CMMC Accounting Requirements for Government Contractors

Your C3PAO assessment invoice lands at $115,000. Which general ledger account do you code it to?

Every CMMC article written in the past two years answers the cybersecurity question: which 110 controls to implement, how to prepare for an assessment, which level your contracts require. None of them answers the accounting question, the one sitting on your controller’s desk right now.

The contractors who get CMMC right on the technical side and wrong on the books still end up with questioned costs. The classification, the cost pool assignment, and the documentation trail determine whether DCAA treats $150,000 in cybersecurity spending as a legitimate indirect expense or as a finding waiting to happen.

CMMC accounting requirements for government contractors come down to three decisions: which cost pool absorbs the expense, how the new costs change your indirect rates, and what documentation DCAA expects during an incurred cost audit. Get these three right, and CMMC compliance becomes a recoverable business cost. Get them wrong, and you pay twice: once for the cybersecurity program and again for the audit remediation. Amerifusion Bookkeeping breaks down all three below.

CMMC 2.0 in 2026: The Financial Scale


CMMC 2.0 requires defense contractors to achieve certified cybersecurity maturity levels as a condition of contract award. Published DoD estimates, cited in the 2024 regulatory record, place Level 1 self-assessment costs at approximately $4,000 and Level 2 C3PAO third-party certification costs at $105,000 or more [32 CFR Part 170]. Per the published rollout schedule, Phase 1 requirements took effect November 10, 2025, with full implementation reaching all covered contracts by November 2028 [32 CFR Part 170].

The DoD’s Regulatory Impact Analysis estimated a Level 2 C3PAO assessment alone at $105,000 to $118,000. Industry practitioners report that real-world total compliance costs, including gap assessments, remediation, GCC High migration, and security tooling, often exceed these baseline figures for mid-size contractors. These totals represent a financial planning event, not a line item. A $150,000 addition to any cost pool changes your indirect rate structure, your forward pricing, and every proposal you submit for the next three years.

| CMMC Phase | Start Date | Requirement |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 and Level 2 self-assessments (at CMMC Program Office discretion) |
| Phase 2 | November 10, 2026 | Level 2 C3PAO third-party assessments required |
| Phase 3 | November 10, 2027 | Level 2 C3PAO + Level 3 DIBCAC assessments; option exercises included |
| Phase 4 | November 10, 2028 | Full implementation across all covered contracts |

CMMC Cost Allowability Under FAR

Nothing in FAR Part 31 or DFARS Part 231 makes costs of DFARS compliance categorically unallowable. Each CMMC-related cost qualifies as allowable when it satisfies all five criteria in FAR 31.201-2: reasonableness, allocability, compliance with applicable Cost Accounting Standards or GAAP (whichever governs your contract), the terms of your contract, and any limitations set forth in FAR Subpart 31.2. The absence of an express prohibition is not sufficient on its own. Each cost must clear all five tests independently.

C3PAO assessment fees qualify as professional service costs under FAR 31.205-33. Consultant fees, gap assessments, and readiness reviews fall under the same provision. Security hardware, software licenses, and GCC High subscriptions follow standard accounting treatment for their asset type: capitalize and depreciate hardware above your capitalization threshold, expense recurring licenses in the period incurred.

Allowability is not automatic. Each CMMC-related cost must individually satisfy all five FAR criteria. A $300-per-hour cybersecurity consultant working 80 hours a week raises a reasonableness question under FAR 31.201-3. A $50,000 security platform purchased from a company your program manager owns raises an allocability and conflict-of-interest question. Apply the same judgment to CMMC costs as to any other indirect expense.

Cost Pool Classification for CMMC Expenses

Most CMMC compliance costs belong in the G&A (General and Administrative) cost pool. Among all CMMC accounting requirements for government contractors, cost pool classification drives the largest downstream impact on indirect rates, proposals, and audit outcomes. FAR 31.203(c) requires contractors to accumulate indirect costs in logical cost groupings, with due consideration of the reasons for incurring those costs, and to select an allocation base that distributes costs on the basis of benefits accruing to final cost objectives. An enterprise-wide cybersecurity compliance program, one that protects all contracts and all business units, fits the G&A definition under that standard.

For CAS-covered contractors, CAS 402 (48 CFR 9904.402) creates the consistency requirement. Once you classify CMMC costs in G&A, all costs “incurred for the same purpose in like circumstances” must receive the same treatment. You cannot put C3PAO assessment fees in G&A while coding CMMC-related IT hardware to overhead.

The classification must follow a documented, consistent rationale across all contracts and fiscal years. CAS-exempt small businesses must still maintain consistency under GAAP and FAR 31.203: the CAS exemption removes the CAS 402 mandate, but FAR 31.203’s logical cost grouping and consistency principles continue to apply.

One exception exists. If a specific contract uniquely requires a higher CMMC level than your baseline (Level 3 for a classified program when your standard is Level 2), the incremental cost above your baseline posture could be charged as a direct cost to that contract. This requires careful documentation showing the cost benefits only that contract.

| CMMC Cost Category | Classification | Cost Pool | Accounting Treatment |
|---|---|---|---|
| C3PAO assessment fees | Indirect | G&A | Expense in period incurred [FAR 31.205-33] |
| Gap assessment / readiness review | Indirect | G&A | Expense in period incurred |
| Cybersecurity consultant fees | Indirect | G&A | Professional service cost, period expense |
| Internal staff time (CMMC prep) | Indirect | G&A labor | Track hours to separate indirect charge code |
| Security hardware (firewalls, endpoints) | Indirect | G&A (depreciation) | Capitalize if above threshold; depreciate |
| Security software (SIEM, EDR) | Indirect | G&A | Expense annually as recurring subscription |
| GCC High migration (one-time) | Indirect | G&A | Capitalize as IT infrastructure; depreciate |
| GCC High licensing (recurring) | Indirect | G&A | Expense as incurred; verify current licensing rate with your Microsoft reseller |
| Employee security training | Indirect | G&A or Fringe | Follows existing training cost treatment |
| POA&M remediation | Indirect | G&A | Expense as incurred; close within 180 days |

How CMMC Costs Change Your Indirect Rates

Adding CMMC compliance costs to your G&A pool increases your G&A rate, and that rate increase flows into every cost-plus proposal, every T&M billing cycle, and every forward pricing rate agreement you negotiate. For a contractor with a $2 million total cost input base, $150,000 in new CMMC costs raises the G&A rate by 7.5 percentage points.

The math is direct. A pre-CMMC G&A pool of $500,000 on a $2 million base produces a 25% G&A rate. Add $150,000 in CMMC costs: $650,000 divided by $2 million equals 32.5%. Every proposal submitted at the old rate underprices the work. Every cost-plus contract billed at the old provisional rate under-recovers.

Fixed-Price vs. Cost-Plus Recovery

Cost-plus and T&M contractors recover CMMC costs through the indirect rate applied to direct costs. The government absorbs its proportional share. Fixed-price contractors bear the full burden. Existing fixed-price contracts lock in pricing, and CMMC costs increase the cost basis without any mechanism to adjust mid-period.

Contractors with mixed portfolios face the sharpest impact. CMMC costs are allocated across all contracts through the G&A rate, but recovery only occurs on cost-reimbursable work. A contractor doing 60% fixed-price work effectively subsidizes CMMC compliance from fixed-price margins. Model this before committing to a compliance timeline. Read more about setting up your books for each contract type.
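The rate arithmetic in the previous section and the mixed-portfolio recovery problem above can be modeled in a few lines. The following Python is an added illustration, not code from the article or from Amerifusion. It uses the article’s own figures (a $500,000 G&A pool, a $2 million total cost input base, $150,000 of new CMMC cost); the assumption that 60% of that base sits on fixed-price contracts, and the function and field names, are mine for the example.

```python
"""Model how adding CMMC costs to a G&A pool changes the rate and who absorbs it.

Added illustration (not the article's own code). The pool, base, and CMMC
figures are the article's worked numbers; the fixed-price share of the base
is an assumed value chosen to mirror the '60% fixed-price' scenario.
"""
from dataclasses import dataclass


def ga_rate(pool: float, base: float) -> float:
    """G&A rate as a fraction: indirect pool divided by the allocation base."""
    if base <= 0:
        raise ValueError("allocation base must be positive")
    return pool / base


def rate_increase_points(pool_before: float, added_cost: float, base: float) -> float:
    """Percentage-point change in the G&A rate after added_cost joins the pool."""
    return (ga_rate(pool_before + added_cost, base) - ga_rate(pool_before, base)) * 100


@dataclass(frozen=True)
class RecoveryModel:
    rate_before: float              # G&A rate before CMMC costs (fraction)
    rate_after: float               # G&A rate after CMMC costs (fraction)
    allocated_to_fixed_price: float  # CMMC dollars absorbed by fixed-price margins
    recoverable_cost_plus: float     # CMMC dollars recoverable through cost-plus / T&M rates
    billing_gap_at_old_rate: float   # under-recovery if CR work keeps billing the old provisional rate


def model_recovery(pool_before: float, added_cost: float, base: float,
                   fixed_price_share: float) -> RecoveryModel:
    """Split the added CMMC cost between fixed-price and cost-reimbursable work.

    fixed_price_share is the fraction of the total cost input base that sits on
    fixed-price contracts (assumed input; the article states it as '60%').
    """
    if not 0.0 <= fixed_price_share <= 1.0:
        raise ValueError("fixed_price_share must be between 0 and 1")
    before = ga_rate(pool_before, base)
    after = ga_rate(pool_before + added_cost, base)
    cost_reimbursable_base = base * (1.0 - fixed_price_share)

    # The G&A rate spreads the added cost across the whole base in proportion
    # to cost input, so each contract type carries its share of the base.
    allocated_fp = added_cost * fixed_price_share
    recoverable_cr = added_cost - allocated_fp

    # If provisional billing rates are not updated, cost-reimbursable work is
    # billed at the old rate and the difference accumulates as under-recovery.
    # Here it equals recoverable_cr because the CMMC cost is the only change.
    gap = (after - before) * cost_reimbursable_base
    return RecoveryModel(before, after, allocated_fp, recoverable_cr, gap)


if __name__ == "__main__":
    # Article figures: $500,000 pool, $2,000,000 base, $150,000 CMMC cost.
    # 0.60 fixed-price share is an assumed portfolio mix for the example.
    m = model_recovery(500_000, 150_000, 2_000_000, fixed_price_share=0.60)
    print(f"G&A rate before: {m.rate_before:.1%}  after: {m.rate_after:.1%}")
    print(f"Increase: {rate_increase_points(500_000, 150_000, 2_000_000):.1f} points")
    print(f"Absorbed by fixed-price margins: ${m.allocated_to_fixed_price:,.0f}")
    print(f"Recoverable on cost-plus / T&M:  ${m.recoverable_cost_plus:,.0f}")
    print(f"Under-recovery if billed at old provisional rate: ${m.billing_gap_at_old_rate:,.0f}")
```

Running it with the article’s numbers reproduces the 25% to 32.5% move and shows that, under the assumed 60/40 mix, $90,000 of the $150,000 is never recovered and the remaining $60,000 is only recovered once provisional billing rates are adjusted. Swap in your own base, pool, and portfolio split to size the under-recovery before committing to a compliance timeline.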

Update Your Forward Pricing Rate Proposals

A G&A rate increase of 7 to 8 points demands updated Forward Pricing Rate Proposals (FPRPs). DCAA reviews FPRPs for reasonableness, and a sudden rate jump without supporting documentation triggers scrutiny. File updated FPRPs with your contracting officer before the new rate takes effect, and include the CMMC cost breakdown as supporting detail.

Request adjusted provisional billing rates at the same time. Billing at the old provisional rate while incurring CMMC costs creates a growing under-recovery balance. Left unaddressed, the under-recovery becomes a cash flow problem and an ICS reconciliation headache.

DCAA Documentation for CMMC Compliance Costs

Understanding CMMC accounting requirements for government contractors means knowing what DCAA expects to see during an incurred cost audit. In practice, DCAA audits CMMC costs the same way it audits any indirect expense: by examining whether costs are allowable, properly classified, consistently treated, and supported by adequate documentation. The same accounting system adequacy framework that applies to every other indirect cost category governs CMMC costs as well. No separate DCAA guidance exists for CMMC costs specifically, as of the date of this update, so existing standards apply without exception.

Seven Documentation Categories DCAA Expects

  1. Separate account coding. CMMC costs need distinct general ledger accounts or sub-accounts. Do not bury C3PAO fees in a generic “professional services” line. Create accounts specific enough for an auditor to isolate every CMMC dollar.
  2. Written cost allocation rationale. Document why CMMC costs are classified in G&A (or your chosen pool). Reference the FAR definition and your company’s cost accounting practice. Add this to your written accounting policies.
  3. CAS 402 consistency evidence. Demonstrate all cybersecurity compliance costs, across all contracts and fiscal years, receive the same pool classification. If your CMMC costs are in G&A, every similar IT security cost must be in G&A.
  4. Vendor invoices and contracts. Retain C3PAO assessment invoices, consultant engagement letters, software license agreements, and hardware purchase orders. DCAA traces costs back to source documents.
  5. Time records. Internal labor charged to CMMC compliance requires a separate indirect charge code in your timekeeping system. Track hours the same way you track any indirect labor category.
  6. Capital asset records. Security hardware above your capitalization threshold requires proper asset records, depreciation schedules, and useful life determinations.
  7. Management authorization. Evidence of board or executive approval for the CMMC investment. A memo, meeting minutes, or budget approval document shows the expense was deliberate and authorized.

Missing any of these creates a finding. DCAA auditors apply the same accounting system adequacy criteria to CMMC costs as to every other indirect expense.

False Claims Act Risk: SPRS Scores and Self-Assessments

The DOJ’s Civil Cyber-Fraud Initiative uses the False Claims Act to pursue contractors who misrepresent cybersecurity compliance on federal contracts. Three settlements since 2022, totaling $11.125 million, show the enforcement pattern is active, funded, and producing results. The accounting connection: inaccurate compliance certifications make every subsequent payment request a potentially false claim.

| Case | Year | Settlement | Allegation |
|---|---|---|---|
| Aerojet Rocketdyne | 2022 | $9 million | Misrepresented cybersecurity compliance across federal contracts |
| Penn State University | 2024 | $1.25 million | False self-attestations of NIST SP 800-171 compliance on 15 contracts |
| Georgia Tech Research Corp | 2025 | $875,000 | Failed to implement required controls; reported fictitious compliance scores |

The accounting connection is direct. SPRS scores submitted under DFARS 252.204-7019 become certifications on which the government relies for contract award. An inflated SPRS score is a material misrepresentation relied upon for contract award, making every subsequent payment request a potentially false claim. An honest score documented with supporting evidence is a defense.

Employees who discover false SPRS submissions have whistleblower standing under the FCA’s qui tam provision. The Aerojet case originated when a senior director refused to sign compliance certifications. Build your compliance documentation with the assumption both DCAA auditors and internal whistleblowers will review it.

The Pre-Award Cost Problem

CMMC certification is required before contract award, but no detailed DoD procedure addresses pre-award cost recovery. One defensible approach: classify pre-award CMMC spending as B&P (Bid and Proposal) or IR&D costs until a contract requiring your CMMC level is awarded. Consult with your CPA before committing to this treatment. Once you hold contracts requiring CMMC, ongoing maintenance costs shift to G&A.

Document this transition with specificity. The shift from B&P to G&A creates a CAS consistency question an auditor will ask. Written documentation showing when and why the classification changed provides the answer before the question arrives.

Frequently Asked Questions

Are CMMC compliance costs allowable on government contracts?

Each cost is allowable when it passes the FAR 31.201-2 five-criteria test independently: reasonableness, allocability, CAS or GAAP compliance, contract terms, and FAR Subpart 31.2 limitations. No blanket allowability determination exists. C3PAO assessment fees, for example, qualify as professional service costs under FAR 31.205-33. Security hardware follows your standard capitalization and depreciation policies. Document each cost category separately and classify it in the correct indirect pool before your first incurred cost submission.

Which cost pool do CMMC expenses belong in?

G&A for most contractors. CMMC compliance serves the entire business, not specific production activities or individual contracts. CAS 402 (48 CFR 9904.402) requires consistency: once you classify CMMC costs in G&A, all similar cybersecurity compliance costs must follow the same classification. Code them to distinct G&A sub-accounts for audit traceability.

How much does CMMC Level 2 certification cost?

Budget for two numbers: the assessment and the preparation. The DoD’s Regulatory Impact Analysis estimated the C3PAO assessment alone at $105,000 to $118,000. Preparation costs, covering gap analysis, remediation, GCC High migration, and security tooling, vary based on your starting security posture and the size of your controlled unclassified information environment. Consult your C3PAO and your CPA before finalizing budget projections.

How do CMMC costs affect indirect rates?

CMMC costs added to the G&A pool raise the G&A rate applied to every contract. A $150,000 addition to a $2 million cost input base increases the rate by 7.5 points. Update Forward Pricing Rate Proposals and request adjusted provisional billing rates from your contracting officer to prevent under-recovery on cost-reimbursable contracts.

Do fixed-price contractors recover CMMC costs?

Not on existing contracts. Fixed-price work locks in pricing, and contractors absorb CMMC-driven indirect rate increases from their margins. Cost-plus and T&M contractors recover through indirect rates applied to direct costs. Contractors with mixed portfolios should model the financial impact before committing to a CMMC compliance timeline.

What False Claims Act risks exist with CMMC self-assessments?

Submitting an inflated SPRS score under DFARS 252.204-7019 constitutes a false claim. The DOJ has settled three enforcement actions since 2022 totaling $11.125 million. Employees who discover inaccurate scores have whistleblower standing under the FCA’s qui tam provision. Accurate self-assessments with supporting documentation are the only defense.

Key Takeaways

  • CMMC compliance costs are allowable under FAR 31.201-2 when each cost independently satisfies the five-criteria test: reasonableness, allocability, CAS or GAAP compliance, contract terms, and FAR Subpart 31.2 limitations. Classify most CMMC expenses in the G&A cost pool and maintain CAS 402 (48 CFR 9904.402) consistency across all contracts and fiscal years.
  • A material addition to G&A raises your indirect rate applied to every contract. Update your FPRPs and provisional billing rates before the rate change hits your proposals.
  • The same accounting system adequacy framework that governs every other indirect cost category applies to CMMC costs. Seven documentation categories matter: separate account codes, written allocation rationale, CAS consistency evidence, vendor invoices, labor time records, capital asset records, and management authorization. Missing any one creates a finding.
  • The DOJ’s Civil Cyber-Fraud Initiative has produced $11.125 million in False Claims Act settlements against contractors who misrepresented cybersecurity compliance. Accurate SPRS scores and honest self-assessments are legal requirements, not suggestions.
  • Pre-award CMMC costs are defensibly classified as B&P or IR&D. Post-award maintenance shifts to G&A. Document the transition and consult with your CPA on the classification.

CMMC changes your security posture and your cost structure simultaneously. The technical assessment determines whether you win contracts. The accounting treatment determines whether you keep the revenue. Run the Compliance Readiness Check to see where your current books stand against DCAA requirements. Need help classifying CMMC costs and adjusting your indirect rates? Book a discovery call with our CPA-managed team.

Josef Kamara, CPA, CISSP, CISA, ACCA

Founder, Amerifusion Bookkeeping

Former KPMG financial auditor. Former BDO TPRM practice lead (SOC 1/2, HITRUST, HIPAA). Former IT audit function lead at Stryker. Specializing in DCAA-compliant accounting systems for government contractors.

Need help with DCAA compliance?

Book a free DCAA Readiness Call to see how Amerifusion can protect your next audit.