Ancitus. Learn

Grants that pay for CMMC.

CMMC Level 2 costs $75K–$300K. But between federal cost recovery, state grants, and free programmes, most of that doesn't have to come out of pocket. Select your state to see what's available to you.

8 programs available nationwide
* Some states offer dedicated CMMC grants — select yours to check
Phase 2 enforcement begins November 10, 2026 — state grant funding is first-come, first-served
Highest value
100%

Federal cost recovery Federal

CMMC costs are allowable under FAR Part 31. If you hold a DoD contract, you can recover most or all of these costs through your contract pricing. Most contractors don't.

Cost-reimbursable
Assessments, remediation, tools, C3PAO fees — charge them to the contract. Direct or indirect.
Fixed-price
Won't help on existing work. But every future bid should have CMMC costs built in.
Overhead rates
Put remediation in your overhead rate. It stays off your bottom line.
One nuance
The DoD's position is that compliance was required since 2017 — so technically only the C3PAO assessment is "new" cost. In practice, most contractors include remediation in overhead. Talk to your contracts manager if you're DCAA-audited.
Read FAR Part 31 →
Ordered by value — highest first

Proposed Federal Tax Credit Federal

A 30% tax credit on cybersecurity spending for companies with fewer than 50 employees. The DoD has backed it publicly. It hasn't passed yet — worth watching, not worth planning around.
Not enacted
$50,000
Read source →

Cyber Grants Alliance Federal

A $5K gap assessment covering all 110 NIST 800-171 controls. 100 grants were issued — most are likely gone. Runs on the CMMC Ready Now platform. Good as a starting point, not a full assessment.
Likely fully allocated
$5,000
Check availability →

APEX Accelerators Federal

Talk to these people first. Before you hire a consultant, before you buy software, before you do anything. Free CMMC guidance, documentation help, and compliance planning at 300+ offices. DoD-funded. They're specifically there to help defence contractors — most people just don't know about them.
Open — 300+ offices
Free
Find your office →

Project Spectrum Federal

A free readiness check and training from the DoD — covers CUI handling, SSP basics, and POA&M development. Won't replace a professional assessment, but it gives you a starting picture at zero cost.
Open
Free
Create free account →

SBDCs Federal

Free business advisers at 900+ locations who can help you understand how to structure CMMC costs as allowable under your contracts. If you're not sure how FAR Part 31 applies to your situation, this is where to ask.
Open — 900+ locations
Free
Find your SBDC →

CSIAC Federal

Send any cybersecurity question to DoD analysts. They'll research it and send you an answer — up to 4 hours of work, free. Takes about 10 business days. You'll need a CAC, ECA, or PIV to log in.
Open
4 hrs free
Submit inquiry →

DCISE (DC3) Federal

Threat intelligence from the Defense Cyber Crime Center. Free to join. Most useful once your security programme is up and running — not a starting point, but a good ongoing resource.
Free to join
Free
Learn more at dc3.mil →
Your next steps

How to stack these

1
Start with free programs
APEX Accelerator + Project Spectrum readiness check + SBDC for cost recovery planning.
2
Apply for state funding
Check if your state MEP offers CMMC-specific funding. Many do.
3
Recover the rest through contract pricing
FAR Part 31. Build CMMC costs into future bids. It doesn't have to come out of profit.
COMMON QUESTIONS

Questions contractors actually ask.

A few of the questions contractors raise most. Full answers below — no truncation.

See all 28 questions →

Yes. The Department of Defense has confirmed on the record that CMMC compliance costs are allowable under FAR Part 31 and can be recovered through contract pricing.

In the DFARS Case 2019-D041 final rulemaking, the DoD stated that there is "nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable" if the costs are incurred in accordance with FAR 31.201-2.

For cost-reimbursable contracts, CMMC costs can be included as direct or indirect charges. For fixed-price contractors, CMMC costs should be factored into pricing for future proposals.

Costs don't have to land on a single contract. FAR Part 31 allocability rules let you spread them across every contract that benefits — parallel contracts running at the same time and sequential contracts awarded later. The questions below break down each mechanism, and how to combine them.

Yes. This is the core mechanism of indirect cost allocation under FAR 31.201-4 and CAS 405 — the horizontal lever.

When CMMC compliance costs sit in your G&A pool or overhead pool, they are allocated proportionally across all active contracts based on the allocation base (typically total cost input or direct labour). If you have five active contracts and $100K of compliance cost in a given year, each contract absorbs roughly $20K weighted by its share of the base — not the full $100K.

This is standard cost accounting practice, not a workaround. DCAA expects indirect costs to be allocated equitably across all cost objectives that benefit from them.

Federal programs work in every state, regardless of local MEP funding. The full list, grouped by what they actually do:

Free advisory and readiness services:

  • APEX Accelerators — 97 centres operating 300+ offices nationally, DoD-funded. Free one-on-one CMMC counseling, gap assessment guidance, bid matching, and referrals to RPOs and C3PAOs.
  • Project Spectrum — DoD OSBP initiative, free to all DIB contractors. Cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training and Cyber Advisor technical support.
  • Small Business Development Centers (SBDCs) — roughly 900 locations nationally. Free and low-cost CMMC planning and referrals.
  • CSIAC — up to 4 hours free technical advisory per inquiry. Requires a CAC, ECA, or PIV to log in.

Free threat intelligence (ongoing, post-certification):

  • DCISE (DC3) — Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free threat intelligence sharing for DIB contractors. Not a starting point, but a valuable ongoing resource once your programme is up and running.

Direct federal grants (limited):

  • Cyber Grants Alliance — $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. 100 grants issued; most likely allocated but availability worth checking.

Proposed but not enacted:

  • Federal CMMC Tax Credit (30%) — up to $50,000 for contractors under 50 employees. Publicly backed by DoD leadership. Not yet law. The next FAQ goes deeper on federal grants.

Structural federal recovery (the biggest lever):

  • FAR Part 31 indirect cost allocation — available to any federal contractor regardless of state. Not a grant, but the mechanism that recovers ongoing compliance cost through contract pricing. See Section 4.

Have a different question? See all funding FAQs →

Not sure which of these apply to you?

Our triage tells you where you stand, what you'll actually pay after applying these programmes, and whether it's worth the investment — in 5 business days.

Talk to us →
All links verified April 2026. Programme details and funding change — verify with each programme before making financial decisions. Ancitus is not a financial, tax, or legal adviser.