← All guides

CMMC Compliance for a 20-Person Shop: What It Actually Costs in 2026

Fortline Cyber · 2026-07-07

If you've gotten a CMMC consulting quote recently, you may have done the math and wondered whether staying in defense work is even worth it. Before you decide, it helps to know what you're actually buying — because "CMMC compliance" isn't one cost. It's four or five different costs bundled together, and some of them are far more negotiable than others.

Here's the honest breakdown for a small shop — 10 to 50 people, a machine shop or engineering firm or small supplier handling Controlled Unclassified Information.

The Real Cost Components

1. The C3PAO assessment itself (not negotiable, not skippable)

To get CMMC Level 2 certified, a certified third-party assessment organization (C3PAO) has to assess you. Industry reporting puts assessment fees for a small, single-site business roughly in the $30,000–$60,000 range, with complex or multi-site environments running higher. Nobody escapes this cost — it exists whether you used a consultant, a platform, or did everything yourself. With fewer than 100 authorized C3PAOs serving a market of roughly 76,600 companies that need Level 2, don't expect these prices to fall soon.

2. Remediation (varies wildly — this is where your gaps live)

This is the cost of actually fixing what's missing: multi-factor authentication, encryption, access controls, logging, backups. For a 20-person shop it can range from a few thousand dollars (if your IT is already decent) to tens of thousands (if you need to restructure how CUI moves through your systems). The single biggest cost lever here is scoping: if you can confine CUI to a small, well-controlled part of your environment instead of your whole network, you shrink what has to be assessed — and what has to be fixed.

3. Documentation (cheap in dollars, expensive in hours)

CMMC Level 2 covers 110 controls across 14 families, and an assessor needs to see evidence and written policies for them. The System Security Plan is the big one — without it, an assessment literally cannot be conducted. Documentation is mostly labor, not licenses. It's the component small shops most often overpay for, and the one most realistic to do largely in-house with good templates.

4. Ongoing costs

Compliance isn't a one-time purchase. Budget for maintaining the controls, annual affirmations, and re-assessment every three years. If you adopt a GRC (governance, risk, compliance) platform, those typically run $10,000–$30,000 per year — useful for some shops, overkill for a 20-person operation that could track 110 controls in a well-organized spreadsheet.

What the $75K Consultant Is Actually Selling

Full-service CMMC consultants typically charge $75,000–$150,000. That's not pure markup — but it's a bundle, and it's worth knowing what's inside it:

  • A gap assessment (figuring out where you stand)
  • Documentation drafting (SSP, policies, procedures)
  • Remediation project management (telling your IT people what to fix, in what order)
  • Assessment preparation (mock assessments, evidence organization)

Each piece has value. But notice what the bundle mostly is: structured labor and know-how, not technology. A shop with a capable office manager and a decent IT provider can do a real share of this internally — especially the gap assessment and the first drafts of documentation — and bring in targeted help only for the parts that are genuinely technical.

That's not a knock on every consultant. Some shops, especially those with messy environments or no IT support at all, genuinely need the full bundle. But you should buy it because you need it, not because you were scared into it.

What You Can Do Cheaply

  • Know your score before you pay anyone. A gap assessment is largely a structured questionnaire against 110 known controls. You can get an honest first estimate for free.
  • Scope aggressively. Fewer systems touching CUI means less to secure, document, and assess.
  • Use partial credit intelligently. The scoring methodology (5/3/1 points per control) tells you exactly which fixes move your score most. Fixing MFA is worth five points; a missing procedure document is worth one. Sequence accordingly.
  • Draft documents from templates, then refine. A first-draft SSP you wrote yourself and had reviewed costs a fraction of one written from scratch by a firm.
  • Put your 1-point gaps on a POA&M. Only 1-point controls can remain open at assessment (with one narrow encryption exception), you need a score of at least 88, and the POA&M must close within 180 days — but used correctly, this legitimately lets you certify before every last item is done.

Where You Must Not Cut Corners

One place, above all: the truth of what's in your documents and your SPRS score.

Submitting a score you know is inflated, or an SSP that describes controls you don't actually have, isn't a gray area. It's False Claims Act exposure, and the Department of Justice's Civil Cyber-Fraud Initiative pursues exactly these cases. Here's the detail that should stick with you: most of these cases begin with employee whistleblowers — your own people, who know what's really implemented and what isn't. A 20-person shop has no anonymity. Everyone knows whether MFA is actually turned on.

An honest 60 with a plan is a business asset. A dishonest 110 is a legal time bomb. This is the one line item where the cheap option and the expensive option are the same: just tell the truth.

A Realistic Budget for a 20-Person Shop

Every shop differs, but a sane planning frame looks like: the C3PAO assessment fee (the fixed, unavoidable chunk), plus remediation that depends entirely on your starting point and scope, plus documentation that costs mostly time if you do it smart — and none of the panic-priced extras. For many small shops, the total lands meaningfully below the headline consultant quotes, if they start early enough to do the labor-heavy parts themselves. Start late, and you'll pay rush rates for all of it.

Start With the Free Part

The first step — finding out where you stand — shouldn't cost anything. We built fortlinecyber.com/assess for exactly this: plain-English questions, an estimated SPRS score, your gaps sorted into certification-blockers vs. POA&M-eligible items, and free document drafts to start from. No signup to start. Then you can decide what help you actually need, with numbers instead of fear.

FAQ

How much does CMMC Level 2 certification cost a small business? The C3PAO assessment alone typically runs $30,000–$60,000 for a small single-site shop per industry reporting. Total cost depends heavily on your remediation gaps and how much work you do in-house.

Do I need a consultant to get CMMC certified? No. You need to implement 110 controls, document them honestly, and pass a C3PAO assessment. Consultants make that faster and easier; they aren't a requirement.

Can I get certified with open gaps? Only 1-point controls may remain open on a POA&M (plus one narrow encryption exception), your score must be at least 88, and the POA&M must close within 180 days.

What's the cheapest way to start? A free self-assessment. Know your estimated score and which gaps are blockers before you spend anything.

Fortline Cyber does readiness work only — we prepare you for assessment, we don't certify anyone. Certification is performed by an independent C3PAO; assessing our own work would be a conflict of interest.

Know your number in about 20 minutes.

Check my SPRS score — free