By: Eileen Smith on June 11, 2025

How to Cut CMMC Compliance & C3PAO Audit Costs: Grants, MSPs & More

You’re a small or medium-sized business within the Defense Industrial Base (DIB) and need to become compliant with CMMC 2.0 to get certified and stay competitive within the Department of Defense (DoD) supplier pool.

The Cybersecurity Maturity Model Certification (CMMC) is designed to strengthen the security of the DoD supply chain and provide greater accountability and transparency in the certification process.

To do this, the government developed a tiered compliance and assessment program that divides DIB contractors and subcontractors into three levels.

Each level builds on the previous level to require increasingly tougher security measures to protect federal contract information (FCI) and controlled unclassified information (CUI). Businesses must also meet different assessment requirements, depending on their level.

Level 1 (Foundational) businesses that only handle FCI must meet the 15 basic safeguarding requirements of FAR 52.204-21 (Federal Acquisition Regulation); the CMMC Level 1 requirements map one-to-one to those FAR controls.

Level 2 (Advanced) companies must prove they’ve implemented safeguards that satisfy the 110 security requirements in NIST SP 800-171 (National Institute of Standards & Technology) to protect FCI and CUI.

The government requires Level 3 organizations at the Expert level to demonstrate the most stringent security controls to fight against advanced persistent threats (APTs). Level 3 businesses must satisfy the Level 2 requirements, plus additional controls from NIST SP 800-172.

While the end goal for the government is to strengthen its supply chain, meeting those requirements will mean a significant investment of both time and money for DIB companies.

In this article, we’ll outline different funding resources available to help ease the financial burden of becoming compliant and getting audited.

How Much Will It Cost To Become CMMC Compliant And Get Assessed For Certification?

To become CMMC compliant, you need to ensure you have the right security controls, documents, and other resources in place, including cybersecurity software, hardware, an incident response plan, and employee security awareness training.

Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks

These and other security controls are a necessary part of your organization’s comprehensive strategy to protect the sensitive federal information you store, process, or transmit.

Total costs will vary depending on a number of different factors, including the size and complexity of your organization, your current security posture, the frequency and type of the assessment required, and your CMMC level.

According to the DoD, small to mid-sized Level 1 organizations that only handle FCI can expect to spend around $3,000 to $6,000, on average, for their annual self-assessments and self-attestations.

Businesses at all three levels must also submit an annual affirmation of continued compliance, even in years when no new assessment is due.

For the select few Level 2 contractors that will be allowed to perform a self-assessment, estimated audit and self-attestation costs range from $37,000 to $49,000 for SMBs, according to DoD estimates.

Most Level 2 businesses, however, will be required to get assessed by a certified third-party assessor organization (C3PAO), with estimated expenses for the C3PAO audit rising to roughly $50,000 or more.

Keep in mind that depending on where the assessor organization you hire is located, you may be on the hook for covering the travel and accommodation expenses incurred by your assessment team to travel to your location.

Related Article: How To Choose A C3PAO For Your CMMC Audit: 7 Factors To Consider

Of course, your costs for a CMMC assessment are separate from what it will cost you to implement the security controls needed to become compliant with the regulation. 

Expenses for your pre-assessment compliance readiness measures can add up quickly.

For instance, companies with around 250 employees are looking at spending roughly $15,000 to $35,000 for a preliminary readiness assessment to get a baseline of their current security posture, according to one estimate.

Completing the other required steps for compliance, including identifying your CUI boundary, performing a gap analysis, implementing the right remediation controls, and creating a comprehensive system security plan (SSP) document could push total readiness costs north of $100,000 for small and mid-sized organizations.

CMMC compliance cost estimates for large enterprises range anywhere from $500,000 to over $2 million.

State Funding Programs To Reduce CMMC Compliance Costs

While these numbers may seem daunting, there is money available to help lessen the financial pain of meeting the regulatory requirements. 

If you’re just starting out on your compliance journey and you haven’t started working with an external IT provider to help you meet compliance requirements, that could work in your favor in at least one respect.

Connecticut offers the Cybersecurity Adoption Program (CAP). The grant program is open to Connecticut manufacturers and allied service providers (companies that modify existing products to add value) that need to get assessed for CMMC certification.

In an effort to help companies achieve CMMC compliance, the CAP program offers grants of up to $35,000 to cover half of your total project cost. Businesses will be required to pay the other half. Of that total, up to $10,000 can be used to offset the cost of your CMMC assessment.

There is a $5,000 project minimum to qualify.

The money is intended to help Connecticut businesses ease some of the financial burden of remediation, training, documentation and other required security measures needed to satisfy the requirements of CMMC 2.0.

To be eligible for the funding, one key stipulation you should be aware of is that you must not have already made a prior commitment to work with an external IT services provider for your CMMC readiness; doing so automatically disqualifies you.

According to the grant guidelines, “If a proposal has been signed, a PO placed, or a deposit made, the project WILL NOT be considered.”

As soon as the state receives your application, you’ll get an immediate email acknowledgement. Once that happens, you’re allowed to proceed with hiring an outside company to steer you through your compliance journey.

To be eligible for the state program, businesses must also:

  • Be registered with the Connecticut Secretary of State as a recognized business for at least 3 years and be generating manufacturing revenue
  • Be located in Connecticut or in the process of moving some or all of your manufacturing operations to the state
  • Earn more than half of your revenue from the sale of products that you make or from allied services
  • Have no fewer than 3 and no more than 300 full-time employees in Connecticut
  • Propose a project with a total value of at least $5,000
  • Have received less than $35,000 in previous funding from the program
  • Complete the proposed project within a 12-month period
  • Hire a third-party vendor or IT service provider to do the compliance preparation
  • Be in good standing with the CT Department of Revenue Services, the CT Department of Labor, and other relevant state or local agencies when you apply

It’s important to note that if your application is unsuccessful, you will be responsible for paying your full compliance preparation and assessment costs.

If you’re not a Connecticut business, you should know that other states are also providing funding to help in-state SMBs implement the right hardware, software, documentation, and other security resources they need to satisfy the compliance requirements for their CMMC level.

For instance, Michigan SMBs can apply for grants up to $22,500 to cover some of their compliance costs through the state’s Michigan Defense CyberSmart program.

Other Financial Assistance Programs To Help Businesses Achieve Compliance

There are several other avenues businesses can pursue to help defray the cost of compliance and certification.

1. Federal Assistance Programs

SBIR grants

Small Business Innovation Research (SBIR) grants are designed to stimulate technological innovation by rewarding DIB businesses and others that create new or improved cybersecurity tools to fight growing cyber threats.

The highly competitive program allows small businesses to research and develop new technologies, which could then be counted toward their CMMC compliance measures.

STTR grants

In a similar program also run by the U.S. Small Business Administration (SBA), Small Business Technology Transfer (STTR) grants are provided through several different federal agencies, including the DoD.

Grants are awarded to startups and small businesses that collaborate with research institutions, such as universities, to research and develop new cybersecurity technologies that could also be used to satisfy compliance requirements.

It should be noted that a federal funding freeze went into effect in January 2025. So, businesses interested in applying for the grants should verify with the SBA beforehand.

Allowable costs

In the past, the DoD had indicated that it would allow businesses to fold their CMMC compliance and assessment costs into their contract bid proposals as allowable expenses.

Businesses would not automatically receive payment for the covered costs, but would be reimbursed instead. It is unclear at this time, however, if this provision is still available following the funding freeze.

2. Managed IT Service Provider (MSP)

An MSP, or third-party IT service provider, is also a viable option if you’re trying to cut costs.

For starters, by hiring an MSP, you instantly gain a team of IT and cybersecurity experts with the specialized skills and know-how to develop a customized compliance roadmap tailored to your business.

This saves money because it eliminates the need for you to hire an internal IT team or bring on others with the cybersecurity and regulatory knowledge you need to drive your compliance strategy.

At the same time, your IT service provider will identify the parts of your environment that touch FCI or CUI and scope out a CUI boundary.

Related Article: CMMC Step 5: Ensure CMMC Readiness With Pre-Audit Review & Mock Audit

This lets you focus your remediation efforts on that targeted area only, so you won’t waste money buying or upgrading security tools for out-of-scope parts of your environment.

Finally, using an MSP also allows you to break the compliance process up into manageable stages, so you won’t have to budget for everything at once.

In addition, some grant programs require you to work with an outside IT provider for compliance readiness to be eligible for funding, such as Connecticut’s CAP program mentioned earlier.

3. The Cyber AB

The Cyber AB is not a direct funding source, but it is the government-selected CMMC accreditation body for certified third-party assessor organizations (C3PAOs).

Its website features the official CMMC Marketplace of approved auditors for CMMC Level 2 businesses that require C3PAO assessments. The organization can help you narrow your search to auditors in your area. It’s also a good source to answer frequently asked questions about CMMC, along with the DoD itself.

Keep in mind that your total assessment costs can also be significantly affected by the C3PAO you hire.

Some cost variables to consider include: the number of physical locations your business has, the size of your assessment scope perimeter, and where the assessors who will be conducting your audit are located.

The Bottom Line With Resources To Reduce CMMC Compliance And Audit Costs

After reading this article, you now know the estimated costs to become CMMC compliant and get assessed. You've also discovered several funding opportunities and resources to help absorb some of the financial strain.

Although the cost of becoming compliant with the security framework and getting assessed is significant, imagine the costs you would suffer if you were hit by a cyberattack.

A ransomware attack or data loss from a data breach, for instance, could deal a debilitating blow to your business, including reputational harm, customer defections, legal fallout, and significant financial loss.

In addition, you could lose your federal contracts and face substantial government fines and penalties for noncompliance.

For these reasons, you can't afford to put off starting your CMMC compliance journey.

We write articles like this to make sure you're armed with the information you need to make the IT decisions that are right for your business, whether you choose to work with us or not.

That said, at Kelser, we have decades of experience helping businesses like yours become compliant with various regulations, including NIST and DFARS. 

If you haven’t started on your CMMC compliance journey, or you’re unsure how to jumpstart your stalled process, we’re here to help.

About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
