For small defense contractors · primary sources
CMMC for small business: the no-$100K-consultant path
A small defense contractor does not need a six-figure consultant to reach CMMC Level 2. The path: scope your CUI, run a free gap assessment, draft your own SSP and POA&M, fix the must-fix gaps, and post an honest SPRS score. Self-serve tooling does the documentation for a fraction of the $14,000–40,000 consultants quote — the separate C3PAO assessment fee is the one bill you cannot avoid.
Where the money actually goes
The honest way to think about CMMC cost is as two separate bills. Readiness — the gap assessment, the documentation, the remediation — is the part you control, and it is where consultants charge the most. The C3PAO assessment is a separate, fixed bill that applies no matter how you do the readiness work. The savings for a small business come almost entirely from the first bill.
| Cost item | Consultant-led | Self-serve small-business path |
|---|---|---|
| Gap assessment | $5,000–20,000 | $0 (free Muster Score) |
| SSP + POA&M documentation | $14,000–40,000 | A fraction, self-serve |
| Hourly advisory | $250–400/hr | Only where you need it (e.g. encryption, MFA) |
| C3PAO assessment | $30,000–75,000 | $30,000–75,000 (same — unavoidable, separate bill) |
Readiness figures (gap assessment $5,000–20,000; documentation $14,000–40,000; advisory $250–400/hr) are published consultant prices verified June 2026. The C3PAO assessment ($30,000–75,000 published range) is broken out in the CMMC Level 2 cost guide. The “no-$100K” framing refers to the readiness bill you can cut — not the assessment fee, which is real and separate.
The no-$100K path, step by step
The “DIY?” column is the honest part: most of this is contractor work, some of it needs targeted help, and exactly one step you cannot do yourself.
| Step | DIY? | What it involves |
|---|---|---|
| Scope your CUI | Yes | Map where Controlled Unclassified Information actually lives in your systems. Scope is the single biggest cost driver — the smaller and cleaner your CUI boundary, the less you have to protect and document. This is contractor work; nobody knows your data flows better than you. |
| Run a free gap assessment | Yes | Walk all 110 NIST SP 800-171 Rev 2 requirements and compute an honest SPRS score: start at 110 and deduct 1, 3 or 5 points for each requirement you do not meet (only MFA, 3.5.3, and CUI encryption, 3.13.11, earn partial credit at a 3-point deduction), so the floor is -203. This replaces the $5,000–20,000 a consultant charges for a gap assessment. The free Muster Score is a gap assessment: it gives you the delta to a passing posture and an SSP skeleton. |
| Draft your SSP | Mostly | The System Security Plan (requirement 3.12.4) is mandatory — no SSP, no assessment. Drafting it is documentation work that self-serve tooling can generate from your own answers, instead of the $14,000–40,000 a consultant bills for the document set. |
| Build a prioritized POA&M | Mostly | List every gap, classify it as POA&M-eligible or must-fix under 32 CFR 170.21, and sequence the work. A conditional Level 2 certification needs a score of at least 88 (80% of 110) with the POA&M items still open; only 1-point requirements can be deferred (3.13.11 CUI encryption is the one exception, deferrable at 3 points), a short list of requirements is never eligible, and every deferred item must be closed within 180 days. This tells you exactly what to spend remediation money on first, and what can wait. |
| Remediate the must-fix gaps | Partly | Implement the controls. Policy and procedure work you can do in-house; some technical controls, such as FIPS-validated encryption (3.13.11), multifactor authentication (3.5.3) and boundary protection (3.13.1), may need an MSP or IT partner. This is where targeted spending beats a blanket consultant retainer. |
| Post an honest SPRS score | Yes | Submit your self-assessment score through the PIEE portal to SPRS. A current, honest score is what makes you eligible to bid under DFARS 252.204-7019/7020 — and Phase 1 has required it in new solicitations since November 10, 2025. |
| Book your C3PAO assessment | No | For Level 2 involving CUI, a third-party C3PAO assessment becomes the default under Phase 2 (November 10, 2026). This is the one bill you cannot do yourself or skip — and with long scheduling waitlists, you book the slot while remediation is still underway. |
Sources: NIST SP 800-171 Rev 2 (the 110 requirements; 3.12.4 SSP, 3.5.3 MFA, 3.13.11 encryption); 32 CFR 170.21 (POA&M eligibility and the 180-day closeout); 32 CFR 170.3(e) (Phase 2 begins November 10, 2026); DFARS 252.204-7019/7020 (current assessment, flow-down). The free Muster Score is the gap assessment in step two.
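A worked version of the scoring and POA&M triage that steps two and four describe, added here as an editor's example; it is not Muster's code and not the official SPRS tool. It assumes the DoD Assessment Methodology weights (1, 3 or 5 points per requirement, with 3-point partial credit for 3.5.3 and 3.13.11), the 32 CFR 170.21 conditions in the table above, a never-eligible list as recalled here (confirm it against 170.21(a)(2)(iii)), and a constructed set of nine open requirements whose weights are the Annex A values as recalled. `Gap`, `build_plan` and `poam_deadline` are names chosen for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110              # NIST SP 800-171 Rev 2 count, and the maximum SPRS score
CONDITIONAL_MINIMUM = 88              # 32 CFR 170.21(a)(2)(i): score / 110 >= 0.8
POAM_CLOSEOUT = timedelta(days=180)   # 32 CFR 170.21: POA&M items closed within 180 days

# DoD Assessment Methodology: these two requirements deduct 3 instead of 5 when partially
# implemented (MFA for remote/privileged users only; encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Requirements that 32 CFR 170.21(a)(2)(iii) never allows on a POA&M.
# Assumption: listed from memory of the rule text; confirm against the CFR before relying on it.
NEVER_ELIGIBLE = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Gap:
    req: str               # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int            # 1, 3 or 5 from Annex A of the assessment methodology
    partial: bool = False  # partially implemented; only earns credit for 3.5.3 and 3.13.11


def deduction(gap: Gap) -> int:
    """Points this open requirement removes from the 110 starting score."""
    if gap.partial and gap.req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[gap.req]
    return gap.weight


def sprs_score(gaps) -> int:
    """SPRS score for a set of open gaps: 110 minus deductions (floor -203 if all 110 are open)."""
    return TOTAL_REQUIREMENTS - sum(deduction(g) for g in gaps)


def poam_eligible(gap: Gap) -> bool:
    """170.21(a)(2)(ii)-(iii): 1-point items only, or 3.13.11 at 3 points, never the listed ones."""
    if gap.req in NEVER_ELIGIBLE:
        return False
    points = deduction(gap)
    return points == 1 or (gap.req == "3.13.11" and points == 3)


def build_plan(gaps):
    """Split gaps into must-fix and POA&M, then enforce the 88-point floor with POA&M items open."""
    must_fix = [g for g in gaps if not poam_eligible(g)]
    poam = sorted((g for g in gaps if poam_eligible(g)), key=deduction, reverse=True)
    # Eligibility alone is not enough: the score with every POA&M item still open must be >= 88.
    # If it is not, move the heaviest POA&M items into must-fix until it is.
    while poam and sprs_score(poam) < CONDITIONAL_MINIMUM:
        must_fix.append(poam.pop(0))
    must_fix.sort(key=deduction, reverse=True)  # spend remediation money on 5-point items first
    return {
        "current_score": sprs_score(gaps),
        "must_fix": [g.req for g in must_fix],
        "poam": [g.req for g in poam],
        "score_with_poam_open": sprs_score(poam),
        "conditional_eligible": sprs_score(poam) >= CONDITIONAL_MINIMUM,
    }


def poam_deadline(conditional_status_date: str) -> str:
    """Last day (ISO date) to close the POA&M, counted from the conditional certification date."""
    return (date.fromisoformat(conditional_status_date) + POAM_CLOSEOUT).isoformat()


# Constructed sample: nine open requirements for a hypothetical 20-person shop.
# Weights are the Annex A values for these ids as recalled; 3.5.3 and 3.13.11 are partial.
SAMPLE_GAPS = [
    Gap("3.1.1", 5),                  # limit system access to authorized users
    Gap("3.1.5", 3),                  # least privilege
    Gap("3.1.7", 1),                  # stop non-privileged users running privileged functions
    Gap("3.1.20", 1),                 # external system connections: never POA&M-eligible
    Gap("3.3.8", 1),                  # protect audit information
    Gap("3.4.1", 5),                  # baseline configurations
    Gap("3.5.3", 5, partial=True),    # MFA for privileged/remote only: 3 points, still must-fix
    Gap("3.13.11", 5, partial=True),  # non-FIPS encryption in use: 3 points, POA&M-eligible
    Gap("3.14.1", 5),                 # flaw remediation
]

if __name__ == "__main__":
    for key, value in build_plan(SAMPLE_GAPS).items():
        print(f"{key}: {value}")
    print("POA&M closeout if conditional status is granted 2026-11-10:", poam_deadline("2026-11-10"))
```

On the sample the current score is 83, six items are must-fix (including 3.5.3 at partial credit, which is still a 3-point item and so not deferrable), three go on the POA&M, and the score with those three open is 105, above the 88 floor. The while loop matters for shops with many 1-point gaps: every one of them is eligible on paper, but if leaving them all open drops the score below 88, some have to be fixed before the assessment regardless.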
The catch nobody mentions: the C3PAO bill is separate
Be wary of any pitch that quotes a single all-in CMMC number. The third-party C3PAO assessment is its own bill ($30,000–75,000 published range), and it applies whether you spent $40,000 on a consultant or did the documentation yourself. The self-serve path does not make the assessment cheaper — it makes everything before the assessment cheaper, which for a small contractor is where the six-figure quotes actually come from.
There is no small-business exemption from CMMC — the requirements key to whether you handle CUI, not to your size — and the liability is real for subs too: the first False Claims Act settlement against a subcontractor landed in December 2025. The small-business advantage is not avoidance; it is efficiency. A tight CUI scope plus self-serve documentation gets a 20-person shop to the same posture a large prime reaches, without the same overhead.
Straight answers
Can a small business get CMMC certified without a consultant?
For most of the readiness work, yes. Scoping your CUI, running a gap assessment, drafting the SSP, and building the POA&M are documentation tasks a small contractor can do with self-serve tooling instead of paying the $14,000–40,000 consultants quote for the same document set. What you cannot do yourself is the C3PAO assessment itself — for Level 2 involving CUI it must be a third-party assessment. The realistic small-business path is: do the documentation yourself, pay only for the technical remediation you actually need, and budget separately for the C3PAO.
How much does CMMC Level 2 really cost a small contractor?
Two separate bills. Readiness — the gap assessment, SSP, POA&M, and remediation — is the part you control; consultant-led readiness runs $14,000–40,000 for documentation plus $250–400/hr advisory, while a self-serve path is a fraction of that. The C3PAO certification assessment is a separate $30,000–75,000 published range that applies no matter how you do the readiness work. The headline savings come from the readiness bill, not the assessment. See the cost guide for the full breakdown.
What is the cheapest path to CMMC Level 2?
Keep your CUI boundary small, do the documentation yourself with tooling that drafts the SSP and POA&M from your own answers, and pay for technical help only where you genuinely need it — typically FIPS-validated encryption, multifactor authentication, and boundary protection. The cheapest path is not skipping steps; it is not paying a blanket consultant retainer for documentation work you can do, while still budgeting honestly for the unavoidable C3PAO assessment.
Do subcontractors need CMMC too?
Yes, if you handle CUI. The DFARS clauses flow down: a prime must ensure its subcontractors have a current assessment at the required level (252.204-7020), and the first False Claims Act settlement against a subcontractor (a precision machining supplier, December 2025) confirmed liability runs through the supply chain, not just to primes. Being small does not exempt you — but it does mean a tight CUI scope and a self-serve readiness path are especially worth it.
Is there a CMMC small-business exemption?
No. There is no small-business carve-out from CMMC. The requirements key to the information you handle — Federal Contract Information points to Level 1, CUI to Level 2 — not to your headcount or revenue. Roughly 76,600–80,000 companies are obligated for Level 2, and the majority are small. The rule treats a 20-person shop and a large prime the same on what must be protected; the difference is how efficiently you get there.
Cost figures are published prices verified June 2026; regulatory claims cite NIST SP 800-171 Rev 2, 32 CFR part 170, and the DFARS clauses. This is compliance information, not legal advice. Muster drafts documentation you review and attest to and never accepts CUI; only an authorized C3PAO can certify you. For contract or False Claims Act questions, consult qualified counsel.
Related guides
Do you need GCC High for CMMC?
The honest scoping answer: the rule requires a FedRAMP-Moderate-equivalent cloud for CUI, never GCC High by name. When export-controlled (ITAR/EAR) data makes GCC High the answer, when it doesn’t, and how a CUI enclave cuts the bill.
NIST 800-171 SSP template
What an SSP must contain per 3.12.4, what assessors flag first, and a free blank template (Markdown or Word) — no email gate.
POA&M template (NIST 800-171)
The 32 CFR 170.21 eligibility rules — 88-point minimum, the never-eligible six, the 180-day clock — plus a worked example and a free blank template.
CMMC Level 2 cost
Real price bands by path — self-serve software, consultant-led, enclave route — with the C3PAO assessment fee separated out honestly.
Tools: SPRS score calculator · scoring methodology · CMMC Phase 2 deadline
The cheap path starts with your number.
The free Muster Score is the gap assessment consultants charge thousands for — exact SPRS math, your must-fix list, and the SSP skeleton, in about five minutes, no signup.
Get your free Muster Score
The free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.