The CMMC framework is now a contractual requirement, not a recommendation. As of November 10, 2025, the Department of Defense began inserting CMMC clauses into new contracts and solicitations under the finalized 48 CFR DFARS rule. Defense contractors that handle Federal Contract Information or Controlled Unclassified Information must hold a current CMMC certification at the required level to win awards. The big inflection point comes November 10, 2026, when most contracts touching CUI will require third-party CMMC Level 2 certification before award.
If you supply the DoD, directly or as a subcontractor, CMMC compliance now sits on the critical path between you and your next contract. This guide explains what the CMMC framework is, where it came from, what each level requires, what assessment actually looks like, what it costs, and where contractors trip up.
What the CMMC framework actually is
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense’s framework for verifying that contractors in the Defense Industrial Base (DIB) protect two categories of sensitive information. The framework defines the maturity levels, the control sets contractors must implement, the assessment methodology, the scoring system, and the certification roles. It then becomes a compliance obligation when DFARS clauses embed it into specific contracts.
The framework protects two information categories. The first is Federal Contract Information (FCI) — information provided by or generated for the government under a contract that is not intended for public release. The second is Controlled Unclassified Information (CUI) — information the government creates or possesses that requires safeguarding under law, regulation, or government-wide policy. CUI is unclassified but sensitive. Examples include technical drawings, export-controlled data, and procurement details.
The CMMC framework does three things existing rules did not. It requires independent verification through third-party assessment for most contracts handling CUI. It assigns a specific maturity level to each contract based on the sensitivity of information involved. And it ties contract eligibility directly to a contractor’s CMMC status posted in the Supplier Performance Risk System (SPRS).
The framework formalizes what the DoD has wanted for years: a way to confirm that contractors actually implement the security controls they have been self-attesting to since DFARS 252.204-7012 took effect in 2017.
Why the CMMC framework exists
The DoD built CMMC because the honor system stopped working. Defense contractors had been required to implement the 110 security controls in NIST SP 800-171 since 2017 under DFARS 252.204-7012, but they only had to self-attest. Audits revealed widespread gaps. Cyber incidents in the defense supply chain kept escalating. Adversary nation-states harvested technical data from cleared contractors who claimed compliance they did not have.
The first version of CMMC launched in January 2020 with five levels and mandatory third-party assessment for everyone. Industry pushback over cost and complexity led the DoD to redesign the program. CMMC 2.0, announced in November 2021, collapsed five levels to three and reintroduced self-assessment for the lowest tier and a subset of Level 2 contracts.
The program rule (32 CFR Part 170) was finalized in October 2024 and took effect December 2024. The acquisition rule (48 CFR, codified in DFARS) was finalized September 10, 2025 and became effective November 10, 2025. That second rule is what made CMMC compliance a legally enforceable contract condition.
The three CMMC framework levels
The CMMC framework assigns each contract one of three levels based on the type and sensitivity of information involved. The level determines which controls you must implement and how the DoD verifies your implementation.
Level 1 in practice
Level 1 is the floor. It applies to contracts where you handle FCI but no CUI. The 15 controls cover password use, restricting access to authorized users, escorting visitors, sanitizing media before disposal, and basic network protection. You self-assess annually, score yourself, and post the result to SPRS along with a senior official’s affirmation. There is no audit, but there is also no slack — the affirmation is a legal attestation, and false attestations expose your company to False Claims Act liability.
Level 2 is where most contractors land
Level 2 is the heart of CMMC compliance. It maps directly to NIST SP 800-171 Revision 2 — all 110 controls across 14 families, with 320 specific assessment objectives. The DoD splits Level 2 into two assessment pathways.
Level 2 (C3PAO) is a triennial assessment by an accredited Certified Third-Party Assessment Organization. The vast majority of Level 2 contracts will require this. Certifications are valid for three years, and you submit annual continuous-compliance affirmations to SPRS during that window.
Level 2 (Self) is an annual self-assessment, permitted only for a smaller subset of contracts that the program office designates as lower-risk. Self-assessment results also post to SPRS with senior official affirmation. Critically, DFARS 252.204-7012 has already required NIST 800-171 self-assessment since 2017 — if you have a DoD contract today, you already owe the underlying technical work. CMMC just adds verification on top.
Level 3 is rare and government-assessed
Level 3 targets contracts involving CUI most sensitive to national security — typically prime contractors on high-priority programs. It requires all 110 Level 2 controls plus 24 enhanced requirements from NIST SP 800-172, which addresses advanced persistent threats specifically. Assessment is government-led: the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at the Defense Contract Management Agency conducts the audit. A C3PAO cannot certify you at Level 3. You must already hold Final Level 2 (C3PAO) status for the same scope before attempting Level 3.
The 14 control families behind CMMC Level 2
The CMMC framework organizes its Level 2 controls into 14 families inherited directly from NIST SP 800-171 Rev. 2. Understanding the families gives you a map of what assessors will look at and where contractors typically have gaps.
Where contractors fail most often: Access Control (AC) and System & Communications Protection (SC) are the largest families and the deepest gap areas. Multi-factor authentication coverage is the single most common gap. Boundary protection — proper segmentation between CUI and non-CUI systems — runs a close second.
How CMMC assessments actually work
The assessment process has structure you can plan around. Most contractors targeting Level 2 (C3PAO) follow roughly the same path.
Step 1: Define your assessment scope
Scope is the first decision and the one most contractors get wrong. CMMC assessment scope is not “everything in your company.” It is the set of information systems and assets that process, store, or transmit FCI or CUI, plus systems that provide security functions to those systems. Defining a tight, well-segmented scope can cut your control implementation burden dramatically. Defining it poorly inflates your costs by an order of magnitude.
Step 2: Build your System Security Plan and POA&M
Your System Security Plan (SSP) documents how you implement each of the 110 controls. The SSP is the central artifact assessors review. A weak SSP fails assessments before any technical review begins. The Plan of Action and Milestones (POA&M) documents controls not yet fully implemented and your timeline to close them.
Step 3: Run a pre-assessment gap analysis
Run a NIST 800-171 self-assessment using the DoD assessment methodology. Score yourself honestly. The methodology assigns point values — 5 points for high-impact requirements, 3 for medium, 1 for standard — starting from a maximum of 110 and deducting for unmet controls. For Level 2, the minimum score required to pursue conditional certification is 88 out of 110, with full implementation required for final status.
Step 4: Engage a C3PAO
A C3PAO is an organization accredited by The Cyber AB (formerly the CMMC Accreditation Body) to conduct CMMC Level 2 assessments. The list of authorized C3PAOs is published and growing. Choose based on industry experience, scheduling availability, and price — assessment quality varies, and the assessor’s familiarity with your sector matters.
Step 5: Complete the assessment
A C3PAO assessment reviews evidence, conducts interviews, and tests technical controls against the 110 requirements and 320 objectives. Findings result in one of three outcomes.
Final Level 2 (C3PAO) — all controls met, certificate valid three years.
Conditional Level 2 (C3PAO) — minimum 80% of objectives met, remaining gaps documented in a POA&M that must be closed within 180 days. After closure, a POA&M closeout assessment converts conditional status to final.
Failure — score below threshold or critical controls unmet. Re-assessment required.
Six controls are not allowed on a POA&M at any score, including the SSP itself. These are designated “high-value” requirements that must be fully implemented before any conditional certification.
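A constructed scoring helper for Steps 3 and 5 above, added here and not part of the article or of any DoD tool: it applies the 5/3/1-point deductions from 110, the 88-point floor for Conditional status, the 180-day POA&M closeout window, and the rule that the SSP cannot be placed on a POA&M. The requirement identifiers and weights are sample data, not the DoD's actual weighting table.

```python
"""Constructed model of the DoD assessment scoring and CMMC Level 2 outcome
rules as this article states them: start at 110, deduct 5/3/1 points per
unmet requirement, 88 is the floor for Conditional status, full implementation
is needed for Final, and some requirements (the SSP among them) can never sit
on a POA&M. Requirement ids and weights are sample data, not DoD's table."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110         # perfect score: no deductions
CONDITIONAL_MIN = 88    # minimum score to pursue Conditional Level 2 (C3PAO)
POAM_CLOSEOUT = timedelta(days=180)


@dataclass(frozen=True)
class Requirement:
    rid: str            # sample identifier, not a real NIST SP 800-171 number
    weight: int         # 5 (high), 3 (medium) or 1 (standard) points
    poam_allowed: bool  # False for requirements that cannot be on a POA&M


# Constructed subset of a catalogue; met requirements deduct nothing, so a
# partial catalogue still scores the gap list correctly.
SAMPLE_CATALOGUE = [
    Requirement("AC-01", 5, True), Requirement("AC-02", 3, True),
    Requirement("IA-01", 5, True), Requirement("SC-01", 5, True),
    Requirement("SC-02", 3, True), Requirement("CM-01", 3, True),
    Requirement("AT-01", 1, True), Requirement("AU-01", 1, True),
    Requirement("MP-01", 1, True),
    Requirement("SSP-01", 3, False),  # the SSP itself: never POA&M-eligible
]


def sprs_score(catalogue, unmet):
    """Deduct each unmet requirement's weight from the 110-point maximum."""
    by_id = {r.rid: r for r in catalogue}
    unknown = set(unmet) - by_id.keys()
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    return MAX_SCORE - sum(by_id[rid].weight for rid in set(unmet))


def level2_outcome(catalogue, unmet):
    """Return (outcome, score, blockers) per the article's three outcomes."""
    by_id = {r.rid: r for r in catalogue}
    score = sprs_score(catalogue, unmet)
    blockers = sorted(rid for rid in set(unmet) if not by_id[rid].poam_allowed)
    if not unmet:
        return "Final", score, []
    if score >= CONDITIONAL_MIN and not blockers:
        return "Conditional", score, []
    return "Failure", score, blockers


def poam_closeout_deadline(conditional_issued: str) -> str:
    """ISO date by which a Conditional certificate's POA&M must be closed."""
    return (date.fromisoformat(conditional_issued) + POAM_CLOSEOUT).isoformat()
```

Running `level2_outcome` over your own gap list with your own catalogue shows at a glance whether a POA&M is even available or whether a blocker requirement forces remediation before the assessment.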
Step 6: Post status to SPRS and affirm continuously
Your certification status, CMMC Unique Identifier (UID), and annual continuous-compliance affirmations all live in the Supplier Performance Risk System (SPRS). Contracting officers check SPRS before awarding contracts. No current status in SPRS at the required level means no award. The affirming official at your company is legally responsible for the affirmations, and false affirmations expose the company to False Claims Act liability — a risk that has already produced settlements against contractors who lied about NIST 800-171 compliance.
The phased rollout timeline
The DoD designed CMMC compliance to phase in over three years rather than land all at once. Understanding which phase applies to your contract type determines how urgent your preparation is.
The phased rollout creates a strategic question for every contractor: do you wait until your contract type triggers CMMC, or get certified early? Three factors push toward early certification. First, prime contractors are flowing requirements down ahead of the formal timeline — many primes are already requiring proof of Level 2 readiness from subs to stay on their bid lists. Second, C3PAO capacity is finite. There are not enough authorized assessors to certify every contractor in the DIB simultaneously, and the queue lengthens as deadlines approach. Third, certification takes 6 to 18 months of preparation if you are starting from a NIST 800-171 baseline that is not yet fully implemented. Waiting until Phase 2 to start is already late.
What CMMC compliance costs
Cost ranges widely based on your starting posture, scope, and target level. The most honest numbers from current assessment firms break down roughly as follows.
Level 1 self-assessment costs are minimal if you already have basic IT security in place — primarily staff time to document and submit. Plan on $5,000 to $15,000 in consulting or internal labor for a clean submission.
Level 2 self-assessment runs $20,000 to $50,000 for gap analysis, remediation, and documentation, with no audit fee. This path is only available for the subset of contracts the DoD designates lower-risk.
Level 2 C3PAO assessment is where most contractors will land. Total cost over the three-year certification cycle ranges from $34,000 to $112,000 for the assessment itself, plus often substantial remediation costs to close gaps before the audit. For a small contractor starting near zero, total Year 1 cost — gap analysis, technology investments, documentation, training, and the assessment — frequently runs $100,000 to $250,000.
Level 3 DIBCAC assessment runs into the hundreds of thousands to low millions, driven primarily by the 24 enhanced NIST 800-172 controls. This is enterprise-scale spending, in line with the prime-contractor scale of most Level 3 candidates.
Cloud service providers handling CUI must meet FedRAMP Moderate authorization or demonstrate FedRAMP Equivalent security. This is a material consideration for any contractor using Microsoft 365, Google Workspace, or similar — the standard commercial tenants do not meet the requirement, and migration to GCC High or equivalent adds significant cost.
How to prepare for CMMC compliance
A practical preparation path looks like this.
Map your information flow
Identify every system that processes, stores, or transmits FCI or CUI. Walk the data physically and logically. Email, file shares, project management tools, CAD systems, manufacturing equipment, contractor laptops — anywhere CUI touches is in scope.
Run a NIST 800-171 gap assessment
Use the DoD assessment methodology and score yourself against the 110 controls. The output is your current SPRS score and a prioritized remediation list. If you have not done this since 2017, you owe it under DFARS 252.204-7012 regardless of CMMC.
Build the SSP and POA&M
These are not optional and not bureaucratic theater. The SSP is the single most-reviewed artifact in any assessment. A complete SSP describes how each of the 110 controls is implemented in your specific environment — not a copy-pasted template. The POA&M catalogs gaps and your timeline to close them.
Consider scope reduction strategies
The single biggest cost lever in CMMC compliance is scope. Many contractors significantly reduce their assessment burden by creating a dedicated enclave — often using FedRAMP-authorized cloud environments like Microsoft GCC High — where CUI lives and the rest of the company stays out of scope. This is more expensive in cloud spend but dramatically cheaper in audit scope.
Engage support early
Consider a Registered Provider Organization (RPO) for preparation help. RPOs are accredited by The Cyber AB to provide consulting services, though they cannot conduct certification assessments. A Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA) brings individual expertise to your team.
Verify subcontractor compliance
If you are a prime, you are responsible for ensuring subcontractors hold the required CMMC level. The DoD will not share subcontractor SPRS data with you, so verification falls on the relationship between prime and sub. Build this into your subcontract templates and supplier qualification processes now.
Where contractors trip up
Three patterns repeat across failed or delayed CMMC assessments:
Underestimating scope
Contractors define scope based on what they want to be in scope rather than where CUI actually flows. Email systems that handle attachments with CUI are in scope. Employee laptops that touch those emails are in scope. Personal mobile devices used for work email — almost always in scope, almost always overlooked.
Treating documentation as paperwork
The SSP, POA&M, policies, and procedures are not afterthoughts. Assessors test whether documented processes match operational reality. A polished SSP describing controls you do not actually implement is worse than no documentation — it constitutes a false affirmation.
Confusing Rev. 2 and Rev. 3 of NIST 800-171
NIST published NIST SP 800-171 Revision 3 in May 2024, restructuring control families and updating requirements. CMMC compliance still uses Revision 2 as the assessment baseline. Contractors who built programs against Rev. 3 first will find “unmet” controls under Rev. 2 during assessment. DoD has signaled that a future rulemaking will migrate CMMC to Rev. 3, but no timeline exists. Implement Rev. 2 now, track Rev. 3 changes for future readiness.
FAQ
Who needs CMMC compliance? Any organization in the Defense Industrial Base that holds, will hold, or wants to bid on DoD contracts involving FCI or CUI. This includes primes, subcontractors at every tier, and most cloud and managed service providers serving DoD contractors. Commercial off-the-shelf-only contracts are exempt.
Does the CMMC framework apply to non-DoD federal contracts? Not directly, though similar requirements are spreading. NIST SP 800-171 itself applies broadly to CUI on nonfederal systems regardless of agency. Several civilian agencies have moved toward CMMC-like verification, but as of 2026 CMMC is a DoD program.
What if I already have ISO 27001 or SOC 2? Neither maps cleanly to CMMC Level 2. ISO 27001 is broader and less prescriptive about specific controls. SOC 2 is built around the AICPA Trust Services Criteria, not NIST 800-171. The certifications signal mature security practice but do not substitute for CMMC assessment.
Can I become a C3PAO myself? C3PAO accreditation is awarded by The Cyber AB after a rigorous application process including independent audit. Individual practitioners earn the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) designations through training and exams administered by The Cyber AB.
What happens if I lose certification mid-contract? A lapse in CMMC status during contract performance creates non-compliance risk and potential contract termination. The contract clause requires you to maintain current certification at the required level throughout the contract period of performance.
Will CMMC apply to FedRAMP cloud providers? Cloud service providers that store, process, or transmit CUI for DoD contractors must meet FedRAMP Moderate authorization or demonstrate FedRAMP Equivalent security. This is separate from CMMC certification but often required alongside it.
The bottom line on CMMC compliance
The CMMC framework is the rule now. The window for treating it as a future concern closed November 10, 2025. The window for treating it as manageable rather than urgent closes November 10, 2026 — eighteen months from this article’s publication — when most contracts touching CUI will require third-party certification before award.
If you handle FCI only, Level 1 is straightforward and you should have self-assessed and posted to SPRS already. If you handle CUI and have not begun preparing, start with a NIST 800-171 gap assessment this quarter. C3PAO scheduling, remediation work, and documentation cycles consume time you do not have to spare. Subcontractors should expect prime contractors to require proof of readiness well ahead of the formal Phase 2 deadline.
The defense supply chain is the most heavily attacked sector of the U.S. economy. The CMMC framework is the DoD’s bet that verified security across that supply chain will close gaps that decades of self-attestation never did. Whether the bet pays off in better national security outcomes is debatable. What is not debatable is that contractors who treat the program as optional will lose business.