Ancitus. Learn

Grants that pay for CMMC.

CMMC Level 2 costs $75K–$300K. But between federal cost recovery, state grants, and free programmes, most of that doesn't have to come out of pocket. Select your state below to see what applies to you.

★ = state has dedicated CMMC programmes
8 programs available nationwide
Phase 2 enforcement begins November 10, 2026
Highest value
Every contract

Federal cost recovery Federal

CMMC costs are allowable under FAR Part 31. If you hold a DoD contract, you can recover most or all of these costs through your contract pricing. Most contractors don't.

Cost-reimbursable
Assessments, remediation, tools, C3PAO fees — charge them to the contract. Direct or indirect.
Fixed-price
Won't help on existing work. But every future bid should have CMMC costs built in.
Overhead rates
Put remediation in your overhead rate. It stays off your bottom line.
One nuance
The DoD's position is that compliance was required since 2017 — so technically only the C3PAO assessment is "new" cost. In practice, most contractors include remediation in overhead. Talk to your contracts manager if you're DCAA-audited.
Read FAR Part 31 →
Ordered by value — highest first

Proposed Federal Tax Credit Federal

A 30% tax credit on cybersecurity spending for companies with fewer than 50 employees. DoD has backed it publicly. The legislation has not passed since first floated in late 2024. Worth watching, not worth planning around — treat it as zero in any compliance budget until it becomes law.
Tracking: no legislative movement since late 2024. Re-verify every 6 months.
Not enacted — legislation pending
Verified 17 April 2026
$50,000
Read source →

Cyber Grants Alliance Federal

A $5,000 in-kind gap assessment covering all 110 NIST 800-171 controls. New round of 100 grants launched March 4, 2026 ($500K total, sponsored by CMMC Ready Now). First-come, first-served. Interest is surging — apply early. Good starting point for identifying gaps, not a full certification assessment. Recipients are under no obligation to use any specific provider for remediation.
Open — new round launched March 2026
Verified 17 April 2026
$5,000
Apply at cybergrantsalliance.org →

APEX Accelerators Federal

Talk to these people first. Free government contracting counseling and CMMC guidance at 300+ offices across 97 centres nationally. DoD-funded through the Office of Small Business Programs. They're the bridge between DIB contractors and federal contracting — most people simply don't know they exist. APEX counselors can help with SPRS scores, compliance planning, and referrals to RPOs and C3PAOs.
Advisory — 300+ offices nationwide
Verified 17 April 2026
Free
Find your office →

Project Spectrum Federal

A DoD Office of Small Business Programs initiative. Free cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training modules and Cyber Advisor technical support. Won't replace a professional assessment but gives you a starting picture at zero cost. Create an account to begin.
Advisory — DoD OSBP programme
Verified 17 April 2026
Free
Create free account →

Small Business Development Centers (SBDCs) Federal

Free business advisers at 900+ locations nationally, SBA-backed. They can help you understand how to structure CMMC costs as allowable under your contracts, think through whether grants or indirect cost recovery is the right primary strategy, and connect you to state and local programmes. If you're not sure how FAR Part 31 applies to your situation, this is where to ask.
Advisory — 900+ locations nationwide
Verified 17 April 2026
Free
Find your SBDC →

CSIAC Federal

Send any cybersecurity question to DoD analysts at the Cybersecurity & Information Systems Information Analysis Center. They'll research and respond — up to 4 hours of work, free. Response typically takes about 10 business days. You'll need a CAC, ECA, or PIV credential to submit (most DIB contractors qualify for ECA).
Advisory — up to 4 hours per inquiry
Verified 17 April 2026
4 hrs free
Submit inquiry →

DCISE (DC3) Federal

Threat intelligence sharing from the Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free to join. Most useful once your security programme is operational — not a starting point, but a valuable ongoing resource for threat awareness and incident response coordination.
Advisory — free membership for DIB
Verified 17 April 2026
Free
Learn more at dc3.mil →
Your next steps

How to stack these

1
Start with free programs
APEX Accelerator + Project Spectrum readiness check + SBDC for cost recovery planning.
2
Apply for state funding
Check if your state MEP offers CMMC-specific funding. Many do.
3
Recover the rest through contract pricing
FAR Part 31. Build CMMC costs into future bids. It doesn't have to come out of profit.
COMMON QUESTIONS

Questions contractors actually ask.

A few of the questions contractors raise most. Full answers below — no truncation.

See all 32 questions →

Yes. The Department of Defense has confirmed on the record that CMMC compliance costs are allowable under FAR Part 31 and can be recovered through contract pricing.

In the DFARS Case 2019-D041 final rulemaking, the DoD stated that there is "nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable" if the costs are incurred in accordance with FAR 31.201-2.

For cost-reimbursable contracts, CMMC costs can be included as direct or indirect charges. For fixed-price contractors, CMMC costs should be factored into pricing for future proposals.

Costs don't have to land on a single contract. FAR Part 31 allocability rules let you spread them across every contract that benefits — parallel contracts running at the same time and sequential contracts awarded later. The questions below break down each mechanism, and how to combine them.

Yes. This is the core mechanism of indirect cost allocation under FAR 31.201-4 and CAS 405 — the horizontal lever.

When CMMC compliance costs sit in your G&A pool or overhead pool, they are allocated proportionally across all active contracts based on the allocation base (typically total cost input or direct labour). If you have five active contracts and $100K of compliance cost in a given year, each contract absorbs roughly $20K weighted by its share of the base — not the full $100K.

This is standard cost accounting practice, not a workaround. DCAA expects indirect costs to be allocated equitably across all cost objectives that benefit from them.

Federal programs work in every state, regardless of local MEP funding. The full list, grouped by what they actually do:

Free advisory and readiness services:

  • APEX Accelerators — 97 centres operating 300+ offices nationally, DoD-funded. Free one-on-one CMMC counseling, gap assessment guidance, bid matching, and referrals to RPOs and C3PAOs.
  • Project Spectrum — DoD OSBP initiative, free to all DIB contractors. Cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training and Cyber Advisor technical support.
  • Small Business Development Centers (SBDCs) — roughly 900 locations nationally. Free and low-cost CMMC planning and referrals.
  • CSIAC — up to 4 hours free technical advisory per inquiry. Requires a CAC, ECA, or PIV to log in.

Free threat intelligence (ongoing, post-certification):

  • DCISE (DC3) — Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free threat intelligence sharing for DIB contractors. Not a starting point, but a valuable ongoing resource once your programme is up and running.

Direct federal grants (currently available):

  • Cyber Grants Alliance — $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. New round of 100 grants launched March 2026 ($500K total, sponsored by CMMC Ready Now). First-come, first-served. Interest is surging — apply early.

Proposed but not enacted:

  • Federal CMMC Tax Credit (30%) — up to $50,000 for contractors under 50 employees. Publicly backed by DoD leadership. Not yet law. The next FAQ goes deeper on federal grants.

Structural federal recovery (the biggest lever):

  • FAR Part 31 indirect cost allocation — available to any federal contractor regardless of state. Not a grant, but the mechanism that recovers ongoing compliance cost through contract pricing. See Section 4.

Have a different question? See all funding FAQs →

Not sure which of these apply to you?

Our triage tells you where you stand, what you'll actually pay after applying these programmes, and whether it's worth the investment — in 5 business days.

Talk to us →
All links verified April 2026. Programme details and funding change — verify with each programme before making financial decisions. Ancitus is not a financial, tax, or legal adviser.