
What CMMC Certification Actually Costs in 2026

Real CMMC cost ranges for the Defense Industrial Base, broken down by level and by your SPRS starting point, plus what drives the price and how to keep it down.

InterSec Team, Cybersecurity & Compliance | April 19, 2026
Quick answer

CMMC cost depends on your level and your scope, not a single sticker price. Level 1 is a self-assessment, so it is the cheaper path. Level 2 adds gap work, remediation, tooling, and annual upkeep, plus an assessment that is either self-performed or done by a third-party C3PAO, depending on your contract. The two biggest drivers are scope and gap depth. The more systems and users that touch CUI, the larger your assessment boundary and your bill, and the further your environment sits from the 110 controls, the more remediation you pay for.

What actually drives CMMC cost up or down

Before any number means anything, you need to know what moves it. A few factors dominate, and the rest adjust from there.

The first is your CMMC level. Level 1 is a self-assessment with no external audit. Level 2 brings the 110 controls of NIST SP 800-171 and, for most contracts, a third-party assessment. Within Level 2, two things set the number. The first is scope, meaning how many systems and people touch CUI and therefore fall inside the assessment. The second is gap depth, meaning how far your current environment sits from the 110 controls. Your SPRS score measures that gap. A contractor close to passing pays for a light touch. A contractor deep in the negative pays to close real gaps.

Beyond scope and gap depth, the rest of the dial includes how much CUI you hold and how many people touch it, your existing security maturity (an ISO 27001 program earns you real credit), how tightly you scope (an enclave keeps most of your company out of the assessment), whether you run multiple sites or a joint venture, and whether you build the program in-house or bring in an RPO or managed provider.

Each of these pushes the number up or down. None of them is fixed. That is the good news, because it means you have levers to pull.

CMMC cost by level, Level 1 versus Level 2

Level 1 is the floor. It covers 15 basic requirements, it is self-assessed, and there is no external auditor to pay. For a small shop that only handles Federal Contract Information, the cost is mostly internal time plus modest tooling. Published 2026 estimates for a Level 1 self-assessment and annual affirmation run from a few thousand dollars into the low five figures, depending on tooling and outside help.

Level 2 is where the real spend lives. It covers all 110 controls of NIST SP 800-171 Revision 2, and for most contracts it is assessed by an accredited C3PAO. Note what we are not covering in depth here. Level 3 is also a CUI level, but it covers only the most sensitive slice of CUI on high-risk programs facing advanced persistent threats, and the government assesses it directly. For the large majority of contractors who handle CUI, the target is Level 2, so this article focuses on Level 1 and Level 2.

A Level 2 budget has a handful of moving parts. Here are the typical 2026 market ranges by component. Treat them as ranges, because scope changes everything.

| Cost component | What it covers | Typical 2026 range |
| --- | --- | --- |
| Readiness / gap assessment | Baseline against the controls, SPRS score, prioritized roadmap | $3,500 to $20,000 |
| Remediation / implementation | Closing gaps (MFA, encryption, segmentation, policy work) | $35,000 to $115,000+ |
| Tooling and managed services | EDR, SIEM, vulnerability scanning, GCC licensing | $10,000 to $50,000+ per year |
| C3PAO Level 2 assessment | The official third-party assessment fee (C3PAOs set their own) | $20,000 to $100,000+ |
| Annual maintenance | Monitoring, annual affirmation, reassessment upkeep | $6,500 to $50,000 per year |

One honest caveat on the official numbers. DoD’s published Level 2 estimate of roughly $105,000 to $118,000 over three years covers the assessment and affirmation, not the remediation work to implement the controls. Once you add implementation, tooling, and recurring upkeep, real all-in totals for a small business commonly climb into the mid six figures over three years. The assessment fee is the visible part. The work to get ready is the bigger part. Remember which is which when someone quotes you a low headline number.

CMMC cost by your SPRS starting point

Here is the cost part most skip. Two contractors at the same level can pay very different amounts, because your bill scales with the gap between where you are and where you need to be. Your SPRS score measures that gap.

Think in three bands. A contractor near a passing score needs light remediation and can move quickly to assessment. A moderately negative score means meaningful but targeted work, closing specific control families. A deeply negative score means building real capability, and that is where remediation costs climb.

We have watched this play out. For a multi-site Navy prime, the starting SPRS score sat around minus 203, deep in the negative across five sites. The work to move that score toward assessment-ready, not the assessment itself, was the bulk of the effort and the cost. That is the lesson. Your level sets the rules. Your scope and your starting score set the bill.

An itemized 2026 budget by contractor size

So what does this add up to? It depends on scope, but you can size it roughly by profile. The ranges below are built from the component costs above. Your real number depends on your starting SPRS score and how tightly you scope.

| Contractor profile | Typical posture | Rough initial range to reach Level 2 |
| --- | --- | --- |
| Solo or 1 to 2 person | Small CUI footprint, aggressively scoped enclave | $40,000 to $75,000 |
| Small to mid | A handful of CUI users, a few systems | $75,000 to $200,000 |
| Multi-site or joint venture | CUI across sites, more users, more complexity | $200,000 and up |

Two notes keep these honest. First, these are initial ranges to reach a defensible Level 2, not lifetime costs. Annual maintenance and reassessment add to them. Second, real all-in three-year Level 2 costs for a small business commonly reach the mid six figures once implementation and recurring upkeep are included, well above the bare assessment fee.

That sounds high until you remember it covers everything, for three years. The single biggest way to land at the low end of any of these rows is to scope small and start close to a passing SPRS score, where remediation, tooling, and the assessment itself all sit at the bottom of the component ranges above.

Once you know the number, the next step is to phase it. Here is how to build a CMMC budget you can defend across your fiscal year.

Is CMMC a reimbursable or allowable cost?

This question comes up early, and the answer has nuance. In general, CMMC compliance costs are treated as allowable under the Federal Acquisition Regulation when they are reasonable and allocable, per FAR 31.201-2. In practice that usually means they are recovered as an indirect cost through your overhead rates on the contracts you win, not reimbursed as a separate line item, and not recovered on bids you lose.

That is the framework, not a ruling on your books. DoD’s own CMMC guidance does not publish an allowability answer and points back to the FAR cost principles. How CMMC costs land in your specific indirect rates, and what your auditor will accept, depends on your accounting and your contracts. Consult your compliance, contracts, or accounting team, ideally one familiar with DCAA, for the final interpretation before you book anything.

How to reduce your CMMC cost

You have more control over the number than the headlines suggest. Four levers do most of the work.

Scope is the biggest. Most of your cost scales with the number of systems and people in the assessment, so isolating CUI into a CMMC enclave keeps the rest of your company out of scope and out of the bill. Reuse is the second. If you already run ISO 27001 or a mature security program, many controls are partly met, so you pay to map rather than build. Pricing model is the third. Milestone pricing tied to SPRS gates spreads cost to match progress. Right-sizing the cloud is the fourth. GCC works for many Level 1 and FCI-only environments, while GCC High is the common answer for CUI. Buying GCC High when you do not need it is one of the most common avoidable expenses. The fastest way to know which levers apply to you is a CMMC readiness assessment.

Start with a readiness assessment

The only way to get a real number is to baseline where you stand. A readiness assessment measures you against the controls, sets your SPRS starting point, and tells you what the job actually costs for your environment. Everything in this guide is a range until you have that baseline. Book a 30-minute consultation and we will give you an honest, SPRS-based estimate, not a guess. Start with a CMMC readiness assessment, and you stop budgeting blind.

Frequently Asked Questions

How much does CMMC Level 2 cost?

There is no single price. Level 2 cost depends on how tightly you scope, your CUI footprint, and how far your environment sits from the controls. Typical 2026 components run a few thousand for a gap assessment, tens of thousands for remediation, a C3PAO assessment fee that varies widely, and annual upkeep. The two biggest drivers are scope and gap depth, and your SPRS score measures that gap. A CMMC readiness assessment gives you a real number for your environment.

Is CMMC a reimbursable or allowable cost?

Generally, CMMC costs are allowable under FAR 31.201-2 when they are reasonable and allocable, usually recovered as an indirect cost through your overhead rates on awarded contracts rather than as a separate reimbursement. DoD’s CMMC guidance points to the FAR cost principles rather than publishing an answer. Confirm the treatment with a DCAA-aware accountant for your specific books.

What drives CMMC cost up or down?

Your level sets the baseline, since Level 1 is a self-assessment and Level 2 brings 110 controls and usually a third-party assessment. Within Level 2, the two biggest drivers are how tightly you scope and how far your environment sits from the controls, which your SPRS score measures. After those come the size of your CUI footprint, how many people touch CUI, your existing security maturity, multi-site or joint-venture complexity, and whether you build in-house or hire an RPO. Scope is the single biggest lever you control.

What drives the difference in cost between Level 1 and Level 2?

Level 1 is a self-assessment against 15 requirements with no external auditor, so it is the cheaper path. Level 2 covers all 110 NIST 800-171 controls and adds a third-party C3PAO assessment, plus deeper remediation, tooling, and evidence work. How much of that Level 2 work you pay for then depends on how tightly you scope and how far your environment sits from the controls, which your SPRS score measures.

Will waiting until November 2026 cost more?

Often, yes. Level 2 prep can take 6 to 18 months, and C3PAO assessor capacity is finite. As the November 10, 2026 deadline nears, contractors competing for scarce assessment slots and rushing remediation tend to pay more, not less. Starting early is the cheaper and calmer path.

Get an honest CMMC cost estimate

The only way to get a real number is to baseline where you stand. Book a 30-minute consultation and we will give you an honest, SPRS-based estimate for your environment. We are a Cyber-AB RPO, so we prepare you for the assessment. Your C3PAO runs it.