CMMC 2.0: Requirements, Levels, Timeline, Cost, and What to Do Next
Educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance, and is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency.
CMMC 2.0 is the Department of Defense program that verifies whether defense contractors protect federal information at the level their contract requires. It has three levels tied to the data you handle: Level 1 (15 requirements, Federal Contract Information only, annual self-assessment), Level 2 (110 requirements from NIST SP 800-171 Revision 2, for Controlled Unclassified Information, self- or C3PAO-assessed), and Level 3 (Level 2 plus 24 NIST SP 800-172 requirements, for the highest-risk programs, assessed by DCMA DIBCAC). The contract clause — not a vendor, not a checklist — sets your level. Phase 2 began November 10, 2026, expanding the Level 2 (C3PAO) requirement. As of early 2026, roughly 1% of the contractors who will eventually need Level 2 had achieved it.
That last date is why you're probably here. So let's get you oriented fast, then go as deep as you need.
Find your situation in this table. If you read nothing else, read this:
| If your situation is… | Likely CMMC path | Requirements | Who assesses | Where it's recorded | Your first move |
|---|---|---|---|---|---|
| You handle FCI only, no CUI | Level 1 (Self) | 15 (FAR 52.204-21) | You (annual) | SPRS + affirmation | Confirm no CUI is actually in scope |
| You handle CUI, solicitation says Self | Level 2 (Self) | 110 (NIST SP 800-171 Rev. 2) | You (every 3 yrs) | SPRS + annual affirmation | Build the SSP and score honestly |
| You handle CUI, solicitation requires certification | Level 2 (C3PAO) | 110 (NIST SP 800-171 Rev. 2) | Authorized C3PAO (every 3 yrs) | CMMC eMASS → SPRS; affirmation in SPRS | Get readiness help before scheduling |
| Most sensitive CUI / APT-targeted programs | Level 3 (DIBCAC) | Level 2 + 24 (NIST SP 800-172) | DCMA DIBCAC | CMMC eMASS → SPRS; affirmation in SPRS | Confirm the contract truly requires Level 3 |
Sources: DoD CIO CMMC program page; 32 CFR Part 170. "C3PAO" = Certified Third-Party Assessment Organization. "DIBCAC" = Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center. "SPRS" = Supplier Performance Risk System. "FCI" = Federal Contract Information. "CUI" = Controlled Unclassified Information.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor's level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
One honest caveat before we go further. This page cannot tell you your exact required level. Nobody's page can. The only documents that set your level are your solicitation, your contract, and your prime's flow-down. Anyone who hands you a definitive level without reading those is guessing — and in this program, guessing is expensive. What we can do is make the rules clear, show you where the real decision points are, and point you to the one thing that maps your specific situation to the right provider category before you request a quote.
What is CMMC 2.0?
CMMC 2.0 is the Cybersecurity Maturity Model Certification program the Department of Defense uses to verify that contractors and subcontractors have implemented required safeguards for FCI and CUI on their own information systems. It is codified in 32 CFR Part 170 and enforced in contracts through the DFARS clauses. It replaced the original five-level model with three levels and brought back limited self-assessment.
Here's the thing CMMC doesn't do: it doesn't invent a brand-new security standard. It verifies standards that already existed. Level 1 points to the 15 basic safeguards in FAR 52.204-21. Level 2 points to the 110 requirements in NIST SP 800-171 Revision 2 — the same controls defense contractors have been contractually obligated to follow under DFARS 252.204-7012 since late 2017. Level 3 layers on 24 selected requirements from NIST SP 800-172 for the highest-sensitivity programs.
So why create a whole certification program for rules that already existed? Because the old honor system wasn't working. In its own Regulatory Impact Analysis for the rule, DoD admitted the gap plainly: under the prior self-attestation model, a contractor could be considered "compliant" with NIST SP 800-171 while implementing only 10% of the requirements — as long as the other 90% were parked on a plan of action. CMMC closes that gap with scored assessments, a status in SPRS, and annual affirmations.
What CMMC 2.0 is not:
- It is not a replacement for your contract. The contract still governs.
- It does not mean every contractor needs a third-party assessment. Many will self-assess.
- It does not mean buying a software tool makes you compliant. Tools help; they don't certify.
- It does not make any vendor, consultant, or trade publication a government authority. Verify credentials against official sources.
Who has to comply with CMMC 2.0?
CMMC applies whenever a DoD solicitation, contract, task order, or subcontract requires a CMMC status for systems that process, store, or transmit FCI or CUI. More than 200,000 organizations in the defense industrial base could be affected, and DoD estimates roughly 8,350 medium and large entities will need a Level 2 C3PAO assessment specifically. You do not pick your level — the requiring activity does, and it appears in the solicitation.
If you make parts, write software, run logistics, provide professional services, or sit anywhere in a defense supply chain and you touch government information, this likely reaches you. A large share of the DIB is small businesses with no dedicated security staff. If that's you, you're the rule, not the exception.
The first fork: FCI vs CUI
This single distinction drives most of your obligation.
- FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract — think pricing, delivery schedules, basic performance details. FCI-only work generally points to Level 1.
- CUI (Controlled Unclassified Information) is information that law, regulation, or government-wide policy requires you to safeguard — technical drawings, engineering specs, certain program details. CUI generally pushes you to Level 2 or, rarely, Level 3.
If you're not sure whether what you handle is CUI, treat that uncertainty as a real project, not a footnote. Over-scoping (assuming everything is CUI) burns money; under-scoping (missing CUI you actually hold) costs you eligibility. Both are expensive mistakes in opposite directions.
Do subcontractors need CMMC 2.0?
Yes — and the rule is more specific than most people realize. Under 32 CFR 170.23, a prime must flow CMMC requirements down to subcontractors, and the subcontractor's required level follows the information it handles, not automatically the prime's level:
- Sub handles FCI only → minimum Level 1 (Self).
- Sub handles CUI → minimum Level 2 (Self).
- Prime has a Level 2 (C3PAO) requirement and the sub handles CUI → sub needs Level 2 (C3PAO).
- Prime has a Level 3 requirement and the sub handles CUI → sub needs at least Level 2 (C3PAO).
A prime's email saying "be Level 2 by [date]" is a signal, not a specification. The subcontract language, the data actually flowed to you, and your system scope decide the real requirement.
The right CMMC provider isn't the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to a provider category before you request a quote.
The CMMC 2.0 Requirement-to-Action Matrix
This is the table we wish existed when we started covering this program. Most guides explain the regulation. Almost none translate "the thing that just landed in my inbox" into "here's what it means, who assesses it, where it gets recorded, what category of help to look for, and the mistake that burns people in your exact spot." We built this by cross-walking 32 CFR Part 170, the DFARS clauses, DoD CIO guidance, SPRS documentation, and the program rule's Regulatory Impact Analysis.
Read it by the left column — find what triggered your search, then move right.
| What triggered your search | What to verify first | Likely CMMC path | Where status matters | Provider category to consider first | Costly mistake to avoid | Primary-source basis |
|---|---|---|---|---|---|---|
| "I saw Level 1 (Self) in a solicitation." | You handle FCI only, no CUI, for this work | Level 1 (Self): 15 FAR 52.204-21 requirements, annual | SPRS entry + annual affirmation | Internal IT owner; an RPO/RP if scope is unclear | Hiring a C3PAO when the contract only needs Level 1 Self | 32 CFR 170.14; DFARS 252.204-7025 |
| "I saw Level 2 (Self)." | You handle CUI but the solicitation specifies Self | 110 NIST SP 800-171 Rev. 2 requirements, every 3 yrs | SPRS + annual affirmation | RPO/RP for the gap and SSP; MSSP for operations | Assuming "Level 2" always means a C3PAO | 32 CFR 170.15–170.16; DFARS 252.204-7025 |
| "I saw Level 2 (C3PAO)." | You handle CUI and certification is required | 110 NIST SP 800-171 Rev. 2 requirements; authorized C3PAO, every 3 yrs | C3PAO posts to CMMC eMASS; status flows to SPRS | Readiness provider first; a C3PAO only when evidence is ready | Scheduling the assessment before scope, SSP, and evidence exist | 32 CFR 170.17; DFARS 252.204-7021 |
| "I saw Level 3 (DIBCAC)." | High-sensitivity CUI designated by DoD | Final Level 2 (C3PAO) first, then Level 3 + 24 NIST SP 800-172 requirements | CMMC eMASS → SPRS; ongoing affirmations | Advanced readiness, architecture/enclave strategy, federal-contracts counsel | Treating Level 3 as "Level 2 plus a few extra documents" | 32 CFR 170.18; 170.14(c)(4) |
| "My prime says be Level 2 by a date." | What information is actually flowed to you, and the subcontract terms | Could be Level 2 Self or C3PAO — prime language alone isn't enough | Prime may require current status before subcontract award | Contract + scope review (RPO/RP or attorney) before buying anything | Accepting an overbroad flow-down without clarifying FCI/CUI and assessment type | 32 CFR 170.23; DFARS 252.204-7021 |
| "We already posted a NIST/SPRS score — is that CMMC?" | A NIST SP 800-171 score is not a CMMC status by itself | Depends on the clause in your contract | SPRS holds both NIST scores and CMMC records | RPO/RP to reconcile your score, SSP, POA&M, and CMMC status | Telling a prime "we're certified" because you posted a NIST score | 32 CFR 170.15–170.17; SPRS documentation |
| "We use GCC High / GovCloud / an enclave." | Cloud choice does not settle scope or compliance by itself | Provider responsibilities must be documented and in assessment scope | SSP, responsibility matrix, inheritance evidence | CUI enclave provider, GCC High implementer, MSSP, GRC | Believing "GCC High = CMMC compliant" | 32 CFR 170.19 (scoping, ESP) |
Methodology: assembled by The Defense Compliance Report from the primary regulatory sources listed at the foot of this page and cited per row. It is an editorial decision aid, not a government dataset, and not legal advice. The CMMC Path Framework routes to a provider category, not a named provider, and is not a score or ranking.
This is the decision point most contractors reach. You can see your row, but you still can't tell whether your next call should be a readiness firm, a managed security provider, an enclave specialist, software, or a C3PAO — because that depends on details a table can't see.
Map your CMMC path before you request a single quote.
Tell us your required level, FCI/CUI scope, assessment type, environment, and timeline. The Defense Compliance Report's Find My CMMC Path tool maps your situation to the provider category to evaluate first — C3PAO, RPO/RP, MSSP, GRC platform, or CUI enclave — so you stop comparing vendors who solve different problems.
Do not submit CUI, drawings, contract numbers, or sensitive details — high-level routing inputs only. How our provider matching works; provider matching may generate a referral or lead-routing fee when disclosed.
What are the CMMC 2.0 levels?
CMMC 2.0 has three levels. Level 1 protects FCI with 15 requirements. Level 2 protects CUI with the 110 requirements in NIST SP 800-171 Revision 2, organized into 14 control families and measured against 320 assessment objectives. Level 3 adds 24 selected NIST SP 800-172 requirements (134 total) for the highest-risk programs. The level matters, but the assessment type — Self, C3PAO, or DIBCAC — drives your cost and timeline more than the level number does.
| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Protects | FCI | CUI | CUI on high-priority programs |
| Requirements | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev. 2) | 134 (110 + 24 from NIST SP 800-172) |
| Assessment | Annual self-assessment | Self or C3PAO, per the solicitation | DCMA DIBCAC (government) |
| Frequency | Annual | Every 3 years | Every 3 years |
| POA&M allowed? | No | Limited | Limited |
| Results posted to | SPRS | SPRS (Self) / CMMC eMASS → SPRS (C3PAO) | CMMC eMASS → SPRS |
| Annual affirmation? | Yes | Yes | Yes |
| Prerequisite | None | None | Final Level 2 (C3PAO) for the same scope |
Source: DoD CIO CMMC program page; 32 CFR 170.14. "POA&M" = Plan of Action and Milestones.
Level 1 (Foundational)
Fifteen basic safeguards from FAR 52.204-21 — the cyber hygiene any company on a government network should already have. You self-assess once a year, and an affirming official affirms it in SPRS. No POA&M is allowed: all 15 must be met at the time of assessment. A point worth printing because the web gets it wrong constantly — Level 1 is 15 requirements, not 17. The "17" is a holdover from the old CMMC 1.0 model. The current rule lists exactly 15, at 48 CFR 52.204-21(b)(1)(i) through (xv), as incorporated into 32 CFR 170.14.
Level 2 (Advanced)
This is where most CUI contractors land, and it's the heart of the program. One hundred ten requirements from NIST SP 800-171 Revision 2, across 14 families, checked against 320 discrete assessment objectives. Two paths share that same baseline: a self-assessment (for a defined subset of contracts) or a C3PAO certification assessment (specified by the solicitation for CUI work). Same controls — different proof. Limited POA&Ms are allowed at the conditional stage.
Level 3 (Expert)
The smallest tier, for the most sensitive CUI on programs likely to draw advanced, well-funded attackers. Level 3 requires you to hold a Final Level 2 (C3PAO) status for the same assessment scope first, then adds 24 selected requirements from NIST SP 800-172. The assessment is government-led, performed by DCMA DIBCAC. You cannot initiate a Level 3 certification assessment until you have achieved Final Level 2 (C3PAO) for that same scope.
Is CMMC 2.0 mandatory now?
Yes — CMMC is live and phasing into contracts, not theoretical. The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024. The DFARS acquisition rule took effect November 10, 2025, which started Phase 1. The mandatory Level 2 third-party (C3PAO) requirement begins phasing in at Phase 2 on November 10, 2026.
Here's the four-phase schedule, straight from 32 CFR 170.3(e):
| Phase | Date | What changes | What it means for you |
|---|---|---|---|
| Program Rule effective | December 16, 2024 | 32 CFR Part 170 in force | CMMC becomes a binding federal program |
| DFARS rule / Phase 1 | November 10, 2025 | CMMC starts appearing in solicitations | Mostly Level 1 (Self) and Level 2 (Self); DoD may require Level 2 (C3PAO) at its discretion |
| Phase 2 | Begins November 10, 2026 | Level 2 (C3PAO) expands | DoD intends to include Level 2 (C3PAO) as a condition of award for applicable solicitations; it may delay inclusion to an option period, and may add Level 3 (DIBCAC) at its discretion |
| Phase 3 | Begins | Level 2 (C3PAO) for applicable contracts + Level 3 expands | Fewer "wait and see" options remain |
| Phase 4 | Begins | Full implementation | CMMC applies in all applicable DoD solicitations and contracts |
Now, about that "deadline." Here's the uncomfortable truth, and it's the most important sentence in this section: "the CMMC 2.0 deadline" is not one date for every contractor. Your real deadline is the next solicitation, option exercise, or flow-down in front of you. That makes generic countdown advice genuinely dangerous — it pushes one company to panic and overspend a year early, and lulls another into waiting until they've already lost a bid.
But here's why the calendar still creates real pressure, and this part is not hype. If you need a Level 2 (C3PAO) assessment, you can't summon a certification on demand. Authorized assessors are a finite resource (more on that below), scheduling lead times are running roughly 6 to 12 months, and as of early 2026 only about 1% of the contractors who will eventually need Level 2 had achieved it. When the Phase 2 window tightens, that queue gets worse, not better. Early isn't paranoid here. Early is strategy.
What changed in 2026? The FAR Overhaul and DFARS clause renumbering
Effective February 1, 2026, the Department of Defense issued class deviations under the "Revolutionary FAR Overhaul" that eliminated DFARS 252.204-7019, renumbered DFARS 252.204-7020 to DFARS 252.240-7997, and moved FAR 52.204-21 to FAR 52.240-93. DFARS 252.204-7012 and 252.204-7021 are unchanged. No underlying cybersecurity requirement disappeared — but because these are class deviations, the Code of Federal Regulations still shows the old numbers, so you'll see both during the transition.
This is the section almost every other "CMMC 2.0" overview skips, and it's quietly tripping up contractors right now. We cross-checked the official DoD class-deviation list (Class Deviations 2026-O0043 and 2026-O0025, among others) against the live eCFR text of 32 CFR Part 170 on June 30, 2026, and confirmed the mismatch ourselves: the deviations changed which clauses contracting officers use, but the codified regulation hasn't caught up. So the rule text and your newest solicitations can cite different numbers for the same requirement.
Here's the crosswalk so you don't get whiplash:
| Legacy clause (still in the CFR) | What it does | Status under the Feb 1, 2026 FAR Overhaul | Codified yet? |
|---|---|---|---|
| DFARS 252.204-7012 | Safeguard covered defense info; report incidents within 72 hours; implement NIST SP 800-171 | Unchanged | Yes |
| DFARS 252.204-7019 | Submit your Basic NIST SP 800-171 self-assessment score to SPRS | Eliminated — the standalone "Basic" self-assessment concept is removed and absorbed into CMMC | Deviation only |
| DFARS 252.204-7020 | DoD's right to do a higher-level assessment; sub-score checks | Renumbered to DFARS 252.240-7997; "Basic" removed; now defines only Medium and High government assessments | Deviation only |
| DFARS 252.204-7021 | The CMMC requirement; ties contract eligibility to your CMMC status | Unchanged | Yes |
| DFARS 252.204-7025 | Notice that tells offerors the required CMMC level and assessment path | Unchanged | Yes |
| FAR 52.204-21 | The 15 basic safeguards (Level 1's source) | Renumbered to FAR 52.240-93 (CMMC still references 52.204-21) | Deviation only |
The takeaway, in plain terms: nothing got easier, and nothing went away. The government reorganized and renumbered its acquisition rules. And to be clear about the part that's easy to misread — self-assessment and SPRS did not disappear. The old DFARS 252.204-7019 "Basic" self-assessment provision is gone from new deviation-path solicitations, but CMMC self-assessments continue: Level 1 (Self) and Level 2 (Self) still require you to record results and submit annual affirmations in SPRS. The right move during this transition is to match the clause to the requirement, not to a number you memorized. If a solicitation cites 252.240-7997, that's the renumbered DoD assessment authority, and it means the government can validate your cybersecurity claims with a Medium or High assessment regardless of your CMMC self-assessment.
Does CMMC 2.0 use NIST SP 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 is built on NIST SP 800-171 Revision 2 — its 110 requirements. NIST itself has moved on: it withdrew Revision 2 in favor of Revision 3 in May 2024, and on May 13, 2026 it withdrew the February 2021 version of SP 800-172 in favor of a new revision. But CMMC is still tied to Revision 2 — and, for Level 3, the February 2021 version of SP 800-172 — through the rule. Build to those until DoD amends it.
This trips up smart people, so let's be precise. If you read DFARS 252.204-7012 literally, it tells you to implement "the most current version" of NIST SP 800-171 — which would now be Revision 3. But CMMC's program rule incorporates Revision 2 specifically, and DoD issued Class Deviation 2024-O0013 to hold the requirement at Revision 2 so it matches CMMC. So for CMMC Level 2 today, Revision 2 is the controlling control set.
Here's the nuance almost no overview page keeps current. NIST now treats Revision 2 as superseded: it published SP 800-171 Revision 3 (final) on May 14, 2024 and withdrew Revision 2, and on May 13, 2026 it withdrew the February 2021 SP 800-172 in favor of Revision 3. Revision 3 is a real change — 97 requirements instead of 110, three new families (Planning, System and Services Acquisition, Supply Chain Risk Management), and organization-defined parameters. None of that is what CMMC assesses today. CMMC Level 2 remains pinned to Revision 2, and Level 3 to the February 2021 version of SP 800-172, as incorporated into 32 CFR Part 170. DoD is expected to move to Revision 3 eventually, through future rulemaking — but that hasn't happened, and it's likely years out. Anyone telling you to build Level 2 to Revision 3 right now is working from a version the program doesn't score.
Self-assessment vs C3PAO assessment (and the independence rule)
Level 1 and some Level 2 contracts allow a self-assessment with an annual affirmation in SPRS. Whether Level 2 is a self-assessment or a C3PAO certification is set by the solicitation, and Phase 2 expands the C3PAO path for applicable CUI contracts. Both Level 2 paths measure the same 110 requirements — the difference is who validates the result and where it's recorded. And a firm that prepares you for CMMC generally cannot also be your assessor for that same effort.
| | Level 1 (Self) | Level 2 (Self) | Level 2 (C3PAO) | Level 3 (DIBCAC) |
|---|---|---|---|---|
| Who performs it | You (OSA) | You (OSA) | Authorized C3PAO | DCMA DIBCAC |
| Requirement set | FAR 52.204-21 | NIST SP 800-171 Rev. 2 | NIST SP 800-171 Rev. 2 | Level 2 + 24 from SP 800-172 |
| Frequency | Annual | Every 3 years | Every 3 years | Every 3 years |
| Recorded in | SPRS | SPRS | CMMC eMASS → SPRS | CMMC eMASS → SPRS |
| When to bring in a provider | If scope is unclear | For gaps, SSP, evidence | Readiness first, then assess | Advanced program planning |
"OSA" = Organization Seeking Assessment. Which Level 2 path applies is specified in the solicitation under DFARS 252.204-7025.
The line to internalize: Level 2 Self and Level 2 C3PAO are not two different security standards. They're two validation paths against the same baseline. Same 110 requirements. The clause decides which path applies to you.
The independence rule — and why it has teeth
Here's a trap worth flagging before you sign anything. The same company can often help you get ready but cannot then be your assessor for that engagement. Under the CMMC ecosystem's conflict-of-interest rules, an organization that served as a consultant preparing you for a Level 2 certification generally cannot participate in your certification assessment for that same effort. Keep readiness help and formal assessment cleanly separated, and get conflict-of-interest disclosures in writing.
This isn't bureaucratic theater. The DoD's own watchdog found the authorization process for assessors had real gaps. In Report DODIG-2025-056 (released January 2025), the DoD Office of Inspector General reviewed 11 C3PAOs and found two were authorized without a signed agreement and code of professional conduct, four without verified credentials for their quality-control leads, and that the program lacked a quality-assurance process to confirm assessors were qualified. The OIG issued 10 recommendations; DoD officials partially agreed. Legal analysts have since noted the stakes for you: now that Level 2 certification is a contractual prerequisite, relying on an improperly authorized assessor — or misrepresenting your status — could expose a contractor to False Claims Act liability.
The practical lesson is simple, and it's why we keep hammering verification: confirm your C3PAO's current authorization on the day you sign, directly at the source. No one in the program picks an assessor for you — the Cyber AB maintains the public Marketplace of authorized C3PAOs and their statuses, and vetting them is your job. A screenshot from six months ago proves nothing — authorizations can lapse.
Figure out whether you need readiness help or an assessor — they are not the same purchase.
If you still need to build controls, write your SSP, and gather evidence, you need a readiness category (RPO/RP, MSSP). If you're already implemented and just need certification, you need a C3PAO. Tell us where you actually are and we'll point you to the right category — without blurring the two.
No CUI in the form, please.
How much does CMMC 2.0 cost in 2026?
No page can quote your CMMC cost from a keyword, because cost depends on scope, current maturity, CUI flow, environment, assessment path, and how much you do in-house. DoD's official figures are useful anchors — but they are regulatory burden estimates, and they explicitly exclude the cost of implementing the controls. The most-cited figure, $104,670, is what DoD estimates it costs to prove Level 2 compliance, not to achieve it.
Let's separate the two numbers that get mashed together everywhere, because confusing them is how budgets blow up.
What DoD officially estimated (from the rule's Regulatory Impact Analysis):
| Path | DoD estimate | What it covers |
|---|---|---|
| Level 1 (Self) | ~$4,000–$6,000/yr | Self-assessment + affirmation |
| Level 2 (Self) | ~$37,000 over 3 years (small entity) | Assessment + affirmations |
| Level 2 (C3PAO) | ~$101,752 initial / ~$104,670 over 3 years (small); ~$117,768 (other-than-small) | The C3PAO assessment engagement (~$31,234 line item), planning/reporting, and affirmations |
| Level 3 (DIBCAC) | Level 2 cost + ~$13,000 (small) to ~$40,000+ (other-than-small) | The added Level 3 assessment and engineering |
Now read the fine print DoD wrote into the analysis itself: these estimates assume you already implemented NIST SP 800-171, because contractors have been obligated to do so since the 2017 DFARS 252.204-7012 deadline. In DoD's words, implementation costs "should already have been incurred and are not attributed to this rule." Translation: the $104,670 is the cost of the exam, not the cost of studying for it.
What the market actually reports. For a small-to-mid contractor that is not already fully implemented — which is most of them — 2026 industry cost analyses put realistic first-year, all-in spend at roughly $75,000 to $300,000+. These are market observations, not official figures, and they vary widely by scope; we keep the full methodology and source breakdown on our CMMC Level 2 cost analysis. The C3PAO's assessment fee alone is commonly $30,000–$75,000 (larger or more complex scopes go higher). The bigger money is everywhere else:
- The assessment fee is usually only about a quarter to a third of the total. Remediation and technology are the larger line items.
- Internal labor is the cost nobody budgets. Industry analyses put Level 2 preparation at roughly 400–800 hours of staff time.
- Industry reporting suggests a meaningful share of first-time Level 2 attempts leave open POA&M items requiring a closeout assessment — which adds cost and time.
- FIPS-validated encryption is one of the most commonly failed requirements; tooling that isn't FIPS-validated can quietly sink a score.
Three legitimate ways to spend less, none of which involve cutting corners:
- Scope down with a CUI enclave. Isolating CUI to a defined boundary can meaningfully cut technology and assessment costs, because fewer systems fall in scope. The difference between a flat network and a well-segmented one can be 15 systems in scope versus 150. (We break the numbers down on our CMMC enclave cost page.)
- Run a gap assessment before you engage a C3PAO. A few thousand dollars spent finding problems early almost always beats discovering them during the formal assessment.
- Bank your existing maturity. Organizations with ISO 27001 or SOC 2 programs already in place typically spend less on remediation, because much of the control work is already done.
Don't compare CMMC quotes until you know which category you need.
A C3PAO quote, an MSSP quote, and a compliance-software quote are not interchangeable — they solve different parts of the problem. Tell us your level, scope, environment, and timeline, and we'll map the provider category first, so you're comparing apples to apples.
What does CMMC Level 2 actually require?
CMMC Level 2 requires the 110 security requirements in NIST SP 800-171 Revision 2, grouped into 14 control families and measured against 320 assessment objectives. Both Level 2 paths use the same baseline. An assessor doesn't ask whether you have a policy — they ask whether you can demonstrate it in practice, with dated artifacts, logs, and records.
The 14 families are where the work lives. Here's each one in plain language, with the kind of evidence an assessor expects to see — because the single most common failure pattern isn't missing controls, it's controls you can't prove.
| Family | What it really asks | Evidence assessors look for |
|---|---|---|
| Access Control | Who can reach CUI, and how | Account lists, access approvals, least-privilege records |
| Awareness & Training | Whether your people are trained | Training completion records |
| Audit & Accountability | Whether logs exist and get reviewed | SIEM/log-review records |
| Configuration Management | Whether systems are baselined and controlled | Baselines, change records |
| Identification & Authentication | MFA and identity proof | Identity-provider settings, MFA policies |
| Incident Response | Whether you can detect and handle incidents | IR plan, test/exercise records |
| Maintenance | Controlled system maintenance | Maintenance logs |
| Media Protection | How CUI media is handled and destroyed | Sanitization/disposal records |
| Personnel Security | Screening and offboarding controls | HR/security records |
| Physical Protection | Facility and device access | Badge/access logs |
| Risk Assessment | Vulnerability and risk process | Scan reports, risk register |
| Security Assessment | SSP, control reviews, POA&M | SSP, POA&M, assessment records |
| System & Communications Protection | Network and encryption architecture | Diagrams, FIPS-validated encryption evidence |
| System & Information Integrity | Patching, malware, vulnerability response | Patch reports, EDR records |
Source: NIST SP 800-171 Rev. 2 as incorporated in 32 CFR Part 170; assessment objectives from NIST SP 800-171A.
The recurring theme assessors consistently report: access reviews happen but aren't documented; training is completed but no records are kept; incident response plans are written but never tested. A control you can't evidence is a control you don't get credit for.
How do POA&Ms and Conditional CMMC status work?
POA&Ms are limited under CMMC. Level 1 allows none. Level 2 and Level 3 allow limited POA&Ms only if your score divided by the total requirements is at least 0.8, certain high-value requirements are met (not deferred), and you close every open item within 180 days. Miss the 180-day window and a Conditional status expires.
A Plan of Action and Milestones is your documented plan to fix a gap — but in CMMC it's a narrow allowance, not a loophole. Per 32 CFR 170.21:
- Level 1: no POA&M, ever. All 15 must be met.
- Level 2 and Level 3: to earn a Conditional status, your assessment score divided by total requirements must be ≥ 0.8, and you must pass a POA&M closeout assessment within 180 days of your Conditional status date. Miss that window and the Conditional status — and your eligibility for the affected information system — expires.
And there's a specific catch worth knowing before you plan around POA&Ms. At Level 2, several requirements cannot go on a POA&M at all — they must be fully met to earn a Conditional status:
| Requirement | What it covers |
|---|---|
| AC.L2-3.1.20 | External connections (CUI data) |
| AC.L2-3.1.22 | Control of public information (CUI data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort visitors (CUI data) |
| PE.L2-3.10.4 | Physical access logs (CUI data) |
| PE.L2-3.10.5 | Manage physical access (CUI data) |
Source: 32 CFR 170.21(a)(2).
On top of that, no requirement worth more than 1 point may be deferred to a POA&M — with a single exception: SC.L2-3.13.11 (CUI Encryption) may be on a POA&M only if you're encrypting CUI but not yet with FIPS-validated cryptography. (Level 3 has its own, separate list of non-deferrable requirements in the same section.) So if your plan quietly depends on "we'll fix it later," get a POA&M-specific review before you bid or schedule — not after. See our deep-dive on the 180-day POA&M closeout.
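As an added illustration (not from this page, the rule text, or any official DoD or Cyber AB tool), here is the Conditional-status logic above written as a small Python check a GRC workflow could run over assessment results. The non-deferrable IDs and SC.L2-3.13.11 are the ones listed on this page; every other requirement ID, point weight and date in the sample input is a constructed assumption, not a real assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = {1: 15, 2: 110}
CONDITIONAL_MIN_RATIO = 0.8
POAM_CLOSEOUT_DAYS = 180

# Level 2 requirements that can never sit on a POA&M (32 CFR 170.21(a)(2), as listed above).
NON_DEFERRABLE_L2 = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# The one requirement worth more than 1 point that may be deferred, and only in one situation.
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    """One NOT MET requirement from an assessment (constructed input, not real results)."""
    req_id: str
    points: int                       # scoring weight; values used here are assumed for the sample
    encrypted_non_fips: bool = False  # CUI is encrypted, but not with FIPS-validated cryptography


def assessment_score(level: int, not_met: list) -> int:
    """Score = total requirements minus the points of every NOT MET requirement."""
    return TOTAL_REQUIREMENTS[level] - sum(f.points for f in not_met)


def poam_blockers(not_met: list) -> list:
    """Reasons each NOT MET Level 2 requirement cannot be deferred to a POA&M."""
    reasons = []
    for f in not_met:
        if f.req_id in NON_DEFERRABLE_L2:
            reasons.append(f"{f.req_id}: non-deferrable, must be MET")
        elif f.points > 1 and not (f.req_id == CUI_ENCRYPTION and f.encrypted_non_fips):
            reasons.append(f"{f.req_id}: worth {f.points} points, cannot be deferred")
    return reasons


def conditional_status(level: int, not_met: list, status_date: str) -> dict:
    """Classify a result as Final, Conditional, or not eligible for either.
    status_date (ISO) is the Conditional status date; deadline is the last day to pass closeout."""
    if not not_met:
        return {"status": "Final", "blockers": [], "deadline": None}
    if level == 1:  # Level 1 allows no POA&M at all
        return {"status": "Not eligible", "blockers": ["Level 1 allows no POA&M"], "deadline": None}
    score = assessment_score(level, not_met)
    ratio = score / TOTAL_REQUIREMENTS[level]
    blockers = poam_blockers(not_met)
    if ratio < CONDITIONAL_MIN_RATIO:
        blockers.append(f"score ratio {ratio:.3f} is below {CONDITIONAL_MIN_RATIO}")
    if blockers:
        return {"status": "Not eligible", "score": score, "blockers": blockers, "deadline": None}
    deadline = date.fromisoformat(status_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return {"status": "Conditional", "score": score, "blockers": [], "deadline": deadline.isoformat()}


def closeout_on_time(status_date: str, closeout_date: str) -> bool:
    """True if a POA&M closeout assessment date falls inside the 180-day window."""
    window_end = date.fromisoformat(status_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return date.fromisoformat(closeout_date) <= window_end
```

Feed it the NOT MET list from your gap assessment and it tells you whether "we'll fix it later" is even an option for that result, and by which date the closeout must be passed.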
What changes if you use GCC High, AWS GovCloud, a CUI enclave, or an external service provider?
Cloud and enclave choices can help you reduce scope, but they don't make you compliant by themselves. CMMC requires you to document a cloud or service provider's responsibilities in your SSP and responsibility matrix, and to bring those responsibilities into your assessment scope. Cloud service providers that handle CUI generally must meet FedRAMP Moderate or a DoD-recognized equivalent.
This is where a lot of money gets spent on the wrong assumption. "We moved to GCC High, so we're CMMC compliant" is one of the most expensive sentences in the DIB. The cloud is a tool; the responsibility is still yours to document and prove.
| Environment | Why contractors choose it | The CMMC risk | Provider category that usually helps |
|---|---|---|---|
| Microsoft GCC High | CUI collaboration in the Microsoft ecosystem | Misconfigured tenant, missing evidence | GCC High implementer + MSSP |
| AWS GovCloud | Cloud workloads, engineering systems | Shared-responsibility misunderstanding | Cloud security + RPO/RP |
| CUI enclave | Shrinking assessment scope | Business process doesn't actually fit the enclave | CUI enclave provider |
| On-prem | Existing infrastructure | A bigger assessment boundary | MSP/MSSP + RPO/RP |
| Hybrid | Real-world mixed systems | Boundary confusion | Architecture/scoping help first |
Don't rely on a product or tenant name to prove compliance. Standard commercial cloud tenants generally aren't authorized to hold CUI — which is why GCC High is common in the DIB — but the name alone settles nothing. For your specific scope, verify the exact cloud service offering's FedRAMP Moderate authorization (or DoD-recognized equivalency), the customer responsibility matrix, your SSP boundary, and how CUI actually flows through the environment. Confirm the details against your contract and a qualified advisor.
How many C3PAOs are there? (State of the Cyber AB Marketplace)
C3PAO authorization, assessor capacity, and certification throughput change every month, so treat any fixed count as a dated snapshot — not a permanent number. As of the March 2026 Cyber AB Town Hall, published figures pointed to roughly 100 authorized C3PAOs and about 759 certified assessors, with only about 1,000 organizations certified at Level 2 to date — roughly 1% of the population that will eventually need it. Verify the Cyber AB Marketplace directly on the day you sign.
We'll be straight with you about the data here, because the numbers genuinely move — and a page that pretends otherwise isn't worth your trust. This is a snapshot, dated, from the sources named. Re-verify before you rely on it.
| Metric | Snapshot figure | Source / date |
|---|---|---|
| Authorized C3PAOs | ~100 (published counts range from the high 60s to ~103) | March 2026 Cyber AB Town Hall; counts vary by source — verify live |
| Certified CMMC Assessors (CCAs) | ~759 | March 2026 Cyber AB Town Hall |
| Orgs certified at Level 2 | ~1,000 (~1% of the L2 universe) | March 2026 ecosystem reporting |
| New Level 2 certs issued (one month) | ~178 | March 2026 Cyber AB Town Hall |
| Typical C3PAO scheduling lead time | ~6–12 months | 2026 market reporting |
| Governance change | ISACA became the CAICO (April 2026) | Cyber AB / CAICO announcements |
Verify current status directly at the Cyber AB Marketplace. "CAICO" = CMMC Assessor and Instructor Certification Organization; ISACA now administers assessor and instructor training and exams, while the Cyber AB continues to run the Marketplace and C3PAO accreditation.
The headline most people miss: the famous "assessor shortage" is real but it is not your main problem. With only about 1% of the eligible population certified, the binding constraint is contractor readiness, not assessor availability. Most companies aren't waiting on a C3PAO — they're not ready to be assessed yet. So verify any assessor's status on cyberab.org the day you sign (remember the DoD OIG findings above), and put your energy into being ready. See our verified C3PAO list and our guide on how to choose a C3PAO.
How do you get CMMC 2.0 certified? The steps
The path is the same regardless of who helps you: define your CUI scope, run a gap assessment against NIST SP 800-171 Rev. 2, remediate, write your System Security Plan and any POA&Ms, get assessed (Self or C3PAO), then maintain it with annual affirmations in SPRS. Your System Security Plan must exist at the time of assessment — without it, the assessment can't be completed.
- Scope. Identify every system, person, facility, and external service provider that processes, stores, or transmits FCI or CUI. Per 32 CFR 170.19, you define your assessment scope before the assessment. Decide here whether you'll secure your whole environment or isolate CUI in an enclave.
- Gap-assess. Measure your current state against the 110 requirements. This is the diagnostic that prevents nasty surprises later.
- Remediate. Close gaps — technology, configuration, policy, and process. This is the most variable and usually the largest cost.
- Document. Write your System Security Plan (SSP) and any POA&Ms. The SSP is mandatory at assessment time; the absence of a current SSP results in a finding that the assessment can't be completed.
- Assess. Self-assess (and affirm in SPRS) or engage an authorized C3PAO (results to CMMC eMASS, transmitted to SPRS). For Level 3, DIBCAC assesses.
- Maintain. Submit annual affirmations of continuous compliance, and keep your evidence current. CMMC is not one-and-done — it's an operating discipline with a three-year reassessment cycle.
What to do in the next 30, 60, and 90 days
The next step differs by contractor, but the order rarely does. Skipping straight to vendor quotes is the classic mistake.
- First 30 days: Gather your contracts, solicitations, and flow-downs. Identify the DFARS clauses. Determine FCI vs CUI. Assign an internal owner. Draft an initial system/data map. Do not upload sensitive data to public forms.
- By 60 days: Build or update your SSP. Start the gap assessment. Decide enterprise scope vs enclave. Identify your likely provider category. Begin collecting evidence.
- By 90 days: Remediate the high-impact gaps. Prepare your SPRS and affirmation workflow. Decide whether your next move is a readiness provider, MSSP, enclave, GRC platform, or C3PAO — and if it's a C3PAO, schedule only when your evidence supports it.
Want the self-serve version? Map your level, scope, and timeline to the right provider category with the Find My CMMC Path tool, then bring a focused, scoped request to two or three providers instead of a vague "help, we need CMMC."
What type of CMMC provider do you need?
The provider you need depends on the job you're trying to finish. A C3PAO assesses. An RPO/RP helps you get ready. An MSSP/MSP operates your security controls. A GRC platform helps you manage evidence and workflow. A CUI enclave can shrink or isolate your scope. The CMMC Path Framework routes you to the right category first — not to a named company.
| Provider category | Use it when | Don't use it when | What to verify |
|---|---|---|---|
| RPO / RP (Registered Provider Organization / Registered Practitioner) | You need readiness, gap analysis, SSP, POA&M, scoping | You need a formal certification | Cyber AB listing, scope experience, deliverables |
| MSSP / MSP (Managed Security Service Provider) | You need ongoing operations — monitoring, identity, endpoint, patching | You only need a one-time policy package | Shared-responsibility terms, CUI handling, logging/evidence |
| GRC platform | You need evidence, workflow, control mapping, POA&M tracking | You think software alone makes you compliant | Exportable evidence, CMMC mapping, data handling |
| CUI enclave | You want to reduce or isolate scope | Your process genuinely can't run in an enclave | Cloud posture (FedRAMP), responsibility matrix, SSP boundary |
| C3PAO | You're assessment-ready and need Level 2 (C3PAO) | You still need implementation/remediation | Current Cyber AB authorization, independence, assessment scope |
| Federal-contracts attorney | Clause ambiguity, flow-down disputes, CUI marking, eligibility risk | Routine technical implementation | GovCon/CMMC familiarity |
A clarity note we hold to firmly: software is a supporting layer, not the whole CMMC solution. A GRC platform can make evidence management dramatically easier, but it doesn't implement your controls or certify you. Be skeptical of any pitch that implies otherwise.
The CMMC Path Framework maps a contractor's required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category they need. It routes to a category, not a named provider, and it is not a score, ranking, or compliance advice.
See also: C3PAO vs RPO vs MSSP: provider categories compared.
Ready to move from "what is this" to "who do I call"?
Use Find My CMMC Path to identify whether your next conversation should be with an RPO/RP, MSSP, CUI enclave provider, GRC platform, C3PAO, or attorney — based on your actual situation, not a generic recommendation.
How should a small business approach CMMC 2.0 without overspending?
Start with scope, data flow, and contract language before you buy a single tool or schedule an assessment. The fastest way to overspend is to treat CMMC as a shopping list instead of a scoped path tied to your FCI/CUI, your assessment type, and the systems actually used for the contract.
Small contractors carry the heaviest relative burden in this program, and a six-figure compliance project can consume a meaningful share of annual profit for a modest shop. That's not a reason to panic; it's a reason to sequence the work and refuse to spend out of order.
The discipline that protects a small budget:
- Pull the solicitation, contract, or prime flow-down.
- Find the named CMMC level and assessment type (look for DFARS 252.204-7025 and 252.204-7021).
- Determine whether you handle FCI only, CUI, or unclear data.
- Map the systems that actually touch that data.
- Decide: enterprise scope, enclave scope, or a process change to avoid holding CUI at all.
- Build or update the SSP.
- Validate your evidence before scheduling any formal assessment.
- Then request quotes — from the correct category.
Do that in order and you'll avoid the two mistakes that cost small contractors the most: paying for a C3PAO before you're ready, and buying tools for a scope you never needed to secure.
What we actually verified for this guide
We don't ask you to take our word for it. Here's exactly what we checked, and where.
What we verified
- The three levels, control counts (15 / 110 / 134, including the 24 Level 3 requirements), scoring, and POA&M rules — including the exact list of non-deferrable Level 2 requirements — against 32 CFR Part 170 on the eCFR, reviewed .
- The four phase dates — against 32 CFR 170.3(e).
- The DFARS acquisition rule effective date (November 10, 2025) — against the Federal Register final rule.
- The February 1, 2026 clause changes (7019 eliminated, 7020 → 252.240-7997, FAR 52.204-21 → 52.240-93) — against the DoD class-deviation list, cross-checked against the eCFR.
- The Rev. 2 vs Rev. 3 pinning and NIST's publication status — confirmed via DoD Class Deviation 2024-O0013, the eCFR's incorporation of NIST SP 800-171 Rev. 2, and NIST CSRC records.
- The DoD cost estimates ($101,752 / $104,670 / $117,768) and the explicit assumption that they exclude implementation — from the rule's Regulatory Impact Analysis.
- The assessor-vetting findings — from DoD OIG Report DODIG-2025-056.
What we did not verify on this broad page: any named provider's status, pricing, availability, or whether we have a compensation relationship with them. Those belong on provider-specific pages with their own last-verified date. Marketplace counts (C3PAOs, assessors) and market cost ranges move over time — re-verify before relying on them.
Byline: The Defense Compliance Report Editorial Team. This page has no individually credited reviewer. See our editorial standards and corrections policy.
Frequently asked questions about CMMC 2.0
What does CMMC 2.0 stand for?
CMMC stands for Cybersecurity Maturity Model Certification. CMMC 2.0 is the current three-level Department of Defense program that verifies contractors safeguard FCI and CUI, with the required level and assessment type set by the contract.
Is CMMC 2.0 the same as NIST SP 800-171?
No. NIST SP 800-171 Revision 2 is the requirement baseline for CMMC Level 2, but CMMC adds the assessment, scoring, status, affirmation, and contract-eligibility machinery around that baseline.
Does CMMC 2.0 use NIST SP 800-171 Rev. 3?
Not for the current rule. CMMC Level 2 is pinned to NIST SP 800-171 Revision 2. NIST has since published Revision 3 and withdrawn Revision 2, but a DoD class deviation holds CMMC at Revision 2 until the rule is amended through future rulemaking.
Who needs CMMC 2.0 certification?
Any organization in the DoD supply chain — prime or subcontractor — that processes, stores, or transmits FCI or CUI on its own systems, at the level the contract requires. Contracts exclusively for commercially available off-the-shelf (COTS) items are excluded.
Does CMMC apply to commercial products or COTS contracts?
CMMC can apply to contracts for commercial products or services, but 32 CFR Part 170 excludes solicitations and contracts that are exclusively for commercially available off-the-shelf (COTS) items. Confirm the clause and your data flow before assuming an exemption.
What's the difference between FCI and CUI?
FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract. CUI (Controlled Unclassified Information) requires safeguarding under law, regulation, or policy. CUI is what generally pushes you to Level 2 or Level 3.
Does every contractor need a C3PAO?
No. Level 1 is self-assessed, and some Level 2 contracts allow a self-assessment rather than a C3PAO certification. The solicitation determines your path under DFARS 252.204-7025.
What is DFARS 252.204-7025?
It's the solicitation notice that tells offerors which CMMC level is required — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and ties award eligibility to having a current CMMC status and affirmation in SPRS.
What is DFARS 252.204-7021?
It's the contract clause requiring you to maintain current CMMC status at the level in the contract for systems handling FCI or CUI, and to flow the requirement down to relevant subcontractors.
What is SPRS?
SPRS (Supplier Performance Risk System) is the DoD system of record that stores CMMC and NIST SP 800-171 assessment information used in acquisition decisions.
Can I use a POA&M for CMMC?
Level 1 allows none. Level 2 and Level 3 allow limited POA&Ms only if your score is at least 0.8 of the total, certain requirements are fully met (they cannot be deferred), and you close every open item within 180 days.
What changed with DFARS 7019 and 7020 in 2026?
Effective February 1, 2026, the FAR Overhaul class deviations eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997. DFARS 252.204-7012 and 252.204-7021 were unchanged. Because these are deviations, the CFR still shows the old numbers during the transition, and CMMC self-assessments plus SPRS affirmations still apply.
How long does CMMC 2.0 take?
There's no single timeline in the rule. Most Level 2 contractors need 6 to 18 months — and sometimes more — depending on scope, current maturity, CUI flow, documentation, and remediation. If you need a C3PAO, add 6 to 12 months of scheduling lead time.
Should I hire a C3PAO first?
Only if you're assessment-ready and your contract requires a C3PAO. If your scope, SSP, evidence, and POA&M strategy aren't ready, start with readiness or category mapping — scheduling the formal assessment too early is a common, costly mistake.
What should I never submit to a provider-matching form?
Never submit CUI, drawings, technical data, export-controlled content, contract numbers, sensitive customer names, or proprietary details. Use these forms only for high-level routing inputs — required level, general scope, environment type, timeline, and company size.
Your next step
You came here to understand CMMC 2.0. By now you know the three levels, that your contract clause sets your level, what the program really costs versus what DoD estimated, how the timeline phases in, what changed in 2026, and where the expensive mistakes hide. That's the hard part — most contractors never get this far without a confusing sales call.
The last move is the cheapest and the most important: figure out which category of help you actually need before you spend anything.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.
Do not submit CUI, drawings, or sensitive contract details through the form.
This is educational research, not legal, contractual, or compliance advice. Confirm your scope, level, and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney — the contract clause and your CUI handling set your level, not a checklist.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Go deeper
- The CMMC certification process, step by step
- CMMC Level 2 self-assessment vs C3PAO assessment
- What CMMC Level 2 actually costs
- C3PAO vs RPO vs MSSP: provider categories compared
- Best C3PAO for CMMC Level 2: how to choose
- CMMC enclave cost and scoping
- CMMC flow-down requirements for subcontractors
- Conditional CMMC Level 2 and the 180-day POA&M closeout
- CMMC annual affirmation: what and when
- Find My CMMC Path
Sources we read (primary and authoritative)
- 32 CFR Part 170 — CMMC Program Rule (eCFR, current): ecfr.gov/current/title-32/…/part-170
- 32 CFR 170.3 — Applicability and phase dates: section-170.3
- 32 CFR 170.21 — POA&M requirements (non-deferrable list): section-170.21
- 32 CFR 170.23 — Application to subcontractors: section-170.23
- Federal Register — CMMC Program Final Rule (32 CFR Part 170): 2024-22905
- Federal Register — DFARS CMMC Acquisition Final Rule (effective Nov 10, 2025): 2025-17359
- DoD CIO — CMMC program page: dodcio.defense.gov/cmmc/About/
- DoD Regulatory Impact Analysis — CMMC cost estimates: DOD-2023-OS-0063-0003
- DoD — Revolutionary FAR Overhaul class deviations (DFARS): acq.osd.mil/dpap/dars/…
- DoD OIG — Report DODIG-2025-056 (C3PAO authorization audit): DODIG-2025-056
- DFARS 252.204-7025: acquisition.gov/dfars/252.204-7025
- FAR 52.204-21: acquisition.gov/far/52.204-21
- SPRS — Supplier Performance Risk System: sprs.csd.disa.mil
- Cyber AB Marketplace: cyberab.org/marketplace
- NIST SP 800-171 Rev. 2 (withdrawn; CMMC-controlling version): csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
- NIST SP 800-171 Rev. 3 (final): csrc.nist.gov/pubs/sp/800/171/r3/final
- NIST SP 800-172 (Feb 2021, withdrawn; CMMC Level 3 version): csrc.nist.gov/pubs/sp/800/172/final