CMMC 2.0 Compliance Guide: Requirements, Levels, and Costs

CMMC 2.0 compliance is now mandatory for defense contractors. The Cybersecurity Maturity Model Certification protects Controlled Unclassified Information (CUI) across the defense industrial base. Whether you are a startup or an established SMB, CMMC 2.0 compliance determines whether you can bid on DoD contracts. The final rule took effect December 16, 2024.

This CMMC 2.0 compliance guide covers all three certification levels, costs, and a practical 8-step roadmap. For context on how CMMC relates to NIST 800-171 and other cybersecurity compliance frameworks, see our related guides.

What Is CMMC 2.0?

CMMC 2.0 replaced the original five-level CMMC 1.0 model with a streamlined three-level structure. The Department of Defense developed CMMC to verify that contractors actually implement the cybersecurity practices they claim in their self-assessments. Before CMMC, contractors could self-attest to NIST 800-171 compliance with no verification. The result was widespread non-compliance that put sensitive defense information at risk.

According to the Department of Defense CIO, CMMC 2.0 compliance aligns directly with existing NIST standards:

  • Level 1 maps to 17 practices from FAR 52.204-21 (basic safeguarding)
  • Level 2 maps to all 110 controls in NIST SP 800-171 Rev 2
  • Level 3 adds 24 enhanced controls from NIST SP 800-172

📝 Note
CMMC 2.0 does not create new security requirements. It creates an accountability mechanism for requirements that already existed under DFARS 252.204-7012 and NIST 800-171.

The Three CMMC 2.0 Levels Explained

Level 1: Foundational

Level 1 applies to organizations handling Federal Contract Information (FCI) but not CUI. It requires implementation of 17 basic cybersecurity practices drawn from FAR 52.204-21.

Key practices include:

  • Limiting system access to authorized users
  • Controlling information posted on public systems
  • Identifying and authenticating users before granting access
  • Sanitizing or destroying media containing FCI before disposal
  • Physical access controls for organizational systems

Assessment: Annual self-assessment. No third-party audit required. Results must be uploaded to the Supplier Performance Risk System (SPRS).

Estimated cost: ,000 to ,000 for initial implementation, depending on organization size and existing security posture.

Level 2: Advanced

Level 2 targets organizations handling CUI and requires implementation of all 110 security controls from NIST SP 800-171 Rev 2. This is where most defense contractors will need to certify.

The 110 controls span 14 families:

  1. Access Control (22 controls)
  2. Awareness and Training (3 controls)
  3. Audit and Accountability (9 controls)
  4. Configuration Management (9 controls)
  5. Identification and Authentication (11 controls)
  6. Incident Response (3 controls)
  7. Maintenance (6 controls)
  8. Media Protection (9 controls)
  9. Personnel Security (2 controls)
  10. Physical Protection (6 controls)
  11. Risk Assessment (3 controls)
  12. Security Assessment (4 controls)
  13. System and Communications Protection (16 controls)
  14. System and Information Integrity (7 controls)

Assessment: For contracts involving prioritized CUI, a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required every three years. For non-prioritized CUI, annual self-assessment is permitted.

Estimated cost: ,000 to ,000 for full implementation. C3PAO assessments typically cost ,000 to ,000 depending on scope and organization complexity.

Level 3: Expert

Level 3 applies to organizations handling the most sensitive CUI and facing Advanced Persistent Threats (APTs). It builds on Level 2 by adding 24 controls from NIST SP 800-172.

These enhanced controls focus on:

  • Dual authorization for critical operations
  • Network segmentation to limit lateral movement
  • Threat hunting capabilities
  • Automated incident response actions
  • Hardware-based protections for CUI at rest

Assessment: Government-led assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Estimated cost: ,000 to million or more. Only a small percentage of contractors will need Level 3 certification.

CMMC 2.0 vs NIST 800-171: What Is Different?

Many defense contractors and SMBs ask why CMMC 2.0 compliance is necessary when NIST 800-171 already defines the same controls. The answer is accountability.

| Aspect | NIST 800-171 Self-Assessment | CMMC 2.0 |
|--------|------------------------------|----------|
| Requirements | 110 controls | Same 110 controls (Level 2) |
| Verification | Self-attestation | Third-party or government audit |
| Consequences | Contract clause, rarely enforced | Cannot bid on contracts without certification |
| POA&Ms | Unlimited open items allowed | Limited POA&Ms with 180-day remediation window |
| Scoring | SPRS score (-203 to 110) | Pass/fail with conditional status |

⚠ Warning
Under CMMC 2.0, a Plan of Action and Milestones (POA&M) is allowed only for specific controls. Certain critical controls cannot have open POA&Ms, meaning they must be fully implemented before certification. The 180-day remediation window is strict.

How to Prepare for CMMC 2.0 Compliance: 8-Step Roadmap

Step 1: Determine Your Required CMMC Level

Review your current and target DoD contracts. The required CMMC level will be specified in the solicitation. If you handle only FCI, Level 1 is sufficient. If you handle CUI, you need Level 2 at minimum.

Step 2: Define Your CUI Boundary

Map exactly where CUI enters, is processed, stored, and exits your environment. This defines your assessment scope. A smaller, well-defined boundary reduces both implementation cost and assessment complexity.

Step 3: Conduct a Gap Assessment Against NIST 800-171

Use a compliance automation platform or manual assessment to score your current implementation against all 110 controls. Be honest about your gaps. The NIST SP 800-171A assessment guide provides detailed assessment objectives for each control. Calculate your SPRS score to understand your starting point.
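As an added worked example (not part of this guide), here is the arithmetic behind the SPRS score this step asks you to calculate. It assumes the weighting of the DoD NIST SP 800-171 Assessment Methodology (1, 3 or 5 points per control, partial credit only for 3.5.3 and 3.13.11); the control weights listed and the gap-assessment findings are a constructed sample, not a real assessment.

```python
# Added example (not from the guide): score a gap assessment as the DoD
# NIST SP 800-171 Assessment Methodology does, as understood here: start
# at 110 and subtract each unmet control's weight (1, 3 or 5); all weights
# sum to 313, hence the -203..110 SPRS range. 3.5.3 (MFA) and 3.13.11
# (FIPS-validated crypto) lose 3 instead of 5 when partially implemented.
# WEIGHTS is an assumed subset; use the official table for a real run.
MAX_SCORE = 110
MIN_SCORE = -203
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # points lost when "partial"
WEIGHTS = {  # assumed subset of control weights (control ID -> points)
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5,
}
# Constructed findings for a fictional contractor: met / partial / not_met.
SAMPLE_FINDINGS = {
    "3.1.1": "met", "3.1.2": "met", "3.4.1": "met",
    "3.3.1": "not_met",    # no central audit log collection yet
    "3.5.3": "partial",    # MFA only for privileged and remote users
    "3.13.11": "partial",  # CUI encrypted, but not with FIPS-validated modules
    "3.14.1": "not_met",   # flaws identified but not remediated on a schedule
    "3.1.20": "not_met",   # external connections not verified or limited
}

def sprs_score(findings, weights=WEIGHTS):
    """Return (score, deductions), deductions being [(control, status, points)].
    "partial" earns credit only for PARTIAL_CREDIT controls; otherwise it is not_met."""
    score, deductions = MAX_SCORE, []
    for control, status in findings.items():
        if control not in weights:
            raise KeyError(f"no weight for control {control}")
        if status == "met":
            continue
        if status not in ("partial", "not_met"):
            raise ValueError(f"bad status {status!r} for {control}")
        points = weights[control]
        if status == "partial":
            points = PARTIAL_CREDIT.get(control, points)  # credit only for the two
        score -= points
        deductions.append((control, status, points))
    return max(score, MIN_SCORE), deductions

def gaps_by_weight(deductions):
    """Count open gaps per point value; the 5-point gaps are the ones to fix first."""
    counts = {5: 0, 3: 0, 1: 0}
    for _, _, points in deductions:
        counts[points] += 1
    return counts

if __name__ == "__main__":
    score, deductions = sprs_score(SAMPLE_FINDINGS)
    print(f"SPRS score: {score}/{MAX_SCORE}", gaps_by_weight(deductions))
```

Run against the sample findings the score comes out at 93, and the weight breakdown shows which gaps a POA&M should address first.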

Step 4: Build Your System Security Plan (SSP)

Document how each control is implemented in your environment. The SSP is not optional; it is a required artifact for your assessment. Include system boundaries, data flows, network diagrams, and control implementation descriptions.

Step 5: Create Your Plan of Action and Milestones (POA&M)

For any controls not yet fully implemented, document specific remediation actions with deadlines. Remember that under CMMC 2.0, certain controls cannot have open POA&Ms at the time of assessment.

Step 6: Implement Technical Controls

This is typically the most time-consuming and expensive step. Common gaps include:

  • Multi-factor authentication (MFA) for all CUI access
  • Encryption of CUI at rest and in transit (FIPS 140-2 validated)
  • Comprehensive audit logging and monitoring
  • Endpoint detection and response (EDR)
  • Vulnerability scanning and patch management processes

Step 7: Conduct an Internal Assessment

Before engaging a C3PAO, run a practice assessment using the CMMC assessment guide. Identify and fix any remaining gaps. Many organizations hire a Registered Practitioner (RP) or consultant to conduct a pre-assessment readiness review.

Step 8: Schedule Your C3PAO Assessment

Select a C3PAO from the Cyber AB marketplace. Plan ahead, as assessment availability can be limited. The assessment typically takes 1 to 3 weeks on-site depending on organization size. Results are valid for three years.

💡 Pro Tip
Start your CMMC preparation at least 12 to 18 months before you need certification. Organizations that rush implementation tend to spend more money and achieve weaker security outcomes. The average timeline from gap assessment to successful certification is 9 to 14 months.

Common CMMC 2.0 Compliance Mistakes

Underscoping the CUI boundary. Organizations often discover CUI in places they did not expect: email archives, shared drives, personal devices, and cloud storage. Conduct thorough data discovery before defining your scope.

Relying on self-assessment scores. Many contractors report SPRS scores of 90+ but would struggle under a third-party assessment. The gap between self-assessed and independently verified compliance is often significant.

Ignoring supply chain requirements. If your subcontractors handle CUI, they also need CMMC certification. Factor this into your timeline and contract negotiations.

Treating CMMC 2.0 compliance as an IT project. CMMC requires organizational commitment. Controls span hiring practices, physical security, training, incident response, and executive oversight. This is a business initiative, not just a technology deployment.

CMMC 2.0 Timeline and Key Dates

  • December 16, 2024: CMMC 2.0 final rule effective
  • Q1 2025: CMMC requirements begin appearing in new DoD solicitations (phased rollout)
  • 2025-2026: Increasing number of contracts require CMMC certification
  • 2028 (projected): Full implementation across all applicable DoD contracts

The DoD is implementing CMMC in phases. Not every contract will require certification immediately, but the trend is clear: contractors without certification will be excluded from an expanding range of opportunities.

How Much Does CMMC 2.0 Compliance Cost?

Total costs depend heavily on your starting point, organization size, and target level:

| Cost Category | Level 1 | Level 2 | Level 3 |
|--------------|---------|---------|---------|
| Gap Assessment | ,000-,000 | ,000-,000 | ,000-,000 |
| Remediation/Implementation | ,000-,000 | ,000-,000 | ,000-M+ |
| Technology (tools, software) | ,000-,000/yr | ,000-,000/yr | ,000-,000/yr |
| C3PAO Assessment | N/A (self-assess) | ,000-,000 | Government-led |
| Ongoing Maintenance | ,000-,000/yr | ,000-,000/yr | ,000-,000/yr |
| Typical Total (Year 1) | ,000-,000 | ,000-,000 | ,000-M+ |

✅ Key Takeaway
For small to mid-size defense contractors, the most cost-effective approach to CMMC Level 2 is using a managed security service provider (MSSP) that specializes in CMMC. An MSSP can typically reduce implementation costs by 30 to 50% compared to building everything in-house, while providing ongoing monitoring and maintenance.

Frequently Asked Questions

Who needs CMMC 2.0 compliance?

Any organization that contracts with the Department of Defense and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes prime contractors and subcontractors at all tiers. CMMC 2.0 compliance applies to the entire defense supply chain.

Can I self-assess for CMMC Level 2?

Only for contracts involving non-prioritized CUI. Contracts involving prioritized CUI require a third-party C3PAO assessment. The DoD determines the assessment type in each solicitation.

How long does CMMC certification take?

Most organizations need 9 to 14 months from initial gap assessment to successful certification at Level 2. Level 1 self-assessment can be completed in 1 to 3 months. The C3PAO assessment itself takes 1 to 3 weeks.

What happens if I fail a CMMC assessment?

You can develop a POA&M to address gaps (for allowed controls) and receive a conditional certification status. You then have 180 days to remediate and pass a reassessment. During this period, you can still compete for contracts.

How often do I need to recertify?

Level 1 requires annual self-assessment. Level 2 C3PAO assessments are valid for three years, with annual affirmation required. Level 3 government assessments follow a similar three-year cycle.

Does CMMC apply to commercial off-the-shelf (COTS) products?

No. COTS suppliers are generally exempt from CMMC requirements. The certification applies to organizations that handle CUI or FCI as part of contract performance, not to commercial product sales.

James Mitchell
Author