"How much will CMMC cost me?" is the first question almost every small defense contractor asks — and the honest answer is: it depends far more on what you have to fix than on the assessment itself. The assessment fee is the visible number; the real spend is getting your environment ready. Here's the realistic picture for 2026.
The short answer, by level
| Path | Third-party fee | Typical all-in |
|---|---|---|
| Level 1 (FCI) — self-assessment | $0 | Internal time + basic IT hygiene |
| Level 2 — self-assessment* | $0 | Readiness + internal time |
| Level 2 — C3PAO certification | ~$30K–$150K | ~$75K–$300K |
| Level 3 (DIBCAC) | Government-led | Highest — for the most sensitive programs |

*A subset of lower-risk CUI contracts permits a Level 2 self-assessment instead of a C3PAO. See CMMC Level 2 self-assessment for who qualifies.
The C3PAO assessment fee
If your contract requires a Level 2 certification, a Certified Third-Party Assessment Organization (C3PAO) performs the assessment, and they set their own fees. In 2026, those fees generally run from about $30,000 to $150,000, driven by your size and scope — small businesses (under ~50 people) often land in the $30,000–$50,000 range. The DoD's own published estimate puts a Level 2 certification near $105,000 across the three-year cycle — that figure includes the triennial assessment plus two annual affirmations. Because demand for assessors currently outstrips supply, expect fees to stay firm or rise.
Where the money actually goes
Total Level 2 programs commonly land between $75,000 and $300,000, with small businesses averaging around $138,000. That breaks into three buckets:
1. Readiness & gap remediation (the big one)
This is everything you have to fix to satisfy the controls: phishing-resistant multifactor authentication, FIPS-validated encryption, audit logging and a SIEM, vulnerability management, and — for many shops — migrating CUI into a compliant enclave such as Microsoft 365 GCC High. The bigger the gap between where you are and the standard, the bigger this number.
2. The assessment
The C3PAO fee above (Level 2 certification), or essentially $0 in third-party fees if you qualify to self-assess.
3. Documentation & ongoing cost
Your System Security Plan and POA&M, plus the recurring cost of annual affirmations, continuous monitoring, and a triennial reassessment. CMMC is not one-and-done.
Cut the biggest cost line for free
The two documents consultants charge five figures for — your SPRS score and your SSP — you can produce yourself. Start with the free calculator to see exactly which gaps cost you the most.
How small contractors keep the bill down
- Scope tightly. The single biggest cost lever is shrinking what's in scope — put CUI in a small enclave so fewer systems must meet the controls. See asset scoping.
- Self-assess where you're allowed. If your contracts permit a Level 2 self-assessment, you avoid the C3PAO fee entirely.
- Do your own SSP and SPRS score. Don't pay a consultant $10K+ to write what free tools produce. Use the SPRS calculator and SSP generator.
- Fix the high-impact gaps first. A handful of 5-point controls move your score the most — see the 5-point controls to fix first so you spend on what matters.
CMMC cost — frequently asked
Is CMMC Level 2 self-assessment free?
There's no assessor fee for a self-assessment, which a subset of lower-risk CUI contracts allows. Your costs are internal time and any remediation needed to actually meet the controls — and the SPRS score and SSP can be produced with free tools.
Does the government pay for CMMC?
No. You bear the cost of compliance and the assessment. Some costs may be allowable on certain contracts, but there's no reimbursement program that covers CMMC for you.
How often do you pay?
A Level 2 C3PAO certification runs on a three-year cycle (the assessment plus an annual affirmation each year), and readiness/monitoring costs are ongoing. Budget for recurring spend, not a one-time hit.
Can I write the SSP myself?
Yes. Nothing requires a consultant. Our free SSP generator drafts assessor-ready narrative; you own and edit it.
Start where it's free
Before you spend a dollar on consultants, find out exactly where you stand: calculate your SPRS score, then turn those gaps into a documented plan with the SSP generator. Both are free and run in your browser — and they're the most expensive line items when you pay someone else for them.