CMMC funding · For DoD contractors

CMMC will cost you between $75K and $300K. Most of that is recoverable.

Three things make the maths work — free federal advisors before you spend anything, state grants where they exist, and FAR Part 31 cost recovery on every contract you hold. Most contractors only know about one of these. Stacking them in the right order is what brings the out-of-pocket cost down sharply.

21 programmes verified across federal & state
12 states with dedicated CMMC programmes
$200K single largest credit (Maryland ESCC, annual)
12 states with confirmed CMMC programmes · last verified 17 April 2026
Phase 2 enforcement begins 10 November 2026 — most state programmes have application backlogs.
The stack

Most contractors look for one programme. The maths only works when you stack three.

Each tier does something different. The free federal advisors give you orientation and direction at zero cost. State grants put one-time money on the table where they exist. FAR Part 31 lets you recover compliance costs through your contract pricing on every contract you hold — and that one applies to everyone.

Tier 1 · Always start here
Free federal advisors
Applies to: every DIB contractor
Five DoD-funded programmes give you readiness guidance, gap orientation, and threat intelligence at zero cost. Use them before you sign any consultancy contract — they tell you what you actually need.
$0 · 5 programmes · 1,200+ access points nationwide
Tier 2 · One-time funding
State grants & tax credits
Applies to: contractors in 12 states + national CGA
Direct funding where it exists. Maryland leads with two tax credits worth up to $250K combined. Connecticut $35K cost-share, Massachusetts $25K + $30K grants, Virginia covers 80% of DFARS 7012 assessment costs. First-come, time-limited, often disqualifying once work has started.
$5K — $200K per programme · 15 state entries available
Tier 3 · The foundation
FAR Part 31 cost recovery
Applies to: every contract you hold
DCAA-recognised. Compliance costs — gap assessments, remediation, C3PAO fees — are allowable costs you can recover through contract pricing. Most contractors don't realise this is the largest recovery mechanism on the page.
Most of it · recovered through cost-reimbursable, fixed-price & overhead
The right order matters. Start with Tier 1 to find out what you need. Apply to Tier 2 before you sign anything (most state grants disqualify you once you've contracted). Build Tier 3 cost recovery into every bid going forward.
Tier 3 · The foundation

FAR Part 31 makes CMMC costs recoverable on every contract you hold.

The largest recovery mechanism by far — and the most overlooked. The DoD has confirmed on the record that CMMC compliance costs are allowable under FAR Part 31. The mechanics differ by contract type, but every contract on your books has at least one path.

Federal · cost recovery

Federal cost recovery

CMMC costs are allowable under FAR Part 31. If you hold a DoD contract, you can recover most or all of these costs through your contract pricing. Most contractors don't.

Highest value · Every contract · DCAA-recognised · 32 CFR 170 referenced
Cost-reimbursable
Charge them direct
Assessments, remediation, tools, C3PAO fees — direct or indirect. Talk to your contracts manager about recategorising what you've already spent and what you're about to.
Fixed-price
Build them into future bids
Won't help on existing fixed-price work. But every future bid should have CMMC costs factored into pricing. Caveat: see the pricing-risk note below.
Overhead rates
Spread them across the business
Put your remediation programme into your overhead rate. It stays off your bottom line and gets recovered across every cost-reimbursable contract you bill against.
One nuance
Pre-2017 vs post-2017 work
The DoD's position is that compliance was required since 2017 — so technically only the C3PAO assessment itself is "new" cost. In practice, most contractors include remediation in overhead and it stands. Talk to your contracts manager if you're DCAA-audited.

Pricing risk for existing vendors

If you've been self-attesting to all 110 controls since 2017, raising your bid by your CMMC cost can lose you the contract — DoD may treat those as costs you should already have absorbed. The safer path: put remediation into overhead rather than line-item it on a single bid. We work through this calculus on every engagement.

Tier 2 · State grants

Twelve states have dedicated CMMC programmes. Most contractors don't know about them.

State funding is one-time money — first-come, eligibility-restricted, and time-limited. If your state has a programme, apply early and apply before you sign any consultancy contract; many programmes disqualify you once work has started.

Maryland ESCC Tax Credit
$200,000
commerce.maryland.gov
Up to $200,000 per year for administrative expenses related to obtaining and maintaining federal security clearances in Maryland. Also covers SCIF construction (up to $200K single / $500K multiple) and first-year leasing costs for qualified small businesses. Eligibility: companies with 500 or fewer employees incurring eligible expenses in Maryland. $2M per calendar year across all applicants, pro-rata if oversubscribed.
Maryland BMC Tax Credit
$50,000
commerce.maryland.gov
50% tax credit on cybersecurity products or services purchased from a Qualified Maryland Cybersecurity Seller. Up to $50K per buyer per tax year, renewable annually — multi-year service contracts can claim credits each year. Eligibility: Maryland companies with fewer than 50 employees. The credit is nonrefundable. A $200K aggregate cap applies per Qualified Maryland Cybersecurity Seller per tax year. The Department of Commerce makes $4M of total credit available per tax year, awarded first-come. SB25 and its House crossfile HB290 (filed January 2026) proposed to remove the 50-employee cap, raise the per-seller aggregate from $200K to $1M, make the credit refundable, and add a 2030 sunset; SB25 passed the Senate 41-0 on 17 February 2026 but died in House Ways & Means with no further action through session end, and HB290 died on 13 April 2026. The current law — 50-employee cap, $50K per-buyer limit, $200K per-seller aggregate, nonrefundable — remains in effect for tax year 2026.

Watch for re-introduction of SB25/HB290 in the 2027 Maryland General Assembly session. Re-verify against commerce.maryland.gov and mgaleg.maryland.gov before planning around any expansion.

Connecticut CAP Grant
$35,000
grants.ccat.us
Connecticut matches your CMMC spend dollar for dollar. Up to $10K for your assessment, $25K for remediation. Lifetime cap $35K. You need to use a third-party vendor, and you must apply before starting work — but once you submit, you can begin immediately. Administered by CCAT, funded by the CT DECD Manufacturing Innovation Fund.
Massachusetts Manufacturing Cybersecurity
$30,000
cam.masstech.org
Capital cost-share up to $30,000 for cybersecurity infrastructure (firewalls, badge readers, network upgrades, servers). Run by MassTech Center for Advanced Manufacturing under the MMAP umbrella. The official MCP page now describes the programme in past tense — "provided up to $30,000" and "assisted Massachusetts-based small- to medium-sized manufacturers" — with only the March 2025 award recipients listed and no announced 2026 round. The programme appears wound down or indefinitely paused. For active MA funding, the Cyber Resilient MA Grant ($25K for SOC/MDR) remains open under the 2026-Cyber-01 NOFO.

Confirm directly with MassTech CAM before planning around this programme. The Cyber Resilient MA Grant is the active MA alternative.

Massachusetts Cyber Resilient MA Grant
$25,000
masstech.org
Up to $25,000 for Security Operations Center (SOC) services from CyberTrust Massachusetts, including Managed Detection and Response (MDR). Funds services for up to three years. Eligibility includes small businesses and nonprofits in Massachusetts. Covers the monitoring layer of CMMC compliance rather than assessment/remediation — pair with other programmes for full coverage.
Michigan Defense Resiliency Program (MDRP/DCAP)
Varies
economicgrowth.umich.edu
Cost-share funding and consultant referrals for Michigan defense manufacturers. Formerly the Defense Cybersecurity Assurance Program (DCAP), now operating as the Michigan Defense Resiliency Program (MDRP) at the University of Michigan Economic Growth Institute. Covers cybersecurity compliance and succession planning. Eligibility: at least 10% of revenue from DoD contracts (current or within past five years). The separate Michigan Defense CyberSmart Program has ended.
Maryland MEP Cybersecurity Assistance
Varies
Gap analysis, SSP development, POA&M support, and cybersecurity training for Maryland manufacturers. The original DCAP federal grant (DoD OLDCC-funded) ran 2018–2022 and has ended. Maryland MEP continues to offer cybersecurity services and reports some funding availability — contact Sara Keith at MD MEP directly to confirm what's currently covered.

Original federal DCAP funding ended late 2022. MD MEP continues services on alternative funding — confirm scope before planning.

Virginia GENEDGE Alliance
Varies
genedge.org
Virginia's MEP centre and a CMMC Registered Provider Organization (RPO). Pre-qualified network of 25+ cybersecurity vendors delivering CMMC services at pre-negotiated rates. GENEDGE facilitates a DoD grant covering up to 80% of DFARS 252.204-7012 assessment costs for Virginia manufacturers. Contact directly to confirm current grant availability and eligibility.
Texas TMAC
Varies
tmac.org
Texas Manufacturing Assistance Center — the NIST MEP for Texas. Provides CMMC pre-assessments, compliance guidance, and support from CMMC Certified Professionals. Some services are cost-shared; this is not a direct cash grant programme. Contact directly to scope work and discuss cost-share availability.
North Carolina MEP (NC State IES)
Varies
ies.ncsu.edu
Free CMMC consultations, Defense Industry Initiatives funding opportunities, and cybersecurity training from NC State's Industry Expansion Solutions (IES). Not a direct cash grant programme — DII funding is selective and project-based. Contact IES for current project funding opportunities.
Ohio MEP
Varies
ohiomep.org
Ohio MEP operates through 6 regional partners across the state, offering cybersecurity cost-share and advisory support. Availability and terms vary by region — contact your regional partner directly to understand current funding and services.
Pennsylvania MEP (IRCs)
Varies
pamep.org
Pennsylvania MEP works through 7 Industrial Resource Centers offering cybersecurity cost-share and advisory support. Funding varies by IRC and project. Contact your local centre directly for current availability.
New York NY MEP Cybersecurity Initiative (AIM at MVCC)
$6,000
AIM at MVCC
Up to $6,000 for phase one cybersecurity assessments for New York manufacturers. Part of the NY MEP Advanced Manufacturing Initiative, led by Advanced Institute for Manufacturing (AIM) at Mohawk Valley Community College. Initial programme funded 67 assessments across 320 cohort manufacturers. Note: FuzeHub's separate Manufacturing Grants (up to $65K) are general innovation grants, not CMMC-specific.

AIM at MVCC leads the CMMC-specific NY MEP funding. FuzeHub runs general manufacturing grants separately.

California CMTC
Free
cmtc.com
California Manufacturing Technology Consulting — the NIST MEP for California. Technical cybersecurity assistance, CMMC gap analysis, and compliance planning for California manufacturers. Contact directly to scope work.
Indiana Purdue MEP
Historical
Purdue MEP previously offered free CMMC Level 1 assessments and implementation for Indiana small businesses through August 2025, funded by SBA grants via the Indiana Economic Development Corporation. That funding window has closed. Purdue MEP still provides paid CMMC advisory services, Level 1 and Level 2 assessments, and vCISO support — contact Gene Jones for current rates and any new funding announcements.

SBA/IEDC funding ran through August 2025 or until funds ran out. No new funded round announced.

Tier 1 · Always start here

Five DoD-funded advisors. Free. Underused. Most contractors haven't heard of them.

Use these before you sign any consultancy contract. They tell you what you actually need, not what someone wants to sell you. Each one does something different — most contractors should engage at least three.

Free · 97 centres

APEX Accelerators

Formerly PTACs · DoD-funded

Talk to these people first. Free government contracting counseling and CMMC guidance at 300+ offices across 97 centres nationally. DoD-funded through the Office of Small Business Programs. They're the bridge between DIB contractors and federal contracting — most people simply don't know they exist. APEX counselors can help with SPRS scores, compliance planning, and referrals to RPOs and C3PAOs.

Find your office → apexaccelerators.us
Free · DoD OSBP

Project Spectrum

DoD Office of Small Business Programs

A DoD Office of Small Business Programs initiative. Free cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training modules and Cyber Advisor technical support. Won't replace a professional assessment but gives you a starting picture at zero cost. Create an account to begin.

Create free account → projectspectrum.io
Free · 900+ locations

Small Business Development Centers

SBDCs · SBA-backed

Free business advisers at 900+ locations nationally, SBA-backed. They can help you understand how to structure CMMC costs as allowable under your contracts, think through whether grants or indirect cost recovery is the right primary strategy, and connect you to state and local programmes. If you're not sure how FAR Part 31 applies to your situation, this is where to ask.

Find your SBDC → americassbdc.org
4 hrs free per inquiry

CSIAC

Cybersecurity & Information Systems IAC

Send any cybersecurity question to DoD analysts at the Cybersecurity & Information Systems Information Analysis Center. They'll research and respond — up to 4 hours of work, free. Response typically takes about 10 business days. You'll need a CAC, ECA, or PIV credential to submit (most DIB contractors qualify for ECA).

Submit inquiry → csiac.org
Free · DIB membership

DCISE (DC3)

DoD Cyber Crime Center

Threat intelligence sharing from the Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free to join. Most useful once your security programme is operational — not a starting point, but a valuable ongoing resource for threat awareness and incident response coordination.

Your action plan

If you started today, here's what the first 90 days look like.

Concrete sequence — not a marketing funnel. Each step is something you can do this week, and each one unlocks the next. You don't need a consultant to start; you need to start.

1 · This week
Book APEX + Project Spectrum
Free, fast, low-commitment. APEX gives you a local advisor; Project Spectrum gives you a cyber readiness check you can run yourself. Combined, you'll know roughly where you stand within two weeks.
2 · Week 2–3
Apply for state grants if eligible
If you're in CA, CT, IN, MD, MA, MI, NY, NC, OH, PA, TX, or VA — apply before contracting any consultancy. Most state grants disqualify you once work has started. Apply for Cyber Grants Alliance ($5K) regardless of state.
3 · Week 4–6
Talk to your contracts manager
Categorise existing CMMC spend (if any) under FAR Part 31. Decide on direct vs overhead rate. If you're DCAA-audited, get this in writing. This sets up cost recovery for everything that comes next.
4 · Month 2–3
Engage an RPO for the gap to assessment
Once you know your baseline, your funding sources, and your cost-recovery mechanism, scope a remediation engagement. By this point you'll know what you actually need — and what you don't.
Q01

What's the smartest overall funding strategy for a small defence contractor?

Stack three layers

For a typical 20–80 person DIB contractor pursuing CMMC Level 2, the sustainable strategy is to stack three funding layers, in this order:

  1. One-time grants for assessment costs (federal CGA grant; state-level if you're in one of the 12 ★ states). Real money, but limited and time-bound. These pay for the gap assessment and sometimes early remediation.
  2. Tax credits for technology and service spend (Maryland BMC, Maryland ESCC, federal small-business tax credit if it ever passes Congress). Reduce your effective spend without changing how you contract.
  3. FAR Part 31 indirect cost recovery for everything else. This is the sustainable, repeatable mechanism: cybersecurity is an allowable indirect cost on cost-reimbursement and flexibly-priced contracts. You build it into G&A or overhead, the government pays for it through your indirect rates, and it covers ongoing CMMC costs across all your active DoD work — not just one-time spend.
The mistake most small contractors make: they go hunting for grants and miss FAR Part 31 entirely. Grants are one-shot. Indirect cost recovery is forever, applies to every active contract, and survives the next budget cycle.

Layer 1 is opportunistic. Layer 2 is strategic. Layer 3 is structural — and structural usually wins.

Q02

Are CMMC compliance costs recoverable through federal contracts?

Yes, through indirect rates.

Yes. The Department of Defense has confirmed on the record that CMMC compliance costs are allowable indirect costs under FAR Part 31, recoverable through your G&A pool or overhead rate on cost-reimbursement and flexibly-priced contracts.

In its response to public comments on the original DFARS 252.204-7012 interim rule (78 FR 69275, 18 November 2013, Comment 7), the DoD stated that there is "nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable" if the costs are incurred in accordance with FAR 31.201-2. The 2025 DFARS Case 2019-D041 final rule (Section 30 of the comment responses) explicitly placed cost-allowability questions outside its scope, leaving the 2013 rulemaking as the still-governing federal position on cybersecurity cost allowability.

For cost-reimbursable contracts, CMMC costs can be included as direct or indirect charges. For fixed-price contractors, CMMC costs should be factored into pricing for future proposals.

Costs don't have to land on a single contract. FAR Part 31 allocability rules let you spread them across every contract that benefits — parallel contracts running at the same time and sequential contracts awarded later. The questions below break down each mechanism, and how to combine them.
Q03

Are these grants actually loans that have to be paid back?

No. None of them.

No. The programmes on the Ancitus Funding Finder are grants and tax credits — not loans.

Grants (Connecticut CAP, Massachusetts Cyber Resilient MA, Michigan MDRP) are cost-share programmes. You pay your half, the state pays its half. No repayment obligation.

Tax credits (Maryland BMC and ESCC) reduce your state tax liability. You spend the money, then claim a credit against taxes owed. Nothing to repay.

The only mechanism that involves "repayment" is FAR Part 31 — but that isn't repayment in the conventional sense. It's the normal flow of costs through contract pricing, the same way rent, utilities, and salaries flow through.

Q04

Do I have to pay anything upfront, or are these grants reimbursement-based?

Mostly reimbursement.

It depends on the programme. Most state programmes like Connecticut CAP reimburse after the work is completed. Some federal programmes provide funds upfront (e.g. Cyber Grants Alliance is in-kind). During the triage we match you to specific programmes and explain the payment timeline for each so there are no surprises.

Q05

Are there federal grants that actually pay for CMMC, not just free services?

Mostly no. CGA + FAR Part 31.

Honest answer: few direct federal CMMC grants exist. Most "federal money" for CMMC historically flowed through state partners rather than directly to contractors, and much of that pass-through funding has ended.

Direct federal grants available now:

  • Cyber Grants Alliance. $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. A new round of 100 grants launched March 4, 2026 ($500K total, sponsored by CMMC Ready Now). First-come, first-served. This is the one programme currently delivering direct federal CMMC funding to small contractors in any state.

Proposed but NOT enacted:

  • Federal CMMC Tax Credit (30%). For contractors under 50 employees, up to $50,000. Publicly backed by DoD leadership since late 2024. Has not passed. Not safe to plan around.

Federal money that previously flowed through state partners (mostly ended or uncertain):

  • DoD Office of Local Defense Community Cooperation (OLDCC) previously funded Maryland DCAP (ended 2022) and regional programmes. Current state-level federal pass-through funding is limited.
  • NIST MEP federal appropriation continues to fund state MEP centres (Connecticut CCAT, Maryland MEP, Virginia GENEDGE, California CMTC, Texas TMAC and others). State MEPs exist because federal dollars pass through them — but MEP services are primarily advisory, not direct cash grants to contractors.
  • SBA-funded state programmes (like Indiana's Purdue MEP CMMC Level 1 initiative) have been time-bounded and are currently inactive.

The big federal mechanism isn't a grant. FAR Part 31 indirect cost recovery is the primary structural way federal contracts pay for CMMC. Not cash, not an application — compliance costs flow through contract pricing automatically. Covered in Section 04.

Why direct federal CMMC grants are scarce: DoD's position is that compliance cost should flow through indirect rates (FAR Part 31), not be subsidised by direct grants. DFARS 7012 has required NIST 800-171 compliance since 2017 — from DoD's perspective, this is already "the cost of doing business," not a new cost warranting federal subsidy. Grants are primarily a state-level phenomenon because states want to retain defense contractors. The federal posture is: you absorb it, you recover via contract pricing.

Sources: Cyber Grants Alliance press release (March 4, 2026); Proposed Federal CMMC Tax Credit legislative tracking; DoD OLDCC fact sheet; NIST MEP federal appropriation via NIST budget justification; DFARS Case 2019-D041; DFARS 252.204-7012; FAR Part 31; Purdue MEP / IEDC SBA-funded programme announcements.
Q06

My state has no strong MEP support — what federal programs can I use anywhere?

APEX, Project Spectrum, SBDCs, CGA.

Federal programs work in every state, regardless of local MEP funding. The full list, grouped by what they actually do:

Free advisory and readiness services:

  • APEX Accelerators — 97 centres operating 300+ offices nationally, DoD-funded. Free one-on-one CMMC counseling, gap assessment guidance, bid matching, and referrals to RPOs and C3PAOs.
  • Project Spectrum — DoD OSBP initiative, free to all DIB contractors. Cyber readiness checks aligned to NIST 800-171 and CMMC Levels 1–2, plus training and Cyber Advisor technical support.
  • Small Business Development Centers (SBDCs) — roughly 900 locations nationally. Free and low-cost CMMC planning and referrals.
  • CSIAC — up to 4 hours free technical advisory per inquiry. Requires a CAC, ECA, or PIV to log in.

Free threat intelligence (ongoing, post-certification):

  • DCISE (DC3) — Defense Cyber Crime Center's DIB Collaborative Information Sharing Environment. Free threat intelligence sharing for DIB contractors. Not a starting point, but a valuable ongoing resource once your programme is up and running.

Direct federal grants (currently available):

  • Cyber Grants Alliance — $5,000 in-kind gap assessment grants covering all 110 NIST 800-171 controls. New round of 100 grants launched March 2026 ($500K total, sponsored by CMMC Ready Now). First-come, first-served. Interest is surging — apply early.

Proposed but not enacted:

  • Federal CMMC Tax Credit (30%) — up to $50,000 for contractors under 50 employees. Publicly backed by DoD leadership. Not yet law. The next FAQ goes deeper on federal grants.

Structural federal recovery (the biggest lever):

  • FAR Part 31 indirect cost allocation — available to any federal contractor regardless of state. Not a grant, but the mechanism that recovers ongoing compliance cost through contract pricing. See Section 04.

Sources: Virginia APEX Accelerator official page; Project Spectrum official site; DoD Office of Small Business Programs; Cyber Grants Alliance press release (March 4, 2026); CSIAC DoD advisory service; DoD Cyber Crime Center (DC3) / DCISE; Proposed Federal CMMC Tax Credit legislative tracking.

Not sure which apply to you?

Funding triage is now part of every Gap Assessment we run.

We map every grant, tax credit, and FAR Part 31 mechanism that applies to your contract pipeline as part of the Gap Assessment — no separate engagement, no extra invoice. Or just talk to us if you want to scope it first. UK/US time zones coordinated manually, no Calendly link.

What the funding map includes
  • Programme-by-programme eligibility scorecard for your business
  • Application sequence ordered by deadline and disqualification risk
  • FAR Part 31 strategy mapped to each active contract
  • Pricing-risk assessment for fixed-price work
  • Delivered alongside your SPRS score, SSP, POA&M and remediation roadmap
All programme details verified 17 April 2026. Programme details and funding change — verify with each programme before making financial decisions. Ancitus is not a financial, tax, or legal adviser.