Funding FAQs.
The 37 questions DIB contractors actually ask us when they're trying to figure out how much CMMC will cost, what funding applies, and when to start. Every answer cited from primary government documents, state agency pages, or verified legal analysis. No fluff, no upsell.
The bottom line.
Q01 What's the smartest overall funding strategy for a small defence contractor?
Stack three layers.
For a typical 20–80 person DIB contractor pursuing CMMC Level 2, the sustainable strategy is to stack three funding layers, in this order:
- One-time grants for assessment costs (federal CGA grant; state-level if you're in one of the 12 ★ states). Real money, but limited and time-bound. These pay for the gap assessment and sometimes early remediation.
- Tax credits for technology and service spend (Maryland BMC, Maryland ESCC, federal small-business tax credit if it ever passes Congress). Reduce your effective spend without changing how you contract.
- FAR Part 31 indirect cost recovery for everything else. This is the sustainable, repeatable mechanism: cybersecurity is an allowable indirect cost on cost-reimbursement and flexibly-priced contracts. You build it into G&A or overhead, the government pays for it through your indirect rates, and it covers ongoing CMMC costs across all your active DoD work — not just one-time spend.
Layer 1 is opportunistic. Layer 2 is strategic. Layer 3 is structural — and structural usually wins.
Q02 Do I need to start CMMC now or can I wait until November 2026?
Now. Backlogs are already 6 months. (Updated 6 May 2026)
Phase 2 of the DFARS rollout — when CMMC Level 2 with C3PAO certification becomes a hard gate to award on contracts involving CUI — starts 10 November 2026. Six months from now. The math doesn't work for "I'll wait."
The numbers as of February 2026:
- Roughly 1,042 organisations have completed Level 2 certification. The DoD estimates ~76,000 contractors need it.
- C3PAO assessment backlogs are already 3–6 months, and lengthening as the deadline approaches.
- From a clean-slate gap assessment to a passing C3PAO assessment, realistic timeline is 12–18 months for most small contractors. From an existing strong NIST 800-171 program, it can be 6–9 months.
- Primes are auditing subcontractor lists now, ahead of Phase 2. Subs without certification are being replaced before contracts hit Phase 2.
The only contractors safely waiting are those whose contracts genuinely don't involve CUI (Level 1 self-assessment is faster and cheaper). For everyone handling CUI on covered DoD work, May–June 2026 is already the late-start zone.
Grants & eligibility.
Q03 What are my options: state grants, federal grants, or FAR Part 31 cost recovery?
All three. Here's the difference.
Three distinct categories, each with different mechanics:
1. State grants and tax credits. Direct state funding (Connecticut CAP, Massachusetts Cyber Resilient MA, Michigan MDRP) or state tax credits (Maryland BMC, Maryland ESCC). You apply, get approved, spend the money, receive reimbursement or a credit against state tax liability. Money comes from state economic development funds, manufacturing innovation funds, or state tax policy.
2. Federal grants. Direct federal programmes (Cyber Grants Alliance $5K gap assessment grants) or federal dollars flowing through state partners (DoD OLDCC funding for regional DCAP programs, NIST MEP appropriation funding state MEP centres). Cash or in-kind. Availability fluctuates year to year — much of this federal pass-through funding has ended or is uncertain. Most direct federal CMMC grants are one-time and award-capped.
3. FAR Part 31 cost recovery. Not a grant. Allocates compliance costs across your active federal contracts. The government doesn't reimburse you separately — your costs are built into contract pricing. Recovers continuously, automatically, across every contract active in a given year. This is the sustainable federal mechanism.
Q04 I'm already DFARS 7012 compliant — does CMMC actually add new costs?
Mostly assessment costs.
On paper, no. DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017. The 110 controls didn't change. So in theory, the only new cost from CMMC is the third-party assessment.
In practice, the gap is usually larger than contractors expect. Three reasons:
- Self-attested SPRS scores were generous. When DIBCAC actually started auditing, contractors who reported scores in the 90s often turned out to be in the 30s–60s. The Raytheon ($8.4M) and MORSECORP ($4.6M) settlements both involved gaps between self-reported and actual compliance.
- Evidence requirements are now hard. 7012 self-attestation could be done from memory. CMMC C3PAO assessments require dated, traceable evidence for every control. Most contractors have never built an evidence library.
- Scoping documentation is now scrutinised. CMMC assessors will examine your CUI boundary diagram, your asset inventory, and your data-flow documentation. If your "scope" was vague before, it has to be precise now.
Q05 Do my subcontractors need their own CMMC certification, or can they piggyback on mine?
Their own. Always.
Per 32 CFR 170.23, CMMC requirements flow down based on what each subcontractor actually handles, not on the prime's certification. Subcontractors cannot inherit, share, or piggyback on a prime's assessment.
The level depends on data type:
- Sub handles FCI only → Level 1 (annual self-assessment)
- Sub handles CUI → Level 2 minimum (self-assessment for non-prioritised contracts; C3PAO assessment for prioritised contracts)
- Prime is Level 3 → minimum sub level is Level 2 (C3PAO)
Primes are required to validate sub certifications before subcontracting. Many primes are auditing their subcontractor lists right now, ahead of Phase 2. Subcontractors without certification are being replaced — primes won't risk their own award eligibility on a non-compliant sub.
Q06 Do I need a DoD contract to qualify for state cybersecurity grants?
Sometimes — depends on the state.
Requirements vary by program. Here's what's actually required where:
State cybersecurity grants:
- Connecticut CAP — No contract required. Open to manufacturers "currently participating in the DoD supply chain, or those who wish to do so in the future."
- Michigan MDRP (formerly DCAP) — Contract required. At least 10% of annual revenue from DoD contracts, currently or within the past five years.
- Maryland BMC Tax Credit — No DoD contract required. Eligibility is based on being a Qualified Maryland Company (fewer than 50 employees) making purchases from a Qualified Maryland Cybersecurity Seller.
- Massachusetts Cyber Resilient MA — No contract required. Open to Massachusetts small businesses, nonprofits, and municipalities.
- Virginia GENEDGE — No contract required. GENEDGE facilitates DoD grants covering up to 80% of DFARS 252.204-7012 assessment costs for Virginia manufacturers where applicable.
Federal programs (different rules entirely):
- Cyber Grants Alliance — DIB contractor status, not active contract. Open to contractors and subcontractors in the defense industrial base.
- APEX Accelerators, Project Spectrum, SBDCs, CSIAC — No contract or DoD relationship required. Open to any small or mid-sized business pursuing federal work.
- FAR Part 31 cost recovery — Active federal contract required. This is the one federal mechanism that requires you to actually hold a contract, because recovery flows through contract pricing.
Q07 Are these grants actually loans that have to be paid back?
No. None of them.
The programmes on the Ancitus Funding Finder are grants and tax credits — not loans.
Grants (Connecticut CAP, Massachusetts Cyber Resilient MA, Michigan MDRP) are cost-share programmes. You pay your half, the state pays its half. No repayment obligation.
Tax credits (Maryland BMC and ESCC) reduce your state tax liability. You spend the money, then claim a credit against taxes owed. Nothing to repay.
The only mechanism that involves "repayment" is FAR Part 31 — but that isn't repayment in the conventional sense. It's the normal flow of costs through contract pricing, the same way rent, utilities, and salaries flow through.
Q08 Do I have to pay anything upfront, or are these grants reimbursement-based?
Mostly reimbursement.
It depends on the programme. Most state programmes like Connecticut CAP reimburse after the work is completed. Some federal programmes provide funds upfront (e.g. Cyber Grants Alliance is in-kind). During the triage we match you to specific programmes and explain the payment timeline for each so there are no surprises.
State programmes.
Q09 How exactly does the Connecticut CAP grant work?
$35K, 50/50 match.
The Connecticut Cybersecurity Adoption Program (CAP) is administered by the Connecticut Center for Advanced Technology (CCAT). It's a 50/50 matching grant up to $35,000 lifetime per company. Up to $10,000 of that can fund the assessment; the remaining $25,000 can fund remediation through a qualified third-party vendor.
To qualify, your company must:
- Be registered with the CT Secretary of State for at least 3 years
- Have 3–300 employees in Connecticut
- Generate more than 50% of revenue from manufacturing or allied services
- Be a current or aspiring DoD supply-chain contractor
Q10 How does Maryland's Buy Maryland Cybersecurity (BMC) Tax Credit work?
50% credit, $50K/year cap, 50-employee limit. (Updated 6 May 2026)
The BMC Tax Credit gives qualified Maryland companies a 50% income tax credit on cybersecurity products and services purchased from a Qualified Maryland Cybersecurity Seller (QMCS). The credit is capped at $50,000 per company per tax year and the company must have 50 or fewer employees.
The programme has a $4M annual statewide pool, awarded first-come-first-served. A separate $200K aggregate cap applies per Qualified Maryland Cybersecurity Seller per tax year.
Q11 What CMMC funding is currently available in Massachusetts?
Cyber Resilient MA — $25K. MMAP appears wound down. (Updated 6 May 2026)
Massachusetts has had two main CMMC-relevant programmes. As of 6 May 2026 the picture is mixed:
Cyber Resilient Massachusetts Grant Program (active). Up to $25,000 to fund SOC services from CyberTrust Massachusetts, including Managed Detection and Response (MDR). Open to small businesses, non-profits, and municipalities. NOFO 2026-Cyber-01 is currently live.
MMAP Manufacturing Cybersecurity Round (status uncertain). Previously offered up to $30,000 for cybersecurity infrastructure. Last round awarded March 2025 (20 manufacturers, $540K total). The official MassTech page now uses past tense — "provided up to $30,000" rather than "provides" — and no 2026 round has been announced. Treat as functionally unavailable until officially reopened.
Q12 What CMMC support is currently available in California?
CMTC — free advisory only.
California's primary CMMC-relevant resource is California Manufacturing Technology Consulting (CMTC) — the NIST MEP centre for the state. CMTC offers technical cybersecurity assistance, CMMC gap analysis, and compliance planning for California manufacturers. The work is advisory and free at the point of use; CMTC does not run a dedicated cash grant programme for CMMC.
For California contractors, the practical funding path is: federal Cyber Grants Alliance ($5K in-kind gap assessment) + FAR Part 31 indirect cost recovery on active DoD contracts. Use CMTC for the advisory layer.
Q13 What happened to Indiana's free CMMC Level 1 funding?
Ended August 2025.
From 2021 onwards, Purdue MEP (in partnership with the Indiana Economic Development Corporation) offered free CMMC Level 1 assessments and implementation to Indiana small businesses, funded by SBA grants passed through the IEDC. The most recent funded window ran through August 2025 or until funds ran out.
Current status: the SBA-funded free programme has ended. Purdue MEP continues to offer paid CMMC advisory services, CMMC Level 1 and Level 2 assessments, and vCISO support. Contact Gene Jones ([email protected]), Senior Services Manager for Cybersecurity and Defense at Purdue MEP, for current rates and to be notified of any future funded programmes.
Q14 Does Michigan still have CMMC funding programmes?
MDRP active for manufacturers.
Yes — through the Michigan Defense Resiliency Program (MDRP) at the University of Michigan Economic Growth Institute. MDRP incorporates the former Defense Cybersecurity Assurance Program (DCAP) and provides cost-share funding for defense supply chain manufacturers on cybersecurity compliance and succession planning.
Eligibility: at least 10% of annual revenue from DoD contracts, currently or within the past five years.
Structure: DCAP partners have historically completed cybersecurity assessments and remediation with cost-share funding. Contact the Economic Growth Institute directly for current cost-share amounts and timing.
What has ended: the separate Michigan Defense CyberSmart Program (which offered up to $22,500 in Phase 2 grants) has closed and is no longer accepting applications. That's a different programme from MDRP/DCAP.
Q15 What CMMC support exists in North Carolina?
NC State IES — free consultation.
North Carolina's CMMC support runs through NC State University's Industry Expansion Solutions (IES) — the state's NIST MEP centre. IES offers free CMMC consultations, Defense Industry Initiatives (DII) funding opportunities, and cybersecurity training. DII funding is selective and project-based rather than a standing cash grant.
For NC contractors, the typical path is: book an IES consultation to scope your situation, then layer the federal Cyber Grants Alliance ($5K) + FAR Part 31 indirect cost recovery for the structural recovery.
Q16 What's available for New York DIB contractors?
AIM at MVCC — phase-one assessments.
New York's CMMC-specific funding is routed through the NY MEP Cybersecurity Initiative led by Advanced Institute for Manufacturing (AIM) at Mohawk Valley Community College. The programme funds phase-one cybersecurity assessments — up to roughly $6,000 per recipient — for New York manufacturers. The initial cohort funded 67 assessments across 320 cohort manufacturers.
Important distinction: FuzeHub runs separate Manufacturing Grants (up to $65K) but those are general innovation grants, not CMMC-specific. For CMMC funding, AIM at MVCC is the right entry point.
Q17 How does Ohio's MEP CMMC support work?
6 regional partners, mostly advisory.
Ohio MEP operates through six regional partners across the state, offering cybersecurity cost-share and advisory support. Availability and terms vary by region — there's no single statewide cash-grant programme.
Contact your regional partner directly via ohiomep.org to understand current funding and services in your area. As with most state MEPs, the practical recovery path for Ohio contractors layers federal Cyber Grants Alliance + FAR Part 31 indirect cost recovery on top of any regional MEP cost-share you can access.
Q18 What does Pennsylvania offer through its IRC network?
7 IRCs, DVIRC strongest for DIB.
Pennsylvania MEP works through seven Industrial Resource Centers (IRCs) offering cybersecurity cost-share and advisory support. Funding varies by IRC and by project — there is no single statewide cash grant. The Delaware Valley IRC (DVIRC) tends to be the strongest entry point for Philadelphia-area DIB contractors, but the right IRC for you depends on geography.
Contact your local IRC via pamep.org for current availability. Layer federal Cyber Grants Alliance + FAR Part 31 indirect cost recovery on top of any IRC cost-share.
Q19 What is Texas TMAC and what can it actually fund?
Pre-assessments, mostly free.
Texas Manufacturing Assistance Center (TMAC) is the NIST MEP for Texas. TMAC provides CMMC pre-assessments, compliance guidance, and support from CMMC Certified Professionals. Some services are cost-shared; this is not a direct cash grant programme.
For Texas contractors the practical path is: book a TMAC pre-assessment to scope your gap, then layer federal Cyber Grants Alliance ($5K) + FAR Part 31 indirect cost recovery for ongoing recovery on active DoD contracts.
Q20 What cybersecurity support does Virginia GENEDGE offer?
80% of DFARS-7012 scope cost.
GENEDGE Alliance is the Virginia MEP and a CMMC Registered Provider Organisation (RPO). GENEDGE maintains a pre-qualified network of 25+ cybersecurity vendors delivering CMMC services at pre-negotiated rates. GENEDGE also facilitates a DoD grant that can cover up to 80% of DFARS 252.204-7012 compliance assessment costs for Virginia manufacturers — contact GENEDGE directly to confirm current grant availability and eligibility.
Virginia APEX Accelerator at George Mason University provides free government contracting counselling — CMMC guidance, SPRS help, bid matching — alongside GENEDGE.
Federal cost recovery.
Q21 Are CMMC compliance costs recoverable through federal contracts?
Yes, through indirect rates.
Yes. The Department of Defense has confirmed on the record that CMMC compliance costs are allowable indirect costs under FAR Part 31, recoverable through your G&A pool or overhead rate on cost-reimbursement and flexibly-priced contracts.
In its response to public comments on the original DFARS 252.204-7012 interim rule (78 FR 69275, 18 November 2013, Comment 7), the DoD stated that there is "nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable" if the costs are incurred in accordance with FAR 31.201-2. The 2025 DFARS Case 2019-D041 final rule (Section 30 of the comment responses) explicitly placed cost-allowability questions outside its scope, leaving the 2013 rulemaking as the still-governing federal position on cybersecurity cost allowability.
For cost-reimbursable contracts, CMMC costs can be included as direct or indirect charges. For fixed-price contractors, CMMC costs should be factored into pricing for future proposals.
Q22 Can I spread compliance costs across multiple active contracts at the same time?
Yes — that's the point.
Yes. This is the core mechanism of indirect cost allocation under FAR 31.201-4 and CAS 405 — the horizontal lever.
When CMMC compliance costs sit in your G&A pool or overhead pool, they are allocated proportionally across all active contracts based on the allocation base (typically total cost input or direct labour). If you have five active contracts and $100K of compliance cost in a given year, each contract absorbs roughly $20K weighted by its share of the base — not the full $100K.
This is standard cost accounting practice, not a workaround. DCAA expects indirect costs to be allocated equitably across all cost objectives that benefit from them.
Q23 Can I phase compliance spending over multiple years to reduce rate impact?
Yes — and you should.
Yes — the vertical lever. A three-year budget cycle aligns naturally with the CMMC recertification timeline:
- Year 1: Gap assessment, documentation, early remediation (50–60% of total cost)
- Year 2: Technology implementation, policy rollout, training (15–25%)
- Year 3: Final remediation and C3PAO assessment (15–25%)
Each year's indirect rate reflects only that year's incurred costs. The result is a gradual, manageable increase in overhead rates rather than a single disruptive spike. A $100K compliance program phased 50/25/25 becomes $50K / $25K / $25K flowing through three separate fiscal-year rates.
Q24 Can I combine both mechanisms — parallel allocation and multi-year phasing — for maximum benefit?
Yes. Sophisticated approach.
Yes. That's the standard approach among mature GovCons, and it's where the real leverage lives.
The two mechanisms multiply. Here's the math on a $100K compliance program across a 5-contract book of work:
- Horizontal only (allocate $100K across 5 active contracts in one year): each contract absorbs ~$20K.
- Vertical only (phase $100K across 3 fiscal years, single contract): ~$33K per year.
- Combined (phase $100K across 3 years, allocate each year across 5 contracts): ~$6.5K per contract per year.
Same total compliance cost. Fifteen contract-years (5 contracts × 3 years) absorbing it instead of one contract taking the full hit. Rate impact on any individual proposal becomes minimal.
This is why mature GovCons treat CMMC as a routine overhead line item rather than a crisis. They're letting standard FAR Part 31 allocation plus annual rate math do the distribution work.
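An added worked example (not from the FAQ or from Ancitus) that models the two levers with the FAQ's $100K, five-contract, three-year figures, then adds the 50/25/25 phasing from Q23 over a constructed set of uneven allocation bases; the contract names and base values are assumptions. The evenly weighted split comes to $100K / 15 ≈ $6.67K per contract-year, the figure the FAQ rounds to ~$6.5K.

```python
"""Indirect-cost allocation of a CMMC compliance budget across contracts and fiscal years.

Horizontal lever: one year's pooled cost is allocated to each contract in proportion
to its share of the allocation base (e.g. total cost input or direct labour).
Vertical lever: the programme cost is phased across fiscal years first.
All contract names, base values and costs below are constructed for illustration.
"""
from __future__ import annotations


def allocate_pool(pool_cost: float, bases: dict[str, float]) -> dict[str, float]:
    """Spread one fiscal year's pooled cost over contracts by base share (horizontal)."""
    if pool_cost < 0:
        raise ValueError("pool cost cannot be negative")
    total_base = sum(bases.values())
    if total_base <= 0 or any(b < 0 for b in bases.values()):
        raise ValueError("allocation base must be non-negative and sum to more than zero")
    return {name: pool_cost * base / total_base for name, base in bases.items()}


def phase_and_allocate(total_cost: float, phasing: list[float],
                       bases_by_year: list[dict[str, float]]) -> list[dict[str, float]]:
    """Phase the programme across years (vertical), then allocate each year's slice (horizontal)."""
    if abs(sum(phasing) - 1.0) > 1e-9:
        raise ValueError("phasing fractions must sum to 1")
    if len(bases_by_year) != len(phasing):
        raise ValueError("need one allocation base per phased year")
    return [allocate_pool(total_cost * frac, bases) for frac, bases in zip(phasing, bases_by_year)]


def max_contract_year_hit(schedule: list[dict[str, float]]) -> float:
    """Largest amount any single contract absorbs in any single year (the worst proposal impact)."""
    return max(v for year in schedule for v in year.values())


def rate_uplift_points(pool_cost: float, total_base: float) -> float:
    """Indirect-rate increase, in percentage points, from adding pool_cost over total_base."""
    if total_base <= 0:
        raise ValueError("allocation base must be positive")
    return 100.0 * pool_cost / total_base


PROGRAMME_COST = 100_000.0  # the FAQ's $100K compliance programme

# Constructed book of work: five contracts with equal $1M bases.
CONTRACTS_EQUAL = {f"C{i}": 1_000_000.0 for i in range(1, 6)}

# Horizontal only: one year, five contracts -> $20K each.
HORIZONTAL_ONLY = allocate_pool(PROGRAMME_COST, CONTRACTS_EQUAL)

# Vertical only: one contract, three even years -> ~$33.3K per year.
VERTICAL_ONLY = phase_and_allocate(PROGRAMME_COST, [1 / 3] * 3, [{"C1": 1.0}] * 3)

# Combined, even phasing: fifteen contract-years -> ~$6.67K each.
COMBINED_EVEN = phase_and_allocate(PROGRAMME_COST, [1 / 3] * 3, [CONTRACTS_EQUAL] * 3)

# Combined with Q23's 50/25/25 phasing and uneven bases: a $2M contract carries twice
# the share of a $1M one, and the year-1 slice is the largest hit any contract sees.
CONTRACTS_UNEVEN = {"C1": 2_000_000.0, "C2": 1_000_000.0, "C3": 1_000_000.0,
                    "C4": 500_000.0, "C5": 500_000.0}
COMBINED_PHASED = phase_and_allocate(PROGRAMME_COST, [0.5, 0.25, 0.25], [CONTRACTS_UNEVEN] * 3)

if __name__ == "__main__":
    for label, schedule in [("horizontal only", [HORIZONTAL_ONLY]), ("vertical only", VERTICAL_ONLY),
                            ("combined even", COMBINED_EVEN), ("combined 50/25/25", COMBINED_PHASED)]:
        print(f"{label}: worst contract-year hit ${max_contract_year_hit(schedule):,.2f}")
    # Year-1 rate impact of the phased plan over a $5M base: 1.0 percentage point.
    print(f"year-1 uplift: {rate_uplift_points(0.5 * PROGRAMME_COST, sum(CONTRACTS_UNEVEN.values())):.2f} pts")
```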
Q25 Won't loading CMMC costs into my overhead rates make me less competitive on proposals?
Briefly, yes. Then no.
Once you understand the combined allocation math above — spreading costs across parallel contracts and phasing them over multiple years for as little as $6.5K per contract per year — the competitive concern largely dissolves. But it's worth naming directly.
Every competitor bidding on CUI work faces the same cost. CMMC is universal for contractors handling CUI. Your competitors are either absorbing the same overhead increase now, preparing to absorb it later, or getting eliminated from the bidding altogether. Once compliance is standard across the DIB, the overhead increase is priced into every proposal equally — no single contractor loses ground, because the cost is reflected across the whole market.
The real competitive loss is for non-compliant contractors. Phase 2 enforcement begins November 10, 2026. After that date, contractors without CMMC can't bid on CUI solicitations at all. The question stops being "whose overhead rate is lower" and becomes "who's on the eligible list."
Between 33,000 and 44,000 companies — 15–20% of the Defense Industrial Base — are expected to exit the defense market between 2025 and 2027 because they can't or won't achieve CMMC certification. That exit redistributes contract revenue to the companies that remain. Being compliant while competitors aren't isn't a disadvantage. It's a consolidation tailwind.
Sustainability & risk.
Q26 What's my False Claims Act exposure if my SPRS score is wrong?
Treble damages + $27K per claim. (Updated 6 May 2026)
Real and growing. The DOJ recovered $52 million across nine cybersecurity False Claims Act settlements in FY2025 alone — and the trend is accelerating into FY2026. Real settlements include:
- Raytheon / Nightwing — $8.4M (2025), false NIST 800-171 compliance representations across 29 DoD contracts
- MORSECORP — $4.6M (April 2025), inflated SPRS score (allegedly knew score was wrong, left it uncorrected for years)
- TRICARE managed care provider — $11.25M (February 2025), false cybersecurity certifications
- Penn State — $1.25M (2024), inflated SPRS scores across 15 DoD/NASA contracts
Under 32 CFR 170.22, a senior company executive (the "affirming official") signs an annual SPRS attestation under penalty of law. The standard is "knew or should have known." Delegating it to IT and not verifying creates "reckless disregard" — sufficient to establish FCA liability personally for the executive who signed.
Funding implication: a $5K–$10K third-party SPRS validation before submitting an annual affirmation is structurally cheaper than the legal exposure of an inflated score. This isn't optional risk management — it's table stakes for any contractor who's submitted an SPRS attestation in the past three years.
Q27 With FY 2027 budget uncertainty, aren't MEP-funded grants risky to depend on?
Yes. Plan for that.
Real risk, and worth understanding before planning. NIST Hollings MEP appropriation is voted annually. In April 2025, NIST briefly defunded 10 state MEP centres, with the decision reversed within two weeks after public pressure. The funding came back, but that episode showed how fragile the system is.
What this means for you:
- State programmes that depend on MEP federal pass-through (CT CCAT, MD MEP, MI MEP, OH MEP, PA MEP, TX TMAC, NC IES, CA CMTC, IN Purdue MEP, NY AIM at MVCC, VA GENEDGE) all sit on the same congressional appropriation cycle.
- Don't plan a multi-year compliance budget assuming a state grant will be re-funded next year — assume the worst-case it won't.
- Use grants for one-shot wins (gap assessment, initial remediation) and FAR Part 31 for sustainable, recurring cost recovery that doesn't depend on Congress.
Q28 Should I treat CMMC as a one-time project or as permanent overhead?
Permanent overhead.
CMMC is not a one-time cost.
The DoD's own cost modelling assumes a three-year recertification cycle, annual affirmations, evidence collection, continuous monitoring, and ongoing documentation. Published industry data shows ongoing annual compliance costs of $15,000–$50,000 per year for a small-to-mid-sized organisation.
Grants are most effective for the upfront spike. Ongoing costs should be built into your cost accounting as permanent indirect costs that flow through contract pricing year after year.
Q29 Are there programmes that cover ongoing compliance costs, not just initial certification?
Some. Most don't.
Yes, though most state and federal grant programmes are one-time. Here's what actually offsets ongoing spend:
State tax credits with annual renewability (Maryland has the strongest coverage):
Buy Maryland Cybersecurity Tax Credit (BMC). Up to $50,000 per tax year in credits for 50% of cybersecurity tech and services purchased from Qualified Maryland Cybersecurity Sellers. Maryland's own documentation confirms this is renewable annually — a multi-year service contract can claim the credit each year for that year's payments.
Massachusetts Cyber Resilient MA Grant. Funds up to three years of SOC/MDR services from CyberTrust Massachusetts. Not strictly "ongoing" in the annual-renewal sense, but covers monitoring for multiple years with one application.
The primary federal mechanism for ongoing recovery isn't a grant — it's structural. FAR Part 31 indirect cost allocation flows compliance costs through contract pricing automatically, every year, as long as you hold federal contracts. No application, no annual renewal. See Section 04.
Free federal advisory that reduces ongoing cost: APEX Accelerators, Project Spectrum, SBDCs, and CSIAC all provide free cybersecurity advisory on a continuing basis. Not cash, but equivalent to $5,000–$25,000/year in consulting fees you don't pay. Available nationwide.
Scoping & in-house vs. MSP.
Q30 Why does CMMC keep turning into a money pit — every fix reveals another system that needs hardening?
Scope creep. Use an enclave.
Because you're treating your whole company as in-scope when most of it shouldn't be. CMMC scope is determined by where CUI lives, not by what your company does. If CUI flows through your accounting system, your Slack, your shared OneDrive, and your developer laptops, then all of those are in scope and need to meet 110 NIST 800-171 controls. That's the money pit.
The architectural fix is a CUI enclave. Build a separate, isolated environment (typically GCC High, Azure Government, or a dedicated VDI) that is the only place CUI lives. Your main business systems stay out of scope. Your enclave gets all the controls. Your scope shrinks from "everything" to "the enclave," and so does your cost.
Q31 How much can an enclave reduce compliance costs, and how does it differ from a full GCC High migration?
40–70%. Enclave = scope. GCC = whole platform.
Two architecturally different choices that often get conflated. They cost very different amounts.
Enclave approach. A small, isolated environment — typically Microsoft GCC High, Azure Government, or a dedicated VDI — that is the only place CUI lives. Your main business systems (general email, accounting, sales, non-CUI engineering work) stay out of CMMC scope. Only the enclave gets all 110 controls. Typical enclave size: 5–25 users for a 60-person firm.
Full GCC High migration. Every business system runs on GCC High, regardless of whether that system handles CUI. Email, files, collaboration, even non-CUI work — all of it lives in the federal cloud. The whole company is in scope.
When enclave wins: small CUI footprint (a handful of programmes), most of your work is non-CUI commercial, and you can isolate CUI workflows to a defined team. This is the right answer for the majority of small DIB contractors.
When full migration makes sense: heavy CUI workflow across most teams, multiple programmes with overlapping CUI access, regulatory complexity that makes scope-policing impractical, or you're already running Microsoft 365 and want a clean cutover rather than a hybrid environment to maintain.
Q32 Should I do CMMC in-house or hand it to a managed service provider?
Depends on size + DoD revenue.
It depends on three factors: size of your IT/security team, percentage of business that's defense-related, and tolerance for dual-environment complexity.
In-house makes sense when: existing security staff, defense-central business, desire for max control, large enough for dedicated compliance personnel.
MSP makes sense when: small-to-mid contractor without in-house compliance expertise, only a subset handles CUI, faster path to compliance wanted.
Industry analysis consistently shows MSPs save 55–70% vs. in-house implementation for small contractors, because they amortise compliance infrastructure across multiple clients.
Q33 Will using an MSP let us claim their CMMC certification, or do we still need our own?
Your own. Always.
CMMC certification is non-transferable from MSP to client. Your MSP's CMMC status doesn't satisfy your assessment requirement — your company is the contractor of record, and your environment (whatever portion handles CUI) gets assessed.
What an MSP does get you: their CMMC-aligned services can be inherited as control implementations on the customer responsibility matrix. If your MSP runs your boundary firewall, your endpoint protection, or your SIEM, those controls flow through their service. You still need to document the inheritance, but the underlying control work has been done by the MSP for assessable evidence.
Funding triage is now part of every Gap Assessment we run.
We've stopped offering it as a standalone engagement. Every Gap Assessment now includes a personalised funding map — every state programme you qualify for, every federal mechanism, every FAR Part 31 lever, scoped to your specific situation. If you'd rather just talk about funding without committing to anything, that's also free.
Two-week deliverable: 110-control gap analysis, scoping recommendation, remediation roadmap, AND your full funding map. Fixed-fee. No upsell.
Talk to us about funding (free).
Just want to know what's available for your state and contract profile? 30 minutes, no commitment, no follow-up sales sequence.