The assessment fee is 20–30% of the real number. Here’s the full line-item stack, the ranges behind each one, and the three decisions that move the total.
First-cycle CMMC Level 2 certification typically runs $75,000–$300,000 all-in, with small contractors clustering toward the lower end. The DoD's own estimate for the triennial certification cycle is $105,000–$118,000 — yet surveys show roughly 70% of contractors budgeted less than $100,000. The C3PAO assessment fee is only 20–30% of the real number; preparation, remediation, and documentation are where budgets break.
CMMC cost questions usually get answered with the assessment fee, which is a bit like quoting a wedding by the officiant's rate. The assessment is the visible line item. The total is a stack of workstreams, each with its own range and its own drivers. Here's the full stack, with 2026 market figures.
| Cost component | 2026 range | What drives it |
|---|---|---|
| Gap assessment | $5,000–$15,000 | Scope size; whether done internally, by a consultant, or via platform tooling. |
| Remediation & implementation | $20,000–$150,000+ | The widest range on the list. Driven entirely by your starting posture: missing MFA, logging, segmentation, or encryption means real infrastructure spend. |
| Documentation & SSP | $12,000–$60,000 | System Security Plan, policies and procedures for 110 requirements, evidence collection and mapping. Priced as consultant labor in most engagements. |
| C3PAO assessment | $30,000–$150,000 (commonly $35K–$75K) | Scope complexity, organization size, geography, and—increasingly—queue scarcity. C3PAOs set their own fees, and demand exceeds capacity. |
| Annual affirmations | ~$1,500–$3,000/yr | Required attestations between triennial assessments. |
| Triennial recertification | $40,000–$230,000 | Reassessment, gap review, documentation refresh, and remediation of drift. Continuous-compliance practices cut this 25–35%. |
Three patterns show up consistently in the contractors who blow their estimates:

1. **Every dollar scales with the CUI boundary.** A tightly scoped enclave — segregating CUI processing into a defined environment rather than certifying the whole enterprise — can cut remediation, documentation, and assessment costs simultaneously. This is the single highest-leverage decision in the program, and it happens at the very beginning.
2. **Remediation is only expensive when it's real.** Organizations sometimes buy tooling for controls they substantially already meet, because nobody mapped existing practice against the 110 requirements rigorously. Assess first, spend second.
3. **Documentation and evidence is the line item where technology has genuinely changed the math.** The work is information processing — mapping existing documents against requirements, generating missing policies, linking evidence to controls — and AI-assisted platforms now do the heavy lifting with humans reviewing rather than authoring. One sub-50-person technology company completed its entire Level 2 evidence workstream in 18 hours on PRISM: evidence upload, AI-customized policy templates, and human-in-the-loop review of every evidence-to-control link. Against a $12K–$60K consultant-labor line, that's not an optimization — it's a different cost structure.
Present CMMC as three numbers, not one: (1) first-cycle certification cost, (2) annual run-rate including affirmations and compliance maintenance, and (3) the triennial recertification reserve. A small contractor's realistic picture is roughly $75K–$130K first cycle, low five figures annually, and a recertification reserve building toward year three. One number invites underbudgeting; three numbers invite a program.
The comparison that matters isn't CMMC cost versus zero — it's CMMC cost versus your CUI-dependent revenue. From November 10, 2026, applicable new solicitations require certification as a condition of award (see our Phase 2 explainer for which contracts and when). For a contractor with meaningful DoD CUI work, the certification investment is typically a low single-digit percentage of the revenue it protects. The expensive outcome isn't the program — it's discovering in 2027 that the queue is eighteen months long and your recompete is in six.
PRISM collapses the documentation and evidence workstream from a five-figure consultant engagement into AI-assisted processing with human review.