The Department of Defense put a number on CMMC Level 2 cost. In the 32 CFR Part 170 final rule published October 15, 2024, the DoD estimated that a small entity pursuing CMMC (Cybersecurity Maturity Model Certification) Level 2 certification would spend $104,670 over three years. Industry practitioners widely report that small contractors significantly underestimate compliance costs before running a gap assessment. The gap between what contractors expect and what certification actually costs is the subject of this article.
The short answer: The DoD’s 32 CFR Part 170 final rule puts the three-year CMMC Level 2 cost for a small entity at $104,670, covering a third-party assessment in Year 1, readiness and remediation work, and two annual affirmations in Years 2 and 3. Scope reduction strategies can bring the floor below $40,000 for the smallest defense contractors.
What the DoD’s $104,670 CMMC Level 2 Cost Actually Covers
The $104,670 figure comes from the DoD’s regulatory impact analysis published in 32 CFR Part 170, the final rule governing the CMMC (Cybersecurity Maturity Model Certification) program. It is a small-entity estimate covering three years of compliance costs. It is not a vendor quote. It is not a worst-case scenario. It is the government’s own median projection for what a small business in the Defense Industrial Base (DIB) pays to achieve and maintain Level 2 status.
The number has three components:
| Cost Component | Timing | Estimated Range | Notes |
|---|---|---|---|
| Third-Party Assessment (C3PAO) | Year 1 | ~$50,000 (small entity median) | Estimates; actual quote will vary by environment complexity. C3PAO = CMMC Third Party Assessment Organization, accredited by Cyber AB. |
| Readiness & Remediation Work | Year 1 (pre-assessment) | $20,000–$80,000 typical range | Estimates; actual quote will vary by environment complexity. This is the variable that separates a $60,000 project from a $200,000 one. |
| Annual Affirmation (Year 2) | Year 2 | $5,000–$15,000 | Estimates; actual quote will vary by environment complexity. Covers self-attestation and supporting documentation review. |
| Annual Affirmation (Year 3) | Year 3 | $5,000–$15,000 | Estimates; actual quote will vary by environment complexity. Cycle resets at Year 3 end; next triennial assessment begins. |
| Total (DoD three-year estimate) | Years 1–3 | $104,670 | Source: 32 CFR Part 170 final rule, October 2024. Defense Scoop coverage (December 2023) noted the DoD CIO cost estimate methodology. |
The $50,000 assessment figure is the median for small entities. A 20-person defense contractor handling Controlled Unclassified Information (CUI) across multiple systems pays more than a 5-person shop with CUI confined to one application. The assessment fee is set by each accredited C3PAO (CMMC Third Party Assessment Organization), and fees vary. The Cyber AB (Cybersecurity Accreditation Body, at cyberab.org) maintains the list of accredited C3PAOs.
The affirmation costs in Years 2 and 3 are lower because they do not require a full third-party reassessment. They require an authorized company representative to formally attest that the company’s security posture has not degraded. Maintaining that posture is where the ongoing cost lives.
Why Most Vendor Estimates Run Higher
Vendor quotes for CMMC Level 2 implementation range from $50,000 to $400,000 or more. The DoD’s $104,670 and a vendor’s $300,000 quote can both be honest numbers. They cover different things.
The DoD’s estimate captures assessment cost plus a baseline assumption about remediation. It does not account for a company starting from zero. Most small defense contractors have not implemented NIST SP 800-171, the 110-control framework that underpins CMMC Level 2. NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) defines how contractors must protect CUI in non-federal systems. A company that has never touched 800-171 needs to build compliance from scratch before an assessor ever shows up. That build-out is the remediation cost, and it is the variable that makes vendor quotes look wildly different from the government figure.
Four factors drive remediation cost up:
- CUI footprint size. How many systems, users, and locations handle CUI (Controlled Unclassified Information)? Every endpoint, every application, every user with access to CUI is in scope for assessment. More scope means more remediation.
- Current security posture. A contractor with no multi-factor authentication, no endpoint detection, and no documented incident response plan starts much further back than one that has already implemented basic controls.
- System complexity. A company running a mix of on-premises servers, cloud services, and personal devices has more attack surface to lock down than one on a single, well-managed cloud platform.
- Documentation debt. CMMC Level 2 requires a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and documented policies for 110 practices. Writing those from scratch is labor-intensive even when the technical controls are already in place.
When a vendor bundles remediation and assessment into a single quote, you get a number that looks nothing like $104,670. That does not mean the vendor is wrong. It means the DoD’s estimate assumed more baseline maturity than many small contractors actually have.
The Four Moves That Bring the Small-Business Floor Lower
The $104,670 is a median, not a floor. For the smallest DIB (Defense Industrial Base) contractors, four strategies can reduce total three-year cost below $40,000. None of them are shortcuts around certification. All of them are legitimate scope-management techniques.
1. Build and Assess Only an Enclave
An enclave is a walled-off segment of your IT environment where all CUI lives. This section covers the cost-decision lever; the detailed enclave architecture and configuration content is covered in a separate technical guide (see Related Reading below). Instead of certifying your entire company network, you certify only the enclave. The rest of your environment is out of scope.
Enclave strategies can cut assessment scope by 40% to 60%, according to CMMC implementation practitioners (see PreVeil’s reference guide on enclave approaches). If your full environment would have cost $50,000 to assess, a well-designed enclave assessment may cost $20,000–$30,000. The enclave itself requires investment to build and harden, but that capital expense is a one-time cost, not a recurring one.
A practical enclave for a small shop often means: one or two dedicated workstations for CUI work, a separate email account used only for CUI, and cloud storage in a FedRAMP Moderate or equivalent authorized environment per DFARS 252.204-7012(b)(2)(ii)(D). The key is that no CUI ever leaves the enclave. Once it does, the enclave boundary breaks and scope expands.
2. Reduce Your CUI Footprint Before Assessment
Work with your contracting officer to receive less CUI. Some prime contractors send CUI by default because it is easier than sorting out what is actually sensitive. Ask specifically: does my subcontract work require CUI access? If not, request that CUI be withheld or limited to what is strictly necessary.
For CUI you must handle, implement a print-and-shred protocol for physical documents and strict access controls for digital files. Every person removed from CUI access is one less user in scope. Every system removed from CUI handling is one fewer system to certify. Scope reduction before assessment day is the cheapest compliance dollar you will spend.
3. Outsource CUI Handling to a CMMC-Certified MSP
A CMMC-certified MSP (Managed Service Provider) that already holds Level 2 certification can host your CUI environment and carry the infrastructure-side compliance obligation. It is important to understand the shared-responsibility split before signing: the MSP’s CMMC certification covers their managed infrastructure (the systems, networks, and services they operate for you). You still own your user behavior, access governance decisions, configuration choices within their environment, and the policy documentation your assessor will examine. Your assessment scope shrinks substantially (verifying you use the MSP’s environment correctly, rather than building your own from scratch) but does not disappear.
This is sometimes called “renting compliance.” You pay a monthly fee to operate in a compliant environment rather than paying to build and maintain one yourself. For a small contractor processing CUI for one or two contracts, this model often costs less than self-built certification over a three-year window. Get the MSP’s CMMC certification documentation in writing before signing any agreement, and confirm their authorized scope covers your work type.
4. Exit Defense Work Entirely (Do the Math First)
This one belongs in the conversation. Some small business owners treat defense revenue as untouchable. It is not. Run the numbers before committing to a multi-year compliance investment.
If your defense contracts generate $300,000 in annual revenue and you are looking at $100,000 or more in Year 1 compliance costs plus ongoing maintenance, you need to know your net margin on that revenue. A 10% margin on $300,000 is $30,000 in profit. Year 1 compliance at $100,000 wipes out more than three years of that profit. The math may still favor staying in defense if the revenue trajectory grows. But it may not. That is a legitimate business decision, not a failure.
Strikegraph CEO Justin Beals predicted in a January 2026 blog post that between 33,000 and 44,000 small defense contractors (15–20% of the DIB) may exit the market by 2027 as CMMC costs phase in. The prediction frames this as industry consolidation, not catastrophe: larger primes absorb some of that work, and contractors who exit can redeploy to commercial markets where compliance costs are lower. This is not an official DoD projection; it is one industry commentator’s cost-pressure model, and the DoD’s own regulatory impact analysis assumes zero attrition.
When the Math Doesn’t Work and That’s OK
Not every small business should pursue CMMC Level 2. The certification exists to protect sensitive defense information. The compliance cost exists because protecting that information is genuinely expensive. Those two facts together mean that some contracts simply are not worth pursuing for some businesses at some points in their growth.
The honest calculation looks like this: take your current defense revenue, apply your actual (not hoped-for) profit margin to get your defense net profit, and compare that net to the total three-year cost of certification. If the certification cost exceeds three to four years of defense net profit, you need a clear line of sight to revenue growth that justifies the investment. A pipeline of future defense work at higher contract values changes the math. One small recurring contract does not.
Three situations where exiting or deferring is the rational choice:
- Your defense revenue is below $500,000 annually and you have no strong pipeline of larger defense opportunities.
- Your CUI footprint is extensive and would require a full-environment rebuild to certify, with costs well above the DoD median.
- Your prime contractor has not yet issued a CMMC compliance deadline, and Phase 2 enforcement timelines mean you have 12 or more months before it matters. (A companion article on CMMC Phase 2 November 2026 timelines is coming soon.)
Deferring is not the same as ignoring. Start with NIST 800-171 self-assessment now. The companion article on NIST 800-171 self-assessment checklists walks through how to score your current posture without hiring a consultant. That baseline tells you exactly how far you are from Level 2 readiness, which is the input your cost estimate needs.
The 12-Month Rollup: What to Spend and When
If you decide to pursue Level 2, here is how to sequence your spending across 12 months before your first assessment date.
Months 1–3: Assess Your Gap, Not the Vendor’s Pitch
Run a NIST 800-171 self-assessment before talking to any C3PAO or consultant. The DoD’s SPRS (Supplier Performance Risk System) scoring tool is free. You score yourself against all 110 practices, identify your gaps, and build a POA&M (Plan of Action and Milestones) documenting how you will close them. This step costs time, not money, and it is the most important work you do.
With a gap assessment in hand, you can get meaningful quotes from C3PAOs and consultants because you can tell them exactly what you need. Without it, every quote is a guess padded for uncertainty.
Budget for this phase: $0–$5,000 (staff time, possibly a few hours of fractional CISO time to review your self-assessment). (Estimates; actual costs will vary.)
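To make the self-assessment step concrete, here is an added example (not the DoD’s SPRS tool or anything from the page) that scores a constructed gap assessment the way the DoD Assessment Methodology does (110 points, minus 1, 3 or 5 per unimplemented practice, with partial credit for MFA and FIPS-validated cryptography) and orders the gaps into a POA&M by points recovered. The sample practices, their statuses and the per-practice weights are assumptions for illustration; take the real weights from the published methodology.

```python
"""Score a constructed NIST SP 800-171 self-assessment DoD-Assessment-Methodology style
(110 max, minus 1/3/5 per unimplemented practice) and build a weight-ordered POA&M.
Added example: practice weights and statuses below are constructed for illustration,
not copied from the DoD methodology tables."""
from dataclasses import dataclass

MAX_SCORE = 110  # one point per practice; practices not listed below are assumed implemented


@dataclass(frozen=True)
class Practice:
    pid: str      # NIST SP 800-171 practice identifier
    title: str
    weight: int   # 1, 3 or 5: points lost when not implemented (assumed values)
    status: str   # "implemented", "partial", or "not_implemented"


# The methodology gives partial credit for MFA (3.5.3) and FIPS-validated
# cryptography (3.13.11): a partly implemented 5-point practice costs 3 instead.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample gap assessment for a small CUI enclave (illustrative only).
SAMPLE_ASSESSMENT = [
    Practice("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Practice("3.1.2", "Limit access to permitted transactions and functions", 5, "implemented"),
    Practice("3.1.5", "Employ the principle of least privilege", 3, "not_implemented"),
    Practice("3.3.1", "Create and retain system audit logs", 3, "implemented"),
    Practice("3.5.3", "MFA for local and network access", 5, "partial"),
    Practice("3.6.1", "Operational incident-handling capability", 3, "not_implemented"),
    Practice("3.8.3", "Sanitize media containing CUI before disposal or reuse", 1, "not_implemented"),
    Practice("3.13.11", "FIPS-validated cryptography to protect CUI", 5, "partial"),
    Practice("3.14.1", "Identify, report, and correct system flaws", 5, "not_implemented"),
]


def deduction(p: Practice) -> int:
    """Points lost for one practice, applying partial credit only where the methodology allows it."""
    if p.status == "implemented":
        return 0
    if p.status == "partial" and p.pid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[p.pid]
    return p.weight  # "partial" without a partial-credit rule scores as not implemented


def sprs_score(practices) -> int:
    """SPRS-style score: 110 minus all deductions (can go negative for a large gap set)."""
    return MAX_SCORE - sum(deduction(p) for p in practices)


def poam(practices):
    """Gaps as (points, pid, title, status), largest deduction first: the order that recovers score fastest."""
    gaps = [(deduction(p), p.pid, p.title, p.status) for p in practices if deduction(p) > 0]
    return sorted(gaps, key=lambda g: (-g[0], g[1]))


if __name__ == "__main__":
    print("SPRS-style score:", sprs_score(SAMPLE_ASSESSMENT))
    for points, pid, title, status in poam(SAMPLE_ASSESSMENT):
        print(f"-{points}  {pid:8} {status:16} {title}")
```

Feeding your real gap assessment into `SAMPLE_ASSESSMENT` gives the weight-ordered list a consultant or C3PAO would ask for, which is what turns their quote from a guess into a scoped estimate.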
Months 4–9: Build and Document
This is where the real spend happens. Implement the missing technical controls identified in your gap assessment. Harden your enclave if you are using that approach. Write your SSP (System Security Plan). Document your policies. Train your staff on CUI handling.
If you are using a CMMC-certified MSP, this phase is shorter. You are configuring your use of their environment, not building controls from scratch. If you are building your own environment, this phase takes the full six months for most small contractors.
Budget for this phase: $15,000–$60,000 depending on starting posture and approach. (Estimates; actual costs will vary by environment complexity.)
Months 10–12: Assessment Readiness and Formal Assessment
Conduct an internal readiness review or hire a Registered Practitioner (RP) for a pre-assessment gap check. An RP is not authorized to conduct the official assessment, but they can tell you if you are ready for one. This step prevents the most expensive outcome: failing your C3PAO assessment and paying for a second one.
Schedule your C3PAO assessment. Provide them with your SSP, POA&M, and evidence packages. The assessment itself typically takes two to four weeks of documentation review plus a shorter on-site or virtual review period.
Budget for this phase: $25,000–$60,000 for the formal C3PAO assessment (small entity range). (Estimates; actual quote will vary by environment complexity.)
Frequently Asked Questions
Does the $104,670 DoD figure include the cost of fixing my security gaps?
Partially. The DoD estimate includes a baseline remediation assumption. But it does not account for contractors starting from zero. A company that has never implemented NIST 800-171 controls faces significantly higher remediation costs than the DoD median assumes. Use the DoD figure as a reference point, not a budget ceiling. Run your own gap assessment first to get a realistic number for your specific environment.
What is a C3PAO and why do I need one for CMMC Level 2?
A C3PAO (CMMC Third Party Assessment Organization) is a company accredited by the Cyber AB (Cybersecurity Accreditation Body) to conduct official CMMC assessments. For most CMMC Level 2 contracts (those involving CUI on prioritized programs), DoD requires a third-party C3PAO assessment.
Self-assessment is permitted on a small subset of Level 2 contracts that DoD specifically designates as non-prioritized per 32 CFR 170.16. If your contract includes DFARS 252.204-7021 with a Level 2 requirement, assume you need a C3PAO assessment unless your contracting officer documents otherwise. You cannot self-attest for the typical Level 2 CUI contract the way you can for every Level 1 contract. The Cyber AB maintains an active list of accredited C3PAOs at cyberab.org. Get quotes from at least three before committing.
Can I get CMMC Level 2 certified as a company with five employees?
Yes, if your work involves CUI and your defense prime requires it. Company size does not disqualify you. What matters is the scope of your CUI environment. A five-person shop with CUI confined to two workstations and one FedRAMP cloud environment can achieve Level 2 at the lower end of the cost range. The enclave approach is particularly well-suited to very small contractors because a small, well-controlled environment is faster and cheaper to assess than a sprawling one.
What happens if I miss the CMMC deadline my prime contractor set?
You lose access to contracts requiring CMMC Level 2. Prime contractors are required to flow down CMMC requirements to subcontractors handling CUI or FCI (Federal Contract Information). If you cannot meet the deadline, notify your prime early and discuss whether the contract scope can be modified to remove CUI handling. Ignoring the deadline is not an option; it results in losing the work.
Is the CMMC Level 2 certification valid across all DoD contracts?
Yes. A Level 2 certification issued by an accredited C3PAO is recognized across DoD contracts. You do not certify per contract. Your certification covers your organization’s assessed environment. If you expand your CUI environment after certification (adding systems, users, or locations), consult your C3PAO about whether the expansion triggers a new assessment or can be addressed through your annual affirmation process.
What is the difference between CUI and FCI?
CUI (Controlled Unclassified Information) is information the government designates as sensitive but not classified, such as technical specifications, contract details, or personnel data. FCI (Federal Contract Information) is information provided by or generated for the government under a contract but not intended for public release. CMMC Level 1 covers FCI. Level 2 covers CUI. If you handle CUI, Level 2 applies to you. If you handle only FCI, Level 1 (annual self-attestation) is your requirement.
Should I hire a consultant or go directly to a C3PAO?
Do your NIST 800-171 self-assessment first, then decide. If your gap assessment shows you are close to 110-practice compliance, you may be able to go directly to a C3PAO. If you have significant gaps, a consultant (specifically a Registered Practitioner or Registered Practitioner Organization) can help you close them before paying for an official assessment. Paying for a C3PAO assessment before you are ready is the most expensive mistake in this process.
Your Next Step
The $104,670 is a starting point, not a sentence. Some small contractors will spend less by managing scope carefully. Some will spend more because their starting posture is weaker than the DoD median assumed. The variable you control is how well you understand your own environment before committing to a certification path.
Start with the self-assessment. The companion article on NIST 800-171 self-assessment checklists (coming soon) walks through the scoring process step by step. If you are earlier in the CMMC journey and want the full picture on certification requirements, the CMMC certification guide for small businesses covers the program structure, Level 1 vs. Level 2 requirements, and which contracts trigger which level. A detailed look at CMMC Phase 2 enforcement and the November 2026 timeline is also coming soon.