The Department of Defense started holding contractors to account for their cybersecurity posture in 2020, when a DFARS interim rule required a NIST SP 800-171 assessment score in SPRS before award. What began as self-attestation has evolved into something far more rigorous: the Cybersecurity Maturity Model Certification, now in its 2.0 version. If you hold or want to hold DoD contracts, CMMC compliance isn't optional anymore. It's a condition of doing business.

I've worked with defense contractors through every iteration of this framework. The confusion hasn't diminished with CMMC 2.0—if anything, it's gotten more specific and more consequential. Contractors who thought they could check boxes and move on are discovering that assessments are real, timelines are compressed, and the cost of non-compliance is exclusion from the contract pipeline.

This guide explains what CMMC actually is, who needs which level, what the assessment process involves, and what it takes to get ready. No vendor promises, no shortcuts.

What CMMC Is and Why It Exists

CMMC is a unified cybersecurity standard for the defense industrial base. It exists because the DoD has a contractor problem: sensitive defense information keeps ending up in the hands of adversaries. For years, contractors were required to self-certify compliance with NIST 800-171, a framework of 110 security controls designed to protect Controlled Unclassified Information (CUI). Compliance rates were abysmal. Self-attestation didn't work.

CMMC changes the game by requiring third-party assessment. Instead of contractors saying they're compliant, they have to prove it to an independent assessor. The framework also introduces tiered levels: not every contractor needs the same level of maturity, but everyone needs to demonstrate what they claim.

The program is owned by the office of the DoD CIO. Accreditation of the organizations that conduct assessments (C3PAOs) is handled by an independent accreditation body, The Cyber AB (formerly the CMMC Accreditation Body), not by DoD itself. CMMC 2.0, finalized in the 32 CFR Part 170 rule published in October 2024, streamlined the original five-level model down to three levels, tied the requirements directly to NIST SP 800-171 and SP 800-172, and clarified which contracts require which level and type of assessment.

The Three Levels of CMMC 2.0

CMMC 2.0 defines three maturity levels. Each corresponds to a different type of information and a different risk profile. Understanding which level applies to your contracts is the starting point for everything else.

Level 1: Foundational Cyber Hygiene

Level 1 corresponds to the protection of Federal Contract Information (FCI), which is information provided by or generated for the government under a contract that is not intended for public release. This is basic stuff: procurement data, technical specifications, financial information related to the contract.

Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 split them into 17 practices; the 2.0 rule uses the FAR's own count). These are fundamental controls spanning access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Think unique accounts and passwords, antivirus that is kept up to date, patching, escorting visitors, and a boundary firewall. Incident response is not among them; that starts at Level 2.

The key difference at Level 1: you can self-assess annually. No third-party assessor required. You affirm your compliance in the Supplier Performance Risk System (SPRS), and that affirmation is tied to your contract eligibility. Don't mistake simplicity for irrelevance. If you're wrong, the consequences are contractual.

Level 2: Protection of CUI

Level 2 is where most defense contractors will land. It requires full compliance with NIST 800-171, which means implementing all 110 controls across 14 families. If your contract involves CUI—technical data, blueprints, logistics information, anything marked or identified as controlled—you need Level 2.

At Level 2 the type of assessment is set per contract by the DoD program office based on the sensitivity of the CUI involved, not on contract value. Some contracts allow a self-assessment, which is more rigorous than Level 1: you score yourself against all 110 requirements, submit the score to SPRS, and a senior company official affirms it. DoD has said it expects most Level 2 contracts to require a certification assessment by an authorized C3PAO instead.

The pattern I see most often: contractors assume they're at Level 2 because they handle CUI, but they haven't actually mapped their environment to the 110 controls. They guess. When assessment time comes, the gaps are larger than expected, and the timeline to remediate is longer than the contract allows. This is avoidable if you start early.

Level 3: Advanced and Persistent Threats

Level 3 applies to a small subset of contractors working on the most sensitive programs. It adds 24 requirements selected from NIST SP 800-172, which addresses advanced persistent threats (APTs), on top of a Level 2 C3PAO certification that must already be in place. Level 3 assessments are government-led, conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by C3PAOs. Level 3 requirements arrive in the later phases of the rollout, so as of early 2025 no contract carries them yet.

CMMC applies to unclassified systems; classified work is governed separately. If you're not on a program whose CUI DoD has singled out as a high-value target, you won't need Level 3. If you are, you'll know, because DoD will tell you.

Need to Brief Your Board or Leadership on CMMC?

Carl delivers practical, experience-based keynotes on CMMC compliance, defense contractor cybersecurity, and what leadership needs to understand before an assessment. No vendor pitches—just the reality of what it takes.

Book Carl to Speak

Who Needs CMMC Compliance and When

CMMC requirements are written into contracts. Once the companion DFARS rule takes effect, expected in 2025, DoD solicitations will specify the required CMMC level and assessment type. Prime contractors must meet the requirement themselves and flow it down to subcontractors who handle FCI or CUI.

If you're a prime, you're responsible for ensuring your subs are compliant. If you're a sub, you need certification before the prime can award you work. This is not a grace period situation. The requirement is binary: you either have the certification at the required level, or you're not eligible.

The rollout is phased over three years from the DFARS rule's effective date. The first phase calls mainly for Level 1 and Level 2 self-assessments; C3PAO certification requirements follow a year later, Level 3 the year after that, and by the fourth phase every applicable solicitation and option period carries the requirement. Contractors who wait until they see the requirement in an RFP are already behind.

The practical question is: which level do you need? The answer depends on what information you handle. If you only touch FCI, Level 1. If you handle CUI, Level 2. If DoD says Level 3, you'll know. For most small and mid-sized contractors, the real question is not whether you need CMMC compliance, but whether you need a third-party assessment for Level 2. That depends on the sensitivity of the CUI, as determined by the DoD program office, not on contract value.

There's a detailed breakdown of these distinctions in my article on CMMC Level 1 vs Level 2, but the short version is: if you're unsure, assume Level 2 with third-party assessment. Plan for the higher bar, and you won't be caught short.

What the CMMC Assessment Process Actually Looks Like

The assessment process depends on your level. At Level 1, you self-assess annually against the 15 FAR requirements using DoD's Level 1 self-assessment guide, enter the result in SPRS, and a senior company official affirms it each year. Straightforward, but not trivial: that affirmation is made under False Claims Act liability.

At Level 2, if you're doing a self-assessment, you score yourself against all 110 NIST 800-171 requirements using the DoD Assessment Methodology. There is no per-control maturity scale: you start at 110 and subtract 1, 3, or 5 points for each requirement that is not implemented, weighted by how much it matters (MFA and FIPS-validated cryptography cost 5 points each; password complexity costs 1), so the result can run from -203 up to 110. That score is submitted to SPRS. Gaps and deficiencies are documented in a Plan of Action and Milestones (POA&M), which I've written about in detail here.

If you require a third-party assessment at Level 2, the process is more involved.

A certification assessment uses the same 110 requirements and the same scoring, but the outcome is fixed by the rule rather than negotiated per contract. Each requirement is marked MET or NOT MET. All 110 met earns Final Level 2 status. A score of at least 88 earns Conditional status, provided every open item qualifies for a POA&M: only 1-point requirements may be deferred, with one exception for the FIPS-validated cryptography requirement (SC.L2-3.13.11) when encryption is in place but not yet validated, and the physical-access and connection-control requirements carried over from Level 1 may never be deferred. The POA&M must be closed out, and the closure verified by the C3PAO, within 180 days or the conditional status expires. Anything below 88, or any disqualifying open item, means no certification. The rule is strict, but a single fixed bar for every contractor is what makes a certificate from one C3PAO comparable to one from another.
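The scoring arithmetic and the conditional-status rules above are easy to get wrong by hand, so here is an added example (my own illustration, not DoD or C3PAO tooling) that computes an SPRS score from a set of requirement statuses and decides whether the open items could go on a POA&M. The weight table is a constructed partial excerpt of the DoD Assessment Methodology's Annex A covering only the requirements used in the sample; a real tool must load all 110 rows. The sample status sets (READY and NOT_READY) are constructed, and any requirement not listed in them is treated as met.

```python
"""SPRS scoring and CMMC Level 2 conditional-status check.

Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at 110
and subtract each unimplemented requirement's weight (1, 3 or 5). The
conditional-status rules follow 32 CFR 170.21. Added example, not DoD tooling.
"""

MAX_SCORE = 110
CONDITIONAL_MIN = 88  # 80 % of 110, rounded up

# Weights from the DoD Assessment Methodology, Annex A.
# CONSTRUCTED PARTIAL TABLE: only the requirements used in the samples below
# are listed; a real tool must load all 110 rows.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.3": 1,
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5, "3.5.7": 1,
    "3.6.1": 5, "3.6.3": 1,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.11": 5, "3.14.1": 5,
}

# The methodology allows a reduced 3-point deduction for only two requirements:
# 3.5.3 (MFA in place for remote/privileged but not general users) and
# 3.13.11 (encryption in place but not FIPS-validated).
PARTIAL_ALLOWED = {"3.5.3", "3.13.11"}

# 32 CFR 170.21: these may never sit on a POA&M, whatever their weight.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement given its status: met, partial, not_met."""
    if status == "met":
        return 0
    if status == "not_met":
        return WEIGHTS[req]
    if status == "partial":
        if req not in PARTIAL_ALLOWED:
            raise ValueError(f"{req} cannot be scored as partial")
        return 3
    raise ValueError(f"unknown status {status!r} for {req}")


def sprs_score(statuses: dict) -> int:
    """Score to post in SPRS. Requirements absent from `statuses` count as met."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())


def conditional_status(statuses: dict) -> tuple:
    """Decide whether the open items may go on a POA&M for Conditional status.

    Returns (eligible, reasons); an empty reasons list means eligible.
    """
    reasons = []
    score = sprs_score(statuses)
    if score < CONDITIONAL_MIN:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN} floor")
    for req, status in statuses.items():
        if status == "met":
            continue
        if req in NEVER_POAM:
            reasons.append(f"{req} is never POA&M-eligible")
        elif req == "3.13.11" and status == "partial":
            continue  # the one multi-point exception the rule allows
        elif WEIGHTS[req] > 1:
            reasons.append(f"{req} is worth {WEIGHTS[req]} points; "
                           "only 1-point items may be deferred")
    return (not reasons, reasons)


# Constructed sample assessment results; requirements not listed are met.
READY = {"3.3.3": "not_met", "3.5.7": "not_met", "3.6.3": "not_met",
         "3.13.11": "partial"}
NOT_READY = dict(READY, **{"3.5.3": "not_met", "3.1.20": "not_met"})

if __name__ == "__main__":
    for name, result in (("READY", READY), ("NOT_READY", NOT_READY)):
        ok, why = conditional_status(result)
        print(f"{name}: score={sprs_score(result)} conditional={ok} {why}")
```

READY scores 104 and qualifies for Conditional status; NOT_READY still scores 98, comfortably above 88, yet fails on two separate grounds (an unimplemented 5-point MFA requirement and an open Level 1 requirement), which is the point: the score floor is necessary but nowhere near sufficient.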


Common Gaps and Where Contractors Struggle

I've reviewed dozens of CMMC readiness assessments, and the same issues surface repeatedly. These aren't exotic problems. They're foundational gaps that contractors either didn't know about or chose to defer.

Incomplete asset inventory: You can't protect what you don't know exists. Contractors routinely discover devices, cloud instances, or network segments during scoping that they didn't realize were in scope. If CUI has ever been on it, emailed to it, or accessible from it, it's in scope. So are the systems that protect those assets: the Level 2 scoping guide classes your identity provider, SIEM, EDR console and similar systems as Security Protection Assets, and they are assessed even though they never hold CUI.

Weak access control: NIST 800-171 (3.5.3) requires MFA for local and network access to privileged accounts and for network access to every other account, not just for the VPN. Many contractors have it on the VPN but not on internal systems, cloud apps, or domain admin logins. Role-based access control (RBAC) is another common gap: users have access they don't need, and no one has reviewed permissions in years.

Lack of logging and monitoring: NIST 800-171 requires audit logging and continuous monitoring. Contractors often have logs, but they don't review them, don't retain them long enough, or don't correlate them across systems. If you can't show evidence of monitoring, you can't demonstrate the control.

Inadequate incident response: Contractors have a plan, but it's not tested, not documented, or not specific to the CUI environment. Incident response isn't theoretical. Assessors will ask when you last ran a tabletop exercise and what you learned from it.

System Security Plan (SSP) disconnected from reality: The SSP is supposed to describe how your environment is configured and how you implement each control. Too often, it's a template document that doesn't reflect actual practice. Assessors compare the SSP to what they observe. Discrepancies are findings.

These gaps are fixable, but they take time. Contractors who start remediation six months before a contract deadline usually don't make it. The realistic timeline for Level 2 readiness, starting from a typical small contractor baseline, is 12-18 months. That includes scoping, gap analysis, remediation, documentation, and internal validation before you ever engage a C3PAO.


How to Prepare for CMMC Compliance

Preparation starts with understanding what you're actually required to do. Read the contract language. Identify which level applies. Understand whether you need third-party assessment or can self-assess. Don't guess.

Next, conduct a gap assessment. This is not a compliance audit. It's an honest internal review of where you are against the required controls. If you're aiming for Level 2, map your environment to all 110 NIST 800-171 controls. Document what's implemented, what's partially implemented, and what's missing. Be specific. "We have a firewall" is not evidence of SC.L2-3.13.6 (deny network traffic by default, allow by exception). You need to show how the firewall is configured, how rules are managed, and how you validate that only authorized traffic is allowed.
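As an added example of what "validate that only authorized traffic is allowed" can look like as evidence rather than a sentence, the script below (my own illustration, not from the page or any CMMC guide) reads a ruleset in `iptables-save` format, checks that the INPUT and FORWARD chains are deny-by-default, and compares every ACCEPT exception on INPUT against an allowlist transcribed from the SSP. The ruleset and the allowlist are constructed for a hypothetical CUI web server; the host, subnet and ports are assumptions.

```python
"""Check an iptables ruleset for deny-by-default and compare its exceptions
with the traffic the SSP authorises (SC.L2-3.13.6). Added example; the
ruleset and allowlist below are constructed, not taken from any real host.
"""
import shlex

# Constructed `iptables-save` output for a hypothetical CUI web server.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.20.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
COMMIT
"""

ANY = "0.0.0.0/0"

# Hypothetical allowlist transcribed from the SSP: (protocol, port, source).
# A source of 0.0.0.0/0 means the SSP authorises the service from anywhere.
AUTHORIZED = {
    ("tcp", "22", "10.20.0.0/24"),  # admin SSH from the management subnet
    ("tcp", "443", ANY),            # the public HTTPS service
}


def parse_rule(line: str) -> dict:
    """Reduce one '-A CHAIN ...' line to the match fields this check uses."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "proto": None, "dport": None,
            "source": ANY, "iface": None, "target": None, "ctstate": None}
    fields = {"-p": "proto", "--dport": "dport", "-s": "source",
              "-i": "iface", "-j": "target", "--ctstate": "ctstate"}
    i = 2
    while i < len(tokens):
        key = fields.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1  # options this check does not model (-m conntrack, etc.)
    return rule


def audit_filter_table(dump: str, authorized: set) -> dict:
    """Return the chain default policies and a list of findings for INPUT."""
    policies, findings = {}, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
                continue
            # Loopback and return traffic for established flows are plumbing,
            # not services; every other ACCEPT must be an authorised exception.
            if rule["iface"] == "lo" or rule["ctstate"]:
                continue
            key = (rule["proto"], rule["dport"], rule["source"])
            if key not in authorized:
                findings.append(f"ACCEPT not in SSP allowlist: {line}")
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) not in ("DROP", "REJECT"):
            findings.append(f"{chain} policy is {policies.get(chain)}, "
                            "not deny-by-default")
    return {"policies": policies, "findings": findings}


if __name__ == "__main__":
    for finding in audit_filter_table(SAMPLE_RULESET, AUTHORIZED)["findings"]:
        print("FINDING:", finding)
```

Run against the sample it flags exactly one thing, the RDP rule on 3389 that nobody wrote into the SSP. Kept under version control with the SSP allowlist and run on a schedule, a check like this is the kind of artifact an assessor can accept as evidence that the control is both implemented and validated; the same idea applies to a cloud security group export or an nftables dump with a different parser.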

Build or update your System Security Plan. The SSP is the cornerstone document for CMMC assessment. It describes your environment, your security boundaries, how CUI flows through your systems, and how each control is implemented. Assessors will live in this document. If it's generic, incomplete, or incorrect, the assessment will surface that immediately.

Remediate gaps in priority order. Start with the controls that are completely missing or that represent the highest risk. Access control, MFA, logging, and incident response are almost always priorities. Don't try to fix everything at once. Focus on getting the high-impact controls implemented and documented.

Test your controls before the assessment. Run internal audits. Conduct tabletop exercises. Review logs. Validate configurations. If you find something broken, fix it before the assessor does.

When you're ready, engage a C3PAO if third-party assessment is required. Don't wait until you're perfect—you won't be—but wait until you're confident that your environment reflects your documentation and that your score will meet the contract threshold.

For a more detailed breakdown of what readiness looks like in practice, I've written a separate guide on CMMC readiness that walks through the preparation process step by step.

What CMMC Compliance Costs and How Long It Takes

Cost and timeline depend on where you're starting from and which level you need. Level 1 self-assessment is inexpensive, mostly internal labor to review and document the 15 FAR requirements. Level 2 is a different story.

For a third-party Level 2 assessment, expect to pay a C3PAO between $15,000 and $50,000, depending on the size and complexity of your environment. That's just the assessment fee. The larger cost is remediation: hiring consultants, upgrading infrastructure, implementing tools, training staff, and building documentation. For small contractors starting from a low baseline, total cost to achieve Level 2 compliance can range from $100,000 to $300,000 or more.

Timeline is typically 12-18 months from decision to certification, assuming you're starting from a reasonable baseline. If you have significant infrastructure gaps—no MFA, no logging, no asset inventory—add time. If you're trying to compress the timeline because a contract is imminent, expect higher cost and more risk.

I've seen contractors try to shortcut this process. It doesn't work. Assessors are trained to spot shortcuts, and the consequences of a failed assessment are worse than the cost of doing it right the first time. You lose time, money, and contract eligibility.

There's a longer discussion of cost and timeline considerations in my article on CMMC compliance cost and timeline, but the bottom line is: plan early, budget realistically, and don't assume you can compress a 12-month process into three months because a contract appeared.

What Leadership Needs to Understand About CMMC

CMMC is not an IT problem. It's a business problem. If you're a defense contractor and you can't demonstrate CMMC compliance at the required level, you can't compete for contracts. That's not a technical issue—it's a strategic one.

Leadership needs to understand three things:

First, CMMC compliance is a prerequisite, not a differentiator. You don't win contracts because you're compliant. You lose them because you're not. The compliance threshold is rising, and contractors who were used to self-attestation are discovering that third-party assessment is far more rigorous. The companies that treated this as a checklist exercise are struggling. The ones that invested early are positioned to compete.

Second, this is a multi-year commitment. A Level 2 certification is valid for three years, but the controls have to be maintained continuously, and a senior company official must affirm in SPRS every year that they still are. You can't turn them on for the assessment and turn them off afterward. DoD can also send its own assessors from DCMA's DIBCAC to verify, and a false annual affirmation carries the same False Claims Act exposure as a false assessment. If you drift, you'll get caught, and the cost of remediation under contract pressure is far higher than maintaining compliance from the start.

Third, this affects your entire supply chain. If you're a prime, you're responsible for ensuring your subs are compliant. If you're a sub, you need certification before the prime can include you in a proposal. This creates a cascading requirement that flows down through multiple tiers. Contractors who don't take this seriously will find themselves excluded not just from prime contracts, but from subcontracting opportunities as well.

CMMC is forcing a maturity shift across the defense industrial base. The contractors who treat it as a compliance checkbox will struggle. The ones who build real security programs around it will be better positioned not just for DoD work, but for any regulated industry that demands demonstrated security maturity. That's the strategic opportunity embedded in this requirement—if you're willing to see it that way.
