CMMC 2.0 Compliance Guide: Requirements, Levels, and Costs

TL;DR

  • CMMC 2.0 has three levels: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, annual self-assessment), Level 2 (the 110 NIST SP 800-171 Rev. 2 requirements, C3PAO certification or self-assessment depending on the contract), Level 3 (Level 2 plus 24 enhanced requirements from NIST SP 800-172, government-led DIBCAC assessment).
  • The final rule under 32 CFR Part 170 took effect December 16, 2024; CMMC requirements are being introduced into contracts in phases through at least 2028.
  • CMMC does not invent new controls. It adds mandatory verification on top of requirements that already existed under DFARS 252.204-7012 and NIST SP 800-171.
  • A Plan of Action and Milestones (POA&M) is allowed at Level 2 only for a defined subset of requirements and only when the assessment score is at least 88 of 110; higher-weighted requirements must be fully implemented before assessment. A conditional certification gives 180 days to close the POA&M.
  • Organizations with no prior compliance program should allow 12 to 18 months before the contract date when they need certification.

Who this is for

This guide is for defense contractors, subcontractors, and their compliance teams who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and need to understand what CMMC 2.0 requires, which level applies to their contracts, and how to plan a realistic path to certification.


What Is CMMC 2.0?


The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that verifies defense contractors actually implement the cybersecurity controls they claim to have in place.

Before CMMC, contractors self-attested to compliance with NIST SP 800-171 under the existing DFARS 252.204-7012 clause. That self-attestation model produced widespread non-compliance, with contractors reporting high SPRS scores that third-party assessors later contradicted. CMMC replaces self-attestation with third-party verification for higher-risk contracts.

CMMC 2.0 collapsed the five-level CMMC 1.0 model into three levels and tied each level to an existing requirement set: FAR 52.204-21 at Level 1, NIST SP 800-171 at Level 2, and NIST SP 800-172 at Level 3. The CMMC-unique practices and process-maturity requirements of 1.0 were dropped.

The CMMC Program Office at DoD CIO is the authoritative source for current policy. The accreditation body overseeing C3PAO certification is the Cyber AB.

📝 Note
CMMC 2.0 does not create new security requirements. It creates an accountability mechanism for requirements that already existed under DFARS 252.204-7012 and NIST SP 800-171. Contractors who have been accurately self-assessing against those standards are already implementing the right controls; the change is that someone will now verify it.

FCI vs. CUI: The Scope Question

Before determining your CMMC level, you need to know what type of information you handle.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service to the government, not intended for public release. Most organizations that have any DoD contract handle at least some FCI.

Controlled Unclassified Information (CUI) is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls. Categories relevant to defense work include controlled technical information, export-controlled information, and sensitive procurement information. The National Archives CUI Registry defines the full list of categories and their markings.

Which of these you handle determines your minimum CMMC level:

  • FCI only, no CUI: Level 1
  • CUI present anywhere in scope: Level 2 minimum
  • High-value CUI with APT exposure: Level 3 (government-designated)

The Three CMMC 2.0 Levels Explained

Level 1: Foundational

Level 1 applies to organizations handling FCI but not CUI. The requirement is to implement the 15 basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 counted them as 17 practices; 32 CFR Part 170 uses the FAR's own count).

Those practices cover:

  • Limiting system access to authorized users and processes
  • Controlling information posted or processed on publicly accessible systems
  • Identifying and authenticating users before granting system access
  • Sanitizing or destroying media containing FCI before disposal or reuse
  • Maintaining physical access controls for organizational systems

Assessment method: Annual self-assessment. No third-party audit is required. The contractor's senior official must affirm the assessment results and submit the score to the Supplier Performance Risk System (SPRS).

Cost range: Implementation costs are typically the lowest at this level, driven primarily by staff time and any missing basic access controls. No C3PAO fee applies.

Level 2: Advanced

Level 2 applies to organizations handling CUI. It requires full implementation of all 110 security controls across 14 domains from NIST SP 800-171 Rev. 2:

  1. Access Control (22 controls)
  2. Awareness and Training (3 controls)
  3. Audit and Accountability (9 controls)
  4. Configuration Management (9 controls)
  5. Identification and Authentication (11 controls)
  6. Incident Response (3 controls)
  7. Maintenance (6 controls)
  8. Media Protection (9 controls)
  9. Personnel Security (2 controls)
  10. Physical Protection (6 controls)
  11. Risk Assessment (3 controls)
  12. Security Assessment (4 controls)
  13. System and Communications Protection (16 controls)
  14. System and Information Integrity (7 controls)

Assessment method: Two paths exist under 32 CFR Part 170:

  • Prioritized acquisition contracts (those the DoD designates as involving sensitive CUI): third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB. Certification is valid for three years, with annual affirmation required.
  • Non-prioritized contracts: annual self-assessment remains available. Results still go to SPRS.

Whether your contract requires a C3PAO assessment is stated in the solicitation and contract; the DoD, not the contractor, makes that determination. When planning ahead of a solicitation, assume that work on sensitive defense programs will require a C3PAO certification.

Note on NIST SP 800-171 Rev. 3: NIST published Rev. 3 in May 2024, expanding to 17 control families. The 32 CFR Part 170 rule references Rev. 2 as the baseline, but contractors preparing for long-term compliance should review Rev. 3 to understand where requirements are heading.

Level 3: Expert

Level 3 applies to organizations handling the most sensitive CUI and operating in environments with exposure to Advanced Persistent Threats (APTs). The DoD designates which programs require Level 3; contractors do not self-select into it.

Level 3 builds on all 110 Level 2 requirements and adds 24 enhanced requirements that the DoD selected from NIST SP 800-172 (published February 2021) during rulemaking.

Enhanced controls at Level 3 focus on:

  • Dual authorization requirements for specific sensitive operations
  • Network segmentation to limit lateral movement after a breach
  • Proactive threat hunting capabilities
  • Automated or expedited incident response actions
  • Hardware-based protection mechanisms for CUI at rest

Assessment method: Government-led assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The contractor must hold a valid Level 2 C3PAO certification before a Level 3 assessment can proceed. Only a small fraction of DoD contractors will be required to pursue Level 3.


CMMC 2.0 vs. NIST SP 800-171 Self-Assessment


Many contractors ask why CMMC 2.0 is necessary when NIST SP 800-171 already applies through DFARS 252.204-7012. The controls are the same. What changed is the enforcement mechanism.

Aspect               | NIST 800-171 Self-Assessment (pre-CMMC)          | CMMC 2.0
---------------------|--------------------------------------------------|----------------------------------------------------------
Requirements         | 110 controls (Rev. 2)                            | Same 110 controls at Level 2
Verification         | Self-attestation only                            | Third-party C3PAO assessment for prioritized contracts
Consequences         | Contract clause, rarely enforced on its own      | Cannot win contracts without the required certification
POA&Ms               | Open items historically tolerated without limit  | Allowed for specific controls only; higher-weighted controls must be fully implemented
Remediation window   | No defined window                                | 180 days for conditional certification
Scoring destination  | SPRS score submission via DFARS 252.204-7019     | SPRS score plus CMMC status and annual affirmation

The DFARS clauses that work alongside CMMC are:

  • DFARS 252.204-7012: Core CUI safeguarding clause. Requires NIST SP 800-171 implementation, reporting of cyber incidents to the DoD within 72 hours of discovery at dibnet.dod.mil, and use of cloud services that meet the FedRAMP Moderate baseline or equivalent for covered defense information. Applies to nearly all DoD contracts other than COTS-only procurements.
  • DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment requirements. To be considered for award, an offeror must have a current Basic Assessment score (not more than three years old) posted in SPRS.
  • DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements clause. Requires the contractor to give the DoD access for Medium and High assessments, to keep a current score in SPRS, and to confirm that a subcontractor has a current SPRS score before awarding it a subcontract involving CUI.
  • DFARS 252.204-7021: The CMMC clause. Requires the contractor to hold the CMMC status specified in the contract (certification or self-assessment, with a current affirmation in SPRS) at award and throughout performance, phased in over the rollout period.
⚠ Warning
Under 32 CFR Part 170, a Level 2 POA&M is permitted only when the assessment score is at least 88 of 110 and every open item is a 1-point requirement. The single exception is FIPS-validated encryption of CUI (3.13.11), which may remain open at partial credit when CUI is encrypted but not with validated modules. Five-point requirements such as multifactor authentication (3.5.3) cannot be on the POA&M, and five 1-point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) are also excluded. An assessment that leaves any ineligible requirement unmet does not produce a conditional certification; it produces no certification, and the gaps must be closed and reassessed.

CMMC 2.0 Implementation Roadmap: 8 Steps

Step 1: Determine Your Required CMMC Level

Review the CMMC clause in any current or target DoD contracts. The required level will appear in the solicitation under DFARS 252.204-7021. If you handle only FCI, Level 1 applies. If you handle CUI anywhere in your systems, processes, or physical locations, Level 2 applies at minimum.

Step 2: Define Your CUI Scope Boundary

Map every place CUI enters, is processed, stored, or transmitted across your environment. This includes email archives, shared network drives, cloud storage, mobile devices, and third-party vendor systems. A well-defined, documented CUI boundary reduces both implementation complexity and C3PAO assessment fees, because assessors examine only systems within scope.

Data discovery at this stage regularly surfaces CUI in unexpected locations, particularly in email systems and shared file services that predated formal data handling policies. Address those locations before building your System Security Plan.
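As an added example (not code from the original guide, the DoD, or NARA), the scanner below walks a directory tree and flags files carrying CUI banner or portion markings, legacy FOUO markings, DoD distribution statements, or export-control notices. The file names, file contents, and the indicator heuristics are assumptions constructed for this example; the banner and portion-marking syntax follows the NARA CUI Marking Handbook. It reads plain-text formats only; Office and PDF files need a text extractor in front of it.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Marking patterns used to flag files for human triage. The banner and
# portion-marking syntax ("CUI//SP-CTI//NOFORN", "(CUI)") follows the NARA
# CUI Marking Handbook; the legacy-FOUO, distribution-statement and
# export-control patterns are assumptions about what usually accompanies
# CUI technical data, not a definition of CUI.
INDICATORS = {
    # A banner marking sits alone on a line at the top or bottom of a page.
    "cui_banner": re.compile(r"^\s*(?:CUI|CONTROLLED)(?://[A-Z0-9\- /]+)?\s*$", re.M),
    # Portion markings prefix paragraphs: "(CUI)" or "(CUI//SP-CTI)".
    "cui_portion": re.compile(r"\(CUI(?://[A-Z0-9\- /]+)?\)"),
    # Pre-CUI legacy markings that must be re-evaluated, not ignored.
    "legacy_fouo": re.compile(r"\b(?:FOR OFFICIAL USE ONLY|FOUO)\b"),
    # DoD distribution statements B through F mark controlled technical information.
    "distribution_statement": re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b"),
    # Export-control notices frequently accompany CUI//SP-EXPT material.
    "export_control": re.compile(r"\bEXPORT[ -]CONTROLLED\b|\bITAR\b"),
}

TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".log"}


def scan_text(text: str) -> List[str]:
    """Return the names of every indicator that fires on this text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a directory and report files with at least one indicator.

    Keys are root-relative POSIX paths so results are stable across hosts.
    """
    hits: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample share: the contents below are invented for this
# example and contain no real CUI.
SAMPLE_FILES = {
    "shared/drawing-notes.txt": (
        "CUI//SP-CTI//NOFORN\n"
        "Bracket tolerances for assembly 22-A revised per customer request.\n"
        "CUI//SP-CTI//NOFORN\n"
    ),
    "mail/archive/2019-rfq.eml": (
        "Subject: Re: RFQ follow-up\n\n"
        "(CUI//SP-CTI) Attached drawing shows the revised mounting interface.\n"
    ),
    "legacy/2016-memo.txt": "FOR OFFICIAL USE ONLY\nSite access procedures for building 4.\n",
    "engineering/report.txt": (
        "DISTRIBUTION STATEMENT D. Distribution authorized to DoD and "
        "U.S. DoD contractors only.\n"
    ),
    # Prose that merely mentions CUI is not marked CUI and should not fire.
    "public/brochure.txt": "Our company handles CUI for defense customers.\n",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> Dict[str, List[str]]:
    """Build the sample share in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in demo().items():
        print(f"{rel}: {', '.join(found)}")
```

A hit is a triage candidate, not a determination: a policy document that discusses marking rules will fire on the banner pattern, and material that was never marked will not fire at all, so scan results complement interviews with program staff about where CUI actually flows rather than replace them.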

Step 3: Conduct a Gap Assessment Against NIST SP 800-171

Score your current control implementation against all 110 controls using the assessment objectives in NIST SP 800-171A. Calculate your SPRS score, which runs from -203 (all 110 controls missing) to 110 (all controls implemented). DFARS 252.204-7019 requires that score to be in SPRS before many contracts can be awarded.

Be accurate in your self-assessment. The gap between honest self-scoring and what a C3PAO finds during assessment is a significant cost driver. Organizations that overstate their SPRS score face False Claims Act exposure if the government later discovers the discrepancy.
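An added example, not part of the original guide or of the DoD Assessment Methodology itself: the calculator below applies the methodology's scoring rules (5-, 3- and 1-point deductions from 110, partial credit of 3 for 3.5.3 and 3.13.11, no score at all without a system security plan) and the 32 CFR 170.21 eligibility test for a Level 2 POA&M. The weight table is an excerpt constructed for this example; a real run needs all 110 entries from the methodology's annex, whose deductions total 313 points, which is where the -203 floor comes from.

```python
from typing import Dict, Optional

FULL_MARKS = 110
FLOOR = -203          # 110 minus the 313 points the complete table can deduct
POAM_MIN_SCORE = 88   # 32 CFR 170.21: score / 110 must be at least 0.8

# Point values from the DoD NIST SP 800-171 Assessment Methodology annex.
# Constructed excerpt for this example; the real table lists all 110.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.10.3": 1,   # escort and monitor visitors
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# The methodology scores these at 3 instead of 5 when partially done.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA in place for remote and privileged users only
    "3.13.11": 3,  # CUI encrypted, but not with FIPS-validated modules
}

# 32 CFR 170.21 bars these 1-point requirements from a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

STATUSES = {"met", "partial", "not_met"}


def assessment(overrides: Dict[str, str]) -> Dict[str, str]:
    """Every requirement 'met', then apply the given statuses."""
    result = {req: "met" for req in WEIGHTS}
    for req, status in overrides.items():
        if req not in WEIGHTS:
            raise KeyError(f"unknown requirement {req}")
        if status not in STATUSES:
            raise ValueError(f"{req}: bad status {status!r}")
        result[req] = status
    return result


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement. Scoring is all-or-nothing per
    requirement: unless every 800-171A objective is met the full weight is
    deducted, except for the two explicit partial-credit cases."""
    if status == "met":
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: no partial credit exists; score it not_met")
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def sprs_score(findings: Dict[str, str], ssp_exists: bool = True) -> Optional[int]:
    """SPRS score, or None because the methodology produces no score
    without a system security plan (3.12.4). Requirements absent from
    findings are treated as not met."""
    if not ssp_exists:
        return None
    lost = sum(deduction(req, findings.get(req, "not_met")) for req in WEIGHTS)
    return max(FULL_MARKS - lost, FLOOR)


def poam_eligible(findings: Dict[str, str], ssp_exists: bool = True) -> bool:
    """32 CFR 170.21(a)(2) test for a Level 2 conditional certification."""
    score = sprs_score(findings, ssp_exists)
    if score is None or score < POAM_MIN_SCORE:
        return False
    for req in WEIGHTS:
        status = findings.get(req, "not_met")
        if status == "met":
            continue
        if req in NEVER_ON_POAM:
            return False
        fips_partial = req == "3.13.11" and status == "partial"
        if WEIGHTS[req] > 1 and not fips_partial:
            return False
    return True


if __name__ == "__main__":
    cases = {
        "clean": assessment({}),
        "mfa partial, fips partial, ext conn open": assessment(
            {"3.5.3": "partial", "3.13.11": "partial", "3.1.20": "not_met"}),
        "fips partial only": assessment({"3.13.11": "partial"}),
        "audit logging missing": assessment({"3.3.1": "not_met"}),
    }
    for label, findings in cases.items():
        print(f"{label:45s} score={sprs_score(findings):4d} "
              f"poam_ok={poam_eligible(findings)}")
```

The second case is the one that surprises teams: a score of 103 looks comfortable, yet MFA at partial credit and an open external-connections item both block a POA&M, so that assessment would fail outright rather than close conditionally.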

Step 4: Build Your System Security Plan (SSP)

The SSP documents how each of the 110 controls is implemented, partially implemented, or not yet implemented in your specific environment. It is a required artifact for Level 2 and Level 3 assessments. A credible SSP includes system boundaries, network diagrams, data flow maps, and a description of each control's implementation status.

Assessors use the SSP as their primary reference document. A vague SSP forces assessors to ask more questions and extend the assessment timeline.

Step 5: Create Your Plan of Action and Milestones (POA&M)

Document every control that is not fully implemented, with specific remediation actions, assigned owners, and completion dates. Under 32 CFR Part 170, certain controls cannot have open POA&Ms at the time of assessment. Identify those controls early, because they drive your critical-path timeline.

For controls where a POA&M is permitted, the 180-day remediation window begins at the time of the conditional certification, not the start of preparation. Do not plan to use POA&Ms as a long-term deferral strategy.

Step 6: Implement Technical Controls

The implementation phase takes most of the total calendar time. The most frequently unimplemented controls at Level 2 assessments involve:

  • Multifactor authentication for local and network access to privileged accounts and network access to all other accounts (3.5.3); MFA limited to remote or privileged users earns only partial credit, not full implementation
  • Encryption of CUI at rest and in transit using FIPS 140-2 or 140-3 validated modules (3.13.11), checked against the NIST CMVP validation list rather than a vendor's "FIPS-compliant" claim
  • Audit logging that captures system events, user actions, and configuration changes, with logs protected from unauthorized access, modification, and deletion
  • Malicious code protection and system monitoring on every system in scope, which in practice means an endpoint detection and response (EDR) agent on all in-scope endpoints
  • Documented vulnerability scanning and patch management processes with defined timelines for remediating critical findings

Step 7: Conduct an Internal Pre-Assessment

Before engaging a C3PAO, run an internal assessment using the assessment objectives from NIST SP 800-171A. Many organizations engage a Registered Practitioner (RP) from the Cyber AB marketplace for this pre-assessment. An RP is not authorized to certify, but they can identify gaps that a C3PAO would flag.

One pre-assessment finding that frequently surprises organizations: supply chain scope. If a subcontractor or vendor receives, transmits, or stores CUI on your behalf, they are in scope for CMMC. You cannot exclude them from your boundary by contract language alone.

Step 8: Schedule Your C3PAO Assessment

Select a C3PAO authorized through the Cyber AB marketplace. Request quotes from multiple organizations, as assessment fees vary based on scope, team size, and travel. The assessment involves document review, technical testing, and interviews with personnel responsible for each control domain. On-site time typically runs one to three weeks for a mid-size organization, though scope size is the primary driver.

Results are submitted to CMMC eMASS, which feeds certification status into SPRS. Level 2 C3PAO certifications are valid for three years. Annual affirmation of continued compliance is required between assessments.


Common Mistakes That Delay or Fail Certification

Underscoping the CUI boundary. Defining scope too narrowly is the most common error. Organizations that limit scope to their primary systems often discover during assessment that email, backup systems, or cloud storage also contain CUI. Reassessing with an expanded scope adds months and cost.

Relying on inflated self-assessment scores. Many contractors reported SPRS scores in the 80s and 90s based on controls they considered "mostly implemented." C3PAOs assess against the specific assessment objectives in NIST SP 800-171A, which are more granular than the control statements. A control that is 80% implemented scores as not implemented.

Ignoring subcontractors. If a subcontractor handles CUI as part of your contract performance, they need their own CMMC certification. Identifying and managing that dependency late in the process creates schedule risk.

Treating it as an IT project. The controls span hiring and personnel security, physical facility access, workforce training, incident response procedures, and executive governance. Organizations that delegate CMMC preparation entirely to IT typically find gaps in physical protection, personnel security, and training requirements during assessment.


Rollout Timeline

Milestone                                                                                      | Date
-----------------------------------------------------------------------------------------------|-------------------
32 CFR Part 170 final rule effective                                                           | December 16, 2024
48 CFR (DFARS) rule effective; Phase 1 begins: Level 1 and Level 2 self-assessment requirements in new solicitations | November 10, 2025
Phase 2: Level 2 C3PAO certification requirements in new solicitations                         | November 10, 2026
Phase 3: Level 3 DIBCAC certification requirements added                                       | November 10, 2027
Phase 4: Full implementation in all applicable solicitations and contracts                     | November 10, 2028

32 CFR 170.3(e) fixes the phases relative to the effective date of the DFARS rule, each one year after the previous, so the dates above follow from the DFARS rule taking effect on November 10, 2025.

The phased rollout means not every contract will require C3PAO certification immediately. However, the DFARS 252.204-7019 requirement to have an SPRS score on file applies already. Starting a gap assessment and submitting an honest SPRS score is the minimum action for any organization with active DoD contracts.


Cost Ranges

Cost varies significantly based on starting security posture, organization size, and the number of systems in scope. The figures below reflect market ranges as of early 2025; no single published source covers the full range across all contractor sizes.

Cost Category                 | Level 1                    | Level 2                                                        | Level 3
------------------------------|----------------------------|----------------------------------------------------------------|------------------------------------------------------
Gap Assessment                | Low (primarily staff time) | Moderate (consultant or tool-assisted)                         | High (specialist consultants)
Remediation / Implementation  | Low to moderate            | Moderate to high, depending on gaps                            | High to very high
Technology (annual)           | Minimal                    | EDR, SIEM, MFA, encryption tooling                             | Expanded tooling stack
C3PAO Assessment              | N/A (self-assess)          | Varies by scope and C3PAO; request quotes via the Cyber AB marketplace | Government-led (DIBCAC), after a Level 2 C3PAO certification
Ongoing Maintenance (annual)  | Low                        | Moderate                                                       | High

For organizations starting from a low SPRS score, Level 2 implementation is more expensive than for those already meeting most controls. The cost of a C3PAO assessment depends on the number of systems in scope, not just organization headcount.

✅ Key Takeaway
Organizations with limited internal security resources often find that a managed security service provider (MSSP) specializing in CMMC can reduce total implementation cost, because the MSSP spreads tooling costs across multiple clients. Before engaging any MSSP, verify they hold or are pursuing Registered Provider Organization (RPO) status through the Cyber AB.

Mini-FAQ

Who needs CMMC 2.0 certification?

Any organization that contracts with the Department of Defense and handles FCI or CUI. This includes prime contractors and all subcontractors at every tier who touch that information. CMMC 2.0 applies to the entire defense supply chain, not just prime contractors.

Can I still self-assess for Level 2?

Yes, for non-prioritized CUI contracts. Contracts involving prioritized CUI require a C3PAO assessment. The solicitation specifies which applies. Annual self-assessment still requires SPRS score submission and senior official affirmation.

What happens if my C3PAO assessment results in conditional certification?

A conditional certification means you passed most controls but have open POA&Ms on permitted items. You have 180 days to remediate those items and pass a follow-on assessment. During the 180-day window, you can compete for contracts that accept conditional status. Controls that are not eligible for POA&Ms must be resolved before a conditional certification is issued.

How long does Level 2 certification take?

The preparation timeline depends entirely on how far your current SPRS score is from 110. Organizations starting from a score below 50 typically need 18 months or more. Those already operating above 90 may complete the process in six to nine months. The C3PAO assessment itself runs one to three weeks. Assessment results are valid for three years.

Does CMMC apply to commercial off-the-shelf (COTS) products?

No. Suppliers of COTS items are generally exempt under 32 CFR Part 170. The requirement applies to organizations that handle CUI or FCI during contract performance, not to commercial product sellers. If your company both sells COTS products and performs services involving CUI, the service-performance portion is in scope.

Where do I find authorized C3PAOs?

The Cyber AB marketplace lists authorized C3PAOs, Registered Provider Organizations, and Registered Practitioners. Only a C3PAO on that list can conduct a Level 2 certification assessment. RPs and RPOs are trained and vetted by the Cyber AB, which makes them a sensible choice for readiness work, but readiness work itself is not restricted to them.

What is DFARS 252.204-7012 and why does it matter alongside CMMC?

DFARS 252.204-7012 is a contract clause requiring contractors to implement adequate security on covered defense information systems and to report cyber incidents to the DoD within 72 hours at dibnet.dod.mil. It predates CMMC and remains in effect. CMMC adds certification on top of the 7012 requirements; meeting CMMC does not eliminate your 7012 obligations, including incident reporting.


Sources Used

  1. DoD CIO, "Cybersecurity Maturity Model Certification (CMMC)," https://dodcio.defense.gov/CMMC/, accessed 2026-05-12.
  2. Federal Register, "Cybersecurity Maturity Model Certification 2.0 Program; Final Rule" (32 CFR Part 170), published October 15, 2024, effective December 16, 2024. https://www.federalregister.gov/documents/2024/10/15/2024-22505/cybersecurity-maturity-model-certification-20-program, accessed 2026-05-12.
  3. NIST SP 800-171 Rev. 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," January 2021 (updated Jan. 28, 2021). https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final, accessed 2026-05-12.
  4. NIST SP 800-171 Rev. 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," May 2024. https://csrc.nist.gov/pubs/sp/800/171/r3/final, accessed 2026-05-12.
  5. NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information," https://csrc.nist.gov/pubs/sp/800/171/a/final, accessed 2026-05-12.
  6. NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171," February 2, 2021. https://csrc.nist.gov/pubs/sp/800/172/final, accessed 2026-05-12.
  7. Cyber AB (CMMC Accreditation Body), https://cyberab.org/, accessed 2026-05-12.
  8. DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting, accessed 2026-05-12.
  9. FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," https://www.acquisition.gov/far/52.204-21, accessed 2026-05-12.
  10. NIST Cryptographic Module Validation Program (CMVP), https://csrc.nist.gov/projects/cryptographic-module-validation-program, accessed 2026-05-12.
  11. National Archives, CUI Registry, https://www.archives.gov/cui, accessed 2026-05-12.
  12. Supplier Performance Risk System (SPRS), https://www.sprs.csd.disa.mil/, accessed 2026-05-12.
  13. DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), https://www.dcma.mil/DIBCAC/, accessed 2026-05-12.


Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
