An IT Director at a 200-person defense manufacturer receives the CMMC flowdown from their prime contractor in January 2026. By February, they have three MSP proposals on the desk. The average quote: $487,000 in year one for a full GCC High enclave buildout, plus a C3PAO assessment, plus ongoing managed services.

The question they bring to their CFO isn't "can we afford this?" — it's "is this what CMMC actually costs, or is this what someone charges to build the wrong architecture for the right regulation?"

That's the right question. And the answer matters significantly because CMMC Level 2 doesn't require an enclave. It requires that your Controlled Unclassified Information (CUI) stay under cryptographic control at all times. That's a different problem. Before you sign off on a six-figure infrastructure spend, you should understand exactly what each dollar is buying and what the November 10, 2026, enforcement deadline means for the math.

A Downloaded File Breaks a Six-Figure Enclave

Traditional security attempts to lock down your network location. But CMMC Level 2 requires continuous control over the data itself. If your security doesn't travel with the file, your compliance posture evaporates the second a document leaves the perimeter.


What Does CMMC Level 2 Require?

CMMC Level 2 maps directly to NIST SP 800-171 — 110 security practices across 14 domains. The domains you'll spend the most money on: Access Control (AC), Identification and Authentication (IA), System and Communications Protection (SC), and Media Protection (MP).

Before any cost figure is meaningful, you need to understand scope. Your CUI Assessment Scope defines which systems, people, and locations are subject to CMMC assessment. The smaller your scope, the lower your assessment and remediation costs — but scoping down creates its own hidden costs (more on that below).

The DoD's baseline estimate for a small business achieving CMMC Level 2 compliance: $487,970 over three years. That figure assumes a 50-person company with a defined CUI environment. For mid-size defense contractors with 200–500 employees and distributed operations, the three-year number climbs well beyond that.

The Real CMMC Level 2 Cost Breakdown

There is no single "CMMC compliance cost." What you actually pay depends on your current NIST 800-171 score, how much CUI you handle, your existing technology stack, and which architecture your MSP recommends. Here's what each layer actually costs.

C3PAO Assessment: What Assessors Charge

A Certified Third-Party Assessment Organization (C3PAO) assessment is non-negotiable for CMMC Level 2. You cannot self-attest. The DoD's baseline estimate for the assessment itself: $104,670. In practice:

Assessment Type                        Low        High       Notes
-------------------------------------  ---------  ---------  ------------------------------------
Gap/Readiness Assessment (pre-C3PAO)   $5,000     $40,000    Recommended before formal assessment
C3PAO Level 2 Assessment               $35,000    $200,000   Size and complexity dependent
Reassessment (failed controls)         $15,000    $75,000    Not uncommon on first attempt

The $35,000 floor applies to the smallest, simplest environments — a 25-person contractor with a tightly scoped CUI system that has already remediated all 110 practices. Most contractors with 100+ employees and distributed file environments are looking at $75,000–$150,000 for the assessment alone.

Technology Stack: The Enclave Path vs. the Alternative

This is where costs diverge most sharply, and where the architecture decision you make determines your three-year spend.

The Enclave / GCC High Path

The most commonly sold CMMC compliance architecture: migrate your CUI environment into a Microsoft 365 GCC High or Azure Government enclave, apply the required security controls within that enclave, and scope your C3PAO assessment to that environment only.

Technology Component                        Annual Cost
------------------------------------------  ------------------------------------------
Microsoft 365 GCC High (Business Premium)   ~$60/user/month ($720/user/year)
Azure Government (if applicable)            Variable by usage
Enclave buildout (labor)                    $50,000–$150,000 one-time
Endpoint management (MDM, Intune)           Included in M365 BP or $8–12/user/month
Ongoing managed CMMC services (MSP)         $15,000–$100,000/year

[Figure: CMMC Level 2 Costs, GCC High Path vs. Theodosian Control-Based Path]

For a 100-person contractor where 80 users touch CUI: GCC High licensing alone runs $57,600/year. Add the buildout, the managed services, and the assessment, and year one approaches $300,000–$400,000.

The critical question this architecture doesn't answer: What happens when CUI leaves the enclave? The SharePoint document a contractor downloads to their laptop before traveling. The Excel file forwarded to a subcontractor via personal email. The PDF exported before offboarding. The enclave controls the location. It does not control the file once the file leaves.

Remediation Costs: The Gap Determines the Gap

Your current NIST 800-171 score is the single biggest driver of remediation spend. CyberSheath's 2025 State of the Defense Industrial Base report found that only 1% of contractors are fully prepared for a CMMC Level 2 assessment today. The average contractor's NIST score hovers below 50 out of 110.

Gap Category                                   Typical Remediation Cost
---------------------------------------------  --------------------------
MFA deployment (all users, all systems)        $5,000–$25,000
Endpoint detection and response (EDR)          $8–15/endpoint/month
SIEM / log management                          $20,000–$80,000/year
Vulnerability management                       $10,000–$40,000/year
Incident response plan + documentation         $10,000–$30,000
Encryption for CUI at rest and in transit      Variable (see below)
Personnel training (all CUI handlers)          $2,000–$10,000/year

Note: MorseCorp's NIST 800-171 score was negative 142 when they submitted false compliance attestations to the DoD. They settled for $4.6 million under the False Claims Act in March 2025. Remediation costs are significantly cheaper than that outcome.

The November 2026 Math Problem

Phase 2 CMMC enforcement begins November 10, 2026. From that date, new DoD contracts above the simplified acquisition threshold require CMMC Level 2 certification for any contractor that handles CUI. That's not a target date; it's a contractual gate.

Here's the problem with the math:

  • ~80,000–118,000 defense contractors need CMMC Level 2 (DoD estimate)
  • 83 C3PAOs are currently authorized to perform assessments (CMMC AB, June 2026)
  • ~270 organizations hold final CMMC Level 2 certificates as of June 2026
  • Current C3PAO waitlists: 6–9 months for assessment scheduling
  • Projected waitlists by Q3 2026: 18+ months for many authorized assessors

If you haven't engaged a C3PAO already, you may not get an assessment slot before the deadline, regardless of your readiness. The bottleneck isn't your compliance posture; it's assessor capacity.

What this means practically: Every month you delay remediation is a month closer to either missing the enforcement deadline or scrambling to find an assessor who can fit you in. Neither outcome is acceptable.

What You Cannot Defer with a POA&M

CMMC Level 2 allows Plan of Action & Milestones (POA&Ms) for certain unmet practices — a grace period to remediate specific gaps after assessment. But three categories of controls are not deferrable to POA&M:

SC.3.177 — FIPS 140-3 Validated Encryption: Encryption of CUI using FIPS 140-3 validated cryptographic modules is a hard requirement. You cannot receive a conditional pass with this control unmet. If your file storage, collaboration tools, or endpoint encryption rely on non-FIPS modules, that is a blocker.

SC.3.187 — Organization-Controlled Key Management: Key management must remain under your organization's control. Shared-key architectures — where a cloud provider or third-party vendor manages encryption keys on your behalf — may not satisfy this control. If the provider can decrypt your CUI without your active authorization, your keys are not organization-controlled.

Multi-Factor Authentication (MFA): MFA for all privileged users and all access to CUI systems is non-deferrable. This is also the most commonly failed control in pre-assessment gap analyses.

These aren't administrative controls you can document your way around. Assessors check them. They are pass/fail.

The Hidden Cost of Enclave Architecture

The enclave approach has an internal logic: if you contain all CUI handling within a CMMC-compliant environment, you only need to secure that environment. Scope reduction is a legitimate strategy.

The problem is that enclave scope is difficult to maintain in practice. CUI doesn't respect container boundaries. Your engineers download schematics to work offline. Your program managers forward contract documents before getting on a plane. Your outgoing subcontractor has 15 files cached locally that your SharePoint revocation cannot reach — Microsoft's own documentation confirms that files downloaded before access removal remain accessible on the device.

Each instance of CUI outside the enclave is either an undeclared scope expansion or a compliance gap. Neither is free.

The CMMC scoping logic doesn't allow you to exclude those files from assessment because they exist outside your enclave. It requires you to demonstrate that CUI is controlled wherever it lives. That's not a location problem; that's a control problem.

This is the architectural distinction that the cost conversation rarely reaches: you're paying for a location-based architecture when the regulation is asking for control-based architecture. An enclave controls where CUI can be accessed. Per-file encryption — specifically FIPS 140-3 validated encryption applied at the file level — controls the CUI itself, regardless of where the file travels.

That doesn't mean you skip the enclave. It means the enclave alone doesn't solve SC.3.177, SC.3.187, or the edge cases that live outside it.

What Does a Control-Based Approach Actually Cost?

This isn't a pitch for a specific tool; it's a framework question about where you spend your compliance budget.

If your FIPS 140-3 encryption capability is applied at the file level, the control travels with the data. When a contractor downloads a schematic and leaves the company, you can revoke access to that file, not just the SharePoint folder it came from. When CUI leaves your enclave for a subcontractor, it remains under your cryptographic control. The file defends itself.

The compliance cost implication: per-file encryption can reduce your CMMC assessment scope. Files that are encrypted with organization-controlled keys are, by definition, protected even when outside your primary CUI boundary. That changes what the assessor has to examine. A smaller assessed scope means a lower assessment cost and a shorter assessment timeline.
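The mechanism described in this section and in "The Hidden Cost of Enclave Architecture" above, as an added example in Python (not code from this article or from Theodosian): each file gets its own data key, that key is wrapped by a key-encryption key that only the organization's key service holds, and a downloaded copy of the file carries only the wrapped key. Opening any copy, cached or not, therefore requires a key release from the service, so offboarding a contractor is a matter of the service refusing further releases, and every release decision is logged. The `OrgKeyService` class, the container layout, and the user names are assumptions made for the example; the cipher is an HMAC-SHA256 counter-mode stand-in built from the standard library so the block runs anywhere, and it is not a FIPS 140-3 validated module. In a real deployment both the file encryption and the key wrapping would be performed by a validated module; the key-release logic is the part this example illustrates.

```python
"""Per-file encryption with organization-controlled keys (constructed example).

The cipher below (seal/unseal) is an HMAC-SHA256 counter-mode stand-in so the
example runs with the standard library only. It is NOT a FIPS 140-3 validated
module; the point of the example is the key-release and revocation logic.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class OrgKeyService:
    """Hypothetical key service: the only component that ever holds the KEK.
    It decides, per request, whether a user gets a file's data key, and logs it."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._grants: dict[str, set[str]] = {}        # file_id -> users allowed
        self.audit: list[tuple[str, str, str]] = []   # (file_id, user, outcome)

    def register_file(self, file_id: str, users: list[str]) -> tuple[bytes, bytes]:
        """Mint a fresh data key for one file; return (dek, wrapped_dek)."""
        dek = secrets.token_bytes(32)
        self._grants[file_id] = set(users)
        return dek, seal(self._kek, dek)

    def release_key(self, file_id: str, user: str, wrapped_dek: bytes) -> bytes:
        if user not in self._grants.get(file_id, set()):
            self.audit.append((file_id, user, "denied"))
            raise PermissionError(f"{user} is not authorized for {file_id}")
        self.audit.append((file_id, user, "released"))
        return unseal(self._kek, wrapped_dek)

    def revoke_user(self, user: str) -> None:
        """Offboarding: drop every grant, so every cached copy the user holds goes dark."""
        for users in self._grants.values():
            users.discard(user)


def encrypt_file(ks: OrgKeyService, file_id: str, users: list[str], data: bytes) -> dict:
    """The container travels with the wrapped key, never with the plaintext key."""
    dek, wrapped = ks.register_file(file_id, users)
    return {"file_id": file_id, "wrapped_dek": wrapped, "body": seal(dek, data)}


def decrypt_file(ks: OrgKeyService, user: str, container: dict) -> bytes:
    dek = ks.release_key(container["file_id"], user, container["wrapped_dek"])
    return unseal(dek, container["body"])


def offboarding_demo() -> dict:
    """Constructed scenario: a contractor downloads a CUI schematic, then is offboarded."""
    ks = OrgKeyService()
    schematic = b"CUI // drawing 42-A (constructed sample)"
    container = encrypt_file(ks, "schematic-42A", ["engineer", "contractor"], schematic)
    cached_copy = dict(container)  # the contractor's local download, byte-identical
    before = decrypt_file(ks, "contractor", cached_copy) == schematic
    ks.revoke_user("contractor")
    try:
        decrypt_file(ks, "contractor", cached_copy)
        after = "opened"
    except PermissionError:
        after = "denied"
    staff_ok = decrypt_file(ks, "engineer", container) == schematic
    return {"before_revocation": before, "after_revocation": after,
            "engineer_still_has_access": staff_ok, "audit": ks.audit}


if __name__ == "__main__":
    print(offboarding_demo())
```

The design choice worth noting is that the contractor's cached copy is never modified or deleted; it simply stops being openable because the wrapped data key inside it is only useful to the key service, and the service's grant table no longer lists that user. The `audit` list is the evidence trail an assessor can be shown for each release and denial.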

The architecture question — enclave-only vs. per-file control — has a real dollar amount attached. Get your MSP to model both before you commit to infrastructure spend.

Revocation is Not Deletion

Standard offboarding is a door lock; it does nothing for the copies a contractor made weeks before they left. Don't wait for a C3PAO audit failure to realize your data protection architecture stopped at the platform level. To lock down files, enforce zero-trust control, and instantly generate the audit evidence assessors demand, see how Theodosian does it.

FAQs: CMMC Level 2 Compliance Cost

How do I find an authorized C3PAO?

See a list of authorized C3PAOs at the Cyber AB Marketplace. Get on their waitlists now; assessment slots are booking fast.

Can I use a POA&M to defer encryption and MFA controls?

No. SC.3.177 (FIPS 140-3 validated encryption), SC.3.187 (organization-controlled key management), and MFA are non-deferrable. They must be met at time of assessment or you will not receive a conditional certificate. There is no workaround.

Does achieving CMMC Level 2 require a full GCC High deployment?

No. GCC High is one path to CMMC compliance, and a popular one because it provides a pre-configured environment for many required controls. But CMMC does not mandate any specific technology. What it mandates is that the 110 practices are met. How you meet them is an architectural decision. Some contractors use GCC High. Others use on-premises environments with compliant controls. Others combine approaches. The architecture should follow the risk and cost analysis, not the other way around.

What's the False Claims Act risk for contractors who self-attest incorrectly?

Significant. The Department of Justice's Civil Cyber-Fraud Initiative uses the False Claims Act to pursue defense contractors who knowingly misrepresent their cybersecurity posture. MorseCorp's $4.6M settlement in March 2025 was the first major settlement, but it won't be the last. If you self-attest to a NIST 800-171 score you haven't verified, you are accepting personal liability as well as corporate liability.