CMMC stands for Cybersecurity Maturity Model Certification, a Department of Defense program that requires defense contractors to meet specific cybersecurity standards before they can win or keep federal contracts. If your company handles sensitive government data, even as a subcontractor, CMMC determines what security controls you need in place and how you prove it. The first phase of implementation began on November 10, 2025, so this is no longer a future requirement.
Why CMMC Exists
Before CMMC, defense contractors were expected to self-certify that they met cybersecurity requirements. Many didn’t actually meet them. The DoD created CMMC to add verification to the process, ensuring that companies handling government information actually have the protections they claim. The program ties cybersecurity directly to contract eligibility: no certification, no contract.
The Three CMMC Levels
CMMC uses a tiered system. The level you need depends on the type of information your company handles.
Level 1: Basic Safeguarding
Level 1 applies to companies that handle Federal Contract Information (FCI), which is any information the government provides or generates under a contract that isn’t meant for public release. This covers the vast majority of DoD contractors. The requirements correspond to the basic safeguarding rules in FAR Clause 52.204-21, which include limiting who can access your systems, using antivirus software, and training employees on security basics. Level 1 requires an annual self-assessment, meaning your company evaluates its own compliance and submits the results. No outside auditor is involved.
Level 2: Protecting Controlled Unclassified Information
Level 2 is where things get significantly more demanding. It applies to companies handling Controlled Unclassified Information (CUI), a broad category that includes technical drawings, engineering data, export-controlled information, and other sensitive but unclassified material. Level 2 requires compliance with all 110 security controls in NIST SP 800-171 Revision 2, a framework published by the National Institute of Standards and Technology. These controls cover 14 security domains including access control, incident response, system and communications protection, and audit logging.
The assessment method at Level 2 depends on what type of CUI you handle. If the CUI falls into a “Defense Organizational Index Grouping,” a category the DoD uses to flag more sensitive information, you need a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). If your CUI doesn’t fall into that grouping, you can perform a self-assessment instead. Your contracting officer and the specific contract language will tell you which path applies.
Level 3: Enhanced Protection
Level 3 is reserved for contractors handling CUI that requires the highest level of protection, typically companies working on the most sensitive defense programs. It builds on Level 2 by adding requirements from a subset of NIST SP 800-172, which addresses advanced persistent threats (sophisticated, sustained cyberattacks often associated with nation-state actors). Level 3 assessments are conducted directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government body, not a third-party auditor.
How Assessments Work
Each CMMC level is assessed independently. You don’t “graduate” from one level to the next; you certify at the level your contracts require.
For Level 1, you conduct a self-assessment annually and submit the results to the Supplier Performance Risk System (SPRS), a DoD database. A senior company official must affirm the results. For Level 2 with a C3PAO assessment, the certification is valid for three years, with annual affirmations required in the interim. The C3PAO sends assessors to review your documentation, interview staff, and examine your technical environment. For Level 3, the government itself performs the assessment through DIBCAC, and the process is similarly triennial with annual affirmations.
Before any formal assessment, most companies conduct an internal gap analysis to identify where their current security posture falls short. This step is critical because failing an assessment doesn’t just delay certification. It can mean losing contract eligibility while you remediate and reassess.
Implementation Timeline
CMMC is rolling out in four phases over three years. Phase 1, which started November 10, 2025, focuses primarily on Level 1 and Level 2 self-assessments. This means CMMC clauses are already appearing in new DoD solicitations and contracts. Each subsequent phase adds requirements incrementally, with full implementation of all program requirements expected by Phase 4. If you’re a defense contractor or subcontractor, the time to prepare is now, not when a contracting officer tells you a specific contract requires it.
What Compliance Actually Costs
Costs vary enormously depending on your CMMC level, the size of your organization, and how far your current cybersecurity practices are from the requirements. The DoD itself has published estimated assessment costs that give a useful baseline.
For Level 1, the assessment alone runs an estimated $4,000 to $6,000. If you bring in a consultant to help prepare, expect around $9,000 for 36 to 40 hours of work at typical rates of $250 per hour, plus travel expenses. Annual maintenance costs for continuous monitoring services run $6,500 to $13,000.
Level 2 is where costs jump. A gap assessment typically runs $3,500 to $20,000. Remediation, the actual work of fixing security gaps and implementing missing controls, ranges from $35,000 to $115,000. If you need to create a CUI enclave (a segmented part of your network specifically configured to protect controlled information), expect to pay $300 to $400 per user per month, or $3,000 to $4,000 per month for more complex setups. The formal C3PAO certification assessment itself costs an estimated $105,000 to $118,000 over a three-year cycle, including the triennial assessment and two annual affirmations. Even the self-assessment path runs $37,000 to $49,000 over three years. Add $6,500 to $13,000 annually for monitoring tools and $15 to $25 per user for ongoing employee training.
Level 3 is the most expensive. Remediation and implementation alone can cost $50,000 to $250,000, with specialized consulting adding another $50,000 to $300,000. Annual maintenance runs $25,000 to $100,000, covering continuous monitoring, managed security providers, updates, and training. Including the Level 2 assessment costs that are a prerequisite, the DoD estimates total Level 3 assessment costs at $146,000 to $159,000.
All told, total CMMC certification costs range from roughly $21,000 for a small company at Level 1 to over $1 million for a large organization pursuing Level 3 with significant gaps to close.
Who Needs CMMC Certification
Any company that contracts directly with the DoD or serves as a subcontractor on a DoD contract will eventually need CMMC certification at some level. If your company touches FCI in any form, Level 1 is the floor. If you handle CUI, and many contractors do without fully realizing it, Level 2 or Level 3 applies. Prime contractors are responsible for flowing down CMMC requirements to their subcontractors, so even small firms deep in the supply chain are affected.
The specific level your company needs will be spelled out in individual contracts. You won’t see a single blanket requirement across all DoD work. Instead, each solicitation will include the CMMC level required based on the sensitivity of the information involved.
Steps to Prepare
Start by identifying what type of information you handle. If you’re unsure whether your company processes CUI, review your existing contracts for references to DFARS Clause 252.204-7012, which governs CUI protection requirements. Your contracting officer can clarify.
Next, scope your environment. Determine which systems, networks, and people interact with FCI or CUI. Many companies reduce compliance costs by segmenting their network so that CUI only flows through a defined enclave rather than the entire IT infrastructure. Fewer systems in scope means fewer controls to implement and maintain.
Conduct a gap assessment against the relevant standard. For Level 1, that means the 17 practices in FAR 52.204-21. For Level 2, it means all 110 controls in NIST SP 800-171 Rev 2. Document every gap and build a remediation plan with realistic timelines. Many of the 110 controls at Level 2 require not just technical tools but written policies, documented procedures, and evidence of consistent practice.
Finally, build compliance into your operations rather than treating it as a one-time project. CMMC requires ongoing maintenance: continuous monitoring, regular training, annual affirmations, and periodic reassessment. Companies that treat certification as a checkbox find themselves scrambling when reassessment time arrives.