The short answer

For a small defense contractor pursuing CMMC Level 2, total first year cost typically lands between $40,000 and $150,000. Level 1 is dramatically cheaper because you self attest, often under $5,000 in real out of pocket spend. The number that surprises people is the C3PAO assessment itself, which is $15,000 to $100,000 and unavoidable for Level 2.

You can compress the total by replacing a consultant with compliance software, but you cannot remove the C3PAO assessment fee.

The four cost buckets

Every CMMC compliance budget breaks into the same four buckets. Knowing what each one is keeps you from getting surprised.

  1. Preparation and documentation. Documenting your environment in a System Security Plan (SSP) that maps to all 110 controls. This is where software ($1,800 to $18,000/year) replaces or augments a consultant ($30,000 to $300,000).
  2. Remediation. Actually buying and configuring the controls you are missing. MFA, EDR, logging, encryption, training. Highly variable. A bare environment can require $5,000 to $50,000 of IT spend; a mostly mature environment can be near zero.
  3. The C3PAO assessment. A CMMC Third Party Assessment Organization (C3PAO) performs the official assessment. For Level 2 this is $15,000 to $100,000 depending on your size, the number of system enclaves, and the firm. Required.
  4. Ongoing maintenance. Re assessment every three years, plus continuous monitoring, evidence keeping, annual affirmations, and SSP updates. Budget roughly 25 to 40 percent of your first year prep cost annually.

CMMC Level 1 cost

Level 1 covers 17 basic safeguarding requirements and is self attested. There is no C3PAO involvement and no formal assessment fee. Realistic out of pocket spend looks like:

Item                                          Typical range
Self assessment tool or template              $0 to $1,800/year
Basic remediation (MFA, AV, password policy)  $500 to $3,000 one time
Annual affirmation submission                 $0 (you submit to SPRS yourself)
Realistic year one total                      $500 to $5,000

CMMC Level 2 cost

Level 2 covers all 110 NIST SP 800-171 Rev 2 controls and requires a C3PAO assessment for most contracts handling CUI. This is where the cost compression matters most.

Item                                  Software led path              Consultant led path
SSP, SPRS, POA&M, evidence (year 1)   $1,800 to $18,000              $30,000 to $150,000
Remediation IT spend                  $5,000 to $50,000 (variable)   $5,000 to $50,000 (variable)
C3PAO assessment                      $15,000 to $100,000            $15,000 to $100,000
Realistic year one total              $21,800 to $168,000            $50,000 to $300,000

C3PAO assessment cost, specifically

The C3PAO fee is the single line item people most often underestimate. It scales with your assessment scope (employees, systems, enclaves, sites). Public ranges from the Cyber AB marketplace as of 2026:

  • Small contractor (under 25 employees, single site, narrow scope): $15,000 to $35,000
  • Mid sized (25 to 100 employees, single enclave): $35,000 to $70,000
  • Larger or multi enclave (100 to 500 employees, multiple sites): $70,000 to $150,000
  • Enterprise scope: $150,000 and up

Some C3PAOs charge a pre assessment readiness review separately ($5,000 to $15,000). Ask before you sign.

Hidden costs people miss

  • Employee security awareness training. Required annually. $5 to $30 per user per year.
  • Logging and SIEM. If you do not have centralized logging, expect $200 to $1,500/month depending on size.
  • Vulnerability scanning. $1,000 to $10,000/year for scoped scanners.
  • Background checks and clearance work. Variable, often outside the cyber budget but real.
  • Lost contract opportunity cost while you wait. Often the largest hidden cost. Some buyers will not entertain a quote until you have at least a SPRS score on file.

Ongoing and annual costs

CMMC certifications last three years, but the work does not come around only once every three years. You will be asked to affirm continued compliance annually, keep evidence current, update your SSP when systems change, and remediate any drift. A realistic annual ongoing cost looks like:

  • Compliance software renewal: $1,800 to $18,000
  • Annual training: $300 to $5,000
  • Continuous monitoring and tooling: $3,000 to $30,000
  • Re assessment in year three: half to full original C3PAO cost

How to bring it down

  • Right size the tool. Do not buy enterprise GRC software if you are a 20 person shop. Tools built for small contractors are 80 to 95 percent cheaper.
  • Use the free readiness checklist first. Score yourself before you spend anything. Verdiex publishes one free.
  • Narrow your assessment scope. If only one part of the business touches CUI, isolate it. A smaller scope means a smaller C3PAO bill.
  • Get a Registered Practitioner review, not a full engagement. A 6 to 10 hour expert review of your finished SSP is often $2,000 to $4,000 and catches what a tool misses.

Frequently asked questions

How much does CMMC Level 2 certification cost in 2026?

For a small contractor (under 25 employees), realistic first year totals are $21,800 to $50,000 on a software led path, or $50,000 to $150,000 with a full consulting engagement. Mid sized environments often land between $75,000 and $200,000. The C3PAO assessment itself is $15,000 to $100,000 depending on scope.

How much is a C3PAO assessment?

Most small contractors pay $15,000 to $35,000 for a Level 2 C3PAO assessment. Mid sized contractors are $35,000 to $70,000. Multi site or multi enclave environments are $70,000 to $150,000 or more. Some firms charge a separate pre assessment review of $5,000 to $15,000.

Do I have to pay for CMMC every year?

Yes, in two senses. Your CMMC certification itself lasts three years, but you submit an annual affirmation of continued compliance and you keep paying for software, training, monitoring, and the re assessment in year three. Expect roughly 25 to 40 percent of your first year prep cost annually.

What is the cheapest path to CMMC Level 2?

Use compliance software instead of a consultant, narrow your assessment scope so the C3PAO is only looking at the systems that touch CUI, and add a short Registered Practitioner review at the end rather than a full engagement. Most small contractors using this path come in well under $50,000 in prep, plus the C3PAO assessment.

Is CMMC Level 1 free?

Almost. There is no C3PAO assessment and no third party fee. You self attest. Your real cost is the few thousand dollars of basic IT spend to actually implement the 17 safeguarding requirements (MFA, antivirus, access control, password policy).

Get started

Ready to build your System Security Plan?

Verdiex walks you through the questionnaire, generates your SSP, calculates your SPRS score, and tracks your POA&M. Get on the early access list and we will notify you when it opens.

Verdiex prepares you for assessment. A C3PAO performs the assessment and issues certification.