If you work with the Department of Defense (redesignated the Department of War by executive order, September 2025) and someone handed you a solicitation with "CMMC Level 2" written in the requirements, this guide is for you.
CMMC stands for Cybersecurity Maturity Model Certification. As of November 10, 2025, it is a legal requirement under DFARS 252.204-7021. If your contract involves sensitive government data and you do not meet the applicable CMMC level, you cannot perform on that contract. Those are the stakes.
This guide covers everything you need to understand the program: what it is, which level applies to your organization, how the timeline works, what an assessment looks like, how to prepare, and what it costs. Every section links to a deeper companion article for readers who want to go further on a specific topic.
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's program for verifying that defense contractors have implemented the cybersecurity controls required to protect sensitive government information.
The key word is "verifying." Before CMMC, contractors were required to implement security controls under DFARS 252.204-7012, but verification was largely self-reported. A contractor signed a contract clause, submitted a score into a government database, and the government mostly had to take their word for it. CMMC changes that model. For contracts involving the most sensitive data, contractors must now be assessed by an independent third party, not just self-certify.
The defense supply chain includes over 300,000 companies. These range from the large prime contractors to small machine shops, software developers, IT service providers, MSSPs, and specialty manufacturers that make up the broader Defense Industrial Base (DIB).
Many of these companies were handling sensitive government data on systems with minimal security controls. Nation-state adversaries, particularly China and Russia, identified the defense supply chain as a softer target than the DoD's own classified networks. By penetrating small and mid-sized contractors, they could gain access to technical designs, acquisition data, and operational information without ever touching a classified system.
The F-35 program is the canonical example. Intelligence reporting indicated that adversaries obtained technical data about the aircraft through defense contractor networks. The DoD needed a way to verify that contractors were actually protecting this data, not just checking a box. CMMC is that verification mechanism.
CMMC is fundamentally about protecting data, and it is built around two categories of sensitive government data:
The type of data you handle determines which CMMC level applies to your organization. For a deeper analysis of the distinction and how to identify your data types, read FCI vs CUI: How to Know Which Type of Data You Handle.
The CMMC program was established through a process that started with the National Defense Authorization Act (NDAA) for Fiscal Year 2020. After years of development and revision (CMMC 1.0 in 2020, CMMC 2.0 announced in 2021), the final rule was published in 32 CFR Part 170 and DFARS 252.204-7021 took effect on November 10, 2025.
From that date forward, CMMC requirements can appear in DoD solicitations and contracts. If your contract includes DFARS 252.204-7021, you are in scope for CMMC. For the full explanation of what CMMC is and why it exists, read What Is CMMC? A Plain-English Guide for Defense Contractors.
CMMC 2.0 organizes requirements into three levels:

Level 1 applies to organizations that handle FCI but not CUI. It requires 15 security practices derived directly from FAR Clause 52.204-21, distributed across six security domains: Access Control (4 practices), Identification and Authentication (2), Media Protection (1), Physical Protection (2), System and Communications Protection (2), and System and Information Integrity (4).
Compliance is verified through an annual self-assessment. Your organization scores itself against each of the 15 practices, submits the score to SPRS, and a senior official affirms the accuracy of the submission. There is no third-party assessment requirement for Level 1.
For a detailed breakdown of all 15 practices with implementation guidance, read The 15 CMMC Level 1 Practices: What They Are and How to Implement Them.
Level 2 applies to organizations that handle CUI. It requires full implementation of NIST Special Publication 800-171 Revision 2, which contains 110 security requirements across 14 security families. This is a substantially more demanding standard than Level 1, covering comprehensive audit logging, configuration management, incident response, multi-factor authentication, FIPS-validated encryption, and more.
Level 2 verification depends on contract sensitivity. Some contracts allow self-assessment; others require an independent third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). C3PAO certifications are valid for three years, with the result being either Final (all requirements Met) or Conditional (open POA&M items, 180 days to close).
The weighted scoring system assigns 5, 3, or 1 points per requirement, with a maximum of 110. Organizations need a minimum of 88 points (80%) for Conditional certification.
Level 3 applies to the most sensitive DoD programs. It requires all 110 Level 2 requirements plus 24 additional requirements from NIST SP 800-172, for a total of 134. The additional requirements address Advanced Persistent Threat (APT) defenses including enhanced access control, penetration testing, threat hunting, and supply chain risk management.
Level 3 assessments are conducted exclusively by DIBCAC, the DoD's own assessment team. Before pursuing Level 3, an organization must have a current, valid Level 2 C3PAO certification. Level 3 certifications are valid for three years.
The determination is contract-driven:
For the complete breakdown of all three levels, read CMMC Level 1 vs Level 2 vs Level 3: Which One Do You Need?.
CMMC applies to both prime contractors and subcontractors throughout the defense supply chain. If you hold a DoD contract that includes DFARS 252.204-7012, you are already subject to CMMC requirements or will be shortly.
Prime contractors are responsible for flowing CMMC requirements down to subcontractors. If you are a prime handling CUI and you pass that CUI to a subcontractor, that subcontractor needs at minimum Level 2 certification. Before sharing CUI with any subcontractor, you are required to verify their SPRS submission. For the full picture of flow-down requirements, read CMMC Flow-Down Requirements: What Primes Must Require from Subs.
CMMC applies to all companies performing under applicable DoD contracts regardless of tier. Company size is not an exemption factor. A five-person machine shop that receives CUI from a prime contractor has the same Level 2 requirements as the prime itself. The requirement attaches to the data, not the organization's size or revenue.
For small defense subcontractors, the practical challenge is that CMMC compliance costs are proportionally larger relative to revenue. However, the requirement is non-negotiable if CUI flows to your systems. Read What CMMC Means for Small Defense Subcontractors for strategies specific to smaller organizations.
CMMC does not apply to contracts outside the DoD, classified systems (which have their own requirements), or contracts where the only government data involved is hardcopy CUI that is never placed on an IT system. However, the moment hardcopy CUI is scanned, photographed, emailed, or otherwise digitized, all systems that could touch it come into scope.
The CMMC program rolls out in four phases from November 2025 through November 2028.
Phase 1 is the self-assessment phase. Contracting officers include CMMC requirements in new solicitations, with self-assessment as the primary compliance verification mode for Level 2. Organizations can demonstrate compliance by conducting their own assessment, calculating a weighted score, submitting to SPRS, and having a senior official legally affirm accuracy.
C3PAO third-party assessments during Phase 1 are at the contracting officer's discretion, but in most cases Phase 1 means self-assessments.
Phase 1 is not a grace period. Organizations without an active, accurate SPRS submission can be excluded from contract awards today.
Phase 2 is when mandatory C3PAO third-party assessments begin appearing in new solicitations. This is the inflection point where self-assessment is no longer sufficient for many Level 2 contracts. Level 3 requirements also begin to appear. Organizations pursuing Level 3 must first achieve a full Level 2 C3PAO certification.
If you start your readiness program in October 2026 because a Phase 2 solicitation landed on your desk, you will almost certainly miss the award. C3PAO assessments require scheduling, preparation, and completion time.
In Phase 3, C3PAO requirements extend more broadly across the DoD contract base. Certification becomes standard rather than exceptional for Level 2 CUI contracts, and the C3PAO capacity constraint becomes more acute as demand surges.
Phase 4 is full CMMC implementation: all applicable contracts have full enforcement in place.
CMMC certifications are not permanent. Level 1 requires annual self-assessment and affirmation. Level 2 and Level 3 certifications are valid for three years, with annual affirmations required throughout. Three events can trigger early reassessment: a major technology change, cyber intelligence reporting, or a merger/acquisition that materially changes the environment.
For the complete phase-by-phase breakdown with action items, read The CMMC Timeline: What's Happening and When (2025-2028). For the assessor capacity challenge, read The CMMC Assessor Shortage: What It Means for Your Timeline.
NIST SP 800-171 is the security requirements catalog. CMMC Level 2 is the verification and certification program built on top of it. If you implement all 110 NIST SP 800-171 Revision 2 requirements and can demonstrate that implementation to a C3PAO assessor, you will pass a CMMC Level 2 assessment.
CMMC Level 2 uses the same 110 technical requirements as NIST 800-171 Rev 2, but adds several elements:
NIST published Revision 3 of SP 800-171 in May 2024, significantly restructuring the publication. However, a DoD class deviation keeps CMMC assessments locked to Revision 2 until new rulemaking formally incorporates Rev 3. If you are preparing for a C3PAO assessment, implement Rev 2 fully. Building your program around Rev 3 creates risk of gaps relative to the current assessment standard.
For the complete analysis of the NIST/CMMC relationship, read CMMC and NIST 800-171: What's the Same, What's Different.
Every organization subject to CMMC must have an active, accurate score in the Supplier Performance Risk System (SPRS) before a contracting officer can award an applicable DoD contract. That requirement has been in effect since November 2020 under DFARS 252.204-7012, and it remains true under CMMC.
SPRS is a DoD web application that stores contractor performance data, including CMMC self-assessment scores and affirmations. Contracting officers query SPRS to verify compliance status before awarding contracts. Prime contractors can review SPRS submissions from potential subcontractors before sharing CUI or awarding subcontracts.
Level 1 scoring is binary. Each of the 15 practices is either Met (1 point) or Not Met (0 points). Maximum score: 15.
Level 2 scoring is weighted. Each of the 110 requirements carries one of three point values:
Maximum possible score is 110 points. Organizations need a minimum of 88 points (80%) to qualify for Conditional certification. A score below 88, or any of six prohibited controls on the POA&M, results in "No Status."
Before any Level 2 SPRS submission, CA.L2-3.12.4 (the System Security Plan requirement) must be Met. If the SSP is Not Met, SPRS returns "No Score." No assessment can be completed without a current SSP.
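The scoring rules above (start from 110, deduct each Not Met requirement's 5/3/1 point value, 88 minimum for Conditional, SSP hard gate, prohibited POA&M items) are easy to get wrong in a spreadsheet. The following Python is an added example, not code from the page or from any DoD tool; the prohibited-requirement set is a constructed placeholder and the sample point values are illustrative, not the official ones.

```python
from typing import Dict, List, NamedTuple, Optional

MAX_SCORE = 110             # every one of the 110 NIST SP 800-171 Rev 2 requirements Met
CONDITIONAL_MINIMUM = 88    # 80% of 110, the floor for Conditional certification
SSP_REQUIREMENT = "CA.L2-3.12.4"
VALID_WEIGHTS = {5, 3, 1}

# Constructed placeholder: the page says six requirements may never sit on a POA&M
# but does not name them; substitute the authoritative list from 32 CFR Part 170.
PROHIBITED_ON_POAM = frozenset({"AC.L2-3.1.20", "PE.L2-3.10.3"})


class SprsResult(NamedTuple):
    score: Optional[int]    # None when SPRS would return "No Score"
    status: str             # "Final", "Conditional", "No Status" or "No Score"
    reasons: List[str]


def score_level2(not_met: Dict[str, int]) -> SprsResult:
    """Score a Level 2 self-assessment.

    not_met maps each Not Met requirement ID to its 5/3/1 point value;
    every requirement not listed is treated as Met.
    """
    for req_id, weight in not_met.items():
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{req_id}: point value must be 5, 3 or 1, got {weight}")
    # Hard gate: with the SSP Not Met there is no score at all
    if SSP_REQUIREMENT in not_met:
        return SprsResult(None, "No Score", [f"{SSP_REQUIREMENT} (SSP) is Not Met"])
    # Scoring starts at 110 and deducts each Not Met requirement's point value
    score = MAX_SCORE - sum(not_met.values())
    if not not_met:
        return SprsResult(score, "Final", [])
    # Every Not Met requirement becomes a POA&M item, and some may not be there
    reasons = []
    prohibited = sorted(r for r in not_met if r in PROHIBITED_ON_POAM)
    if prohibited:
        reasons.append("prohibited on POA&M: " + ", ".join(prohibited))
    if score < CONDITIONAL_MINIMUM:
        reasons.append(f"score {score} is below the Conditional minimum of {CONDITIONAL_MINIMUM}")
    if reasons:
        return SprsResult(score, "No Status", reasons)
    return SprsResult(score, "Conditional", [f"{len(not_met)} POA&M item(s), 180 days to close"])


if __name__ == "__main__":
    # Constructed gap list; the point values are illustrative, not the official ones
    gaps = {"IA.L2-3.5.3": 5, "AU.L2-3.3.1": 5, "SI.L2-3.14.6": 3}
    print(score_level2(gaps))                  # score 97, Conditional
    print(score_level2({"AC.L2-3.1.20": 1}))   # score 109 but No Status
```

Note that a high score does not rescue a submission: a single prohibited item on the POA&M yields "No Status" even at 109 points.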
After entering the score, a senior official must affirm its accuracy. This is a legal attestation under the False Claims Act. The affirmation must be renewed annually for Level 1, and annually plus at each assessment event for Level 2.
For the complete SPRS submission process, read SPRS 101: How to Submit Your CMMC Self-Assessment Score. For the affirmation implications, read CMMC Affirmation: What It Means to Sign on the Dotted Line.
For Level 2 contracts requiring third-party assessment, a Cyber AB-accredited C3PAO conducts an independent evaluation of your environment against all 110 NIST SP 800-171 Rev 2 requirements.
The C3PAO reviews your SSP, POA&M, and supporting documentation before arriving on site. Pre-assessment activities include verifying the CMMC Assessment Boundary, reviewing evidence packages, and confirming personnel availability for interviews.
C3PAO assessors evaluate each requirement using three methods:
A requirement is only Met when the results of every method the assessor uses agree. If the documentation says MFA is enforced but a test shows an account can authenticate with just a password, the requirement is Not Met regardless of what the policy says.
For the detailed assessment process, read What a CMMC Gap Assessment Actually Looks Like (Step by Step). For evidence expectations, read CMMC Evidence Collection: What Assessors Actually Want to See and What DIBCAC Assessors Actually Want to See: Evidence by Domain.
Preparation for CMMC certification is a structured program, not a one-time project. The organizations that pass C3PAO assessments are the ones that built their programs methodically.
A professional gap assessment evaluates your current security posture against all applicable requirements. The output is a scored picture of your current state, a projected SPRS score, and a prioritized remediation roadmap.
A thorough gap assessment includes document review, technical testing, and personnel interviews. Gap assessments that skip technical testing will miss implementation gaps that a C3PAO will find.
The SSP is the CMMC hard gate. It must describe your information system, define the assessment boundary, and document how each requirement is implemented. Implementation descriptions must be specific: name the technology, reference the configuration, describe the enforcement mechanism.
Build the SSP to reflect your current, actual security posture. Aspirational language ("the organization will implement") signals to assessors that the control is Planned, not Implemented. Read Building Your System Security Plan (SSP) for CMMC for the complete SSP development guide.
Work through your remediation roadmap in priority order:
Evidence must be specific, dated, and traceable to your actual environment. Organize evidence by domain and requirement, following the DIBCAC Objective Evidence Lists as the authoritative reference. All eMASS artifacts require SHA-256 hashing.
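One way to keep an evidence package dated, traceable by domain and requirement, and SHA-256 hashed as the text requires, shown here as an added Python example (not code from the page or from eMASS); the artifact contents are constructed samples held in memory.

```python
import hashlib
from typing import Iterable, List, NamedTuple


class Artifact(NamedTuple):
    requirement: str    # CMMC practice ID the evidence supports, e.g. "IA.L2-3.5.3"
    name: str           # file name inside the evidence package
    collected: str      # ISO date the evidence was captured
    content: bytes      # file bytes (held in memory here; read from disk in practice)


class ManifestEntry(NamedTuple):
    domain: str
    requirement: str
    name: str
    collected: str
    sha256: str


def build_manifest(artifacts: Iterable[Artifact]) -> List[ManifestEntry]:
    """Hash every artifact and order the manifest by domain, then requirement."""
    entries = []
    for a in artifacts:
        domain = a.requirement.split(".")[0]          # "IA" from "IA.L2-3.5.3"
        digest = hashlib.sha256(a.content).hexdigest()
        entries.append(ManifestEntry(domain, a.requirement, a.name, a.collected, digest))
    return sorted(entries, key=lambda e: (e.domain, e.requirement, e.name))


def find_altered(manifest: Iterable[ManifestEntry], artifacts: Iterable[Artifact]) -> List[str]:
    """Names of manifest entries whose current bytes no longer match the recorded
    hash, or that are missing entirely, so the uploaded package can be trusted."""
    current = {a.name: hashlib.sha256(a.content).hexdigest() for a in artifacts}
    return [e.name for e in manifest if current.get(e.name) != e.sha256]


# Constructed sample evidence; real packages hold exports, screenshots and logs
SAMPLE = [
    Artifact("SI.L2-3.14.6", "siem-alert-rules.json", "2025-11-12", b'{"rules": 42}'),
    Artifact("IA.L2-3.5.3", "mfa-policy-export.json", "2025-11-10", b'{"mfa": "required"}'),
    Artifact("AC.L2-3.1.1", "ad-group-membership.csv", "2025-11-10", b"user,group\nalice,cui-users\n"),
]

if __name__ == "__main__":
    for entry in build_manifest(SAMPLE):
        print(entry.domain, entry.requirement, entry.name, entry.collected, entry.sha256[:16])
```

Re-running find_altered against the package just before upload catches an artifact that was edited or regenerated after the manifest was signed off.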
Calculate your accurate score, submit to SPRS, and have your senior official execute the affirmation. If pursuing Conditional certification, ensure your POA&M is realistic and excludes prohibited controls.
Step 7: Engage a C3PAO
Schedule your assessment with adequate lead time. Most organizations need 30 to 90 days of intensive preparation between completing remediation and beginning the assessment. Solicit quotes from multiple C3PAOs via the Cyber AB marketplace at cyberab.org/marketplace.
For choosing a readiness partner, read How to Choose a CMMC RPO: 7 Questions to Ask. For automation opportunities, read CMMC Compliance Automation: What You Can Automate (and What You Cannot).
CMMC costs vary significantly based on organization size, existing security posture, IT complexity, and scope. But there are structural facts every contractor should know.
CMMC compliance costs are allowable costs under DoD contracts. Remediation costs can be included in overhead rates, assessment fees can be proposed as direct costs, and ongoing compliance costs can be built into bid pricing. The full cost does not come out of margin.
For the complete cost analysis, read The Cost of CMMC Compliance: What to Budget and Where to Save. For government assistance programs, read How the DoD Is Helping Small DIB Companies Afford CMMC.
Common Mistakes That Derail CMMC Programs
The Aerojet Rocketdyne settlement was $9 million. A former employee filed a qui tam lawsuit alleging the company misrepresented its cybersecurity compliance on DoD and NASA contracts. That case established that cybersecurity compliance is a material contract requirement under the False Claims Act.
Most CMMC failures are not intentional fraud. They are predictable, preventable mistakes:
Choosing the wrong partner. An RPO that produces a gap assessment without technical testing leaves you unprepared for a C3PAO that will conduct technical testing. Vet your RPO on credentials, methodology, and references from similar organizations.
For the full analysis, read The 5 CMMC Mistakes That Cost Contractors Millions. For False Claims Act exposure, read The False Claims Act and CMMC: What Defense Contractors Need to Know and The Aerojet Rocketdyne Case: What Every Defense Contractor Should Learn.
Work With NR Labs
NR Labs provides CMMC readiness and ongoing advisory services with certified professionals who have direct experience moving defense contractors from gap assessment through C3PAO certification.
What we provide:
We work with defense contractors at every level of the supply chain, from small subcontractors pursuing Level 1 to the largest primes preparing for or maintaining their Level 2 C3PAO certification.
Ready to understand where your organization stands? Contact us to schedule a CMMC readiness conversation.