Updated May 2026

Cost of NOT Doing CMMC: $500K to $10M in lost annual revenue

The CMMC budget conversation usually starts with the cost of compliance. The more important conversation starts with the cost of non-compliance: contract ineligibility, lost revenue, False Claims Act exposure for misrepresentation, and the strategic cost of being designed out of the defense industrial base. For most contractors with material DoD revenue, the math heavily favours compliance.

The three categories of non-compliance cost

Non-compliance has three distinct cost categories. First, direct revenue loss from contract ineligibility. Phase 2 (Nov 2026) makes C3PAO Level 2 certification mandatory for new solicitations at that level. Without certification, you cannot bid on those solicitations. Phase 3 (Nov 2027) extends the requirement to option exercises on existing contracts, meaning your existing DoD revenue starts dropping off as options come up for renewal. Phase 4 (Nov 2028) applies to all DoD contracts.

Second, False Claims Act exposure for misrepresentation. Misstating CMMC certification status, or posting an SPRS score that materially overstates compliance, can be pursued as a false claim under the False Claims Act. Since the DOJ launched its Civil Cyber-Fraud Initiative in October 2021 there have been multiple cybersecurity-related settlements (Aerojet Rocketdyne $9M in 2022, Penn State $1.25M in 2024, Raytheon/RTX $8.4M in 2025), with further cases in progress. Civil penalties run $13,946-$27,894 per false claim (the range set by the DOJ's 2024 inflation adjustment; the figure is indexed annually, so check the current one) plus treble damages. Senior officers face personal liability under the False Claims Act, and the Yates Memo directs DOJ to pursue the individuals responsible for corporate misconduct rather than the company alone.

Third, strategic positioning loss. Even contractors that ultimately decide to exit the DoD market face a loss of strategic optionality. A small contractor that holds a CMMC certification has visibility into DoD opportunities and can pivot back into defense work if commercial markets soften; a contractor that has let certification lapse cannot. For mid-size contractors with diverse customer bases, this strategic optionality has measurable value.

Revenue at risk by contractor profile

Contractor profile | Typical DoD revenue | CMMC compliance cost (annual TCO) | Compliance as % of DoD revenue
Small consultancy, DoD-focused | $2M - $5M/yr | $50K - $120K/yr | 1 - 6%
Mid-size DIB sub-contractor | $8M - $20M/yr | $80K - $200K/yr | 0.4 - 2.5%
Large prime contractor | $100M - $5B/yr | $500K - $5M/yr | 0.01 - 5% (well under 1% at a typical cost-to-revenue pairing)
Diversified mid-market (20% DoD) | $1M - $3M/yr (20% of $5M - $15M total revenue) | $60K - $150K/yr | 2 - 15%

For every category except the diversified mid-market with limited DoD share, compliance cost is a small fraction of DoD revenue. The math overwhelmingly favours compliance. The exception is the diversified mid-market where DoD is genuinely a side business; for those firms the calculus depends on growth expectations.

False Claims Act exposure in detail

The False Claims Act (31 U.S.C. 3729 et seq.) penalises the knowing submission of false claims for payment or approval to the federal government. Civil penalties are $13,946 to $27,894 per false claim (the range set by the DOJ's 2024 inflation adjustment; it is updated annually). Damages are treble (three times the federal loss). Senior officers can face personal liability, and the Yates Memo directs DOJ to hold the responsible individuals accountable rather than settle only with the company.

The Civil Cyber-Fraud Initiative launched by the DOJ in October 2021 explicitly targets cybersecurity misrepresentation in federal contracts. The DOJ has stated it will use the False Claims Act to pursue contractors that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices, or knowingly violate obligations to monitor and report cyber incidents. CMMC certification status, SPRS score accuracy, and DFARS 252.204-7012 incident reporting all fit squarely within this framework.

Notable enforcement actions: Aerojet Rocketdyne settled in 2022 for $9 million over allegations that it misrepresented its compliance with DFARS cybersecurity requirements. Penn State University settled in October 2024 for $1.25 million over alleged misrepresentation of its NIST SP 800-171 implementation. MORSECORP settled in March 2025 for $4.6 million and Raytheon/RTX in May 2025 for $8.4 million on similar allegations. Other matters are less visible because qui tam complaints remain under seal until the government decides whether to intervene. The trend line is clear: cybersecurity misrepresentation is being prosecuted, and the penalties are large enough to materially threaten contractor viability. Real compliance and accurate self-attestation are the only safe positions.

The math when DoD is dominant revenue

For a 30-employee defense contractor with $8M in annual DoD revenue, the CMMC Level 2 first-year cost is roughly $80K-$150K (per the company-size table on the homepage). The 3-year total cost of ownership runs $200K-$450K. Over the same 3-year period, DoD revenue is $24M. The compliance cost is therefore 0.8-1.9 percent of DoD revenue over the certification lifecycle. Without certification, that $24M of DoD revenue evaporates as contracts come up for renewal. Even accounting for transition costs to commercial markets, the compliance investment pays back roughly 50-100x over the certification lifecycle.

For a 100-employee contractor with $25M in DoD revenue, the math is even more lopsided: $120K-$250K first-year compliance against $25M annual revenue. The compliance cost is 0.5-1 percent of annual revenue, and missing certification means losing the entire DoD revenue base. Few defensible business cases support skipping compliance at this scale.

The math when DoD is a side business

For a 40-employee firm with $10M total revenue and $1M in DoD work, the math gets harder. A $60K-$120K first-year compliance investment against $1M annual DoD revenue is 6-12 percent of the DoD revenue base. Over 3 years, $200K-$400K TCO against $3M of DoD revenue is 7-13 percent. That is a much harder business case, particularly if the DoD revenue is not strategic to the firm's growth trajectory.

For firms in this profile, the rational analysis usually results in one of two paths. Path A: invest in compliance because the DoD market is strategic to long-term growth, even though current-period economics are tight. Path B: restructure the work portfolio to take only Level 1 DoD work (FCI only, no CUI) or exit DoD entirely and reinvest the compliance budget into commercial market expansion. Path B is an increasingly common choice among small defense contractors as the implementation timeline tightens. Neither path is wrong; the decision should be made deliberately and not by default.

Frequently asked questions

What actually happens if I do not get CMMC certified?
You become ineligible for any DoD solicitation that requires the CMMC level you do not hold. Phase 1 (Nov 2025) already requires Level 1 and Level 2 self-assessments. Phase 2 (Nov 2026) makes C3PAO Level 2 certification mandatory for new solicitations at that level. Phase 3 (Nov 2027) extends the requirement to option exercises on existing contracts. Phase 4 (Nov 2028) applies to all DoD contracts. Without certification you cannot bid; without bidding you cannot win; without winning you exit that part of the DoD market.
Could I just claim to be certified and hope nobody checks?
No. CMMC assessment results and certifications are recorded in the CMMC instantiation of eMASS (Enterprise Mission Assurance Support Service) and surfaced to contracting officers through SPRS, so a claimed certification with no matching record is trivially detectable. Misrepresenting certification status is a False Claims Act violation, which carries treble damages plus civil penalties of $13,946 to $27,894 per false claim (the DOJ's 2024 inflation-adjusted range, updated annually). The senior official who signs the CMMC affirmation faces personal liability. Several defense contractors, including Aerojet Rocketdyne and Raytheon/RTX, have settled FCA cases related to cybersecurity misrepresentation for millions of dollars each.
What is the typical revenue loss?
For a contractor where DoD work represents the majority of revenue, the loss is total: typically $2M to $50M in annual revenue depending on company size. For diversified contractors where DoD is 20-40 percent of revenue, the loss is partial but still significant: $500K to $10M in annual DoD revenue. The CMMC compliance budget ($50K-$500K) is therefore a fraction of the revenue at risk for most defense-aligned contractors. The math heavily favours investing in compliance unless DoD is genuinely a small share of revenue.
What is the False Claims Act exposure for an incorrect SPRS score?
Posting an SPRS score that materially overstates compliance is treated as a false claim if the score was material to a contract award or payment. The Civil Cyber-Fraud Initiative launched by the DOJ in October 2021 specifically targets cybersecurity misrepresentation in federal contracts. The Aerojet Rocketdyne case (2022) settled at $9 million over alleged misrepresentation of NIST 800-171 compliance. Penn State University settled in October 2024 for $1.25 million on similar allegations. Further cases are working through the DOJ pipeline. The exposure is real and growing, not theoretical.
Can I delay CMMC and let the deadlines slip?
Not without consequences. Phase 1 is already in effect; new solicitations include the requirement. The DoD has not announced any delay to Phase 2 (Nov 2026) and has consistently emphasised the importance of the phased timeline. Even if specific solicitations defer the requirement, your competitors are likely investing in compliance now, which means by the time you need to bid you may be behind on a multi-year preparation cycle. Strategic delay is high-risk for any contractor with material DoD revenue.
Is there ever a case for exiting the DoD market rather than complying?
Yes. For sub-50-employee contractors where DoD revenue is less than 20 percent of total and where commercial markets are growing, the compliance cost may exceed the strategic value of the DoD work. Run the math: 3-year CMMC compliance cost versus 3-year DoD revenue minus other delivery costs. If the net is negative or near zero, exiting is rational. This decision is most common for small consultancies, niche product companies, and firms with a strong commercial pipeline. Exit math is covered in more detail on the small business and sub-contractor pages.

Updated 2026-05-11