CMMC Assessments Begin: First C3PAOs Certified

With the CMMC final rule effective since December 16, 2024, and Phase 1 underway, the first CMMC assessments are now being conducted. While Phase 1 focuses on self-assessments, several C3PAOs have begun conducting voluntary Level 2 assessments for contractors who want to be certified ahead of the Phase 2 mandate.

C3PAO Landscape

As of early 2025, the Cyber AB has authorized approximately 50 C3PAOs to conduct CMMC Level 2 assessments. This number continues to grow as organizations complete their own assessments and meet authorization requirements. However, the total capacity is still modest relative to the estimated 70,000+ defense contractors that may eventually need Level 2 certification.

C3PAOs vary significantly in size, geographic coverage, industry expertise, and pricing. Some are large cybersecurity firms with national reach. Others are boutique assessment organizations focused on specific sectors of the defense industrial base. Contractors should evaluate C3PAOs based on their experience with similar organizations, their assessor team qualifications, and their ability to schedule within the contractor's timeline.

Assessment Costs

Early market data shows Level 2 assessment costs ranging from approximately $30,000 to $150,000 or more, depending on the size of the organization, the complexity of the CUI boundary, the number of sites, and the assessment duration. A small contractor with a tightly scoped CUI environment and 50 employees might expect costs at the lower end. A large organization with multiple locations, complex network architectures, and hundreds of users will pay significantly more.

These costs cover the C3PAO's assessment team time, report preparation, and CMMC eMASS data entry. They do not include the contractor's internal preparation costs, remediation expenses, or any consulting fees for readiness work.

Early Assessment Findings

Anecdotal reports from early assessments reveal common themes. Documentation gaps remain the most frequent issue — contractors who have implemented controls but not documented them adequately in their SSP. Evidence quality is another common finding — assessors are seeing stale evidence, screenshots without timestamps, and evidence that does not clearly map to specific requirements.

On the positive side, contractors who invested in structured compliance programs and purpose-built platforms are progressing through assessments smoothly. The preparation difference between organizations with mature compliance processes and those with ad hoc approaches is stark.

Planning Your Assessment

Even though Phase 2 (mandatory C3PAO assessments) is approximately one year away, scheduling is already competitive. C3PAOs have limited assessor capacity, and demand will increase as Phase 2 approaches. If you plan to pursue voluntary assessment or want to be ready for Phase 2, begin engaging with C3PAOs now to understand their availability, requirements, and pricing. The contractors who schedule early will have the best selection and the most flexibility.
