Updated May 2026

CMMC Triennial Recertification: $30K to $200K

CMMC Level 2 certification is valid for three years. The first wave of contractors certified in 2026 will face recertification in 2029. Plan the recertification budget at 60-80 percent of the initial C3PAO assessment fee, plus ongoing maintenance through the intervening years. Material environmental change can push recertification cost back up to or above the original.

The triennial cycle under 32 CFR Part 170

The CMMC final rule at 32 CFR 170.17 sets the certification lifecycle for Level 2. A C3PAO assessment, once completed and accepted, results in a Final Level 2 (C3PAO) status valid for three years from the assessment date. The contractor files an affirmation in the Supplier Performance Risk System (SPRS) when the certification is issued and annually thereafter, attesting to continued compliance with every requirement that was assessed. The affirmation is signed by a senior official with authority to bind the organisation (typically the CEO, CIO, or CISO) and carries personal accountability under the False Claims Act for material misrepresentation.

At the three-year mark, the certification expires. To remain CMMC-certified and therefore eligible for solicitations requiring Level 2, the contractor must complete a fresh C3PAO assessment before the expiry date. The fresh assessment is procedurally identical to the initial assessment: scope confirmation, evidence review, on-site or remote assessor sessions, draft report, contractor response, final report, certification issuance. The difference is that the contractor is starting from an established SSP, policy library, and evidence platform rather than from scratch.

The full rule text is at ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170. Pay particular attention to 170.17 (Level 2 certification assessment and affirmation requirements, including the three-year validity period) and 170.22 (affirmation requirements).

Year-by-year cost across the triennial cycle

Cost element                                     | Small (under 50) | Mid (50-200)  | Large (200+)
Year 0: Initial C3PAO assessment                 | $40K - $80K      | $60K - $130K  | $100K - $200K
Year 1: Annual affirmation + maintenance         | $32K - $62K      | $52K - $122K  | $102K - $202K
Year 2: Annual affirmation + mock assessment     | $38K - $72K      | $62K - $137K  | $117K - $222K
Year 3: Recertification assessment + maintenance | $55K - $115K     | $95K - $200K  | $165K - $325K
4-year cumulative (Y0-Y3)                        | $165K - $329K    | $269K - $589K | $484K - $949K

Year 1 and Year 2 maintenance includes ongoing tooling subscriptions, monitoring, training delivery, evidence-library upkeep, and annual affirmation preparation. Year 3 maintenance is lower than Y1/Y2 because some maintenance work absorbs into the recertification activity itself.

What drives recertification cost up versus down

Cost-down drivers (recertification cheaper than initial): SSP and policy library is current and accurate (saves 40-80 hours of authoring), evidence library is organised by control family and current within 30 days (saves 50-100 hours of collection), the technical environment is substantively unchanged from initial assessment (saves 20-40 assessor days), the same C3PAO is used and the assessment team has continuity (saves 10-20 hours of context-setting), the contractor has run an internal mock assessment in year 2 (surfaces gaps with time to remediate).

Cost-up drivers (recertification more expensive than initial): cloud platform change (moving from GCC High to Azure Government or adding AWS GovCloud adds 10-20 assessor days), identity provider change (federation, Entra ID upgrade, SSO consolidation adds 5-10 assessor days), new sites or new departments brought into scope (each adds 3-10 assessor days), major acquisition that integrated unfamiliar IT environment, significant user-count growth that materially expanded the assessment scope, regulatory transition from NIST SP 800-171 Rev 2 to Rev 3 (NIST published Rev 3 in 2024 with a transition path that the DoD has not yet finalised, but recertifications in 2029-2030 may need to address Rev 3 controls).

For contractors with stable environments and disciplined maintenance, recertification should land at 60-70 percent of the initial assessment fee. For contractors with material environmental change, plan for 100-130 percent of initial as a worst case. The single best predictor of recertification cost is how disciplined the year-1 and year-2 maintenance was.

Recertification project plan

Start recertification planning 12-15 months before the certification expiry date and work backward from that date:

12 months before expiry: run an internal mock assessment to baseline the state of controls and identify any drift since the initial assessment.
9 months before expiry: engage a C3PAO (the same or a new firm) and execute the Statement of Work.
9-6 months before expiry: remediate the gaps the mock assessment surfaced.
6-3 months before expiry: refresh evidence collection, update the SSP for every environmental change since the initial assessment, and prepare for the formal assessment kick-off.
3-1 months before expiry: execute the formal C3PAO assessment.
Before expiry: receive the renewed certification and file the accompanying affirmation in SPRS so the new three-year validity period starts without a gap.

Working backward from the certification expiry date is essential because C3PAO scheduling backlogs in 2026 have been running 6-12 months. By 2029 the backlog may have eased (more C3PAOs authorised, more CCAs qualified), but planning for at least 9 months of lead time remains prudent. Letting certification lapse before recertification completes is a contract-eligibility problem; primes will not accept an expired certification.

Some C3PAOs offer multi-year engagement contracts at the time of initial certification that pre-book the year-3 recertification at a discounted rate. These can save 10-15 percent on the recertification fee but require commitment to a specific firm three years in advance. Whether to commit depends on confidence in the firm and the desire to preserve flexibility.

Frequently asked questions

How often does CMMC require recertification?
CMMC Level 2 certification under 32 CFR 170.17 is valid for three years from the date of the C3PAO assessment. The contractor files an affirmation in SPRS when the certification is issued and again annually in years 1 and 2 confirming continued compliance. At year 3, the contractor must undergo a full reassessment by a C3PAO (followed by a fresh affirmation) to maintain certification. Level 1 is an annual self-assessment with affirmation; Level 3 is also triennial but DIBCAC-led rather than C3PAO-led.
Will recertification cost the same as initial certification?
Usually less. Typical year-3 recertification fees run 60-80 percent of the initial C3PAO assessment fee. The discount comes from: the SSP and policy library is already in place (so authoring effort is lower), evidence collection patterns are established (so client-side labour is lower), the assessor team is often familiar with the environment (some C3PAOs offer rate discounts for repeat engagements), and the network and identity architecture has not fundamentally changed (so boundary discovery is faster).
What if my environment has changed significantly since the last assessment?
Then recertification looks more like a fresh assessment. If you have changed cloud platforms (moved from GCC High to Azure Government, or added an AWS GovCloud enclave), changed identity providers, opened new sites, gone through a major acquisition, or significantly grown the user count, the assessor will need to revisit the scope and re-examine controls in the changed areas. In this case the recertification fee can equal or exceed the initial fee.
Do I need to use the same C3PAO for recertification?
No. You can switch C3PAOs between certifications. Reasons contractors switch: dissatisfaction with the original assessor's approach, lower pricing from a competing firm, bundling opportunities with another framework (e.g., adding SOC 2 to the engagement), or geographic convenience. The switching cost is modest because the new assessor will use your existing SSP and policy library; you just need to provide the same evidence to a different reviewer.
What happens between year 1 and year 3?
You file annual affirmations to SPRS in year 1 and year 2 confirming continued compliance with the controls assessed at year 0. The affirmation is a senior-officer attestation, not a third-party assessment. Cost is minimal ($2K-$5K for internal preparation labour, $0 to SPRS) but the underlying obligation requires you to actually maintain compliance throughout the period. Lapsed monitoring, abandoned tooling, or failed annual training programmes between assessments can result in a year-3 reassessment that uncovers material gaps and either fails or requires significant remediation before recertification.
Are there shortcuts to recertification?
Some, but they are limited. The 32 CFR Part 170 final rule does not introduce a CMMC equivalent of FedRAMP's continuous monitoring with automated annual surveillance. Recertification is a full reassessment of the assessment scope. The shortcuts that exist are practical, not regulatory: keep your evidence library well-organised between assessments (saves 50-100 hours of recreation), maintain a documentation review cadence (quarterly SSP review, monthly policy review) so nothing has drifted by year 3, and conduct an internal mock-assessment in year 2 to surface gaps with time to remediate.
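The "current within 30 days" rule for the evidence library (mentioned under cost-down drivers and again in this answer) is easy to state and easy to let slip between assessments. The script below is an added example, not code from this page or from any CMMC body, that checks it. It assumes a hypothetical evidence library laid out as one top-level folder per NIST SP 800-171 Rev 2 control family (AC, AT, AU, ...), finds the newest artifact per family, and flags families that are stale or have no evidence at all. The sample artifact list and its dates are constructed for illustration.

```python
"""Evidence-library freshness check.

Added example, not code from the page or from any CMMC body. Assumes the
evidence library is a directory tree whose top-level folders are the 14
NIST SP 800-171 Rev 2 control-family abbreviations (AC, AT, AU, ...). Any
family whose newest artifact is older than the freshness window, or that has
no artifacts at all, is flagged so it can be refreshed before the year-2 mock
assessment or the recertification kick-off.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, Iterator

# The 14 control families of NIST SP 800-171 Rev 2, the CMMC Level 2 baseline.
FAMILIES = ("AC", "AT", "AU", "CA", "CM", "IA", "IR", "MA", "MP", "PE", "PS", "RA", "SC", "SI")
FRESHNESS_DAYS = 30  # the "current within 30 days" rule of thumb from the text above


@dataclass(frozen=True)
class Finding:
    family: str
    newest_artifact: str | None  # relative path; None when the family has no evidence
    age_days: int | None
    status: str  # "ok", "stale" or "missing"


def check_family_freshness(artifacts: Iterable[tuple[str, datetime]], now: datetime,
                           window_days: int = FRESHNESS_DAYS) -> list[Finding]:
    """Take (relative_path, last_modified) pairs and return one Finding per family.

    The family is the first path component. Files outside a family folder
    (README, scratch notes) are ignored rather than misattributed.
    """
    newest: dict[str, tuple[str, datetime]] = {}
    for rel_path, mtime in artifacts:
        family = rel_path.split("/", 1)[0].upper()
        if family not in FAMILIES:
            continue
        if family not in newest or mtime > newest[family][1]:
            newest[family] = (rel_path, mtime)

    findings = []
    for family in FAMILIES:
        if family not in newest:
            findings.append(Finding(family, None, None, "missing"))
            continue
        rel_path, mtime = newest[family]
        age = (now - mtime).days
        findings.append(Finding(family, rel_path, age, "ok" if age <= window_days else "stale"))
    return findings


def scan_library(root: str | Path) -> Iterator[tuple[str, datetime]]:
    """Walk a real evidence library on disk and yield (relative_path, mtime) pairs."""
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            yield path.relative_to(root).as_posix(), mtime


def summarise(findings: Iterable[Finding]) -> dict[str, int]:
    """Count families per status; the 'stale' and 'missing' counts are the work queue."""
    counts = {"ok": 0, "stale": 0, "missing": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


def report(findings: Iterable[Finding]) -> str:
    lines = []
    for f in findings:
        detail = "no artifacts" if f.newest_artifact is None else f"{f.age_days}d  {f.newest_artifact}"
        lines.append(f"{f.family}  {f.status:<7} {detail}")
    return "\n".join(lines)


# Constructed sample library as of a hypothetical check date of 1 September 2028.
AS_OF = datetime(2028, 9, 1, tzinfo=timezone.utc)
SAMPLE_ARTIFACTS = [
    ("AC/2028-08-20-mfa-enforcement-export.json", datetime(2028, 8, 20, tzinfo=timezone.utc)),
    ("AC/2027-11-02-account-review.xlsx", datetime(2027, 11, 2, tzinfo=timezone.utc)),
    ("AU/2028-05-01-siem-retention-settings.png", datetime(2028, 5, 1, tzinfo=timezone.utc)),
    ("IR/2028-08-28-tabletop-exercise-report.pdf", datetime(2028, 8, 28, tzinfo=timezone.utc)),
    ("CM/2028-08-05-baseline-config-scan.csv", datetime(2028, 8, 5, tzinfo=timezone.utc)),
    ("README.md", datetime(2026, 1, 1, tzinfo=timezone.utc)),  # not evidence, ignored
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # point it at a real library: python freshness.py /path/to/evidence
        results = check_family_freshness(scan_library(sys.argv[1]), datetime.now(timezone.utc))
    else:
        results = check_family_freshness(SAMPLE_ARTIFACTS, AS_OF)
    print(report(results))
    print(summarise(results))
```

On the constructed sample, AC, CM and IR are current, AU is 123 days old and flagged stale, and the ten families with no folder at all are flagged missing. Run against a real library from a scheduled job, the stale and missing counts are the to-do list for the quarterly documentation review; a library that reports zero of each at month 12 is what makes the mock assessment cheap.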

Updated 2026-05-11