Every executive asks the same two questions first, and most of the answers available are useless: vendor numbers built to win the deal, or government numbers that quietly exclude the expensive part. This installment gives you the honest version of both: what actually drives your number, and the calendar math behind a realistic assessment date.
There is no single number for what CMMC Level 2 costs, and anyone who gives you one without seeing your operation is guessing or selling. But the range is not mysterious. It is driven by a handful of factors you can identify in your own company, and once you understand them, you can build a budget that survives contact with reality. The timeline works the same way, with one difference: budgets can be adjusted along the way, while the calendar cannot be bought back. Start with the money, end with the clock.
The Department of Defense published its own cost estimates with the CMMC rule, and they are worth knowing because your prime, your board, or your bank may quote them at you. For a small entity, DoD estimates a Level 2 certification at roughly $105,000 over a three year cycle, and about $118,000 for larger companies.1 The small entity figure breaks down approximately as follows.
Now the part that matters. DoD's estimate covers assessment, preparation, reporting, and affirmation. It deliberately excludes the cost of implementing the 110 security requirements themselves, because in DoD's view those costs were incurred years ago: NIST SP 800-171 has been a contractual requirement under DFARS 252.204-7012 since the end of 2017. In other words, the government's number is the cost of proving compliance, on the assumption that you already achieved it.
For a contractor whose implementation is genuinely complete, that assumption holds and the DoD figure is a reasonable planning number. For everyone else, the real budget is the DoD number plus the cost of closing the gap, and the gap is usually the larger line. Which is why no figure published on the internet, including this one, is your figure.
The internet is full of CMMC cost ranges, and I am not going to add another set, because a range built from other companies tells you very little about yours. What is worth knowing is what drives the number, because every driver is something you can see in your own operation.
Scope is the master lever. How much of your company sits inside the assessment boundary drives everything else: the remediation, the documentation, the technology, the internal hours, and the assessment fee, at certification and again at every three year reassessment. Fewer in-scope systems, users, and locations means a smaller number on every line. That is why scope reduction is the highest leverage work a contractor can do before spending serious money, and why it has to happen early. Scoped late, after remediation dollars have gone out enterprise-wide, the savings are gone.
After scope, three things set your number: the size of your actual gap against the 110 requirements, the technology path you choose (a contained CUI enclave versus bringing the whole enterprise into compliance), and how much of the work your own people can carry versus what you bring in. None of those can be read off a pricing page. All of them can be established in the first weeks of a readiness engagement, which is why I help contractors figure out what CMMC will actually cost them: an onsite look at where CUI really moves, a deliberate boundary decision, and a cost estimate built from your operation instead of an industry average.
What I will give you instead of ranges is the structure: the lines a complete budget contains, arranged the way a real plan tracks them. Highlighted cells get filled from your own gap assessment and scope decision; the point of the worksheet is that every line has an owner and nothing is invisible, including the internal hours that never appear on an invoice.
| Line | Type | Estimate | Owner | Driven by |
|---|---|---|---|---|
| Gap assessment | One time | $ | [name] | Scope, depth |
| Scope reduction and boundary design | One time | $ | [name] | CUI mapping effort; pays back on every line below |
| Remediation and implementation | One time | $ | [name] | Gap size, scope, technical debt |
| Documentation (SSP, policies, POA&M) | One time, then maintained | $ | [name] | Scope, in-house writing capacity |
| Technology and environment | Recurring | $ /mo | [name] | Enclave vs enterprise decision, user count |
| Internal labor | One time and recurring | [hours] × loaded rate | [name] | Scope, program discipline |
| Consultant / outside help | One time | $ | [name] | In-house capability; see Part 5 |
| C3PAO assessment | Triennial | $ | [name] | In-scope assets, users, locations |
| Annual affirmations and maintenance | Annual | $ | [name] | Ongoing control operation, evidence upkeep |
| Year one total / recurring annual | $ / $ |
Most small and midsize contractors need 12 to 18 months of readiness work before a C3PAO can successfully assess them. Executives hear that number and assume it is padded. It is not, and the reason is structural: two of the phases cannot be compressed with money.
Evidence has to age. An assessor does not check whether a control exists on assessment day. They check whether it has been operating: log history, completed training records, executed reviews, change tickets, visitor logs accumulated over months. A control implemented in March has no April evidence no matter what you spend. This is the phase executives most consistently underestimate, because it looks like waiting when it is actually the program proving itself.
Assessors have queues. The C3PAO ecosystem is small relative to the number of contractors who need certification. The 48 CFR acquisition rule took effect on November 10, 2025 and phases CMMC status requirements into solicitations and awards over four stages across three years: Phase 1 leans primarily on Level 1 and Level 2 self-assessments, Phase 2 brings broader Level 2 certification requirements beginning November 10, 2026, and full implementation begins November 10, 2028.2 Every quarter that passes, more contractors compete for the same assessment calendar. A company that finishes readiness in 2027 alongside everyone else who waited will discover that the constraint is no longer their own schedule.
The practical consequence: your target date should be driven by your contracts, not by the rule. The question is not "when does the regulation require it" but "when will a solicitation, an option year, or a prime's flowdown letter require it of us," and that date is usually earlier than the one in the news. Build the timeline backward from there.
| Milestone | When | Why it sits there |
|---|---|---|
| Contract or flowdown date requiring certification | [month, year] | The date the business actually needs. Everything counts back from here. |
| C3PAO assessment window | 2 to 4 months before | Allows for assessment scheduling lead time and resolving any conditional findings. |
| Pre-assessment review complete | 1 to 2 months before the assessment | The last chance to catch what will not survive scrutiny while there is still time to fix it. |
| All controls operating, evidence accumulating | 4 to 6 months before the assessment | The aging period. Controls must run and generate artifacts; this phase cannot be purchased. |
| Remediation execution | The middle 6 to 9 months | Sequenced from the gap assessment, heaviest items first. |
| Gap assessment and scope decision | Months 1 to 2 | The plan and the boundary. Everything downstream is sized by these. |
| Program launch (see Part 3) | Month 1 | Ownership assigned, company informed, calendar committed. |
Every number on this page becomes specific the moment your actual gap and your actual scope are known. That is what the first weeks of a readiness engagement produce: an onsite look at where CUI really moves, a boundary decision made deliberately, and a cost and timeline estimate built from your operation instead of an industry average. From there, the worksheet above fills itself in.