What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's framework for verifying that the contractors and subcontractors it works with adequately protect sensitive government information from cyber threats.
Before CMMC, DoD contractors were only required to self-attest compliance with NIST SP 800-171 under DFARS 252.204-7012 (later with a self-reported score in SPRS). The problem was that many contractors overstated their readiness, leaving critical defense supply chains vulnerable. CMMC fixes this by replacing self-attestation with verified assessment: third-party (C3PAO) assessment for most organizations handling CUI, and government-led assessment for the most sensitive programs.
CMMC 2.0, the current version, simplified the original five-level model down to three levels and aligned requirements directly with established NIST standards. It is not a new set of controls. It is a verification mechanism for standards that DoD contractors were already supposed to be meeting.
Why this matters for your contracts: DFARS clause 252.204-7021 is being added to DoD contracts. If your contract includes this clause and you cannot demonstrate CMMC compliance, you risk losing the contract or being unable to bid on future awards.
CMMC Levels Explained
CMMC 2.0 has three certification levels. The level required for your organization depends on the type of information you handle and the nature of your DoD contracts.
Level 1 (Foundational): protects Federal Contract Information (FCI)
- 15 basic safeguarding requirements (earlier CMMC 2.0 documents counted them as 17 practices)
- Annual self-assessment, with results entered in SPRS
- Senior official affirmation
- Based on FAR 52.204-21
- No third-party assessor required

Level 2 (Advanced): protects Controlled Unclassified Information (CUI)
- 110 security requirements
- Triennial third-party (C3PAO) assessment for most CUI contracts; a triennial self-assessment only where DoD permits it for the contract
- Annual affirmation between assessments
- Based on NIST SP 800-171 Rev. 2
- All 110 requirements (320 assessment objectives) must be met for final certification; a conditional certification with a POA&M is allowed only with a score of at least 88 out of 110 and only for a limited set of requirements, and the POA&M must be closed out within 180 days

Level 3 (Expert): protects CUI on the highest-priority programs
- The 110 Level 2 requirements plus 24 selected from NIST SP 800-172
- Government-led assessments (DIBCAC), available only after a final Level 2 certification
- Triennial reassessment
- Based on NIST SP 800-172
- Highest-priority DoD programs only
Important: Most defense subcontractors will be required to meet Level 2. If your organization receives, processes, stores, or transmits Controlled Unclassified Information (CUI) as part of a DoD contract, Level 2 certification is likely required of you and of any subcontractor to whom you pass CUI.
Who Must Comply?
CMMC applies to any organization that works within the defense industrial base (DIB) and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes both prime contractors and their subcontractors at every tier.
If you manufacture components for defense programs, provide professional services to defense agencies, offer IT or cybersecurity support to defense contractors, or supply logistics and materials to the defense supply chain, CMMC likely applies to your organization.
The flow-down requirement is critical: Prime contractors are responsible for ensuring that their subcontractors also meet the appropriate CMMC level. This means compliance pressure flows down through every tier of the supply chain. If your prime contractor handles CUI, expect to be required to meet Level 2.
Industries commonly affected include aerospace and defense manufacturing, precision machining, electronics manufacturing, software and IT services, engineering and testing laboratories, logistics and warehousing, and professional consulting firms supporting defense programs.
CMMC Timeline: When Does It Take Effect?
CMMC requirements are being phased into DoD contracts through the DFARS rulemaking process. The timeline below outlines the key milestones that defense contractors need to track.
Final Rule Published
DoD published the 32 CFR Part 170 final rule (October 2024), which defines the CMMC program, and the 48 CFR (DFARS) final rule (September 2025), which puts the 252.204-7021 clause into contracts. The framework is now finalized and the phased rollout began on November 10, 2025.
Phase 1: Self-Assessment Requirements in New Contracts
From November 10, 2025, CMMC Level 1 self-assessments and Level 2 self-assessments are required in new DoD contracts where the contract calls for them. Organizations must complete the assessment and enter the results in SPRS before award. DoD may also require a Level 2 C3PAO certification in some Phase 1 solicitations at its discretion.
Phase 2: Third-Party Assessments Begin
From November 10, 2026, CMMC Level 2 third-party (C3PAO) certification is required for applicable contracts involving CUI. Organizations that have not begun preparation now face significant risk of contract loss. Phase 3, one year later, adds Level 3 (DIBCAC) requirements.
Phase 4: Full Rollout Across All Applicable Contracts
From November 10, 2028, CMMC requirements are embedded in all applicable DoD contracts at all tiers, including option periods on existing contracts. Organizations without the required certification will be ineligible to bid on or perform covered contracts.
Begin Your Gap Assessment Immediately
Preparation takes 6 to 18 months. Organizations that start today have the best chance of meeting certification requirements before their contracts require it. CGA's grant program covers the gap assessment cost.
Why not wait? Remediation timelines are long. Finding and fixing gaps in your cybersecurity posture across 110 controls, then engaging a C3PAO for assessment, can easily take 12 to 18 months. Prime contractors are already asking subcontractors for proof of CMMC readiness before awarding subcontracts.
How Much Does CMMC Compliance Cost?
CMMC compliance is a significant investment. The DoD's own estimates acknowledge that compliance costs are substantial, and for most small and mid-sized defense contractors, the financial burden is real. Understanding what you will spend helps you plan and identify where grants can offset costs.
| Cost Category | What It Covers | Estimated Range |
|---|---|---|
| Gap Assessment | Evaluating current posture against 110 NIST controls; producing remediation roadmap | $5,000 – $25,000 |
| Remediation / Implementation | Fixing identified gaps: policy development, technical controls, documentation | $50,000 – $200,000+ |
| Technology / Licensing | Compliant cloud environment (e.g., Microsoft GCC High), endpoint protection, MFA | $15,000 – $80,000/yr |
| C3PAO Assessment | Third-party CMMC Level 2 certification assessment by an authorized assessor | $30,000 – $100,000 |
| Ongoing Maintenance | Annual affirmation, continuous monitoring, policy updates, staff training | $20,000 – $60,000/yr |
| Total (DoD Estimate) | DoD's own estimate of Level 2 certification assessment cost for a small entity over one three-year cycle (initial C3PAO assessment plus annual affirmations); it excludes remediation and technology spend | ~$104,670+ |
The gap assessment is the most critical first step and also the one CGA can help fund. Before spending on remediation, you need to know exactly where you stand. A professional gap assessment maps your current state against all 110 controls and produces a prioritized, costed remediation plan. Without it, organizations often waste money fixing the wrong things.
How Cyber Grants Alliance Helps
Cyber Grants Alliance operates grant programs that fund critical cybersecurity services for defense contractors, manufacturers, and small businesses. Our programs are specifically designed to remove the financial barrier at the beginning of the compliance journey, when organizations need the most help and have the least clarity on what to do next.
We do not sell cybersecurity services. We fund access to them through vetted providers so that cost is never the reason a defense contractor fails to start their CMMC compliance journey.
7 Steps to CMMC Level 2 Compliance
CMMC compliance is a multi-step process that takes most organizations 6 to 18 months to complete. The steps below represent the recommended sequence for defense contractors pursuing Level 2 certification.
Step 1. Determine your required level. Review your current and anticipated DoD contracts for DFARS 252.204-7012 and 252.204-7021 clauses. Identify whether you handle FCI only (Level 1) or CUI (Level 2). Consult your prime contractor if you are a subcontractor.
Step 2. Gap assessment. Engage a qualified assessor to evaluate your current cybersecurity posture against all 110 NIST SP 800-171 Rev. 2 requirements. The output is a gap report, a SPRS-style score, and a prioritized remediation roadmap. This step is essential before any remediation spending. CGA Gap Assessment Grant can fund this.
Step 3. Scope your CUI boundary. Identify all systems, data flows, and assets that receive, process, store, or transmit CUI. The smaller and better-defined your CUI boundary, the lower your compliance cost and assessment scope. Document the boundary and how each requirement is implemented in a System Security Plan (SSP); the assessor scores against the SSP, so it must describe what is actually deployed.
Step 4. Remediate. Execute your remediation plan. This includes technical controls (MFA, endpoint protection, encryption, logging), administrative controls (policies, procedures, incident response plans), and physical controls (access restrictions, visitor logs). CGA Training Grant can fund staff security training.
Step 5. Pre-assessment penetration test. Before your formal assessment, run a professional penetration test to identify exploitable vulnerabilities your team may have missed. CMMC itself does not mandate a penetration test, but fixing what it finds before the C3PAO assessment prevents costly delays and findings. CGA Pen Testing Grant can fund this.
Step 6. C3PAO assessment. Engage a DoD-authorized Certified Third-Party Assessor Organization (C3PAO), listed on the Cyber AB marketplace, to perform your formal CMMC Level 2 assessment. The C3PAO records the results in the DoD's CMMC Enterprise Mission Assurance Support Service (eMASS), and your certification status is then reflected in SPRS.
Step 7. Maintain. CMMC Level 2 requires a senior official affirmation annually between triennial assessments. Maintain your SSP, policies, and controls, and close any POA&M items within the 180-day window. Certification is valid for three years, so plan your next third-party assessment before it expires.
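The gap report in Step 2 and the certification decision in Step 6 turn on one number: the NIST SP 800-171 score that SPRS records (110 minus weighted deductions for unmet requirements) and whether every open item is small enough to sit on a POA&M. The following is an added example, written for this page and not CGA's or DoD's tooling, that scores a set of constructed gap-assessment findings and classifies the result as certified, conditional, or not certified. The weight table is a constructed subset of the 110 requirements; the real weights come from Annex A of the DoD Assessment Methodology, and the POA&M-eligibility rule is simplified (only 1-point requirements), whereas 32 CFR 170.21 also excludes some 1-point requirements.

```python
"""Score a NIST SP 800-171 gap-assessment result the way a SPRS score is computed
and decide whether it supports a CMMC Level 2 certification.

Added illustration, not CGA's or DoD's tooling. Each requirement is weighted 1, 3
or 5 points; the score is 110 minus the weights of unmet requirements, and only
3.5.3 (MFA) and 3.13.11 (FIPS crypto) can earn partial credit.
ASSUMPTION: WEIGHTS is a constructed subset for illustration; take the real
weights from Annex A of the DoD Assessment Methodology. Requirements absent from
a findings dict are treated as met.
"""

MAX_SCORE = 110
CONDITIONAL_FLOOR = 88  # 80% of 110, the floor for conditional status (32 CFR 170.21)

# Constructed sample weights (assumption: verify each against Annex A).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect backups of CUI
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify and correct flaws
}

# Partial credit: deduct 3 instead of 5 when MFA covers only remote and
# privileged users, or when encryption is in place but not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"met", "partial", "not_met"}


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    if req not in WEIGHTS:
        raise KeyError(f"no weight for requirement {req}")
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for {req}")
    if status == "met":
        return 0
    if status == "partial":
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req} does not allow partial credit")
        return PARTIAL_DEDUCTION[req]
    return WEIGHTS[req]


def sprs_score(findings: dict) -> int:
    """110 minus weighted deductions; negative totals are possible."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_eligible(req: str) -> bool:
    """Simplified model: only 1-point requirements may stay open on a POA&M.
    The actual rule in 32 CFR 170.21 also excludes some 1-point requirements."""
    return WEIGHTS[req] == 1


def level2_outcome(findings: dict) -> str:
    """'certified', 'conditional' (POA&M, close within 180 days) or 'not certified'."""
    open_items = [r for r, s in findings.items() if s != "met"]
    if not open_items:
        return "certified"
    if sprs_score(findings) >= CONDITIONAL_FLOOR and all(poam_eligible(r) for r in open_items):
        return "conditional"
    return "not certified"


# Constructed gap-assessment findings for the sample table.
SAMPLE_MFA_GAP = {
    "3.1.1": "met", "3.1.3": "not_met", "3.3.1": "met", "3.5.3": "partial",
    "3.8.9": "not_met", "3.13.11": "met", "3.14.1": "met",
}
SAMPLE_MINOR_GAPS = {
    "3.1.1": "met", "3.1.3": "not_met", "3.3.1": "met", "3.5.3": "met",
    "3.8.9": "not_met", "3.13.11": "met", "3.14.1": "met",
}

if __name__ == "__main__":
    for name, f in (("MFA gap", SAMPLE_MFA_GAP), ("minor gaps", SAMPLE_MINOR_GAPS)):
        print(f"{name}: score {sprs_score(f)}, outcome {level2_outcome(f)}")
```

The two samples show why scoping and MFA matter: two open 1-point items leave a score of 108 and a conditional certification, while MFA rolled out only to remote and privileged users costs just 3 points but, being a 5-point requirement, cannot be placed on a POA&M and blocks certification outright.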