CMMC Cost Breakdown: What Level 1 and Level 2 Compliance Actually Costs

Defense contractors keep asking for real numbers. This guide uses public Department of Defense and CMMC Accreditation Body sources to explain where CMMC Level 1 and Level 2 dollars actually go, what drives scope and fees, and how to plan a realistic budget for readiness, assessment, and the three years of continuous compliance that follow.

Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449). Our entire team is CMMC-RP certified.
Direct answer

How much does CMMC compliance cost?

CMMC Level 1 self-assessment work typically costs defense contractors between a few thousand dollars and roughly fifteen thousand dollars in internal labor and light external support, depending on how mature the organization already is. CMMC Level 2 is a different order of magnitude: the Department of Defense's published cost analysis for the CMMC Program (32 CFR Part 170, Federal Register final rule published October 15, 2024) estimates that a typical small entity pursuing Level 2 with a third-party assessment will spend on the order of tens of thousands of dollars on the assessment itself and significantly more on readiness, tooling, and recurring operational costs over the three-year certification cycle.

The CMMC final rule cost analysis published by the Department of Defense gives a public range for Level 2 third-party assessment fees alone of roughly 35,000 USD to over 200,000 USD for larger or more complex environments, with most small and mid-sized contractors falling in the 35,000 to 110,000 USD range for the assessment component of the program. Readiness remediation, which covers closing the National Institute of Standards and Technology Special Publication 800-171 Rev 2 control gaps, is almost always the larger line item, and the ongoing managed security operations required to keep Controlled Unclassified Information protected throughout the three-year certification window can equal or exceed the assessment cost each year.

Important context: Every defense contractor environment is different. The Department of Defense's own cost model acknowledges wide ranges because scope, in-scope asset count, cloud posture, geographic footprint, and the number of interconnected subcontractor enclaves all move the number. Anyone quoting you a flat price without seeing your System Security Plan and asset inventory is guessing. Petronella Technology Group scopes every CMMC engagement with a paid readiness assessment first, then produces a fixed-scope proposal tailored to the exact boundary.

The rest of this page breaks down where the dollars actually go. Read it end to end if you are budgeting for fiscal year planning, or skip to the section that matches the level you are pursuing.

Three-year total cost of ownership is the honest number

Most published CMMC cost estimates stop at the year-one project budget. The Department of Defense certification cycle is three years. Contractors who plan only for year one are consistently surprised in year two when continuous monitoring bills arrive, and again in year three when the full recertification kicks off. A realistic CMMC Level 2 budget should sum five components: readiness remediation in year one, the C3PAO assessment fee in year one, ongoing managed security operations in years one through three, annual affirmation preparation in years two and three, and a full reassessment plus any new-control remediation in year three. The Department of Defense cost analysis in 32 CFR Part 170 addresses the first two components directly; the last three components are where most real-world budgets expand beyond public estimates.

How public survey data lines up with the Department of Defense estimate

Several trade outlets, including MSSPAlert, GovConWire, and vendor-sponsored surveys from GCC High managed service providers, have published contractor-facing CMMC cost estimates in the same general range as the Department of Defense final rule analysis. Where public surveys differ is in the readiness remediation line, which trade outlets often report higher than the Department of Defense estimate because they sample contractors who are still early in their maturity journey. Both sets of numbers are directionally correct; the variance reflects the wide starting points across the defense industrial base. A contractor already mature on NIST SP 800-53 controls will land on the low end of every range. A contractor still operating a flat commercial Microsoft 365 tenant with unmanaged laptops will land on the high end.

Level 1

What drives CMMC Level 1 cost?

CMMC Level 1 applies to contractors that handle only Federal Contract Information and not Controlled Unclassified Information. It covers the 15 basic safeguarding requirements of Federal Acquisition Regulation clause 52.204-21 (CMMC 1.0 split these into 17 practices; the final rule uses the 15 as written in the FAR). Level 1 is a self-assessment: there is no third-party assessor fee, no CMMC Third Party Assessor Organization engagement, and no certificate. The self-assessment result and the senior official's affirmation are entered in the Supplier Performance Risk System. Cost comes from four things.

1. Documentation and policy authoring

Even at Level 1 the contractor has to show that the 15 practices are actually in place: a description of the systems that store or process FCI, an acceptable use policy, basic incident response procedures, and evidence for each practice. The final rule does not require a System Security Plan at Level 1, but most contractors write a short one because it is the cleanest way to document scope. If an internal technical writer handles this the cost shows up as labor. If an external consultant drafts it, expect a few thousand to about ten thousand dollars depending on the contractor's size and how much material already exists.

2. Supplier Performance Risk System score submission

Since November 30, 2020 the Department of Defense has required contractors subject to DFARS 252.204-7012, that is, contractors handling CUI, to have a NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019. A contractor that handles only FCI is not required to post one, but prime-contract flowdowns often ask for it anyway. An honest SPRS score requires a full NIST SP 800-171 Rev 2 gap assessment, so when a flowdown demands one, that gap assessment becomes the single biggest Level 1 cost driver.

3. Basic technical controls

The 15 Level 1 practices map to things most small businesses already partially do: individual user accounts with authentication on systems that touch FCI, limited physical access with visitor escort and access logs, controlled public-facing information, sanitized media disposal, malicious code protection that is kept updated and scans on a schedule, timely patching, and basic boundary protection. Multi-factor authentication is a Level 2 requirement (NIST SP 800-171 practice 3.5.3), but most contractors turn it on at Level 1 anyway because it comes with the licenses. If the contractor already runs Microsoft 365 Business Premium or a comparable stack the incremental technology cost is low. If the contractor is still on consumer email, unmanaged laptops, and shared accounts, expect several thousand dollars in license upgrades, endpoint agents, and onboarding labor before the self-assessment can pass honestly.

4. Annual affirmation

Level 1 requires an annual affirmation by a senior company official that the 15 practices are still in place. That affirmation is free to file but carries real liability under the False Claims Act if it is not accurate, so most contractors pay for a low-cost annual review of the evidence package. A few hours of external review each year is a reasonable line item.

Taken together, a Level 1 contractor that is already operating a modern managed IT environment often spends in the low four figures to prepare and submit. A contractor starting from an unmanaged baseline can spend ten to fifteen thousand dollars closing gaps before the self-assessment can be affirmed honestly.

Level 2

What drives CMMC Level 2 cost?

CMMC Level 2 covers all 110 practices from NIST Special Publication 800-171 Rev 2 and is the compliance level most defense primes and subcontractors who touch Controlled Unclassified Information will need. The final rule confirms that the majority of Level 2 contracts will require a full CMMC Third Party Assessor Organization (C3PAO) assessment rather than self-assessment. Level 2 cost has five main buckets.

Cost bucket, typical small-to-mid contractor range, and what drives it:

  • Readiness assessment and gap analysis. Range: tens of thousands USD, scope-dependent. Drivers: asset count, number of enclaves, cloud posture, policy maturity.
  • Technical gap remediation. Range: often the single largest line item. Drivers: legacy systems, identity sprawl, missing logging, unmanaged endpoints.
  • C3PAO assessment fee. Range: roughly 35,000 to 110,000 USD for small and mid-sized contractors per the public DoD cost analysis, higher for complex enterprises. Drivers: assessor days on-site, number of assets, interviews, evidence volume.
  • Ongoing evidence and continuous monitoring. Range: recurring, often comparable to the assessment cost per year. Drivers: managed detection and response, SIEM, log retention, quarterly reviews.
  • Three-year recertification cycle. Range: readiness and C3PAO cost repeat every three years. Drivers: full reassessment, plus annual affirmations in years 1 and 2.

Readiness is almost always the larger number

The C3PAO fee is what gets headlines because it is paid to a third party and shows up as a discrete invoice. In practice the readiness phase (closing the 110 NIST SP 800-171 Rev 2 practice gaps) usually costs more than the assessment itself, especially for contractors who have grown organically without a formal identity, logging, and data classification program. The C3PAO will not give partial credit for best effort. Every assessment objective in NIST SP 800-171A is scored MET or NOT MET, and a practice is met only when all of its objectives are.

Technical gap remediation varies by starting point

Contractors on modern Microsoft 365 Government Community Cloud High or Government Community Cloud environments with a managed security stack often have a shorter and less expensive remediation path. Contractors on hybrid on-premises, commercial cloud with inconsistent logging, and a patchwork of subcontractor enclaves have a longer path. The biggest cost surprises we see come from three places: insufficient log retention (NIST SP 800-171 practice 3.3.1 requires creating and retaining system audit logs), missing FIPS-validated cryptography for CUI transmission, and unmanaged mobile devices accessing in-scope environments.

Year two and year three are not free

The Department of Defense final rule requires annual affirmation in years 1 and 2 of the three-year certification cycle, plus a full C3PAO reassessment at year 3. That affirmation is more than a checkbox. The senior official signs under False Claims Act liability that the environment still meets every practice. Maintaining that truthfulness costs real money each year: continuous monitoring, quarterly policy reviews, drift remediation when controls degrade, and evidence archiving. Plan for year-over-year operating cost, not a one-time project line.

How the Level 2 scoring rubric moves your cost

Under the NIST SP 800-171 DoD Assessment Methodology that DFARS 252.204-7019 and 252.204-7020 invoke, and the CMMC scoring methodology the final rule adopts at 32 CFR 170.24, each of the 110 NIST SP 800-171 Rev 2 practices carries a weight of 1, 3, or 5 points according to its effect on overall security posture. Scoring starts at 110 and subtracts the weight of every practice that is not met, so a perfect score is 110 and the floor is -203. Two practices carry partial credit: multi-factor authentication (3.5.3) deducts 3 instead of 5 when MFA covers remote and privileged access but not general users, and CUI encryption (3.13.11) deducts 3 instead of 5 when encryption is in place but the module is not FIPS-validated. The Supplier Performance Risk System holds the contractor's current score. Two consequences for your budget follow directly. First, conditional certification with a Plan of Action and Milestones is governed by 32 CFR 170.21, which is stricter than a bare score threshold: the score must be at least 88 (80 percent of 110), no practice worth more than 1 point may be left on the POA&M (the one exception is 3.13.11 at its 3-point partial-credit state), and five named 1-point practices (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) can never be deferred. Every 3- and 5-point gap therefore has to be fully remediated before the C3PAO arrives on site, which concentrates cost in the readiness phase rather than spreading it across the certification cycle. Second, the remaining 1-point practices are usually the lower-complexity ones, where remediation labor can often come from existing internal IT staff if the contractor plans early enough. A good readiness partner prices the remediation plan so that the highest-cost vendor work targets the highest-weight gaps first, and lower-weight cleanup is scheduled for internal staff where possible.
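As an added worked example (not code from the original page or from Petronella Technology Group), here is a small Python calculator that applies the scoring arithmetic and the 32 CFR 170.21 conditional-certification tests described above, then splits a gap list into what must be fixed in readiness and what could wait on a POA&M. The practice weights in WEIGHTS are an illustrative subset and an assumption to verify against Annex A of the DoD Assessment Methodology; the partial-credit states and the 170.21 rules are encoded as the example's author reads the rule text, so confirm them against the current rule before relying on the output. The sample gap list is constructed, not real assessment data.

```python
"""Added worked example, not from the original page: a calculator for the
NIST SP 800-171 DoD Assessment Methodology score (the number posted in SPRS)
and the CMMC Level 2 conditional-certification (POA&M) tests in 32 CFR 170.21.

Assumptions, labelled as such:
- WEIGHTS is an illustrative subset; a real run needs all 110 weights from
  Annex A of the DoD Assessment Methodology.
- Partial credit for 3.5.3 and 3.13.11 and the 170.21 rules are encoded as
  the example's author reads them; confirm against the current rule text.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110
MIN_CONDITIONAL_SCORE = 88  # 32 CFR 170.21: score / 110 must be >= 0.8

# Illustrative subset of practice weights (assumption: verify against Annex A).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.7": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.13.11": 5, "3.14.2": 5,
}

# Partial-credit deductions: MFA only for remote/privileged users (3.5.3) and
# encryption in place but not FIPS-validated (3.13.11) deduct 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 1-point practices that 170.21(a)(2)(iii) bars from any POA&M.
NEVER_DEFERRABLE = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Gap:
    practice: str          # NIST SP 800-171 Rev 2 identifier, e.g. "3.3.1"
    partial: bool = False  # True only for a partial-credit state


def deduction(gap: Gap) -> int:
    """Points subtracted from 110 for one unmet or partially met practice."""
    if gap.partial:
        if gap.practice not in PARTIAL_DEDUCTION:
            raise ValueError(f"{gap.practice} has no partial-credit state")
        return PARTIAL_DEDUCTION[gap.practice]
    return WEIGHTS[gap.practice]


def sprs_score(gaps: list[Gap]) -> int:
    """Score reported to SPRS: 110 minus every deduction (floor is -203)."""
    return PERFECT_SCORE - sum(deduction(g) for g in gaps)


def deferrable(gap: Gap) -> bool:
    """May this gap sit on a POA&M under a conditional Level 2 certification?"""
    if gap.practice in NEVER_DEFERRABLE:
        return False
    if gap.practice == "3.13.11" and gap.partial:
        return True  # the one >1-point exception in 170.21(a)(2)(ii)
    return deduction(gap) <= 1


def poam_eligibility(gaps: list[Gap]) -> tuple[bool, list[str]]:
    """Apply the 170.21 tests; return (eligible, human-readable reasons)."""
    reasons = []
    score = sprs_score(gaps)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    for g in gaps:
        if not deferrable(g):
            reasons.append(
                f"{g.practice} ({deduction(g)} pts) must be met before the assessment")
    return (not reasons, reasons)


def readiness_split(gaps: list[Gap]) -> tuple[list[str], list[str]]:
    """Which gaps are year-one readiness cost versus POA&M candidates."""
    must_fix = sorted(g.practice for g in gaps if not deferrable(g))
    may_defer = sorted(g.practice for g in gaps if deferrable(g))
    return must_fix, may_defer


if __name__ == "__main__":
    # Constructed sample for a mid-readiness contractor (not real data).
    sample = [Gap("3.1.20"), Gap("3.3.1"), Gap("3.13.11", partial=True),
              Gap("3.1.5"), Gap("3.1.7")]
    print("SPRS score:", sprs_score(sample))
    ok, why = poam_eligibility(sample)
    print("Conditional certification possible:", ok)
    for reason in why:
        print(" -", reason)
    print("Fix before the C3PAO arrives:", readiness_split(sample)[0])
```

Run it as a script to see the split between gaps that are readiness-phase cost and gaps that can wait on a POA&M; that split, more than the headline score, is what sets the year-one budget.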

Assessment scope

What is included in a CMMC Level 2 C3PAO assessment fee?

A Level 2 CMMC Third Party Assessor Organization engagement is not one flat purchase. The fee typically covers five things, each of which scales with scope.

  • Pre-assessment planning. Review of the System Security Plan, Plan of Action and Milestones, asset inventory, and network diagrams. The assessor confirms the CMMC assessment boundary and negotiates the list of people who will be interviewed.
  • On-site or remote evidence review. The assessor walks through every one of the 110 NIST SP 800-171 Rev 2 practices and verifies each using the objectives in NIST SP 800-171A. This is the longest and most labor-intensive part of the engagement.
  • Interviews. System owners, administrators, HR, facilities, and executives are all typically interviewed. The assessor is verifying that practices exist not just on paper but in behavior.
  • Observation and testing. The assessor will request live demonstration of controls, such as watching an administrator attempt a privileged action and confirming MFA is enforced, or tailing an audit log to confirm retention.
  • Final report and certification record. The assessor produces an assessment report and, if the contractor passes, a CMMC Level 2 certification is recorded in the CMMC enterprise system. A limited number of practices can be placed on a Plan of Action and Milestones for up to 180 days with a conditional certification, subject to the final rule's eligibility and scoring criteria.

The assessor's fee does not usually include legal review of the final report, remediation of anything that fails, or re-assessment if the conditional certification lapses. Budget for those separately.

Hidden costs

What are the 8 hidden costs most contractors miss?

When contractors plan a CMMC Level 2 budget from public blog posts alone, these eight cost categories are the ones that usually blow the budget. Every single one shows up in real engagements.

1. Log retention and SIEM

NIST SP 800-171 Rev 2 practice 3.3.1 requires creating and retaining system audit logs and records to the extent needed to monitor, analyze, investigate, and report unauthorized activity, and 3.3.8 requires protecting them. Neither practice fixes a retention period: the contractor sets one in policy and the assessor checks the environment against it. Many contractors discover late in readiness that their current logging is a few days of rolling retention on individual devices instead of the months their own investigation and reporting needs call for. Upgrading to a compliant SIEM with long retention is a recurring annual cost, not a one-time purchase.

2. GCC High or equivalent cloud migration

If the contractor handles International Traffic in Arms Regulations data or if the prime contract requires FedRAMP High equivalency, commercial Microsoft 365 is insufficient. Migration to Microsoft 365 Government Community Cloud High carries license costs at multiples of commercial pricing, plus a one-time tenant migration and mailbox rehoming project that can take months.

3. Subcontractor flowdown evidence

DFARS 252.204-7012 requires contractors to flow the same CUI safeguarding requirements down to subcontractors. Collecting and retaining that evidence, auditing subcontractor attestations, and handling disputes when a sub fails its own SPRS score creates ongoing overhead most primes underestimate.

4. FIPS-validated cryptography

NIST SP 800-171 Rev 2 practice 3.13.11 requires FIPS-validated cryptography (FIPS 140-2 or 140-3 validated modules) wherever cryptography is used to protect the confidentiality of CUI. Some otherwise-secure products fail this test because the module has never been submitted for validation, and validation is tied to a specific module version, so a routine product upgrade can quietly move a product out of validated status. Replacing a VPN, file transfer appliance, or backup solution to pick up a validated module is a quiet but real cost.

5. Mobile device management and bring-your-own-device policy

If employees access CUI from personal phones or laptops the contractor either needs enterprise mobile device management with containerization, or a clear policy that forbids BYOD for CUI systems. Closing this gap often costs more in change management than in software, because people resist losing personal device flexibility.

6. Identity and access review cadence

NIST SP 800-171 Rev 2 practice 3.1.5 (least privilege) and the account management objectives under 3.1.1 and 3.1.2 require that every account and privilege be authorized and limited to what the role needs, which in practice means periodic review of user access. Running that review quarterly across HR systems, Active Directory, cloud services, application-specific roles, and privileged access tooling takes real staff time every quarter. Contractors who do not have an IT governance process in place often underestimate the recurring labor.

7. Incident response and tabletop exercises

The assessor will want to see not just a documented incident response plan but evidence of recent tabletop exercises, communication trees that have been tested, and reporting paths to the Department of Defense Cyber Crime Center that match the 72-hour DFARS 252.204-7012 reporting requirement. Running tabletop exercises quarterly with documented lessons learned is a labor-intensive ongoing cost.

8. Senior official time

Every year of the three-year cycle the senior official who affirms must spend real time validating the affirmation. Most contractors do not budget executive time as a CMMC cost, but it is, and it is nontrivial. A CEO or COO who signs a false affirmation is personally liable under the False Claims Act.

Managed enclaves

Can you reduce CMMC cost with a managed enclave?

Yes, a purpose-built managed CUI enclave can reduce total CMMC cost for the right contractor, but not in every case, and the trade-offs matter. A managed enclave is a hardened cloud or hybrid environment, usually built on FedRAMP-authorized infrastructure, where the contractor processes CUI inside a tightly scoped boundary while keeping non-CUI operations in a lower-cost environment. Several vendors, including Summit7 and others, have built managed Microsoft 365 Government Community Cloud High offerings around this pattern.

When a managed enclave saves money

  • The contractor's CUI data volume is small relative to the rest of the business.
  • Only a subset of employees need CUI access, so licenses in the expensive enclave are limited.
  • The contractor would otherwise need to rebuild a compliant logging, identity, and backup stack from scratch.
  • Assessment scope shrinks because in-scope assets are confined to the enclave.

When a managed enclave does not save money

  • The contractor already operates a modern managed IT environment close to 800-171 compliance.
  • CUI flows across most of the business and most employees need access.
  • Subcontractor interconnections bypass the enclave boundary and widen scope again.
  • Per-seat licensing in GCC High for the full workforce exceeds the cost of hardening the existing environment.

Trade-offs to watch

Enclaves reduce assessment scope, but they introduce a new set of operational complexities. Users often have two mailboxes, two identities, and two sets of collaboration tools. Training and change management cost real money. Cross-boundary data transfer can accidentally re-widen scope if not carefully governed. And moving into a managed enclave makes the contractor dependent on the enclave vendor's own compliance posture; if the vendor has a bad assessment year, the contractor inherits the problem. Petronella Technology Group evaluates enclave-versus-in-place during the readiness phase and recommends the path with the lower total cost of ownership across the three-year certification cycle, not just the lowest year-one sticker price.

FedRAMP

When does FedRAMP-authorized cloud reduce cost?

FedRAMP is the federal government's standardized cloud security authorization program. A FedRAMP Moderate or FedRAMP High authorization for a cloud service means the cloud provider has already been assessed against a long list of NIST SP 800-53 controls. When a defense contractor processes CUI inside a FedRAMP-authorized cloud, many of the underlying infrastructure controls inherit from the cloud provider rather than being the contractor's responsibility.

That inheritance can materially reduce a contractor's Level 2 cost in three ways.

  1. Shorter readiness remediation. Physical security, environmental controls, underlying network segmentation, and many infrastructure-layer requirements are already met by the cloud provider. The contractor only needs to document and operate the tenant-layer controls.
  2. Lower assessment evidence volume. The C3PAO can rely on the FedRAMP authorization package for infrastructure-layer controls, reducing the number of artifacts the contractor must produce and maintain.
  3. Simpler three-year maintenance. Infrastructure-layer drift is the cloud provider's problem. The contractor focuses its recurring compliance spend on identity, data classification, and user-facing behavior, which is where most drift happens anyway.

Watch the level of authorization. DFARS 252.204-7012 requires that a cloud service used to store, process, or transmit CUI meet the FedRAMP Moderate baseline or an equivalent level of security, and the CMMC final rule carries that requirement forward. FedRAMP High (or Department of Defense Impact Level 4 or 5 under the Cloud Computing Security Requirements Guide) is required for certain categories of CUI, and ITAR-controlled technical data additionally needs an environment that restricts access to US persons, which is why it usually lands in GCC High. Using a FedRAMP Low service for CUI will not pass a C3PAO assessment regardless of how convenient it is to the contractor.

The cost tradeoff is that FedRAMP-authorized services typically cost more per user or per workload than their commercial equivalents. The contractor saves money in readiness and assessment but pays more in recurring license fees. For most small and mid-sized defense contractors, the net is still favorable over the three-year cycle, but the break-even point moves based on user count and CUI volume.

How we scope

How does Petronella Technology Group scope CMMC engagements?

Petronella Technology Group does not publish a flat CMMC price list. Every defense contractor we work with gets a custom scope after we spend time inside their environment, because flat pricing either overcharges the simple cases or undercharges the complex ones. Our published philosophy lives at /how-we-engage/; here is how it applies specifically to CMMC.

Step 1: Free 15-minute CMMC readiness call with Penny

Penny is our AI voice agent. She answers the phone at (919) 348-4912, books a free 15-minute readiness call onto a Petronella engineer's calendar, and confirms via text. The 15 minutes is not a sales pitch. It is a scoping conversation about the contractor's current contract flowdowns, employee count, CUI volume, cloud posture, and existing compliance work. At the end of the call the engineer gives an honest assessment of whether a paid readiness engagement is worth the spend, and if so, what tier of readiness is the right starting point.

Step 2: Paid readiness assessment with a fixed deliverable

If the contractor moves forward, we run a fixed-scope readiness assessment. That assessment produces three things: an updated System Security Plan aligned to NIST SP 800-171 Rev 2, a Plan of Action and Milestones with gap-by-gap remediation cost estimates, and an SPRS score the contractor can legitimately submit today. The readiness is priced as a fixed fee based on asset count and number of CUI enclaves. No surprise overages.

Step 3: Remediation with a clear budget

After readiness the contractor sees every line item required to close gaps, with a range for each and a total. They can choose to execute the remediation with Petronella Technology Group, in-house, or with another partner. We charge the same way regardless: fixed scope, fixed fee per line item, no hourly runaway.

Step 4: C3PAO assessment support

When the environment is ready we coordinate the contractor's engagement with an independent C3PAO. As a CMMC-AB Registered Provider Organization (RPO #1449), Petronella Technology Group cannot also act as the assessor for the same contractor; the assessment must come from an independent CMMC Third Party Assessor Organization to preserve the integrity of the certification. We prepare the contractor for the assessment, attend as observer, and help resolve any findings that surface.

Step 5: Continuous compliance managed service

After certification the contractor either keeps compliance operations in-house or subscribes to our continuous compliance managed service, which covers managed detection and response, log retention, quarterly control reviews, annual affirmation preparation, subcontractor flowdown tracking, and the year-3 recertification. Priced per asset, fixed monthly.

Next step

What is next: free CMMC readiness call with Penny

If the contract you are pursuing requires CMMC Level 1 or Level 2 in the next 12 months, the least expensive thing you can do this week is spend 15 minutes on the phone with a Petronella Technology Group engineer and get an honest read on where you stand. The call is free. Penny books it, a senior engineer joins, and you walk away with either a green light to stay the course, a scoped readiness proposal, or an honest referral if we are not the right fit.

The most expensive thing you can do is spend six months chasing flat-rate quotes from vendors who have not seen your environment, then discover in assessment that the quote missed half your scope. We have helped several defense contractors unwind exactly that situation. It is always cheaper to scope correctly on day one.

Ready to scope your CMMC budget honestly?

Book your free 15-minute CMMC readiness call. Penny answers, a senior Petronella engineer joins, and you leave the call with a realistic range based on your actual environment, not a one-size-fits-all quote.