CMMC Level 2 Cost for Small Business: What the Proposed Grant Pays For (and What It Doesn't)
The headline says relief is coming. The fine print says it pays for the part you were least worried about.
A small defense contractor should plan for CMMC Level 2 to cost roughly $105,000 or more. The Department of Defense’s own estimate covers the assessment, not the security work behind it. Implementing the 110 NIST SP 800-171 controls, remediation, tooling, and documentation usually costs more than the assessment fee itself, and that larger half is the part no grant currently touches.
- DoD's final-rule estimate puts a small business's CMMC Level 2 certification at roughly $105,000 over the three-year cycle, and that figure is the assessment, not the cybersecurity program behind it.
- The Senate's proposed CMMC grant would cap at $100,000 per business, with $50 million total, and it can only offset the direct cost of a Level 2 third-party assessment.
- The assessment fee is the smaller, fixed part of the bill. Preparation, remediation, tooling, and documentation are the larger, variable part, and the grant does not cover them.
- The grant is a Senate bill, not law. If enacted, the program would not stand up until 2027, after the November 10, 2026 Phase 2 deadline that is driving the urgency.
- There is still no enacted federal tax credit for CMMC either. Planning your readiness around relief that has not passed is a timing bet, not a budget.
How much does CMMC Level 2 cost a small business?
The honest answer is two numbers, not one, and most coverage only gives you the smaller one.
The Department of Defense published cost estimates inside the CMMC program rule under 32 CFR Part 170. For a small business pursuing Level 2 through a third-party assessment, DoD’s estimate lands at roughly $105,000 across the three-year certification cycle. That cycle includes the assessment itself plus two annual affirmations. DoD’s published assessment estimates break down roughly like this:
| Path | What it is | DoD estimate |
|---|---|---|
| Level 1 self-assessment | FCI only, 15 FAR controls, annual self-assessment | ~$4,000 to $6,000 |
| Level 2 self-assessment | CUI, where the contract allows self-assessment | ~$37,000 to $49,000 |
| Level 2 third-party (C3PAO) | CUI, where the contract requires a C3PAO assessment | ~$105,000 to $118,000 |
Here is the part DoD states plainly and almost everyone skips: those numbers are assessment costs. They assume you have already implemented the security controls. The 110 controls in NIST SP 800-171 Revision 2 have been a contractual requirement since 2016 under DFARS 252.204-7012. DoD’s estimate does not include the cost of getting from where you actually are to where the standard says you should already be.
For a contractor that has been doing the work, the assessment fee may be most of the bill. For a contractor starting closer to the beginning, which describes a large share of the small subs in the supply chain, the preparation costs more than the assessment. Assessors and compliance vendors widely report first-year, all-in spend well above DoD’s figure, often two to three times the assessment fee, because remediation, tooling, an isolated CUI environment, policy and procedure development, and the System Security Plan dwarf the exam.
So when you search “CMMC Level 2 cost,” the right mental model is a stack: a fixed exam fee on top, and a much larger, variable readiness cost underneath it.
What the proposed CMMC grant covers, and what it doesn’t
On June 17, 2026, Federal News Network reported that the Senate Armed Services Committee included a CMMC grant program in its version of the fiscal 2027 National Defense Authorization Act. For small subcontractors watching the cost curve, it reads like relief. Read the actual provision and the picture narrows fast.
What the bill proposes:
- Grants for small businesses and new entrants to offset CMMC costs.
- A maximum of $100,000 per grant.
- A $50 million cap on the entire program.
- Priority for organizations that have not previously held a DoD contract or subcontract.
- A hard restriction: the money can only be used to offset the direct cost of a Level 2 third-party assessment.
That last line is the whole story. The grant is pointed at the assessment fee, which is the fixed, smaller, most predictable part of the bill. It does not fund the readiness work that decides whether you pass that assessment in the first place.
The proposed grant targets the assessment fee. The preparation and remediation underneath it, usually the larger cost, stays on the contractor.
There is also the matter of scale. A $50 million cap, divided into grants of up to $100,000, funds on the order of 500 assessments in full. DoD estimates the defense industrial base at more than 220,000 organizations, with tens of thousands needing Level 2. The program, as written, is a targeted cushion for the smallest and newest firms, not a broad subsidy for the supply chain.
The timeline problem nobody is pricing in
Even if the grant were generous enough to cover your readiness, the calendar does not cooperate.
CMMC Phase 2 begins November 10, 2026. That is the point at which contracts involving CUI can require a Level 2 assessment by a C3PAO, under 32 CFR Part 170 and the DFARS clause 252.204-7021 that has been live since November 2025. The deadline driving every contractor’s urgency right now is this one.
The grant is a Senate bill. It has not passed. The two chambers still have to reconcile their NDAA versions, the provision has to survive that process, and then DoD has to write the rules to run the program. Reporting on the bill points to the program being established in 2027, not this year.
Line those two facts up. The pressure is November 2026. The earliest possible relief is sometime in 2027. For a contractor facing a Phase 2 contract requirement, a grant that arrives after the deadline does nothing for the decision in front of them. “Wait for the grant” is this year’s version of “wait for the deadline,” and it fails for the same reason: the clock is the constraint, not the budget line.
Is there a CMMC tax credit instead?
This question shows up constantly, and the answer is the same as the grant’s: not yet, and not in time to plan around.
There is no enacted federal tax credit for CMMC expenses. Congress drafted the Small Business Cybersecurity Act of 2024, which proposed a credit of up to $50,000 for businesses with 50 or fewer employees. It has not passed into law. A handful of states run their own programs, and a few private gap-assessment grants exist, but none of that is a reliable line item you can put in a 2026 readiness budget.
The pattern is worth naming. Relief for small contractors has been proposed in several forms, a tax credit, now a grant, and each one polls well and moves slowly. It may eventually arrive. It is not a plan.
What a small contractor should actually do now
The cost reality does not change based on what Congress does this fall. The work that determines whether you pass a Level 2 assessment is the same work, and it is the part you control.
A practical sequence for a small sub facing a Phase 2 requirement:
- Scope first, because scope sets the price. The single biggest lever on cost is how much of your environment touches CUI. Isolating CUI into a defined enclave shrinks the boundary, the number of systems assessed, and the bill. Scoping is decided under 32 CFR 170.19.
- Score yourself honestly against all 110 controls. Your SPRS score is a representation to the government, and an inaccurate one carries False Claims Act exposure independent of any breach. Know the real number before an assessor does.
- Build the System Security Plan and a defensible POA&M. Documentation is assessed as rigorously as the technical controls. A thin SSP is one of the most common reasons a small business that “feels ready” is not.
- Then schedule the assessment. Capacity is finite. The fixed fee is the last step, not the first, and it is the only step the proposed grant would ever touch.
If you are starting that sequence and want the tools that do not exist as free, credible downloads anywhere else, the CMMC Level 2 Readiness Kit: 5 NIST 800-171 Tools ($147) is the asset-scoping worksheet, SPRS score workbook, SSP template, POA&M tracker, and evidence tracker in one package, with a Start Here guide that runs them in the order above. It is built for the contractor doing this without a dedicated compliance team, on the current timeline, with their own money.
The bottom line
CMMC Level 2 costs a small business somewhere north of $105,000, and the assessment fee is the smaller, more predictable half of that. The proposed grant, if it survives the NDAA process and stands up in 2027, would help with that smaller half for a few hundred of the smallest firms. It would not pay for the readiness work, and it would not arrive before the November 2026 deadline. The contractors who come out ahead are the ones treating the grant as a possible rebate on a bill they were always going to pay, not as a reason to wait.
Sources
- Federal News Network, “Senate NDAA proposes CMMC grant program,” June 17, 2026.
- U.S. Department of Defense, CMMC Program final rule, 32 CFR Part 170, including published assessment cost estimates.
- DFARS clause 252.204-7012 and 252.204-7021, acquisition.gov.
- NIST Special Publication 800-171, Revision 2, csrc.nist.gov.
- Federal News Network, “DoD, Hill eye CMMC tax credit for smaller defense contractors,” on the Small Business Cybersecurity Act of 2024.