Funding FAQs.
28 questions contractors ask most — in triage calls, in scoping conversations, and across the industry. Every answer is sourced from primary government documents, state agency pages, or verified legal analysis.
All answers verified · April 2026
Grants & eligibility
Three distinct categories, each with different mechanics:
1. State grants and tax credits. Direct state funding (CT CAP, Illinois IMEC Cyber-Safe, Michigan DCAP) or state tax credits (Maryland BMC, Maryland ESCC). You apply, get approved, spend the money, receive reimbursement or a credit against state tax liability. Money comes from state economic development funds, manufacturing innovation funds, or state tax policy.
2. Federal grants. Direct federal programs (Cyber Grants Alliance $5K gap assessment grants) or federal dollars flowing through state partners (DoD OLDCC funding for regional DCAP programs, NIST MEP appropriation funding state MEP centres). Cash or in-kind. Limited availability — most federal CMMC grants are one-time and award-capped.
3. FAR Part 31 cost recovery. Not a grant. Allocates compliance costs across your active federal contracts. The government doesn't reimburse you separately — your costs are built into contract pricing. Recovers continuously, automatically, across every contract active in a given year. This is the sustainable federal mechanism.
All three can be combined. A contractor can receive a state grant for half the initial gap assessment, claim a federal $5K Cyber Grants Alliance in-kind assessment, AND simultaneously allocate the remaining costs through their G&A pool via FAR Part 31. The layers stack.
Requirements vary by program. Here's what's actually required where:
State cybersecurity grants:
- Connecticut CAP — No contract required. Open to manufacturers "currently participating in the DoD supply chain, or those who wish to do so in the future."
- Michigan DCAP — Contract required. Requires at least 10% of annual revenue from DoD contracts currently or within the past five years.
- Maryland BMC Tax Credit — No DoD contract required. Eligibility is based on being a Qualified Maryland Company making purchases from a Qualified Maryland Cybersecurity Seller.
- Illinois IMEC Cyber-Safe — Manufacturer status required, not DoD contract. Must be primarily engaged in manufacturing (validated by NAICS codes).
Federal programs (different rules entirely):
- Cyber Grants Alliance — DIB contractor status, not active contract. Open to contractors and subcontractors in the defense industrial base.
- APEX Accelerators, Project Spectrum, SBDCs, CSIAC — No contract or DoD relationship required. Open to any small or mid-sized business pursuing federal work.
- FAR Part 31 cost recovery — Active federal contract required. This is the one federal mechanism that requires you to actually hold a contract, because recovery flows through contract pricing.
No. The programs on the Ancitus Funding Finder are grants and tax credits — not loans.
Grants (CT CAP, Michigan CyberSmart, Illinois IMEC) are cost-share programs. You pay your half, the state pays its half. No repayment obligation.
Tax credits (Maryland BMC and ESCC) reduce your state tax liability. You spend the money, then claim a credit against taxes owed. Nothing to repay.
The only mechanism that involves "repayment" is FAR Part 31 — but that isn't repayment in the conventional sense. It's the normal flow of costs through contract pricing, the same way rent, utilities, and salaries flow through.
Yes. Most CMMC grant programs pay for approved vendors to do the remediation work. Ancitus positions as the vendor the grant pays for — you apply for the grant, and if approved, the grant funds cover part or all of the remediation sprint cost. We help you identify which grants you qualify for during the triage.
It depends on the program. Most state programs like Connecticut CAP reimburse after the work is completed. Some federal programs provide funds upfront. During the triage, we match you with specific programs and explain the payment timeline for each one so there are no surprises.
State programs
- Connecticut: CAP grant (up to $35K matching) + CONNSTEP CMMC Bootcamp
- Maryland: BMC Tax Credit ($50K/year, renewable), ESCC Tax Credit ($200K/year), DCAP via MD MEP
- Illinois: IMEC Cyber-Safe Program (up to $25K, 50% match)
- Virginia: GENEDGE Alliance (pre-qualified vendor network)
- Michigan: DCAP via University of Michigan Economic Growth Institute
- Indiana / Ohio: Purdue MEP, Ohio MEP, APEX CMMC consulting (15 hrs free)
- Massachusetts: Manufacturing Cybersecurity Program ($30K capital cost-share)
- South Carolina: Cybersecurity Assistance Program (up to $25K for L3 path)
Program: Cybersecurity Adoption Program (CAP), administered by CCAT, funded by the CT DECD Manufacturing Innovation Fund.
Structure: 50% matching grant, up to a lifetime total of $35,000. Up to $10,000 for initial Cybersecurity Assessment and up to $25,000 for remediation.
Eligibility:
- Connecticut-based manufacturer
- 3–300 full-time employees in Connecticut
- Total proposed project value of at least $5,000
- Project completed within 12 months
- Must hire a third-party vendor
Critical timing: You cannot apply for a project that has already started. Apply first, get acknowledgment, then start work.
Administered by the Maryland Department of Commerce under Maryland Code Tax-General § 10-733.1.
Benefit: 50% of the net purchase price of cybersecurity technologies or services purchased from a Qualified Maryland Cybersecurity Seller, capped at $50,000 per tax year per buyer.
Annual renewal: The credit can be claimed every year. Maryland's FAQ explicitly addresses this: a multi-year service contract can claim credits for each year's payments.
Funding cap: Subject to annual funding availability. First-come, first-served. 25% of annual funding is earmarked for services; 75% for technology.
Application sequence: Apply to Maryland Commerce BEFORE making the purchase.
Three related credits for businesses incurring federal security clearance-related costs in Maryland:
- Security Clearance Administrative Expense: 100% of eligible expenses for obtaining AND maintaining clearances, up to $200,000/year
- SCIF Costs: 50% of construction/renovation up to $200,000 single / $500,000 multiple
- First Year Leasing Costs: Up to $200,000 for qualified small business
Eligibility: Companies with 500 or fewer employees, incurring eligible expenses in Maryland.
Funding cap: $2 million per calendar year across all applicants (pro-rata if oversubscribed).
Yes, through the Cyber-Safe Incentive Program. Originally launched 2023, reopened 2024.
Structure: Up to $25,000 per manufacturer to reimburse documented expenditures on contractual services, infrastructure costs, and other approved costs. Award amounts are no more than 50% of documented expenditures.
Eligibility: Primarily engaged in manufacturing (validated by NAICS codes), Illinois manufacturing establishments, documented gap assessment against NIST and/or CMMC.
Note: Program availability is subject to funding cycles. Verify directly with IMEC before planning around it.
GENEDGE Alliance is the Virginia MEP and a CMMC Registered Provider Organisation (RPO). GENEDGE has a pre-qualified network of 25+ cybersecurity vendors delivering services at pre-negotiated rates.
Virginia APEX Accelerator at George Mason University provides free government contracting counseling across 108 jurisdictions — CMMC guidance, SPRS help, bid matching.
Virginia Community College System offers up to $15,000 in cybersecurity certification scholarships for Virginia residents.
Yes, through the Defense Cybersecurity Assurance Program (DCAP) at the University of Michigan Economic Growth Institute. DCAP provides cost-share funding to support defense supply chain manufacturers.
DCAP is funded primarily by DoD Office of Local Defense Community Cooperation (OLDCC) in partnership with Purdue and Ohio State.
The separate Michigan Defense CyberSmart Program (Phase 1 reduced-price assessment, Phase 2 up to $22,500 grant) has ended.
Federal programs
Federal programs work in every state, regardless of local MEP funding. The full list, grouped by what they actually do:
Free advisory and readiness services:
- APEX Accelerators — 97 centres operating 300+ offices nationally, DoD-funded. Free one-on-one CMMC counseling, gap assessment guidance, bid matching, and referrals to RPOs and C3PAOs.
- Project Spectrum — DoD OSBP initiative, free to all DIB contractors. Cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training and Cyber Advisor technical support.
- Small Business Development Centers (SBDCs) — roughly 900 locations nationally. Free and low-cost CMMC planning and referrals.
- CSIAC — up to 4 hours free technical advisory per inquiry. Requires a CAC, ECA, or PIV to log in.
Free threat intelligence (ongoing, post-certification):
- DCISE (DC3) — Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free threat intelligence sharing for DIB contractors. Not a starting point, but a valuable ongoing resource once your programme is up and running.
Direct federal grants (limited):
- Cyber Grants Alliance — $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. 100 grants issued; most likely allocated but availability worth checking.
Proposed but not enacted:
- Federal CMMC Tax Credit (30%) — up to $50,000 for contractors under 50 employees. Publicly backed by DoD leadership. Not yet law. The next FAQ goes deeper on federal grants.
Structural federal recovery (the biggest lever):
- FAR Part 31 indirect cost allocation — available to any federal contractor regardless of state. Not a grant, but the mechanism that recovers ongoing compliance cost through contract pricing. See Section 4.
Honest answer: few direct federal CMMC grants exist. Most "federal money" for CMMC flows through state partners rather than directly to contractors.
Direct federal grants available now:
- Cyber Grants Alliance. $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. Federal non-profit initiative, 100 grants issued. Most are likely allocated by now, but availability is worth checking before ruling it out.
Proposed but NOT enacted:
- Federal CMMC Tax Credit (30%). For contractors under 50 employees, up to $50,000. Publicly backed by DoD leadership. Has not passed. Not safe to plan around.
Federal money flowing through state partners (this is where most federal funding lives):
- DoD Office of Local Defense Community Cooperation (OLDCC) funds Maryland DCAP, Michigan DCAP, and regional cybersecurity programs. The cash is federal but administration and eligibility are state-managed.
- NIST MEP federal appropriation funds state MEP centres: Connecticut CCAT, Illinois IMEC, Virginia GENEDGE, Maryland MEP. State programs exist because federal dollars pass through them.
The big federal mechanism isn't a grant. FAR Part 31 indirect cost recovery is the primary structural way federal contracts pay for CMMC. Not cash, not an application — compliance costs flow through contract pricing automatically. Covered in Section 4.
Why direct federal CMMC grants are scarce: DoD's position is that compliance cost should flow through indirect rates (FAR Part 31), not be subsidised by direct grants. DFARS 7012 has required NIST 800-171 compliance since 2017 — from DoD's perspective, this is already "the cost of doing business," not a new cost warranting federal subsidy. Grants are primarily a state-level phenomenon because states want to retain defense contractors. The federal posture is: you absorb it, you recover via contract pricing.
Cost recovery through federal contracts
Yes. The Department of Defense has confirmed on the record that CMMC compliance costs are allowable under FAR Part 31 and can be recovered through contract pricing.
In the DFARS Case 2019-D041 final rulemaking, the DoD stated that there is "nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable" if the costs are incurred in accordance with FAR 31.201-2.
For cost-reimbursable contracts, CMMC costs can be included as direct or indirect charges. For fixed-price contractors, CMMC costs should be factored into pricing for future proposals.
Costs don't have to land on a single contract. FAR Part 31 allocability rules let you spread them across every contract that benefits — parallel contracts running at the same time and sequential contracts awarded later. The questions below break down each mechanism, and how to combine them.
Yes. This is the core mechanism of indirect cost allocation under FAR 31.201-4 and CAS 405 — the horizontal lever.
When CMMC compliance costs sit in your G&A pool or overhead pool, they are allocated proportionally across all active contracts based on the allocation base (typically total cost input or direct labour). If you have five active contracts and $100K of compliance cost in a given year, each contract absorbs roughly $20K weighted by its share of the base — not the full $100K.
This is standard cost accounting practice, not a workaround. DCAA expects indirect costs to be allocated equitably across all cost objectives that benefit from them.
Yes — the vertical lever. A three-year budget cycle aligns naturally with the CMMC recertification timeline:
- Year 1: Gap assessment, documentation, early remediation (50–60% of total cost)
- Year 2: Technology implementation, policy rollout, training (15–25%)
- Year 3: Final remediation and C3PAO assessment (15–25%)
Each year's indirect rate reflects only that year's incurred costs. The result is a gradual, manageable increase in overhead rates rather than a single disruptive spike. A $100K compliance program phased 50/25/25 becomes $50K / $25K / $25K flowing through three separate fiscal-year rates.
Yes. That's the standard approach among mature GovCons, and it's where the real leverage lives.
The two mechanisms multiply. Here's the math on a $100K compliance program across a 5-contract book of work:
- Horizontal only (allocate $100K across 5 active contracts in one year): each contract absorbs ~$20K.
- Vertical only (phase $100K across 3 fiscal years, single contract): ~$33K per year.
- Combined (phase $100K across 3 years, allocate each year across 5 contracts): ~$6.5K per contract per year.
Same total compliance cost. Fifteen contract-years (5 contracts × 3 years) absorbing it instead of one contract taking the full hit. Rate impact on any individual proposal becomes minimal.
This is why mature GovCons treat CMMC as a routine overhead line item rather than a crisis. They're letting standard FAR Part 31 allocation plus annual rate math do the distribution work.
The math requires: a cost accounting system that supports indirect pool allocation (most DCAA-audited contractors already have this), clean multi-year budgeting with phased spend, and a steady book of active federal contracts in each year to absorb the allocated cost.
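The horizontal and vertical levers above, worked as code. This is an added example, not the page's or Ancitus' own tooling; the contract names, the $2M bases, and the fact that contract E ends after year 1 are all constructed to show why a steady book of contracts matters to the per-contract hit.

```python
def allocate(phased_costs, base_by_year):
    """Spread each year's compliance cost across that year's contracts in
    proportion to their share of the allocation base (the FAR 31.201-4
    allocability idea the page describes as 'weighted by its share of the base').

    phased_costs: {year: compliance cost booked to the G&A pool that year}
    base_by_year: {year: {contract: that contract's allocation base that year}}
    Returns ({year: {contract: dollars absorbed}}, {year: rate impact as a fraction}).
    """
    shares, rate_impact = {}, {}
    for year, cost in phased_costs.items():
        bases = base_by_year[year]
        total = sum(bases.values())
        if total <= 0:
            # No active contracts means no base: the cost has nowhere to flow.
            raise ValueError(f"{year}: no active base, cost cannot be allocated")
        shares[year] = {c: cost * b / total for c, b in bases.items()}
        # Percentage points added to the indirect rate for that fiscal year.
        rate_impact[year] = cost / total
    return shares, rate_impact


def worst_contract_year(shares):
    """Largest amount any single contract absorbs in any single year."""
    return max(v for year in shares.values() for v in year.values())


# Constructed book of work (not from the page): $100K phased 50/25/25 over three
# fiscal years, five contracts with a $2M base each, but contract E ends after
# year 1, so years 2 and 3 are carried by four contracts instead of five.
PHASED = {2026: 50_000, 2027: 25_000, 2028: 25_000}
BOOK = {
    2026: {"A": 2_000_000, "B": 2_000_000, "C": 2_000_000, "D": 2_000_000, "E": 2_000_000},
    2027: {"A": 2_000_000, "B": 2_000_000, "C": 2_000_000, "D": 2_000_000},
    2028: {"A": 2_000_000, "B": 2_000_000, "C": 2_000_000, "D": 2_000_000},
}

if __name__ == "__main__":
    shares, impact = allocate(PHASED, BOOK)
    for year in PHASED:
        print(year, {c: round(v) for c, v in shares[year].items()},
              f"rate +{impact[year]:.2%}")
    print("worst single contract-year:", round(worst_contract_year(shares)))
```

Run with the horizontal-only case (the whole $100K in one year) and the same five contracts, and each absorbs $20K; phase it and the worst single contract-year drops to $10K even with one contract falling out of the book.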
Once you understand the combined allocation math above — spreading costs across parallel contracts and phasing them over multiple years for as little as $6.5K per contract per year — the competitive concern largely dissolves. But it's worth naming directly.
Every competitor bidding on CUI work faces the same cost. CMMC is universal for contractors handling CUI. Your competitors are either absorbing the same overhead increase now, preparing to absorb it later, or getting eliminated from the bidding altogether. Once compliance is standard across the DIB, the overhead increase is priced into every proposal equally — no single contractor loses ground, because the cost is reflected across the whole market.
The real competitive loss is for non-compliant contractors. Phase 2 enforcement begins November 10, 2026. After that date, contractors without CMMC can't bid on CUI solicitations at all. The question stops being "whose overhead rate is lower" and becomes "who's on the eligible list."
Between 33,000 and 44,000 companies — 15–20% of the Defense Industrial Base — are expected to exit the defense market between 2025 and 2027 because they can't or won't achieve CMMC certification. That exit redistributes contract revenue to the companies that remain. Being compliant while competitors aren't isn't a disadvantage. It's a consolidation tailwind.
Stacy Bostjanick, then Chief DIB Cybersecurity for the U.S. Department of Defense, stated on the record:
"Up to [CMMC] Level 3 will be included in your indirect rates. So, you don't get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business."
Legal analysis from Bass Berry Sims confirms: "Contractors will likely be able to recover ongoing CMMC compliance costs following award through indirect costs."
Grant sustainability and budget risk
The concern is legitimate. In April 2026, the FY 2027 Presidential Budget Request proposed eliminating the NIST MEP program entirely, as part of a $993 million NIST budget reduction.
Three factors moderate the risk:
- Congressional pushback. In 2025, the House Appropriations Committee rejected similar cuts and continued MEP funding at $175 million for FY 2026.
- State-funded programs are separate. Connecticut's CAP is funded by the CT Manufacturing Innovation Fund. Maryland's BMC tax credit is state tax policy. These aren't subject to federal budget cuts.
- The real sustainability strategy is indirect cost recovery, not grants. Grants are best for the upfront spike. Ongoing costs should flow through your G&A pool via FAR Part 31, regardless of whether any grant program survives.
Permanent overhead. CMMC is not a one-time cost.
The DoD's own cost modeling assumes a three-year recertification cycle, annual affirmations, evidence collection, continuous monitoring, and ongoing documentation. Published industry data shows ongoing annual compliance costs of $15,000–$50,000 per year for a small-to-mid-sized organisation.
Grants are most effective for the upfront spike. Ongoing costs should be built into your cost accounting as permanent indirect costs that flow through contract pricing year after year.
Yes, though most state AND federal grant programs are one-time. Here's what actually offsets ongoing spend:
State tax credits with annual renewability (Maryland has the strongest coverage):
Buy Maryland Cybersecurity Tax Credit (BMC). Up to $50,000 per tax year in credits for 50% of cybersecurity tech and services purchased from Qualified Maryland Cybersecurity Sellers. Maryland's own documentation confirms this is renewable annually — a multi-year service contract can claim the credit each year for that year's payments.
Maryland Employer Security Clearance Costs (ESCC) Tax Credit. Up to $200,000 per year for administrative expenses related to obtaining AND maintaining federal security clearances.
The primary federal mechanism for ongoing recovery isn't a grant — it's structural. FAR Part 31 indirect cost allocation flows compliance costs through contract pricing automatically, every year, as long as you hold federal contracts. No application, no annual renewal. See Section 4.
Free federal advisory that reduces ongoing cost: APEX Accelerators, Project Spectrum, SBDCs, and CSIAC all provide free cybersecurity advisory on a continuing basis. Not cash, but equivalent to $5,000–$25,000/year in consulting fees you don't pay. Available nationwide.
Scoping, enclaves, and in-house vs. MSP
That's the "money pit" spiral contractors describe on Reddit threads and at industry events. It's not a controls problem. It's a scoping problem wearing controls-problem clothing.
CMMC Level 2 requires you to protect CUI. Any system that processes, stores, or transmits CUI is in scope. Critically, any system CONNECTED to in-scope systems can also become in scope, because connections represent attack vectors for CUI compromise.
Here's the spiral in practice. You find CUI in one user's inbox, so you harden that user's laptop. But the laptop connects to the shared file server — now the file server is in scope. Harden the file server, and the backup system that touches it is in scope. Harden the backup, and the identity provider authenticating both is in scope. Harden the identity provider, and every device that uses it is in scope. By the time you've followed the trail, half your network is in scope and the budget has doubled.
The fix isn't to keep chasing controls. The fix is to redefine the boundary so CUI lives inside a defined, isolated portion of your environment — an enclave. CUI flows in through a single controlled door, lives in a hardened space, and never touches your shared infrastructure. Everything outside the enclave drops out of scope. The spiral stops.
See the next question for how much this actually saves — published estimates range from 20% to 90% of total compliance cost.
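The scoping spiral and the enclave fix, as an added example that is not part of the original page. The two small networks, the system names and the single transfer gateway used as the "controlled door" are constructed assumptions; the point is that scope is a transitive closure over connections, and a boundary only helps if nothing crosses it except the door.

```python
from collections import deque

# Constructed flat network (not from the page): system -> directly connected systems.
# CUI is found in one user's inbox; the identity provider connects everything.
FLAT = {
    "laptop-alice": {"file-server", "idp"},
    "file-server": {"laptop-alice", "backup", "idp"},
    "backup": {"file-server", "idp"},
    "idp": {"laptop-alice", "file-server", "backup", "laptop-bob", "crm"},
    "laptop-bob": {"idp", "crm"},
    "crm": {"idp", "laptop-bob"},
}

# Same company after redrawing the boundary: the CUI user moves to an enclave with
# its own identity provider and file store; one transfer gateway is the only door.
ENCLAVED = {
    "laptop-alice": {"enclave-files", "enclave-idp"},
    "enclave-files": {"laptop-alice", "enclave-idp", "transfer-gateway"},
    "enclave-idp": {"laptop-alice", "enclave-files"},
    "transfer-gateway": {"enclave-files", "file-server"},
    "file-server": {"transfer-gateway", "backup", "idp"},
    "backup": {"file-server", "idp"},
    "idp": {"file-server", "backup", "laptop-bob", "crm"},
    "laptop-bob": {"idp", "crm"},
    "crm": {"idp", "laptop-bob"},
}
ENCLAVE = {"laptop-alice", "enclave-files", "enclave-idp", "transfer-gateway"}
DOOR = "transfer-gateway"


def propagate_scope(connections, cui_systems, boundary=None):
    """Transitive closure of 'connected to an in-scope system'.

    With no boundary this is the spiral: every reachable system is pulled in.
    With a boundary, propagation is confined to systems inside it."""
    scope = set(cui_systems)
    queue = deque(cui_systems)
    while queue:
        node = queue.popleft()
        for nbr in connections.get(node, ()):
            if boundary is not None and nbr not in boundary:
                continue
            if nbr not in scope:
                scope.add(nbr)
                queue.append(nbr)
    return scope


def boundary_violations(connections, enclave, door):
    """Connections that cross the enclave boundary anywhere but the door."""
    bad = set()
    for a, nbrs in connections.items():
        for b in nbrs:
            if (a in enclave) != (b in enclave) and door not in (a, b):
                bad.add(tuple(sorted((a, b))))
    return sorted(bad)


def enclave_scope(connections, cui_systems, enclave, door):
    """Scope after redrawing the boundary; refuses a design that leaks."""
    outside = set(cui_systems) - set(enclave)
    if outside:
        raise ValueError(f"CUI outside the enclave: {sorted(outside)}")
    leaks = boundary_violations(connections, enclave, door)
    if leaks:
        raise ValueError(f"uncontrolled boundary crossings: {leaks}")
    return propagate_scope(connections, cui_systems, boundary=enclave)


if __name__ == "__main__":
    spiral = propagate_scope(FLAT, {"laptop-alice"})
    print(f"flat network: {len(spiral)} of {len(FLAT)} systems in scope")
    enclaved = enclave_scope(ENCLAVED, {"laptop-alice"}, ENCLAVE, DOOR)
    print(f"with enclave: {len(enclaved)} of {len(ENCLAVED)} systems in scope")
```

On the flat network one inbox pulls all six systems into scope; on the enclaved design the same inbox pulls in four, and adding a single extra link from the enclave identity provider to a corporate laptop is flagged before it silently re-expands scope.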
Published industry estimates range from 20% to 90%:
- Elevate Consult (RPO): cloud-based enclaves reduce compliance costs by approximately 20% vs. hybrid setups.
- DefenseCompliance.ai: properly designed enclaves reduce assessment scope by 70–90%.
- PreVeil case study: small-to-mid contractor achieved perfect 110/110 compliance with an enclave covering fewer than 50 employees.
Mechanism: fewer in-scope systems = fewer licenses, less documentation, less evidence, faster C3PAO assessment.
Tradeoff: dual-environment management adds complexity. For organisations where defense is central, full enterprise migration may be simpler.
It depends on three factors: size of your IT/security team, percentage of business that's defense-related, and tolerance for dual-environment complexity.
In-house makes sense when you have existing security staff, a defense-central business, a desire for maximum control, and enough scale to justify dedicated compliance personnel.
An MSP makes sense when you are a small-to-mid contractor without in-house compliance expertise, only a subset of the business handles CUI, and you want the faster path to compliance.
Industry analysis consistently shows MSPs save 55–70% vs. in-house implementation for small contractors, because they amortise compliance infrastructure across multiple clients.
Enclave approach: Only CUI-handling users move to GCC High. Rest stays on commercial Microsoft 365. Compliance boundary surrounds just the enclave.
Full migration: Every user moves to GCC High. Compliance boundary is the entire company.
Cost comparison: GCC High Business Premium for L2 is $60–$93/user/month vs. commercial at $22/user/month. If only 20% of workforce handles CUI, enclave saves 80% of the premium.
Decision factors: Workforce % handling CUI, revenue mix, IT capacity, SaaS compatibility.
The bottom line
A three-layer approach:
Layer 1 — Grants for the upfront spike. Combine state programs (CT CAP, Maryland BMC/ESCC, Illinois IMEC, Michigan DCAP) with federal programs (Cyber Grants Alliance, free APEX/Project Spectrum/SBDC advisory) to cover 30–50% of initial costs: gap assessment, remediation, tooling, assessment fee.
Layer 2 — FAR Part 31 for steady state. Build ongoing compliance costs into G&A pool. Annual affirmations, monitoring, evidence, reassessment — permanent overhead that flows through contract pricing.
Layer 3 — Scope reduction as the multiplier. A well-designed enclave reduces absolute compliance cost by 20–90%, which means Layer 1 grants go further and Layer 2 overhead recovery is smaller per contract.
Contractors who struggle most rely on a single layer — either depending entirely on grants (risky if programs get cut) or absorbing unrationalised compliance cost without scope reduction (prices them out of competitive bids).
Still got questions?
Our triage is a 5-day engagement that tells you where you stand, what you'll actually pay, and which programs apply to your situation specifically.
Book a triage →