Fortinetics
Insights · CMMC · 9 min read

CMMC Level 2: what it actually costs — engagement, tools, C3PAO assessment, and year 2

An honest breakdown of CMMC Level 2 cost in 2026: engagement fees ($150K–$500K), C3PAO assessment ($60K–$150K), GCC High and M365 licensing, tooling stack, and the year-2 operational costs most programs forget to budget. Covers three cost archetypes — platform-led, firm-led, Big 4 — and what drives CMMC cost up or down in practice.

CMMC Level 2 pricing is opaque by design. Compliance platforms advertise “CMMC-ready in 30 days for $30K.” Boutique firms quote “six-figure engagements” without defining what is in scope. Big 4 firms come in at seven figures with a three-inch statement of work that makes it impossible to tell what has been scoped out. When a defense subcontractor asks “how much will this actually cost,” the honest answer is a range, but most published ranges are so wide ($50K to $2M) that they are not useful.

This article is the breakdown I give prospective clients in a scoping call. Specific dollar ranges. What drives cost up or down. Three real-world cost archetypes. And the operational costs in years two and three that most engagements forget to budget for.

What you’re actually paying for

A CMMC Level 2 program has six distinct cost lines. When a vendor quotes you a single number, ask them to unbundle it — the real cost lives in what they didn’t mention.

1. Engagement fees (firm, fractional consultant, or platform-plus-labor). The cost of someone who architects, implements, documents, and sits through the assessment with you. This ranges from $30K (platform template + minimal labor) to $1.2M (Big 4 partner-led engagement).

2. Software and licensing. GCC High Microsoft 365 or equivalent CUI-capable productivity stack. SIEM (Sentinel, Splunk, Panther). Endpoint detection (Defender for Endpoint, CrowdStrike, SentinelOne). Compliance platform subscription if you use one (Vanta Defense, Summit 7, Drata CMMC). Identity (Entra ID, Okta). This typically adds $25K–$150K in first-year licensing.

3. Infrastructure changes. GCC High migration, CUI enclave buildout, network segmentation, additional security tools. Varies enormously — a company already on GCC High with clean segmentation might spend $10K; a greenfield build from commercial M365 might spend $150K.

4. C3PAO assessment fee. The actual certification assessment by a Cyber AB-authorized C3PAO. $60K–$150K depending on scope. Non-negotiable if you want a CMMC Level 2 certificate.

5. Internal personnel time. Your own team’s hours on the engagement. Not a line item anyone invoices, but a real cost. Typically 0.5–1.5 FTE across the engagement (IT, security, compliance). At fully-loaded rates of $150K–$200K per FTE, that is $75K–$300K of internal cost on an annualized basis; prorate it for a six-to-nine-month engagement, and remember that the same people still have their day jobs.

6. Ongoing operations (year 2+). POA&M management, evidence refresh, tooling and licensing renewals, the annual affirmation, periodic external check-ins, and the year-3 re-assessment. $150K–$350K per year once licensing and internal time are counted (broken down in the year 2 and 3 section below).

When a vendor quotes you a number, be clear which of these six are included. A $50K “CMMC readiness” quote that covers only line item #1 is pointing at a $300K total cost once you add everything else.

Three cost archetypes

Most CMMC Level 2 engagements fit into one of three patterns. Each has a different first-year total, a different risk profile, and a different kind of buyer it serves.

Archetype A — Platform-led ($120K–$220K total first year)

A defense subcontractor with existing NIST 800-171 maturity, a small CUI enclave (20–60 users), and an internal security lead who has done this before. The program runs primarily through a compliance platform (Vanta Defense, Summit 7, or similar), with a light consulting engagement ($30K–$60K) for gap-filling and assessor coordination.

Typical cost breakdown:

  • Platform subscription: $30K–$60K first year
  • Light advisory engagement: $30K–$60K
  • GCC High migration (if not already on it): $40K–$80K (amortize over multi-year use)
  • C3PAO assessment: $60K–$100K
  • Internal time: $50K–$100K fully-loaded

When it works: The subcontractor is already close to the 110 practices, has an internal owner who can drive the program day-to-day, and the CUI scope is tight enough that platform templates cover most control implementations.

When it fails: First-time CMMC efforts where the team doesn’t yet know what it doesn’t know. Platform templates look complete until the C3PAO assessor asks “show me the evidence this control has operated continuously for the past six months” and the answer is “we’ll go run that report.” That answer doesn’t pass.

Perfect-score likelihood: Moderate. Platform-led engagements produce passes with 3–10 POA&M items. 110/110 is uncommon. Note that a POA&M only buys a conditional certificate: the open items have to be closed and verified within 180 days, and not every practice is POA&M-eligible, so check which of your likely gaps can legally be deferred at all.

Archetype B — Firm-led ($280K–$600K total first year)

A defense subcontractor or prime commissioning a boutique compliance architecture firm (Fortinetics-shaped) to run the program end-to-end. The firm designs the architecture, implements controls, produces documentation, and sits through the assessment. Platform is used as a tool, not a substitute.

Typical cost breakdown:

  • Engagement fee: $180K–$400K (6–9 month fixed-price or T&M with cap)
  • Platform subscription: $30K–$60K
  • GCC High migration or refinement: $30K–$150K
  • Additional tooling (SIEM, endpoint, etc.): $40K–$120K first year
  • C3PAO assessment: $80K–$130K
  • Internal time: $40K–$100K (less than platform-led because firm absorbs more of the work)

When it works: First-time CMMC efforts, complex environments (multi-site, hybrid cloud, regulated-data overlays), tight timelines (under nine months), or where perfect score matters for prime-contract positioning.

When it fails: Overbuy for subcontractors with a simple environment and strong internal compliance capacity. Archetype A is cheaper and adequate for that profile.

Perfect-score likelihood: High. This is the shape of our 110/110 engagements.

Archetype C — Big 4 ($600K–$1.5M+ total first year)

Deloitte, PwC, EY, KPMG, or a large tech-consulting firm (Accenture Federal, IBM, Booz Allen). Partner-led pitch, blended-rate team of 8–15 consultants, formal deliverables pipeline, extensive status reporting.

Typical cost breakdown:

  • Engagement fee: $500K–$1.2M+ (T&M at $300–$700/hr blended rates)
  • Software, licensing, migration: similar to Archetype B ($100K–$300K)
  • C3PAO assessment: $100K–$200K (often through a C3PAO the firm has a referral relationship with; conflict-of-interest rules bar a C3PAO from certifying an environment it helped build, so confirm the assessor is genuinely independent of the implementation team)
  • Internal time: $30K–$80K (Big 4 absorbs most delivery)

When it works: Large-enterprise programs with board-level visibility, multi-business-unit CMMC rollouts, international corporate structures with cross-jurisdictional requirements, or programs where the Big 4 firm’s name on the contract is itself a political or procurement signal. Sometimes unavoidable when the parent company has a master services agreement dictating Big 4 use.

When it fails: Most single-entity mid-market defense subcontractors. The premium over Archetype B doesn’t buy meaningful incremental delivery quality — it buys process overhead and a logo. Honest Big 4 partners say this privately.

Perfect-score likelihood: Moderate-to-high. Big 4 programs typically pass with low POA&M counts, but 110/110 is not more common than in Archetype B.

What drives CMMC cost up or down

The three archetype bands are approximations, and the line-item ranges under each overlap them; sum the line items for your own scope rather than reading the band as a quote. Specific engagements land high or low within their bands depending on five factors.

1. Starting maturity. A defense subcontractor that’s been serving DoD customers for five years, has existing NIST 800-171 documentation, and runs on GCC High already starts at ~70% of the practices implemented. A newly-defense-focused company or a pivot from commercial markets starts closer to 20%. The delta is easily $150K.

2. CUI enclave size. A tight enclave with 15 users, one production environment, and a single document-handling workflow costs a fraction of what a sprawling “everyone might see CUI” environment costs. We’ve seen subcontractors save $100K+ by scoping down the enclave before the engagement rather than after.

3. GCC High status. Already on GCC High → no migration cost. Needs migration from commercial M365 → $40K–$120K depending on mailbox, SharePoint, and Teams volume. Explicitly refusing GCC High and building a DIY CUI-capable environment → usually more expensive than GCC High over a five-year horizon, despite the upfront savings.

4. Timeline aggression. A nine-month engagement is cheaper than a six-month engagement. A six-month engagement is cheaper than a three-month rush. Compressed timelines require extra parallelism, senior-consultant leverage, and evidence-reconstruction work that a normally paced timeline avoids, because an assessor wants to see controls that have operated over time, not controls switched on last week. Rush fees can add 30–60% to engagement costs.

5. Assessor selection. C3PAO pricing is not uniform. Assessor firms vary from $60K (smaller firms, tight scope) to $200K (larger firms, complex multi-site scope). The right assessor for your environment isn’t always the cheapest — assessor rigor affects your POA&M size, which affects your post-assessment remediation cost. Often the mid-priced assessor with domain experience in your industry produces the best total cost of ownership.

Year 2 and 3 costs most engagements forget

The first-year number gets all the attention. Ongoing operational costs get almost none, and they’re the reason CMMC programs go over-budget in their second year when the “certification project” is over but the “compliance operating cost” starts being real.

Here’s what ongoing CMMC Level 2 operations typically cost per year after initial certification:

Platform subscription: $30K–$80K. Platform contracts are usually annual. Downgrading to save money after certification is possible but usually not meaningful — the platform is doing evidence collection that still has to happen.

GCC High Microsoft 365 licensing: $40–$60/user/month per E5 license. For a 50-person CUI-handling team, that is $24K–$36K/year. Scales linearly with headcount, which is one more reason to keep the enclave tight.

Additional tooling maintenance: SIEM ingestion, endpoint detection licensing, vulnerability scanning, backup — typically $20K–$80K/year depending on stack.

Internal compliance FTE: 0.3–1.0 FTE fully-loaded. A defense subcontractor without a dedicated compliance hire usually distributes the work across IT and security roles, which adds up to the same or more in actual time. $40K–$150K/year cost.

External surveillance / check-ins: Periodic engagement with a firm ($20K–$60K/year) for POA&M refresh, architecture change support, pre-audit dry runs, and assessor preparation. Optional but common.

Re-assessment at year 3: The full C3PAO assessment cost again ($80K–$130K), plus re-engagement cost ($50K–$200K if architecture has changed meaningfully). Budget this on the original engagement’s financial plan — it’s not an optional future expense.

Typical range across all years 2–3 line items: $150K–$350K per year.

Companies that budget only for the first-year certification sometimes treat this as a surprise. It is not a surprise; it is the steady-state cost of holding the certification. A quick check: take your archetype’s first-year total and add two years of steady-state cost ($300K–$700K), which puts the three-year TCO of CMMC Level 2 anywhere from the high hundreds of thousands for a lean Archetype A program to well over $2M for a Big 4 program.

The hidden costs most engagements underestimate

Three cost categories consistently blow up engagement budgets when they’re not explicitly planned for.

POA&M resolution overrun. A C3PAO assessment can find 0–25 findings. At 0, congratulations. At 25, each one takes 20–120 hours of remediation depending on scope, meaning 500–3000 hours of post-assessment work. Firms sometimes scope through the assessment and leave the POA&M on the client’s plate. Clarify before signing which party owns POA&M resolution cost.

Assessor re-engagement fees. If the assessment reveals gaps requiring a re-visit, some C3PAO firms charge for the re-visit ($20K–$60K). Not standard, not always needed, but real when it happens.

Staff retention tax post-certification. Once you have CMMC Level 2 certification, your compliance-capable staff become more marketable. Retention compensation after certification is a real line item for defense subcontractors — senior compliance engineers at defense subs can command $180K–$260K annual comp, and turnover after a successful program is common.

Prime contractor audit rights. Some prime contracts grant the prime the right to audit your CUI enclave annually. Responding to a prime audit requires evidence preparation, legal review, and potentially architecture documentation tailored to their specific concerns. Budget $15K–$40K per major-prime audit when it happens.

Where Fortinetics lands in this range

Our CMMC Level 2 engagements run $250K–$480K in engagement fees for 6–9 months, with perfect 110/110 C3PAO outcomes across multiple clients. Total first-year spend including licensing, migration, and C3PAO assessment typically lands in the $400K–$750K range for a mid-sized defense subcontractor (30–100 CUI-handling users).

We publish these numbers because the opacity of compliance pricing benefits vendors, not buyers. The range isn’t something you unlock by negotiating harder — it’s genuinely what the work costs when done by senior practitioners to a perfect-score standard. Companies with an appetite to run the program themselves save 30–50% by going Archetype A. Companies with broader requirements (multi-business-unit, international, multi-framework parallel) pay more and should expect to.

If you’re currently evaluating CMMC Level 2 budget for FY27 and want a scoping-call view of which archetype fits your situation — including whether Fortinetics is the right choice at all — book a 30-minute call. If we’re not the right archetype for your scope, we’ll say so directly. The honest version of this pricing conversation is the one we’d rather have.

Related reading: the CMMC Level 2 timeline article maps how the engagement unfolds month-by-month, and the CMMC POA&M examples piece explains what post-assessment remediation actually looks like.