach out to C3PAOs early — before you've completed remediation — to get on their schedule.

A Plan of Action and Milestones (POA&M) documents controls you haven't yet fully implemented and your plan to close those gaps. Under CMMC 2.0, if your SPRS score is 88 or above, you can proceed to C3PAO assessment with a POA&M for remaining items — but those gaps must be closed within 180 days of assessment. A POA&M doesn't reduce your total compliance costs, but it can allow you to sequence your assessment earlier while finishing remediation, potentially avoiding delays in contract eligibility.

CMMC Level 2 certifications are valid for three years, with annual affirmations required in the interim years. This means you need to maintain your controls continuously — not just at assessment time — and affirm your compliance status annually. Budget for ongoing compliance costs: tool subscriptions, policy reviews, access reviews, and periodic re-assessment preparation, in addition to the triennial C3PAO assessment fee.