Most GovCon contractors pricing a CMMC program focus on remediation: the firewall upgrades, the GCC High migration, the consultant retainer. The assessment fee itself gets treated as a rounding error on the compliance budget. That assumption costs contractors twice.
The CMMC assessment cost is not a vendor invoice. It is a cost accounting decision governed by FAR 31.201-2. Whether you recover it from the government, absorb it in your fixed-price margins, or lose it to a questioned cost depends on decisions made before the C3PAO invoice arrives. In the cost proposals we review at Amerifusion Bookkeeping, contractors with a clear understanding of assessment-level obligations price and recover compliance costs correctly. Those who price by guesswork or by copying a competitor’s approach pay once for the assessment and again when the incurred cost auditor flags the accounting.
The assessment fee belongs in a specific cost pool, and it survives FAR 31.201-2 allowability analysis on documentation you build before the C3PAO invoice arrives. That preparation separates the contractors who recover this cost from those who absorb it.
What Is a CMMC Assessment Cost?
The CMMC assessment cost is the fee paid for the formal evaluation of your cybersecurity controls: a self-assessment for Level 1 or Level 2 (where permitted), a third-party assessment by an accredited C3PAO (Certified Third-Party Assessment Organization) for Level 2, or a government-led DIBCAC assessment for Level 3. Assessment cost covers the evaluation event and associated affirmations only. It does not include remediation, security tooling, consulting, or GCC High migration, which belong to the separate category of CMMC compliance implementation costs.
Which CMMC Level Do You Need?
Your CMMC level is not a choice. It follows from the type of federal data your work touches, and from the specific requirements DoD inserts into the solicitation’s Sections L and M. Get this wrong and you either over-invest in assessment infrastructure you don’t need or under-invest and forfeit contract eligibility after Phase 2 [32 CFR Part 170, 89 FR 83092, Oct 15 2024].
| CMMC Level | Data Type | Standard | Controls | Assessment Type | Who Pays the Assessment Fee |
|---|---|---|---|---|---|
| Level 1 (Foundational) | FCI (Federal Contract Information) | FAR 52.204-21 | 15 | Annual self-assessment + affirmation posted to SPRS | Contractor (internal time only) |
| Level 2 (Advanced), self-assessment path | CUI outside DoD Organizational Index Grouping (rare in active defense programs) | NIST SP 800-171 Rev.2 | 110 | Self-assessment posted to SPRS; triennial cycle, annual affirmation | Contractor (internal time only) |
| Level 2 (Advanced), C3PAO path | CUI within DoD Organizational Index Grouping (CTI, NNPI, export-controlled data, covering most defense CUI) | NIST SP 800-171 Rev.2 | 110 | Third-party assessment by accredited C3PAO; triennial cycle | Contractor pays C3PAO directly |
| Level 3 (Expert) | CUI requiring protection from advanced persistent threats (APT) | NIST SP 800-171 + selected 800-172 controls | 134 | Government-led DIBCAC assessment; triennial cycle | Contractor (no C3PAO fee; internal labor only) |
The practical trigger for most defense contractors is the Phase 2 deadline of November 10, 2026. After that date, solicitations for contracts handling CUI in the DoD Organizational Index Grouping require Level 2 C3PAO certification, not self-assessment. If your work involves any of those data categories and you plan to bid after November 2026, the C3PAO assessment path and its cost apply to you [DFARS Case 2019-D041, 90 FR 43560, effective Nov 10 2025].
Phase 3 (November 10, 2027) introduces Level 3 DIBCAC assessments for the most sensitive programs. Phase 4 (November 10, 2028) reaches all remaining covered contracts. Check the solicitation; the applicable level is stated explicitly.
What Does Each Level’s CMMC Assessment Cost Actually Look Like?
DoD published per-entity cost estimates in the Regulatory Impact Analysis for the CMMC Program rule (32 CFR Part 170, 89 FR 83092, Oct 15 2024). These are DoD modeling estimates, not audited market figures, and the self-assessment and DIBCAC numbers represent internal-labor hours rather than external fees. Present them as ranges and verify against your actual C3PAO quotes before building them into a budget or a proposal.
| Level | Assessment Type | DoD Estimated Cost (Small Entity, 3-yr cycle) | DoD Estimated Cost (Large/Other Entity) | Basis |
|---|---|---|---|---|
| Level 1 | Annual self-assessment + affirmation | Approximately $6,000 assessment + ~$560 per affirmation | Approximately $4,000 + ~$584 per affirmation | DoD modeling estimate |
| Level 2 (self) | Triennial self-assessment | Approximately $37,000 (triennial cycle) | Approximately $49,000 | DoD modeling estimate |
| Level 2 (C3PAO) | Third-party C3PAO assessment; triennial + 2 annual affirmations | Approximately $105,000 (full triennial cycle) | Approximately $118,000 | DoD modeling estimate |
| Level 3 (DIBCAC) | Government-led assessment + affirmation | Approximately $7,000 + ~$1,900 per affirmation | Approximately $36,000 + ~$2,700 per affirmation | DoD modeling estimate |
One number requires closer attention: the DoD’s approximately $105,000 figure for a Level 2 C3PAO assessment is a triennial cycle total, not the C3PAO invoice amount. It includes internal labor for assessment preparation, the C3PAO assessment event, and two annual affirmations. Industry estimates for the C3PAO assessment event itself run approximately $31,000 to $75,000, though actual quotes vary significantly by firm size, CUI environment complexity, and C3PAO pricing. Treat those figures as industry estimates, not regulatory benchmarks. Get a quote from an accredited C3PAO before committing to a budget number.
Level 3 stands out for a different reason. The DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment is government-led, which means there is no C3PAO invoice. The cost is internal labor and preparation time. DoD’s estimates show a wide range between small and large entities because DIBCAC scopes the assessment to the complexity of the CUI environment, and larger organizations carry larger environments.
Why Assessment Cost Is Not Total Compliance Cost
The most expensive mistake in CMMC financial planning is conflating the assessment fee with the total program cost. They are different numbers by an order of magnitude, and the confusion leads to inadequate proposal pricing and gaps in forward-pricing rate structures.
The assessment cost covers one thing: the formal evaluation. Everything that makes you ready for that evaluation sits in a separate category: gap assessments, remediation work, security tooling (SIEM, EDR, endpoint protection), GCC High migration, staff training, and ongoing POA&M management. Those costs flow through different FAR subsections, hit the books in different periods, and sometimes involve capital expenditure treatment that the assessment fee never triggers.
The DoD’s approximately $105,000 Level 2 C3PAO estimate does not include remediation. A contractor starting from a NIST SP 800-171 score in the 80s needs less remediation than one starting from the 40s. The assessment cost is a fixed figure set by your level and your C3PAO. The remediation cost is driven by your security posture. Conflating the two means you price the assessment but not the preparation, and the preparation is almost always the larger number. For a deeper look at the full compliance cost structure and its accounting treatment, see our analysis of CMMC compliance costs and what the government will reimburse.
Is the CMMC Assessment Fee an Allowable Cost?
The CMMC assessment fee is allowable when it passes the five-part analysis under FAR 31.201-2. The DFARS rule that implements CMMC (DFARS Case 2019-D041, 90 FR 43560, effective Nov 10 2025) defers allowability to FAR 31.201-2 expressly: the rule’s preamble states that determining cost allowability rests with FAR 31.201-2, not with DFARS [90 FR 43560, Sept 10 2025].
The 32 CFR Part 170 rule accounts for assessment costs in the regulatory record as an expected cost of compliance. That framing supports allowability, but it does not replace the FAR 31.201-2 test.
The five parts of the FAR 31.201-2 test:
- Reasonableness [FAR 31.201-3]: The C3PAO fee is reasonable when it reflects what a prudent person would pay in competitive circumstances. Document competitive quotes from multiple C3PAOs. A $75,000 assessment for a 50-person firm with a straightforward CUI environment requires more justification than a $40,000 quote for the same scope.
- Allocability [FAR 31.201-4]: The assessment fee is allocable to DoD contracts when your work requires CMMC certification. DFARS 252.204-7021 creates the contractual nexus. A firm performing only commercial work that voluntarily pursues CMMC certification faces an allocability challenge on government contracts that did not require certification.
- Accounting standards compliance: The cost must be accounted for consistently under CAS (for CAS-covered contractors) or GAAP. CAS 401 and 402 require consistency in cost accounting practices. Once you classify C3PAO assessment fees in a specific cost pool, all similar assessment fees must follow the same treatment.
- Compliance with the contract terms: The cost must not conflict with any express or implied term of the contract. CMMC assessment costs rarely trip this prong, but a contract that caps or bars specific cost categories controls.
- No applicable limitation: No subsection of FAR 31.205 prohibits cybersecurity assessment costs. The C3PAO fee qualifies as a professional and consultant service cost under FAR 31.205-33, which requires documentation of the nature, scope, and necessity of the services and evidence the fee is reasonable compared to performing the function in-house.
One cost category adjacent to the assessment fee is expressly unallowable: penalties and fines for cybersecurity failures [FAR 31.205-15]. A False Claims Act settlement related to misrepresented SPRS scores, or a penalty for failure to report a cyber incident under DFARS 252.204-7012(c), cannot be charged to any government contract under any circumstances.
For the deeper treatment of CMMC cost pool mechanics and the indirect rate implications of the full compliance spend, see CMMC accounting requirements for government contractors.
Which Cost Pool Recovers the CMMC Assessment Cost?
Recovery of the CMMC assessment cost depends on two variables: which cost pool absorbs it, and what contract types you hold. The pool question must be answered before the C3PAO invoice is paid. The contract type question determines whether the government reimburses you or you absorb the cost from your margin.
Cost pool placement: The C3PAO assessment fee certifies your organization’s cybersecurity posture, not a single contract. That scope of benefit points to the G&A (General and Administrative) pool under FAR 31.203(c) for most multi-contract defense contractors. G&A allocates across the total cost input base, meaning all contracts share the cost proportionally.
If your CUI environment serves a single contract or operating segment, overhead is defensible, but build the allocation memorandum before assigning the cost. CAS 402 (48 CFR 9904.402) prohibits reclassification mid-stream without disclosure. Write a policy and follow it from the first assessment fee forward.
For full guidance on sub-account coding, CAS consistency, and DCAA documentation requirements, see the detailed treatment in our CMMC accounting requirements guide.
Contract type and recovery:
- Cost-reimbursable contracts (CPFF, CPAF, T&M): Allowable G&A costs flow into the indirect rate and are billed to the government as part of normal cost recovery. The CMMC assessment fee, properly classified in G&A, increases your G&A rate and recovers through the incurred cost submission [ICS Schedule B tracks G&A pool costs]. No separate action is required beyond correct pool placement and documentation.
- Firm Fixed-Price (FFP) contracts: The government does not reimburse indirect rate increases on existing FFP awards. A C3PAO assessment fee that hits the books after FFP contract award either comes out of your margin or gets priced into future proposals. The critical discipline: update your forward-pricing indirect rates to reflect CMMC assessment costs before the next proposal season. Price it in before the solicitation closes, or absorb it after. There is no middle option on FFP.
Model the rate impact on your own numbers. If a contractor with a $2 million G&A base treats the full DoD triennial estimate of approximately $105,000 (about $35,000 per year) as new cost, the G&A rate rises by roughly 1.75 percentage points per year. Treat that as the ceiling.
In practice the increment is usually smaller: internal preparation labor already flows through the pool as salary, so the genuinely new out-of-pocket piece is closer to the C3PAO event invoice (industry estimates of approximately $31,000 to $75,000). On a $2 million base, that moves the rate by roughly half a point to a little over one point per year. Model your own figures with our indirect rate calculator, then update your Forward Pricing Rate Proposal (FPRP) before the change hits live cost-plus and T&M billing.
The Pre-Award Timing Problem
CMMC certification is required before contract award under Phase 2, which creates an accounting paradox: you pay for the assessment before any contract requires it. The government does not pay for costs that precede a contract obligation unless those costs meet a specific FAR test.
Some contractors argue that pre-award CMMC certification costs qualify as Bid and Proposal (B&P) costs under FAR 31.205-18. The argument: CMMC certification is a condition of receiving a contract award, placing it in the same category as proposal preparation costs. This position has surface logic, but DCAA has not issued guidance endorsing B&P treatment for CMMC assessment costs as of June 2026.
Frame this as a defensible argument with a documented rationale, not a settled recovery path. Consult your CPA before booking pre-award assessment costs as B&P.
The practical approach for most contractors: build the CMMC assessment cost into your forward-pricing rates starting with the first solicitation that lists the CMMC requirement. That pricing action documents the business nexus, creates the allocability hook for G&A treatment once contracts are awarded, and eliminates the pre-award recovery argument entirely by putting the cost where it belongs from the first moment a contract requires it.
Frequently Asked Questions
How much does a CMMC assessment cost?
CMMC assessment cost varies by level. DoD’s Regulatory Impact Analysis (32 CFR Part 170, 89 FR 83092) estimates the Level 1 annual self-assessment at approximately $4,000 to $6,000, Level 2 self-assessment at approximately $37,000 to $49,000 per triennial cycle, and Level 2 C3PAO assessment at approximately $105,000 to $118,000 for the full triennial cycle. These are DoD estimates; get a C3PAO quote for your specific environment.
How much does a CMMC Level 2 assessment cost?
DoD’s Regulatory Impact Analysis estimates the Level 2 C3PAO triennial cycle at approximately $105,000 for a small entity (including the assessment event, internal prep labor, and two annual affirmations). Industry estimates for the C3PAO assessment event alone run approximately $31,000 to $75,000. These are industry figures; actual C3PAO pricing varies by firm size and CUI environment complexity.
Which CMMC level do I need?
Level 1 applies to contractors handling only Federal Contract Information (FCI) under FAR 52.204-21. Level 2 C3PAO applies to contractors handling Controlled Unclassified Information (CUI) in the DoD Organizational Index Grouping, which covers most active defense programs. Level 3 applies to programs requiring protection against advanced persistent threats. Check the solicitation’s Sections L and M for the required level [32 CFR 170; DFARS 252.204-7021].
Is a CMMC assessment fee an allowable cost?
Yes, when it passes the FAR 31.201-2 five-part test: reasonable, allocable to DoD contracts requiring CMMC, consistent with CAS or GAAP, compliant with the contract terms, and not limited by FAR 31.205. The fee qualifies as a professional service cost under FAR 31.205-33. On cost-reimbursable contracts, it recovers through G&A indirect rates. On FFP contracts, it must be priced into the proposal before award.
Is Level 2 self-assessment an option, or is a C3PAO required?
Self-assessment is available for Level 2 only when the solicitation permits it and your CUI falls outside the DoD Organizational Index Grouping. Most defense contractors handling CUI require a C3PAO third-party assessment under Phase 2 (effective November 10, 2026). Check your solicitation’s CMMC requirements before assuming self-assessment applies [32 CFR Part 170].
What does a CMMC Level 1 or Level 3 assessment cost?
DoD’s Regulatory Impact Analysis estimates Level 1 annual self-assessment at approximately $4,000 to $6,000 per entity (internal labor; no external assessor fee). Level 3 involves a government-led DIBCAC assessment with no C3PAO invoice; DoD estimates approximately $7,000 for small entities and approximately $36,000 for larger entities per triennial cycle. Both figures are DoD estimates from the 32 CFR Part 170 rulemaking record.
Key Takeaways
- Your level is determined by data type, not choice. FCI requires Level 1. CUI in the DoD Organizational Index Grouping requires Level 2 C3PAO after November 10, 2026. Level 3 applies only to programs with APT-protection requirements. Read the solicitation’s Sections L and M before budgeting.
- The DoD’s approximately $105,000 Level 2 figure is a triennial cycle estimate, not a C3PAO invoice amount. It includes internal labor and affirmations. Industry quotes for the C3PAO assessment event alone run approximately $31,000 to $75,000. Get an actual quote before pricing a proposal.
- Assessment cost and compliance cost are separate numbers. Assessment covers the evaluation only. Remediation, tooling, and consulting are a different budget line, governed by different FAR subsections, and often far larger.
- Allowability is a FAR 31.201-2 analysis, not a DoD declaration. The DFARS rule defers to FAR 31.201-2 explicitly. Document reasonableness with competitive quotes, allocability through the DFARS 252.204-7021 contract nexus, and consistency through a written cost accounting policy before the first C3PAO dollar hits the books.
- Cost-reimbursable contracts recover through G&A indirect rates via the ICS. FFP contracts must price the assessment cost in before award. There is no post-award adjustment mechanism on FFP. Update your forward-pricing rates and FPRP before Phase 2 proposals go out.
- Pre-award B&P recovery is an argument, not settled law. DCAA has not endorsed B&P treatment for CMMC assessment costs. Build the cost into forward-pricing rates starting with the first CMMC-required solicitation to create a clean allocability trail.
Schedule a CMMC Cost Accounting Review
Amerifusion Bookkeeping pairs CPA credentials with CISSP cybersecurity expertise. We map your CMMC assessment costs to the right FAR subsection, set up the cost pool structure before the assessment invoice arrives, and build the forward-pricing rate model that recovers assessment costs on your next proposal cycle.
If Phase 2 is inside your planning window, the time to get the accounting right is before the C3PAO engagement letter is signed, not after the incurred cost submission is filed. Our Compliance Readiness Check takes 30 seconds and flags where your cost structure stands today. When you are ready to go deeper, book a discovery call to map your CMMC assessment costs to the right FAR subsection.


