For a typical 10–50 person U.S. defense subcontractor, getting to CMMC Level 2 certified runs $40,000–$150,000 in year one and $25,000–$80,000/yr ongoing, on a realistic 9–12 month timeline from kickoff to a clean C3PAO assessment. The biggest variables are scope (how many laptops, servers, and SaaS services touch CUI), starting hygiene, and whether you migrate to GCC High / AWS GovCloud or try to retrofit commercial cloud (don't).
Where the money actually goes
- Cloud migration (GCC High or AWS GovCloud): $8k–$25k year one (licensing + tenant setup + data migration), $1k–$3k/user/yr ongoing.
- Endpoint management: $50–$120/endpoint/yr for a CMMC-aware MDM/EDR stack.
- SIEM and log retention: $5k–$20k/yr depending on log volume.
- SSP and POA&M: $10k–$40k for a consultant-built SSP, or $0–$5k if you build it in a platform.
- C3PAO assessment: $25k–$80k for the assessment itself, every 3 years.
- Remediation: the wildcard. Budget 20–40% on top of the first year for unanticipated control gaps.
A realistic 9–12 month timeline
Month 1 — Scope and decide
Decide the CUI boundary (enclave vs whole company). Stand up the GCC High / GovCloud tenant. Run a gap analysis against the 110 controls and get a baseline SPRS score posted.
Months 2–4 — Implement
Migrate users into the enclave. Deploy MDM, EDR, SIEM. Roll MFA everywhere. Write the first draft of the SSP as you go (not after).
Months 5–7 — Document and remediate
Tighten the SSP, close out POA&M items, build the evidence library (screenshots, configs, policy attestations). Run a tabletop incident response exercise.
Months 8–9 — Mock assessment
Hire an RPO (Registered Practitioner Organization) to do a dry run. Fix what they find.
Months 10–12 — C3PAO assessment
Book the C3PAO 4–6 months ahead — calendars are full. The assessment itself is typically a 1–2 week engagement.
What you can skip
- The $80k SSP consultant. A well-built platform can generate the SSP from your actual configuration.
- Boutique training programs. Free DCSA and CISA training meets the 800-171 awareness control.
- "AI-powered" compliance vaporware. If a vendor can't show you a body-of-evidence package, walk.
What you cannot skip
- GCC High / GovCloud if you handle CUI. The "equivalency" path for commercial cloud has not produced a single accepted body of evidence for the major hyperscalers in commercial regions.
- An honest SPRS score. DOJ's Civil Cyber-Fraud Initiative is actively pursuing False Claims Act cases on inflated scores.
- The C3PAO assessment itself. No path to certification without one.
Frequently asked questions
Can I claim CMMC costs back from the government?
Indirectly. CMMC implementation costs are generally allowable as indirect costs under FAR Part 31, recoverable through your overhead and G&A rates on cost-type contracts. They are not directly billable to a specific contract, but they do show up in your wrap rate. Coordinate with your DCAA accountant.
How long is a CMMC Level 2 certificate valid?
Three years. You must also file an annual affirmation in SPRS in years 2 and 3 attesting that your security posture has not materially changed. A material change can trigger a reassessment.
What's the cheapest legitimate path to Level 2 for a 10-person shop?
Narrow the CUI boundary aggressively — ideally a single GCC High tenant with 3–5 named users, a dedicated managed laptop per user, and zero CUI on the rest of the network. This keeps the assessment scope small, which is the single biggest cost lever you have.