There is no single price tag for CPCSC or CMMC compliance, and any consultancy that quotes one before scoping your environment is guessing. The real number is set by four factors, and once you understand them, you can estimate your own budget within a defensible range before you ever take a sales call.
This guide covers both programs together because most Canadian defence suppliers eventually face both. Canada's Canadian Program for Cyber Security Certification (CPCSC) governs eligibility in the Department of National Defence supply chain. The U.S. Cybersecurity Maturity Model Certification (CMMC) governs eligibility in the Department of Defense supply chain. They share roughly 90 percent of their underlying controls because both descend from NIST SP 800-171, which means the cost drivers are largely the same on both sides of the border.
TL;DR: What does CPCSC and CMMC compliance cost?
CPCSC Level 1 is an annual self-assessment of 13 baseline controls, so the cost is mostly internal time plus any readiness support you choose to bring in; Canadian consultancies offer this on an inquiry basis rather than published rates. CMMC Level 2 readiness consulting commonly runs US$75,000 to US$300,000 depending on organization size, and preparation typically costs three to four times the third-party assessment fee itself. Four factors determine where you land: which certification level you need, the size of your current security gap, the scope of your infrastructure and where controlled information lives, and whether your level requires only a self-assessment or a third-party assessment.
The four cost factors at a glance
Your budget is set by your certification level, the size of your current security gap, your infrastructure and controlled-information scope, and whether your level needs a self-assessment or a third-party assessment. None of these is a fixed number; together they explain why no two suppliers cost the same.
The rest of this guide breaks down each factor and shows how to estimate your own range.
Factor 1: Which level do you need?
Level is the single largest determinant of cost, and the jump from a self-assessed level to a certified one is where budgets multiply.
On the Canadian side, CPCSC Level 1 became available on April 1, 2026 and begins appearing as a mandatory requirement in select DND contracts starting in summer 2026. It is not yet a universal requirement across the Canadian defence supply chain. Level 1 is an annual self-assessment against 13 baseline controls drawn from ITSP.10.171, the CCCS technical standard that contains 97 controls in total. Levels 2 (third-party assessment) and 3 (DND-conducted assessment) are defined in the program but roll out later.
On the U.S. side, CMMC Level 1 covers basic Federal Contract Information through an annual self-assessment. CMMC Level 2 covers all 110 NIST SP 800-171 requirements and, for most contracts involving Controlled Unclassified Information, requires certification by a third-party assessment organization, known as a C3PAO.
The cost gap between these tiers is not linear. A Level 1 self-assessment is bounded work: read the control list, confirm you meet each control, document the evidence, attest. A Level 2 certification is an open-ended program build, because you are not just meeting controls, you are producing the evidence that an external assessor will scrutinize. That shift from self-attestation to external scrutiny is what turns a manageable internal project into a six-figure engagement.
Factor 2: How big is your current security gap?
The same certification costs one company a fraction of what it costs another, and the difference is maturity. Compliance cost is really the cost of closing the distance between where your security program is today and where the standard expects it to be.
A company already running multi-factor authentication everywhere, centralized logging, documented incident response, quarterly access reviews, and configuration baselines is doing most of what NIST SP 800-171 asks. Their gap is largely evidentiary: the controls run, but the proof is scattered across tickets and tribal knowledge rather than assembled into an assessment package. That is a documentation and operations exercise, not a rebuild.
A company that has been treating security as an occasional project, with inconsistent logging, no formal incident response plan, and access reviews that happen only when someone remembers, faces the full build. Every missing control is design, implementation, and then the evidence trail on top. This is the most common reason two suppliers seeking the same CMMC Level 2 certification receive wildly different quotes.
Compliance as a byproduct
Teams that build effective security operations first and treat the certificate as the output of that work spend far less than teams that try to reverse-engineer a passing assessment from a weak foundation. The gap assessment is the first thing any competent readiness engagement produces, and it is the number that should anchor your budget, not the level alone.
Factor 3: What is your infrastructure and CUI scope?
Scope is the factor most often underestimated, and it compounds the first two. The question is not only what controls you need, but how much of your environment they apply to.
Every system that stores, processes, or transmits controlled information falls inside the assessment boundary, and every system inside that boundary must meet the controls and produce evidence. A supplier that has carefully segmented controlled information into a single enclave, a dedicated environment walled off from the rest of the business, has a small boundary and a correspondingly contained cost. A supplier where controlled information flows freely across the general corporate network has pulled the entire environment into scope, multiplying the systems, endpoints, and people that must be assessed.
The scoping exercise differs between the two programs and must be done independently for each. CMMC distinguishes Federal Contract Information from Controlled Unclassified Information. CPCSC frames its boundary around specified and controlled information under the Canadian procurement model. The categories do not map one to one, so a clean scope on one side does not guarantee a clean scope on the other.
Scope reduction is the biggest cost lever
Architecting an enclave, restricting where controlled information can travel, and shrinking the boundary often saves more than any negotiation on consulting rates. It is far cheaper to certify a small, well-defined environment than to certify everything because the data was never contained.
Factor 4: Self-assessment or third-party assessment?
The final factor is the assessment model your level demands, because it splits your cost into two distinct buckets: preparation and assessment.
For self-assessed levels, CPCSC Level 1 and CMMC Level 1, there is no external assessor fee. The cost is internal effort plus any readiness support you choose to engage. You confirm your controls, assemble evidence, and attest. The work is real but bounded.
For certified levels, CPCSC Level 2 and CMMC Level 2 with a C3PAO, you pay for both buckets. Preparation is the readiness work that gets you assessment-ready, and the assessment is the external evaluation itself. The pattern in the CMMC market is consistent: preparation typically costs three to four times the assessment fee. The C3PAO does not fix your gaps; it verifies that you already closed them. Most of your budget goes to the closing, not the verifying.
Two market realities shape this factor in 2026. First, assessment capacity is constrained. As of early 2026, only around one percent of the roughly 76,600 organizations expected to need CMMC certification were certified, against an ecosystem of roughly 80 C3PAOs, and typical preparation runs six to twelve months. Second, professional CMMC consulting rates commonly fall in the US$250 to US$400 per hour range, so the size of your gap (Factor 2) and your scope (Factor 3) translate directly into billable hours. On the Canadian side, CPCSC readiness pricing is not publicly published; firms such as PwC Canada and Plurilock offer readiness support on an inquiry basis, which is typical for a program still in its first year.
How do CPCSC and CMMC compare on cost and timing?
| Element | CPCSC (Canada) | CMMC (United States) |
| Governing department | National Defence (DND) via PSPC | Department of Defense (DoD) |
| Level 1 | Annual self-assessment, 13 baseline controls from ITSP.10.171 | Annual self-assessment, basic FCI safeguarding |
| Level 2 | Third-party assessment (rolls out after Level 1) | C3PAO certification, all 110 NIST SP 800-171 requirements |
| Level 3 | DND-conducted assessment | Government-led assessment |
| Level 1 status | Available April 1, 2026; mandatory in select DND contracts from summer 2026 | In effect under phased rollout |
| Level 2 milestone | Follows Level 1; date not yet fixed | Phase 2 begins November 10, 2026 |
| Self-assessed cost | Mainly internal time; readiness support inquiry-only | Internal time plus optional readiness support |
| Certified cost | Preparation plus third-party fee (CAD, scoped per level) | Readiness commonly US$75K-$300K; prep 3-4x assessment fee |
| Underlying standard | ITSP.10.171 (97 controls) | NIST SP 800-171 |
The roughly 90 percent control overlap is the planning insight that matters: the security work that earns one certificate does most of the work for the other. What differs is packaging, scoping, attestation routes, and timing, not the underlying operations.
One program, two supply chains
For suppliers operating in both markets, the costly mistake is building two separate compliance programs. Because both frameworks rest on the same NIST SP 800-171 foundation, a single effective security program produces the evidence for both. One access review process, one incident response plan, one set of configuration baselines, assembled into two assessment packages.
This is how Truvo approaches CPCSC and CMMC readiness: one program design that serves both the Canadian and U.S. defence supply chains, scoped per level under our ABO model rather than priced as a fixed package, because the four factors above mean no two suppliers cost the same. Pricing is in USD and Canadian clients are billable in CAD. You can see how engagements are structured on our pricing page and read more about the Canadian program on our CPCSC compliance service and in our CPCSC vs CMMC comparison.
Turn the four factors into a number
We scope your level, gap, and infrastructure into a defensible budget, built around an effective security program that serves both supply chains.
If you want a defensible budget rather than a guess, two starting points help. Run the Truvo scorecard to see roughly where your program sits against the controls, then book a scope call to turn that into a number tied to your actual level, gap, and scope.
Frequently Asked Questions
How much does CPCSC Level 1 cost?
CPCSC Level 1 is an annual self-assessment of 13 baseline controls drawn from ITSP.10.171, so there is no third-party assessor fee. The cost is mostly internal staff time plus any readiness support you bring in. Canadian consultancies offer that support on an inquiry basis, as published rates do not yet exist for this first-year program.
How much does CMMC Level 2 cost?
CMMC Level 2 readiness consulting commonly runs US$75,000 to US$300,000 depending on organization size, scope, and current maturity. Preparation typically costs three to four times the C3PAO assessment fee, because the assessor verifies your controls rather than building them. Professional consulting rates commonly fall between US$250 and US$400 per hour.
Does a CMMC certificate satisfy CPCSC, or the reverse?
No. There is no mutual recognition between the two programs as of mid-2026. Each requires independent scoping, evidence, and attestation. The roughly 90 percent control overlap means the underlying security work transfers, but you assemble and submit two separate assessment packages and satisfy each program on its own terms.
When are the key deadlines?
CPCSC Level 1 became available April 1, 2026 and starts appearing in select DND contracts from summer 2026; it is not yet universal. CMMC Phase 2 begins November 10, 2026, introducing mandatory C3PAO Level 2 certification for most DoD contracts involving Controlled Unclassified Information. Treat these as planning windows, since typical Level 2 preparation runs six to twelve months.
Why do two suppliers get such different quotes for the same certification?
Because the certificate is identical but the work is not. The size of your security gap and the scope of your infrastructure determine the billable hours, and both vary enormously between organizations. A supplier with mature controls and a contained data enclave pays a fraction of what a supplier with scattered controls and an unsegmented network pays for the same Level 2 certificate.
Can one security program cover both CPCSC and CMMC?
Yes, and it is the most cost-effective approach for dual-jurisdiction suppliers. Both frameworks derive from NIST SP 800-171 and share roughly 90 percent of their controls, so one effective security program produces evidence for both. The efficiency comes from building security operations once and packaging the output into two assessment submissions.
Ready to Start Your Compliance Journey?
Get a clear, actionable roadmap with our readiness assessment.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
Ready for CPCSC Level 1?
Score your readiness across the 6 expected control families. Free.
Take the Scorecard