CMMC compliance costs for government contractors range from $100,000 to $500,000 depending on company size and maturity level, but Amerifusion Bookkeeping finds the bigger risk sits in how contractors account for those costs, not how much they spend. Misclassifying CMMC expenses between direct and indirect cost pools, or failing to segregate assessment fees from implementation costs, creates questioned costs on top of an already expensive compliance investment [FAR 31.201-2].
A 60-person defense subcontractor in Virginia spent $187,000 on CMMC Level 2 preparation in 2025. The firm hired a Registered Practitioner Organization, purchased GCC High licenses, and upgraded its endpoint detection. All legitimate expenses. The bookkeeper coded everything to a single “Cybersecurity” line item in G&A.
When DCAA pulled the incurred cost submission, the auditor found consulting fees, software licenses, hardware, and assessment fees lumped together with no cost segregation. The auditor questioned $43,000 in costs that would have been allowable if properly documented and allocated. The contractor paid for CMMC twice: once to get certified, and again when misclassified costs inflated the questioned cost finding.
CMMC creates a category of expense that most GovCon accounting systems were never designed to handle. The costs cross multiple FAR subsections, touch multiple indirect pools, and require documentation standards that go beyond a receipt and a general ledger entry. Contractors who hold dual CPA and cybersecurity credentials recognize this intersection immediately. Everyone else discovers it at the audit.
CMMC Compliance Costs Breakdown for 2026
CMMC compliance costs break into four distinct categories, each with different accounting treatment under FAR Part 31. DoD’s own cost analysis estimates a three-year total of approximately $488,000 for a representative small business pursuing Level 2 certification, including $175,700 in first-year implementation and $103,800 in recurring annual costs [DFARS Case 2019-D041 Final Rule].
The actual numbers depend on your starting point. A firm with existing ISO 27001 or SOC 2 controls covers 60% to 80% of CMMC requirements before spending a dollar on remediation. A firm starting from scratch faces the full cost stack.
| Cost Category | Typical Range | Examples | FAR Treatment |
|---|---|---|---|
| Gap Assessment | $5,000 – $25,000 | RPO readiness review, NIST 800-171 gap analysis, SSP development | Allowable: professional services [FAR 31.205-33] |
| Remediation / Implementation | $50,000 – $300,000 | MFA deployment, SIEM/EDR tools, GCC High migration, encryption, access controls | Allowable: mix of IT costs, software, and professional services |
| C3PAO Assessment | $30,000 – $70,000 | Level 2 third-party certification assessment by accredited C3PAO | Allowable: professional services [FAR 31.205-33] |
| Ongoing Maintenance | $50,000 – $120,000/yr | Annual monitoring, POA&M management, annual affirmation, staff training | Allowable: recurring IT and compliance costs |
Level 1 self-assessment runs $4,000 to $6,000 for companies handling only Federal Contract Information (FCI). Level 2 self-assessment, available during Phase 1 (through November 2026), costs $37,000 to $49,000. The Phase 2 requirement for C3PAO certification pushes the assessment cost alone to $105,000 or more for firms handling Controlled Unclassified Information (CUI).
Which CMMC Costs Are Allowable Under FAR
CMMC compliance costs are generally allowable under FAR Part 31. No subsection of FAR 31.205 prohibits cybersecurity costs, and DoD confirmed in the 2013 DFARS 252.204-7012 rulemaking commentary that costs of complying with DFARS cybersecurity requirements are “likely allowable and chargeable to indirect cost pools.” The CMMC final rule does not change this position.
Allowability still requires passing the four-part test under FAR 31.201-2: the cost must be reasonable, allocable, conform to GAAP and CAS, and not be specifically prohibited under FAR 31.205. CMMC costs pass all four tests when properly documented. The problems start when contractors skip the documentation or misallocate.
Three FAR subsections govern the specific cost types within CMMC spending:
- FAR 31.205-33 (Professional and consultant services): Gap assessments, RPO consulting, C3PAO assessment fees, and vCISO services. Allowable when supported by evidence of the nature, scope, and necessity of services rendered. Retainer arrangements require proof that maintaining an in-house capability would cost more.
- FAR 31.205-36 (Rental costs) and related IT provisions: Cloud computing subscriptions for GCC High enclaves, managed security services, and SaaS-based compliance tools. Allowable when the rental rate is reasonable and the cost would not be less if the contractor owned the asset outright.
- FAR 31.205-25 (Manufacturing and production engineering): When CMMC-related system changes affect production environments or operational technology (OT) on manufacturing contracts, these costs flow through this subsection.
One cost category deserves a red flag. Penalties and fines for cybersecurity failures are expressly unallowable under FAR 31.205-15. A data breach fine, a False Claims Act settlement related to CMMC misrepresentation, or a penalty for failing to report a cyber incident within 72 hours [DFARS 252.204-7012(c)] cannot be charged to any government contract. Ever.
CMMC Accounting Treatment: Direct vs. Indirect Allocation
The accounting treatment of CMMC compliance costs determines whether you recover them through your indirect rates or absorb them as unrecoverable overhead. Most CMMC costs belong in indirect cost pools, but the specific pool depends on the scope of benefit. Misallocating between G&A and overhead creates questioned costs during the incurred cost audit [FAR 31.203].
DCAA auditors apply one test: does this cost benefit the whole company or a specific segment? CMMC infrastructure protects all CUI across the organization. That points to the G&A pool. A cybersecurity tool deployed for a single contract or division points to overhead. A CMMC assessment fee paid to a C3PAO for a specific facility or enclave could sit in either pool, depending on whether that facility serves one contract or many.
| CMMC Cost Type | Likely Allocation | Rationale |
|---|---|---|
| Enterprise SIEM/EDR software | G&A | Protects the entire organization’s IT environment |
| GCC High tenant licenses | G&A | Enterprise-wide email and collaboration platform |
| C3PAO assessment fee | G&A (or overhead if single-segment) | Certifies the organization, not a single contract |
| Enclave-specific hardware | Overhead (or direct if single-contract) | Benefits only the contracts using that enclave |
| RPO/vCISO consulting | G&A | Enterprise-level advisory services |
| Employee cybersecurity training | G&A | Benefits all employees across all contracts |
| Vulnerability scanning for one division | Overhead | Serves a single cost center or operating segment |
Do not charge CMMC costs as direct costs to a specific contract. DCAA treats direct-charged cybersecurity costs with suspicion because CMMC certification benefits all DoD contracts, not one. The exception: a contract specifically funds cybersecurity implementation as a deliverable (rare, and only on contracts with explicit cybersecurity CLINs).
CAS 418 (Allocation of Direct and Indirect Costs) requires consistency. Once you establish CMMC costs as G&A or overhead, maintain that treatment across all fiscal years. Switching pools mid-stream triggers a CAS noncompliance finding. Build the right cost structure before your first CMMC dollar hits the books.
CMMC Cost Recovery Strategies on Existing Contracts
Recovering CMMC compliance costs on existing contracts depends on contract type and pricing structure. Cost-reimbursable contracts allow recovery through indirect rates automatically, because allowable indirect costs flow through the provisional billing rate and settle at the final rate during the incurred cost submission. Fixed-price contracts absorb the cost increase unless the contractor negotiates an equitable adjustment.
Cost-reimbursable contracts (cost-plus-fixed-fee, T&M, cost-plus-award-fee): CMMC costs allocated to G&A or overhead increase the indirect rate. The government reimburses these costs as part of normal billing. No separate action required beyond proper cost pool allocation and documentation. The increase shows up in the provisional billing rate and settles at the final audited rate.
Fixed-price contracts: The contractor absorbs indirect rate increases. Recovery options are limited:
- Request for Equitable Adjustment (REA): If CMMC requirements were not included in the original solicitation and the government later imposes them through a contract modification, the Changes clause [FAR 52.243-1] or the Differing Site Conditions clause could support an REA. This is a narrow path. The government will argue DFARS 252.204-7012 already required the underlying security controls.
- Prospective pricing on new awards: Build CMMC maintenance costs into your forward-pricing indirect rates for all new proposals. Update your indirect rate structure to reflect recurring cybersecurity costs before the next proposal season.
- Contract re-compete: When existing fixed-price contracts come up for re-compete, price CMMC compliance into the new bid. Competitors face the same cost pressure. The playing field is level.
One additional funding source: state Manufacturing Extension Partnerships (MEPs) and SBA programs offer grants for small business cybersecurity upgrades. A pending House bill proposes a 25% tax credit for CMMC implementation costs. Track these programs through your local Procurement Technical Assistance Center (PTAC).
Documentation That Protects Your CMMC Cost Claims
DCAA auditors question CMMC costs not because they are unallowable, but because contractors fail to document the business purpose, scope of benefit, and allocation basis for each expense category. The documentation standard for cybersecurity consulting under FAR 31.205-33 is higher than most contractors realize: evidence of the nature and scope of services, proof that the fee is reasonable, and confirmation that the work could not be performed more economically in-house.
Build a CMMC cost documentation package that includes:
- Signed statements of work for every RPO, C3PAO, and consultant engagement. The SOW must describe the specific services, deliverables, and hourly rates. A one-page engagement letter is not enough.
- Cost-benefit analysis for major purchases. Why did you select GCC High over GCC? Why a managed SIEM instead of an in-house SOC? Document the alternatives considered and the rationale for the decision.
- Allocation memorandum mapping each CMMC cost category to its indirect pool. Describe the cost grouping logic, the allocation base, and the causal-beneficial relationship required by FAR 31.203.
- Contemporaneous records. Log consultant hours, software implementation dates, and training attendance at the time the cost is incurred. Reconstructing records during an audit is a red flag that invites deeper scrutiny.
One documentation gap sinks more CMMC cost claims than any other: the retainer fee justification. Contractors sign monthly retainers with MSSPs and vCISOs without documenting what services the retainer covers. FAR 31.205-33(c) requires proof that the retainer is reasonable compared to maintaining in-house capability. Without that comparison, the entire retainer becomes a questioned cost.
5 CMMC Cost Accounting Mistakes That Trigger Questioned Costs
Five accounting errors account for most CMMC-related questioned costs during incurred cost audits. Each one is preventable with proper chart of accounts setup and transaction-level coding from day one.
- Lumping all CMMC costs into one general ledger account. A single “Cybersecurity Compliance” line item tells DCAA nothing about the nature, purpose, or allocation basis of each cost. Break CMMC spending into sub-accounts: assessment fees, consulting, software licenses, hardware, training, and managed services. Each sub-account maps to a specific FAR subsection.
- Charging CMMC costs directly to a contract. Unless the contract explicitly funds cybersecurity implementation as a deliverable, CMMC costs are indirect. Direct-charging inflates the contract cost and triggers a mischarging investigation under FAR 31.205-15.
- Splitting costs between G&A and overhead without a documented basis. Allocating some CMMC costs to overhead and others to G&A is acceptable if the scope of benefit differs. Allocating them inconsistently across fiscal years, or without a written allocation memorandum, violates CAS 418.
- Failing to capitalize hardware and software. A $45,000 server or a multi-year software license with an upfront payment is a capital asset, not a period expense. Expensing capital items in year one inflates the current indirect rate and understates future periods. Follow your company’s capitalization threshold consistently.
- Missing the retainer documentation. Monthly retainers with MSSPs, vCISOs, and RPOs require documented evidence of services performed. An invoice showing “Monthly Retainer: $8,500” with no supporting detail fails the FAR 31.205-33 documentation test. Attach monthly service reports to every retainer invoice.
Correcting these CMMC compliance cost mistakes after the incurred cost submission is expensive and adversarial. Set up the cost structure before spending starts. If your indirect rates already reflect cybersecurity costs from pre-CMMC spending, map the existing accounts to the new CMMC cost categories and document the transition.
Frequently Asked Questions
Are CMMC compliance costs allowable on government contracts?
CMMC compliance costs are generally allowable under FAR Part 31. No FAR 31.205 subsection prohibits cybersecurity costs, and DoD has stated that costs of complying with DFARS 252.204-7012 cybersecurity requirements are allowable and chargeable to indirect cost pools. The costs must still pass the four-part allowability test: reasonable, allocable, GAAP/CAS-compliant, and not otherwise prohibited.
Should CMMC costs go in G&A or overhead?
Most CMMC costs belong in the G&A pool because they benefit the entire organization, not a single contract or operating segment. Enterprise security tools, C3PAO assessment fees, and cybersecurity training serve all DoD contracts. Costs benefiting a single division or enclave belong in overhead. The test is scope of benefit, documented in an allocation memorandum per FAR 31.203.
How much does CMMC Level 2 certification cost?
CMMC Level 2 certification costs between $100,000 and $300,000 for most small to mid-size contractors, including gap assessment, remediation, and C3PAO assessment fees. DoD estimates a three-year total of approximately $488,000 for a representative small business. Firms with existing ISO 27001 or SOC 2 controls reduce this total by 30% to 50%.
Can I recover CMMC costs on fixed-price contracts?
Recovery on fixed-price contracts is limited. If the government imposes new CMMC requirements through a contract modification not in the original solicitation, a Request for Equitable Adjustment under the Changes clause [FAR 52.243-1] is possible. Otherwise, the contractor absorbs the cost. Build CMMC expenses into forward-pricing rates for future proposals and re-competes.
What documentation does DCAA require for CMMC cost claims?
DCAA requires signed statements of work for all consultant engagements, cost-benefit analyses for major purchases, allocation memoranda mapping costs to indirect pools, and contemporaneous service records. Retainer arrangements need documented proof that the monthly fee is reasonable compared to in-house capability, per FAR 31.205-33. Missing documentation converts an allowable cost into a questioned cost.
When does the CMMC Level 2 C3PAO requirement take effect?
Phase 2 of the CMMC rollout begins November 10, 2026. Starting on that date, DoD will include Level 2 C3PAO certification requirements in applicable solicitations and contracts. Self-assessment remains available during Phase 1 (through November 2026). Contractors handling CUI on DoD contracts should plan for third-party assessment costs in their FY2026 budgets.
Key Takeaways
- CMMC costs are allowable under FAR Part 31, but only when properly documented, reasonably incurred, and allocated to the correct indirect pool. The accounting treatment matters as much as the amount.
- Allocate to G&A for enterprise-wide costs, overhead for segment-specific costs. Maintain consistency across fiscal years to avoid CAS 418 violations. Write the allocation memorandum before the first dollar is spent.
- Break CMMC spending into sub-accounts by cost type. A single “Cybersecurity” line item invites questioned costs. Separate assessment fees, consulting, software, hardware, training, and managed services into distinct accounts mapped to FAR subsections.
- Document consultant engagements to FAR 31.205-33 standards. Retainer justifications, statements of work, and monthly service reports protect your cost claims. Missing documentation is the most common reason allowable CMMC costs become questioned costs.
- Plan for Phase 2 (November 2026). C3PAO certification assessments add $30,000 to $70,000 to the cost stack. Build these into your forward-pricing indirect rates now, not after the solicitation drops.
CMMC compliance is a cybersecurity requirement with a significant accounting dimension. The firms that treat it as an IT project and hand the invoices to their bookkeeper at year-end lose money twice: once on the implementation and again on the questioned costs. The firms that build the cost structure first, document as they go, and allocate correctly recover every allowable dollar through their indirect rates.
Amerifusion Bookkeeping is the only CPA-managed firm that pairs a CISSP with government contract accounting expertise. We build your CMMC compliance cost structure, map expenses to the right FAR subsections, and prepare your incurred cost submission with documentation that holds up under DCAA examination. Review our DCAA compliance services for the full scope of what we cover. Take the Compliance Readiness Check to see where your CMMC accounting stands, or schedule a discovery call to get your cost pools set up before Phase 2 hits.