Updated May 2026

Methodology: how we build CMMC cost bands

Three input streams: regulatory and standard-setting bodies (DoD CIO, Cyber AB, NIST, DFARS, 32 CFR Part 170, DIBCAC); public C3PAO listings and ecosystem partner pricing; practitioner reports from the CMMC community. We triangulate across all three and publish bands wide enough to honestly reflect spread.

01 Primary sources

Every cost claim on the site is traceable to one or more of these primary sources. Refresh cadence and what we take from each source:

Source | Refresh | What we take from it
Cyber AB authorised C3PAO and CCA registry | Monthly | Verifies which assessor organisations and individual assessors are actively authorised; the population determines C3PAO fee competition and scheduling backlog.
DoD CIO CMMC programme office | On programme-office release | Authoritative source for CMMC programme rules, implementation guidance, scoring methodology, and contractor obligations.
DFARS 252.204-7012 / 7019 / 7020 / 7021 | On Federal Register update | Contractual cybersecurity safeguarding clause (-7012), NIST SP 800-171 score requirement (-7019), DoD assessment requirements (-7020), and CMMC requirement (-7021). The clauses define what triggers cost (scope, score, certification level).
32 CFR Part 170 final rule | On Federal Register amendment | Final rule (October 2025) establishing the CMMC 2.0 programme structure and phased implementation: Phase 1 (Nov 2025) self-assessments; Phase 2 (Nov 2026) C3PAO assessment mandatory for Level 2; Phase 3 (Nov 2027) option exercises plus Level 3 DIBCAC assessments; Phase 4 (Nov 2028) all contracts.
NIST SP 800-171 Rev 3 | On NIST revision | Source for the 110 security requirements that define Level 2 scope. Each requirement maps to a remediation cost line.
NIST SP 800-172 | On NIST revision | Source for the enhanced security requirements that define Level 3 scope. Drives the threat-hunting, advanced-SOC, and supply-chain risk-management cost adders for Level 3.
DCMA DIBCAC public guidance | Quarterly | Source for DIBCAC Level 3 assessment scope, scheduling reality, and the practitioner-reported DIBCAC backlog. DIBCAC charges no fee, but the indirect cost (prep, downtime) is material.
SAM.gov / GSA federal contract data | Monthly | Federal contract awards with cybersecurity language give a signal on solicitations that already require CMMC assertions, the scale of the DoD prime and subcontractor population, and the procurement-process trajectory.
US Bureau of Labor Statistics OEWS occupation 15-1212 | Annual (May data, released April-May) | Wage anchor for Information Security Analysts. Drives the loaded-cost math for internal staff time (gap assessment, remediation execution, audit prep, ongoing monitoring).

02 In scope and out of scope

In scope

  • Cost ranges by company-size band for CMMC Level 1, 2, and 3 first-year total spend.
  • C3PAO assessment fee tier bands (small / mid / larger).
  • Per-component remediation cost ranges (SIEM, EDR, MFA, segmentation, FIPS encryption, backup).
  • Three-year TCO including triennial reassessment.
  • Per-employee cost decomposition and scope-reduction levers (enclaves, shared MSSP).
  • Phase-by-phase cost ranges for the six-phase certification path.
  • Phase 2 (Nov 2026) deadline implications for budget planning.
  • Cross-framework overlap (CMMC vs SOC 2 vs FedRAMP vs ISO 27001 vs NIST SP 800-171).

Out of scope

  • Per-firm C3PAO pricing (most C3PAOs do not publicly list fees and quoted prices vary with engagement scope).
  • Legal advice on contractor obligations under DFARS, FAR, or 32 CFR Part 170.
  • Negotiated enterprise pricing for SIEM, EDR, or GRC platforms (we publish list-price-band ranges only).
  • State-level subcontractor flow-down rules.
  • Export-control overlay (ITAR / EAR) cost effects beyond noting they exist.
  • Foreign-jurisdiction certification cost (CMMC is a US DoD framework only).
  • Predictions of contractor-eligibility outcomes from any specific cost choice.

03 Calculation framework

C3PAO assessment fee tier math

C3PAOs price by company size band, on-site days, asset count, CUI boundary complexity, and locations. Public C3PAO listings plus practitioner reports cluster fees in three bands: small (under 50 employees, single site) $30K-$50K, mid (50-200 employees) $50K-$80K, larger (200-500+ employees, multi-site) $80K-$200K+. We publish only tier-band ranges; we do not publish per-firm pricing because most C3PAOs do not publicly list fees and quoted prices vary with engagement scope.

Remediation cost composition

Level 2 remediation cost decomposes across NIST SP 800-171 control families. The five highest-cost lines (in approximate dollar share) are SIEM ($15K-$100K/yr), EDR ($30-$150/endpoint/yr), MFA + identity ($5-$15/user/month), network segmentation ($10K-$80K project), and FIPS-validated encryption (often bundled but $5K-$30K incremental). Lower-cost line items (backup, audit logging, policy/SSP) round out the 110-control coverage.

Three-year TCO math

CMMC certification is triennial: Year 1 initial assessment cost is the headline number; Years 2-3 are maintenance (software renewals, monitoring, training, annual SPRS affirmation); Year 4 is the next triennial reassessment. Our three-year TCO tables sum Year 1 + Year 2 (lower, no reassessment) + Year 3 (slight bump for reassessment prep). Real spend can shift if the contractor's CUI scope changes.

Per-employee cost math

Larger contractors spread fixed costs (C3PAO fees, SIEM platform, GRC stack) across more employees, so per-employee cost decreases with scale. For Level 2 first-year cost, the per-employee range walks from $3,200-$4,600 for sub-25-employee contractors to $700-$1,000 for 500+ contractors. This is the math that drives whether scope reduction (cloud enclaves) or shared MSSP arrangements pay off.

Phase-by-phase cost composition

Every Level 2 path follows six phases: gap assessment ($3.5K-$60K), SSP development ($5K-$25K), remediation ($25K-$300K), internal validation ($5K-$15K), C3PAO assessment ($30K-$200K), and ongoing maintenance ($30K-$120K/yr). The remediation phase is the largest variable; current security maturity determines whether it lands at the low or high end.

Loaded labour math for internal staff time

BLS OEWS occupation 15-1212 (Information Security Analysts) gives a US-national median annual wage anchor. We apply a 1.3x burden multiplier (taxes, benefits, overhead) for fully-loaded cost. A typical Level 2 implementation absorbs 400-1,200 internal staff hours across IT, security, and compliance; that is $40K-$120K of internal cost that lives outside the headline C3PAO + remediation lines.
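As an added worked example (not the site's own code), the following Python carries the calculation framework above through to Year 1, per-employee and three-year bands. The dollar bands, the 400-1,200 hour range and the 1.3x burden are the page's; the wage input, the 2,080-hour work year, maintenance starting in Year 2 and the 10 percent Year 3 prep bump are assumptions.

```python
# Added example: band arithmetic for the Level 2 cost framework described on this page.
# Bands and the 1.3x burden are the page's; the wage value, 2,080-hour year, Year 2 start
# of maintenance and the Year 3 prep bump factor are assumptions made here.
LEVEL2_ONE_TIME = {            # one-time phases, USD (low, high)
    "gap_assessment": (3_500, 60_000),
    "ssp_development": (5_000, 25_000),
    "remediation": (25_000, 300_000),
    "internal_validation": (5_000, 15_000),
    "c3pao_assessment": (30_000, 200_000),
}
MAINTENANCE_PER_YEAR = (30_000, 120_000)  # ongoing phase, per year
BURDEN_MULTIPLIER = 1.3                    # taxes, benefits, overhead
HOURS_PER_YEAR = 2080                      # assumption: standard full-time year
YEAR3_PREP_BUMP = 1.10                     # assumption: "slight bump" for reassessment prep


def add_bands(*bands):
    """Sum (low, high) bands component-wise."""
    return (sum(b[0] for b in bands), sum(b[1] for b in bands))


def loaded_hourly_rate(median_annual_wage, burden=BURDEN_MULTIPLIER):
    """Fully loaded hourly cost from a BLS OEWS 15-1212 median annual wage."""
    return median_annual_wage / HOURS_PER_YEAR * burden


def internal_labour_band(median_annual_wage, hours=(400, 1200)):
    """Internal staff cost for the typical 400-1,200 hour Level 2 effort."""
    rate = loaded_hourly_rate(median_annual_wage)
    return tuple(round(h * rate) for h in hours)


def first_year_band(median_annual_wage, phases=LEVEL2_ONE_TIME):
    """Year 1 headline: one-time phases plus internal labour (maintenance assumed to start Year 2)."""
    return add_bands(*phases.values(), internal_labour_band(median_annual_wage))


def three_year_tco_band(median_annual_wage):
    """Year 1 + Year 2 (maintenance only) + Year 3 (maintenance with reassessment-prep bump)."""
    year3 = tuple(round(x * YEAR3_PREP_BUMP) for x in MAINTENANCE_PER_YEAR)
    return add_bands(first_year_band(median_annual_wage), MAINTENANCE_PER_YEAR, year3)


def per_employee_band(median_annual_wage, employees):
    """Spread the Year 1 band over headcount; fixed fees fall per head as the firm grows."""
    low, high = first_year_band(median_annual_wage)
    return (round(low / employees), round(high / employees))


if __name__ == "__main__":
    WAGE = 104_000  # placeholder input, not a BLS figure
    print(first_year_band(WAGE), three_year_tco_band(WAGE), per_employee_band(WAGE, 100))
```

Swap in the current BLS OEWS 15-1212 median for WAGE and your own headcount to reproduce the shape of the site's tables.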

04 Refresh cadence

First business week of each month we re-verify against primary sources, then roll the single-source LAST_VERIFIED_DATE constant forward across the entire site. Article schema dateModified, footer freshness paragraph, and per-page hero stamp all read from that constant.

Out-of-cycle refresh triggers:

  • 32 CFR Part 170 amendment or DoD CIO programme-office rule revision.
  • New DFARS clause amendment (252.204-7012, 7019, 7020, 7021).
  • NIST SP 800-171 or 800-172 revision.
  • Cyber AB C3PAO authorised registry composition change (new C3PAO authorisations, suspensions).
  • DIBCAC scheduling or scope-guidance update.
  • Vendor pricing page change for any named tool in our cost lines (more than 10 percent move).
  • BLS OEWS 15-1212 wage data update (typically April-May annually).

05 Limitations

  • Cost ranges are planning anchors, not quotes. A real C3PAO engagement quotes against your actual scope, asset count, and SSP readiness.
  • The 32 CFR Part 170 final rule landed October 2025 and continues to evolve through programme-office guidance; rule clarifications may shift cost expectations.
  • C3PAO ecosystem capacity is still ramping (population around 80 C3PAOs and around 600 CCAs as of early 2026); scheduling backlog adds indirect cost (delay, lost-bid risk) we do not put a dollar number on.
  • Internal labour wage anchors are US-national medians from BLS OEWS 15-1212; regional cost-of-living adjustments are not applied. High-cost metros (DC, San Francisco, Boston, NYC) run materially higher.
  • Vendor pricing on SIEM, EDR, and GRC platforms shifts; we publish bands wide enough to absorb six-month drift, but enterprise negotiation can move the floor.
  • DIBCAC Level 3 assessments have no published fee schedule; indirect cost (prep, downtime, lost-bid risk during scheduling backlog) is real but not quantified here.

06 Corrections process

If you find a factual or sourcing error, contact us. We turn around corrections within five business days. Substantive cost-band changes get a footer note on the affected page (date + nature of change) so readers and downstream citations can audit the trail.

Nothing on this site is legal or compliance advice. Cost ranges are for budget planning only. Before you commit to a budget, scope decision, or contract action, consult a Cyber AB authorised C3PAO or RPO and your organisation's legal counsel. See the About page for the full disclaimer.

Updated 2026-05-11