Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
CMMC Executive Series · Part 4 of 6

What Level 2 really costs, and how long it really takes.

Every executive asks the same two questions first, and most of the answers available are useless: vendor numbers built to win the deal, or government numbers that quietly exclude the expensive part. This installment gives you the honest version of both: what actually drives your number, and the calendar math behind a realistic assessment date.

Home CMMC Executive Series Budget and Timeline

There is no single number for what CMMC Level 2 costs, and anyone who gives you one without seeing your operation is guessing or selling. But the range is not mysterious. It is driven by a handful of factors you can identify in your own company, and once you understand them, you can build a budget that survives contact with reality. The timeline works the same way, with one difference: budgets can be adjusted along the way, while the calendar cannot be bought back. Start with the money, end with the clock.

The Official Number

What DoD's estimate covers, and the part it leaves out

The Department of Defense published its own cost estimates with the CMMC rule, and they are worth knowing because your prime, your board, or your bank may quote them at you. For a small entity, DoD estimates a Level 2 certification at roughly $105,000 over a three year cycle, and about $118,000 for larger companies.1 The small entity figure breaks down approximately as follows.

$76,743
Conducting the C3PAO assessment
$20,699
Planning and preparing for it
$2,851
Reporting the results
$4,377
Annual affirmations over three years

Now the part that matters. DoD's estimate covers assessment, preparation, reporting, and affirmation. It deliberately excludes the cost of implementing the 110 security requirements themselves, because in DoD's view those costs were incurred years ago: NIST SP 800-171 has been a contractual requirement under DFARS 252.204-7012 since the end of 2017. In other words, the government's number is the cost of proving compliance, on the assumption that you already achieved it.

For a contractor whose implementation is genuinely complete, that assumption holds and the DoD figure is a reasonable planning number. For everyone else, the real budget is the DoD number plus the cost of closing the gap, and the gap is usually the larger line. Which is why no figure published on the internet, including this one, is your figure.

Your Number

What actually drives your cost

The internet is full of CMMC cost ranges, and I am not going to add another set, because a range built from other companies tells you very little about yours. What is worth knowing is what drives the number, because every driver is something you can see in your own operation.

Scope is the master lever. How much of your company sits inside the assessment boundary drives everything else: the remediation, the documentation, the technology, the internal hours, and the assessment fee, at certification and again at every three year reassessment. Fewer in-scope systems, users, and locations means a smaller number on every line. That is why scope reduction is the highest leverage work a contractor can do before spending serious money, and why it has to happen early. Scoped late, after remediation dollars have gone out enterprise-wide, the savings are gone.

After scope, three things set your number: the size of your actual gap against the 110 requirements, the technology path you choose (a contained CUI enclave versus bringing the whole enterprise into compliance), and how much of the work your own people can carry versus what you bring in. None of those can be read off a pricing page. All of them can be established in the first weeks of a readiness engagement, which is why I help contractors figure out what CMMC will actually cost them: an onsite look at where CUI really moves, a deliberate boundary decision, and a cost estimate built from your operation instead of an industry average.

The ranges published online are estimates of someone else's company. Your budget starts with your scope and your gap, and both are measurable.
Sample

The budget worksheet

What I will give you instead of ranges is the structure: the lines a complete budget contains, arranged the way a real plan tracks them. Highlighted cells get filled from your own gap assessment and scope decision; the point of the worksheet is that every line has an owner and nothing is invisible, including the internal hours that never appear on an invoice.

Sample · Level 2 Budget Worksheet
LineTypeEstimateOwnerDriven by
Gap assessmentOne time$[name]Scope, depth
Scope reduction and boundary designOne time$[name]CUI mapping effort; pays back on every line below
Remediation and implementationOne time$[name]Gap size, scope, technical debt
Documentation (SSP, policies, POA&M)One time, then maintained$[name]Scope, in-house writing capacity
Technology and environmentRecurring$ /mo[name]Enclave vs enterprise decision, user count
Internal laborOne time and recurring[hours] × loaded rate[name]Scope, program discipline
Consultant / outside helpOne time$[name]In-house capability; see Part 5
C3PAO assessmentTriennial$[name]In-scope assets, users, locations
Annual affirmations and maintenanceAnnual$[name]Ongoing control operation, evidence upkeep
Year one total / recurring annual$ / $
Two totals, not one. The year one number gets the program approved. The recurring annual number is what keeps it honest, because it is the line that appears in every budget after this one.
The Clock

The calendar math

Most small and midsize contractors need 12 to 18 months of readiness work before a C3PAO can successfully assess them. Executives hear that number and assume it is padded. It is not, and the reason is structural: two of the phases cannot be compressed with money.

Evidence has to age. An assessor does not check whether a control exists on assessment day. They check whether it has been operating: log history, completed training records, executed reviews, change tickets, visitor logs accumulated over months. A control implemented in March has no April evidence no matter what you spend. This is the phase executives most consistently underestimate, because it looks like waiting when it is actually the program proving itself.

Assessors have queues. The C3PAO ecosystem is small relative to the number of contractors who need certification. The 48 CFR acquisition rule took effect on November 10, 2025 and phases CMMC status requirements into solicitations and awards over four stages across three years: Phase 1 leans primarily on Level 1 and Level 2 self-assessments, Phase 2 brings broader Level 2 certification requirements beginning November 10, 2026, and full implementation begins November 10, 2028.2 Every quarter that passes, more contractors compete for the same assessment calendar. A company that finishes readiness in 2027 alongside everyone else who waited will discover that the constraint is no longer their own schedule.

The practical consequence: your target date should be driven by your contracts, not by the rule. The question is not "when does the regulation require it" but "when will a solicitation, an option year, or a prime's flowdown letter require it of us," and that date is usually earlier than the one in the news. Build the timeline backward from there.

Sample · Backward Timeline
MilestoneWhenWhy it sits there
Contract or flowdown date requiring certification[month, year]The date the business actually needs. Everything counts back from here.
C3PAO assessment window2 to 4 months beforeAllows for assessment scheduling lead time and resolving any conditional findings.
Pre-assessment review complete1 to 2 months before the assessmentThe last chance to catch what will not survive scrutiny while there is still time to fix it.
All controls operating, evidence accumulating4 to 6 months before the assessmentThe aging period. Controls must run and generate artifacts; this phase cannot be purchased.
Remediation executionThe middle 6 to 9 monthsSequenced from the gap assessment, heaviest items first.
Gap assessment and scope decisionMonths 1 to 2The plan and the boundary. Everything downstream is sized by these.
Program launch (see Part 3)Month 1Ownership assigned, company informed, calendar committed.
Run the arithmetic on your own contract date. If the backward count says the start date was last quarter, that is not a reason to panic. It is a reason to start this quarter and to be ruthless about scope.
Where to Start

The budget you can defend starts with a gap you have measured.

Every number on this page becomes specific the moment your actual gap and your actual scope are known. That is what the first weeks of a readiness engagement produce: an onsite look at where CUI really moves, a boundary decision made deliberately, and a cost and timeline estimate built from your operation instead of an industry average. From there, the worksheet above fills itself in.

← Previous · Part 3 Launch the Program Inside Your Company
References

Sources

  1. U.S. Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program, 32 CFR Part 170, final rule, including the Department's published cost estimates for assessment, preparation, reporting, and affirmation activities by level and entity size. ecfr.gov
  2. DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements. acquisition.gov
About the Author

David W. Koran is a CyberAB Registered Practitioner Advanced and the author of The CMMC Decision, now in its second edition. He works onsite with defense contractors and their counsel, from the first leadership briefing through the pre-assessment review. Reach him at 802-335-2662 or dkoran@davidkoran.com.