Cutting the Costs of CMMC with Lazarus Alliance

Strategic CMMC certification implementation by Lazarus Alliance

The new CMMC rule proposal is out, and some organizations are getting their first introductions to the cost of doing business in the federal sector. This new rule includes several estimates for the total costs of adopting the framework for small and larger businesses. 

But is this the final word? We break down some of these costs, where they come from, and how we can help you reduce expenses on CMMC.


The New CMMC Rule (CMMC 2.0)

The proposed Cybersecurity Maturity Model Certification (CMMC) rule released by the Department of Defense in December 2023 aims to ensure that defense contractors and subcontractors comply with existing information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The key aspects of the CMMC 2.0 program include:

The CMMC 2.0 framework has been streamlined to allow for self-assessment at some levels. Specifically, contractors handling FCI at CMMC Level 1 can perform self-assessments annually, as can some (very limited) Level 2 contractors.

CMMC also crystallized the three levels of maturity that make up the standard:

  • Level 1: This level requires basic safeguarding of FCI, verified through self-assessment.
  • Level 2: This level focuses on protecting CUI and requires adherence to the 110 security requirements of NIST SP 800-171. Depending on the contract, Level 2 compliance can be verified through either self-assessment or certification by a third-party assessment organization (C3PAO), with self-assessments needing to be performed triennially.
  • Level 3: This level is for the highest-priority CUI and includes the 110 security requirements of NIST SP 800-171 plus 24 additional requirements from NIST SP 800-172.

Flexibility and Cost Reduction: Self-assessments for Levels 1 and some Level 2 contracts are intended to reduce overall program costs. For Level 3, government assessors will conduct assessments to minimize costs to the industry.


The Ongoing Costs of CMMC Compliance

Costs will be one of the more important aspects of working toward CMMC compliance. As part of the new proposed rule, the Department of Defense provides several estimates for ongoing costs for small and larger businesses. For this report, these designations follow the Small Business Administration’s definition of a “small business” as one with 500 or fewer employees that falls under particular revenue requirements.

These estimates reflect feedback received during the CMMC 1.0 cycle, when contractors reported that the original estimates were significantly too low.

The numbers here are revealing:

  • The DoD expects most organizations (over 56,000 small entities and over 19,000 larger entities) to enter Level 2 Certification.
  • The estimated costs for Level 2 Certification (non-self-assessment) top $100,000 for small businesses and $117,000 for larger businesses.

These estimates aren’t particularly surprising. Organizations cannot handle Controlled Unclassified Information (the primary goal of CMMC) until they reach Level 2. While self-assessments are allowed under certain circumstances, most businesses entering Level 2 will work with a C3PAO for certification. The massive jump in costs for a Level 2 certification reflects these facts and the leap in requirements (an almost tenfold increase from Level 1).

Estimated Number of Entities Seeking Compliance
| Assessment Context | Small | Other than Small | Total | Percent |
|---|---|---|---|---|
| Total, Small Entities | 103,010 | 36,191 | 139,201 | 63% |
| Level 2 Self-Assessment | 2,961 | 1,039 | 4,000 | 2% |
| Level 2 Certification Assessment | 56,689 | 19,909 | 76,598 | 35% |
| Level 3 Certification Assessment | 1,327 | 160 | 1,487 | 1% |
| Total | 163,987 | 57,299 | 221,286 | 100% |
| Percent | 74% | 26% | 100% | |


CMMC Certification Costs
| | Level 1 Self-Assessment (Annual) | Level 2 Self-Assessment (Triennial) | Level 2 Certification (Triennial) | Level 3 Certification (Triennial) |
|---|---|---|---|---|
| Total Estimated Cost, Small Entities | $5,977 | $37,196 | $104,670 | $12,802 |
| Total Estimated Cost, Larger Entities | $4,042 | $48,827 | $117,768 | $44,444 |


Revising the Cost of Compliance

Are these the final costs that every business should expect? No.

These costs reflect several different issues that the DoD recognizes as challenges for compliance: 

  • Outsourced IT Services: External IT service providers are allowed, but depending on the extent of the services required, they can add significant costs.
  • Increased Preparation Time: The total time contractors spend preparing for the assessment has increased. This includes time allocated for understanding and learning the reporting and affirmation processes necessary for compliance.
  • Consulting Firm Assistance: The estimates include provision for consulting firms to assist with the assessment process, including the preparation and execution phases.
  • Senior Management Review: A senior-level manager will review the assessment and affirmation results before submission, ensuring the findings are accurate and comprehensive.
  • Updated Labor Rates: The DoD has updated government and contractor labor rates to include applicable burden costs, reflecting current market conditions more accurately.

By incorporating these elements, the CMMC 2.0 cost estimates aim to provide a more accurate and realistic picture of the financial impact on organizations seeking certification. 


Cutting CMMC Certification Costs in Half with Lazarus Alliance 

That being said, we understand that seeing the hard numbers can raise some eyebrows. Even as the DoD estimates an explosion of small businesses adopting CMMC requirements, these businesses may see these costs as too high or simply not worth the cost of doing business.

These costs don’t reflect modernization in compliance, innovations that will save time and money. Cloud compliance and managed security are the cornerstones of modern CMMC alignment, and organizations looking at the DoD figures would do well to understand the landscape. 

Lazarus Alliance and Continuum GRC lead the industry in expert, streamlined services, including:

  • Deep Security Expertise: We have decades of collective experience working with cybersecurity and compliance in the federal sector, and we’ve led the way in pursuing our status as a fully automated C3PAO. 
  • Cloud- and AI-Powered Tools: With the Continuum GRC platform, you can streamline compliance through always-on reporting and monitoring tools and our internal A.ITAMS system that automates technical writing for compliance.
  • Competitive Rates: Due to our experience and automation tools, we can significantly cut the estimated prices for CMMC compliance.

To learn more, contact us.

Download our company brochure.
