The CMMC Certification Process, Explained: The 4 Paths, the Steps, and What It Costs
The CMMC certification process starts with the CMMC status your contract requires — not with a vendor quote — and many companies that search this phrase don’t need a third-party certification at all. The Cybersecurity Maturity Model Certification program runs on four assessment paths, and the one you need is named in the solicitation, contract, or prime flow-down. If you handle only Federal Contract Information (FCI), you do a Level 1 self-assessment — annual, no C3PAO, no certification fee. If your contract requires Level 2 with CUI and mandates a third-party assessment, you engage a C3PAO. The path is in the clause.
The rest of this page is the how — the exact order of operations, what each path costs using the Department of Defense’s own published estimates, what evidence an assessor actually wants to see, and the one rule that trips up more contractors than any other: the firewall between the people who help you get ready and the people who certify you.
What we verified for this article
We built this page from primary and authoritative sources, not other people’s summaries:
- The CMMC Program Rule, 32 CFR Part 170 (effective December 16, 2024) in the eCFR and Federal Register — confirming the four-phase schedule, the seven CMMC Status values, scoring rules, and conflict-of-interest requirements.
- The DFARS acquisition rule (effective November 10, 2025) and clauses DFARS 252.204-7021 and 252.204-7025.
- CMMC Level 2 maps to NIST SP 800-171 Revision 2 — not Revision 3 — per DoD CIO guidance and the May 2024 DFARS class deviation.
- Cyber AB ecosystem figures from the March 2026 Cyber AB Town Hall (most recent available; counts change monthly).
- The DoD Office of Inspector General audit (DODIG-2025-056) on the C3PAO authorization process.
The CMMC Certification Process at a Glance: The Four Paths
There is no single CMMC certification process. There are four assessment paths, and they diverge on who assesses you, where your results go, how long the status lasts, and what it costs. This table is the spine of the entire decision, assembled from 32 CFR Part 170, the DFARS clauses, and the CMMC Assessment Process.
Those four paths produce up to seven possible CMMC Status values in SPRS, because Level 2 and Level 3 each have a Conditional and a Final version. DFARS 252.204-7021 lists all seven: Final Level 1 (Self); Conditional and Final Level 2 (Self); Conditional and Final Level 2 (C3PAO); and Conditional and Final Level 3 (DIBCAC). Level 1 has no “conditional” — you either meet all 15 requirements or you don’t.
| | Level 1 (Self) | Level 2 (Self) | Level 2 (C3PAO) | Level 3 (DIBCAC) |
|---|---|---|---|---|
| Protects | FCI only | CUI (Level 2 Self contract) | CUI (Level 2 C3PAO contract) | CUI on most sensitive programs |
| Control baseline | FAR 52.204-21 (15 requirements) | NIST SP 800-171 Rev. 2 (110 requirements) | NIST SP 800-171 Rev. 2 (110 requirements) | 110 + 24 from NIST SP 800-172 (134 total) |
| Who assesses | You (self-assessment) | You (self-assessment) | An authorized C3PAO | DCMA DIBCAC (government) |
| Prerequisite | None | None | None | Final Level 2 (C3PAO) first |
| POA&M allowed? | No — all 15 must be met | Yes, limited | Yes, limited | Yes, limited (stricter) |
| Conditional status? | No | Yes (score ≥ 88 of 110) | Yes (score ≥ 88 of 110) | Yes (score ÷ total ≥ 0.8) |
| Where results go | SPRS (you enter) | SPRS (you enter) | eMASS → SPRS (C3PAO enters) | eMASS → SPRS (DIBCAC enters) |
| Validity | 1 year | 3 years | 3 years | 3 years |
| Affirmation | After assessment + annually | After assessment + annually | After assessment + annually | After assessment + annually |
| DoD cost estimate (small entity) | ~$5,977 (annual) | ~$37,000 (triennial cycle) | ~$105,000 (triennial cycle) | Level 2 cost + Level 3 implementation |
| Typical readiness time | Weeks to a few months | 6–18 months | 6–18 months | 18+ months (after Level 2) |
Key definitions
- FCI (Federal Contract Information) — information provided by or generated for the government under a contract, not intended for public release. Almost every DoD contractor touches it.
- CUI (Controlled Unclassified Information) — sensitive-but-unclassified government information (technical drawings, specs, certain PII) that triggers Level 2. See our FCI vs. CUI guide.
- C3PAO (CMMC Third-Party Assessment Organization) — a company authorized by the Cyber AB to conduct Level 2 certification assessments.
- SPRS (Supplier Performance Risk System) — where your CMMC status and affirmations live. eMASS is where C3PAO and DIBCAC results are entered; it feeds SPRS automatically.
- DCMA DIBCAC — the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, which conducts Level 3 assessments.
Honest Answer Before We Go Further: Most of You Don’t Need a Third-Party Certification
A large share of the companies typing “CMMC certification process” into a search bar don’t need a third-party certification at all. Level 1 and lower-risk Level 2 are self-assessments — you evaluate your own systems, post the result to SPRS, and have a senior official affirm it. There’s no certificate, no C3PAO, and no five- or six-figure assessment invoice.
If your contract requires it, you still need a current CMMC status in SPRS even on a self-assessment path — that part isn’t optional. What you may not need is the expensive third-party certification. We’d rather tell you that up front and point you toward a $6,000 path than nudge you toward a $105,000 one you don’t need.
The flip side: if your contract requires Level 2 (C3PAO) or Level 3, the cost and timeline are real, and the work takes 6–18 months. So the first job isn’t to buy anything. It’s to find out which of the four buckets you’re in.
If you already know you’re on a self-assessment path (Level 1 or Level 2 Self), the most useful next step is our CMMC Readiness Checklist, mapped to all 14 NIST SP 800-171 control families. If you’re not sure which status your contract requires, keep reading — we’ll show you how to confirm it.
Which CMMC Certification Path Do You Actually Need?
You need the path named in your solicitation, contract, or prime flow-down — not the path a salesperson assumes. Two DFARS clauses control this. DFARS 252.204-7025 (“Notice of Cybersecurity Maturity Model Certification Level Requirements”) is a solicitation provision that tells offerors the required CMMC level before award — miss it and you’re ineligible to win. DFARS 252.204-7021 (“Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements”) is the contract clause that enforces it after award. Find those clauses. Read them. The level is written in the clause, not implied by the subject matter or the size of the program.
We’ve watched the same expensive mistake play out repeatedly: a prime sends a vague “be CMMC certified by [date]” email, and the subcontractor panics and buys an enterprise CUI platform — before anyone has confirmed whether the contract actually requires a C3PAO assessment or just a self-assessment. The clause tells you. Start there.
How to read your situation
- If the solicitation says Level 1 (Self): You handle FCI, not CUI. You self-assess against the 15 FAR 52.204-21 requirements, post it to SPRS, and affirm it annually. Don’t overbuild.
- If it says Level 2 (Self): You handle CUI on a contract that allows self-assessment. You self-assess against NIST SP 800-171 Rev. 2 (all 110 requirements), but “self” does not mean “no proof” — more below.
- If it says Level 2 (C3PAO): You handle CUI that the program treats as prioritized or critical. An authorized C3PAO performs the assessment. DoD estimates roughly 80,000 companies will ultimately need this path.
- If it says Level 3 (DIBCAC): You’re on a high-sensitivity program. This is not the typical small-subcontractor path, and you must hold Final Level 2 (C3PAO) before you can even start.
- If a prime just says “be CMMC certified by [date]” with no level: That’s not enough information to spend money on. Get the specifics first — see the flow-down email script further below.
The single honest admission
There is no one-size “CMMC certification process,” and many readers don’t need a third-party certification at all. A generic 8-step guide feels reassuring, but it’s exactly what sends a Level 2 Self contractor to a C3PAO too early — or lets a Level 2 (C3PAO) contractor believe a self-assessment will satisfy the contract. The messiness is real. The good news: once you know your required status, the path becomes clean and predictable.
When Does CMMC Actually Start Showing Up in Your Contracts?
CMMC requirements began appearing in DoD solicitations on November 10, 2025, and they roll out in four phases over three years, each phase one year apart. The clauses don’t hit every contract at once — DoD has discretion during the phase-in, expanding which requirements are mandatory at each stage. The schedule from 32 CFR 170.3:
- Phase 1 — began November 10, 2025, runs through November 9, 2026. DoD includes Level 1 (Self) or Level 2 (Self) requirements as a condition of award, and may, at its discretion, require Level 2 (C3PAO) on specific contracts.
- Phase 2 — begins November 10, 2026. DoD adds Level 2 (C3PAO) requirements for applicable solicitations as a condition of award. This is the stage most CUI-handling contractors are racing toward.
- Phase 3 — begins November 10, 2027. Level 2 (C3PAO) becomes a condition of award and option exercise more broadly, and Level 3 (DIBCAC) requirements begin appearing.
- Phase 4 — begins November 10, 2028. Full implementation: CMMC requirements apply to all applicable solicitations and contracts, including option periods.
The practical read: if you handle CUI and expect to bid in 2026 or 2027, the clock that matters is Phase 2. And because readiness is the long pole, the time to start is well ahead of the date a clause shows up in your solicitation. See our CMMC phases guide for the full schedule breakdown.
Before You Spend a Dollar on CMMC: Confirm These Nine Things
The most expensive CMMC mistakes happen before assessment, not during it — almost always because money got spent before scope was defined. The CMMC Assessment Scope must be established before any assessment. Run this checklist before you sign anything:
- Required level and assessment type — Level 1 Self, Level 2 Self, Level 2 (C3PAO), or Level 3 (DIBCAC).
- Which clause is present — DFARS 252.204-7025 in the solicitation, DFARS 252.204-7021 in the contract, or a prime flow-down.
- What data is in play — FCI only, CUI, or neither.
- Which systems process, store, or transmit that FCI or CUI.
- Whether CUI can be isolated in an enclave to shrink your assessment boundary.
- The state of your System Security Plan (SSP) — the document describing your environment and how you meet each requirement.
- Your current NIST SP 800-171 score already in SPRS, if any.
- The real deadline — award, option exercise, or the date your prime needs proof.
- Who can help without creating a conflict with the eventual assessment (see the independence firewall below).
Scope is the lever that controls everything downstream. Network segmentation and a defined CUI enclave can dramatically reduce how many systems have to meet all 110 requirements — which reduces cost, timeline, and the number of findings an assessor can raise.
The CMMC Certification Steps: From Contract Review to Final Status
Whatever your path, the process follows the same arc: read the clause, identify your covered data, define scope, choose your path, build your SSP and evidence, remediate gaps, pass a readiness check, complete the required assessment, close any allowed POA&M, submit or receive your status, and maintain it with annual affirmations. The order matters because CMMC status attaches to specific information systems — each identified by a CMMC unique identifier (CMMC UID) in SPRS — not to your company as a whole.
The CMMC step-to-evidence map
| # | What you do | What it produces | Who typically helps | Where it goes wrong |
|---|---|---|---|---|
| 1 | Read the solicitation / flow-down | Required CMMC status, in writing | Contracts, compliance lead | Assuming 'Level 2' means C3PAO without reading the status |
| 2 | Identify FCI and CUI | A data map of what you handle and where | Contracts, program, engineering, IT | Treating every file as CUI — or missing CUI in email, ERP, or file shares |
| 3 | Define the assessment scope | Asset inventory, network diagram, scope statement | RPO, MSP, vCISO | Over-scoping the entire company instead of isolating CUI |
| 4 | Select your path | A path-decision memo | Compliance lead | Engaging a C3PAO before scope and evidence are stable |
| 5 | Build or update the SSP | SSP, policies, procedures | Readiness consultant (RPO) | A template SSP with no real implementation behind it |
| 6 | Run a gap assessment | Gap report and POA&M | RPO, internal team | Mistaking a gap assessment for the actual certification |
| 7 | Remediate | Working controls + evidence | MSP/MSSP, GRC tooling, enclave provider | Buying tools without owning the process behind them |
| 8 | Pass an evidence-readiness gate | An assessment-ready evidence binder | Readiness lead | Evidence exists, but staff can't explain how the control runs |
| 9 | Complete the assessment | A score and status | You (self), or C3PAO / DIBCAC | Assessors find 'policy-only' controls with no operating proof |
| 10 | Report the results | SPRS entry, eMASS feed, CMMC UID | You, or C3PAO / DIBCAC | A missing affirmation leaves you without current status |
| 11 | Close the POA&M | Closeout assessment within 180 days | You / C3PAO / DIBCAC | The 180-day clock runs out and conditional status expires |
| 12 | Maintain | Annual affirmation, refreshed evidence | Internal owner, MSP/MSSP | Treating CMMC as a one-time audit |
How the formal assessment actually runs (Level 2 C3PAO)
If your path is Level 2 (C3PAO), the assessment follows the CMMC Assessment Process (CAP). It has four phases, and a few details inside it surprise people:
- Phase 1 — Planning. You hand the C3PAO your SSP, policies, and procedures; you agree on scope together; and you complete a Pre-Assessment Form uploaded to eMASS. Two things to know: the lead assessor can suspend the assessment if you’re clearly not ready, and the C3PAO is prohibited from advising you on how to fix gaps. That’s the independence rule.
- Phase 2 — Assessment. Assessors examine your evidence, interview your people, and test your controls, scoring each of the 110 requirements MET, NOT MET, or N/A. Daily check-ins let you surface additional evidence to correct a finding before it’s final.
- Phase 3 — Reporting. The C3PAO compiles your score, runs an internal quality-assurance review, and uploads results to eMASS, which transmits them to SPRS. You receive a Certificate of CMMC Status — Conditional or Final.
- Phase 4 — POA&M Close-Out (only if you landed Conditional). A closeout assessment must verify every open item within 180 days. It can be done by the same C3PAO or a different one.
Calendar note: the 180-day clock
Your CMMC Status Date does not reset when you close a POA&M. Burn the full 180 days and you effectively get about two and a half years of full status before re-assessment — not three. Plan the calendar accordingly.
How Does the Process Change for CMMC Level 1 (Self)?
Level 1 is the lightest path: it covers FCI only, uses the 15 basic safeguarding requirements in FAR 52.204-21, and is an annual self-assessment you record in SPRS with an annual affirmation. No C3PAO is involved, and there is no conditional status — all 15 requirements must be met for award.
| Level 1 question | Direct answer |
|---|---|
| Who assesses? | You. It's a self-assessment. |
| What data? | FCI only — no CUI. |
| Is a C3PAO involved? | No. |
| How often? | Annual self-assessment and annual affirmation. |
| Biggest mistake? | Building a Level 2 environment before confirming you actually handle CUI. |
The 15 requirements are basic hygiene: control who has access, use authentication, patch and protect your systems, limit physical access, and sanitize media before disposal. Even “basic” controls need real evidence behind them: a current asset inventory, access-control settings, your acceptable-use and access policies, and proof you actually do what the policy says. If you discover CUI anywhere in your workflow, the path changes — you’re now looking at Level 2.
How Does the Process Change for CMMC Level 2 (Self)?
Level 2 (Self) applies when your contract requires Level 2 but allows self-assessment for the CUI involved. You assess against all 110 requirements in NIST SP 800-171 Rev. 2, enter your score in SPRS, affirm it, and reassess every three years. “Self” does not mean “honor system.”
A defensible Level 2 (Self) SPRS entry is backed by:
- An SSP with a name, date, version, and clearly defined assessment scope.
- Your score out of 110 and the date of assessment.
- The CAGE codes and CMMC UID(s) for each in-scope information system.
- POA&M status, if you’re posting a Conditional score.
- A named evidence owner and a named Affirming Official who can stand behind it.
The DoD retains the ability to conduct its own assessments under existing authority, and posting a number you can’t support carries real downstream risk. Treat Level 2 Self with the same rigor you’d bring to a C3PAO assessment — minus the third party in the room.
If your initial self-assessment isn’t perfect, you may post a Conditional Level 2 (Self) status if you score at least 88 of 110 and your remaining gaps are POA&M-eligible. You then have 180 days to close those items.
See also: CMMC Level 2 self-assessment vs. C3PAO and our CMMC Level 2 cost guide.
How Does the Process Change for CMMC Level 2 (C3PAO) Certification?
Level 2 (C3PAO) requires an authorized C3PAO to assess your implementation of all 110 NIST SP 800-171 Rev. 2 requirements. The C3PAO submits results to eMASS — which transmits them to SPRS — and issues your Certificate of CMMC Status. You maintain it for three years with annual affirmations.
- The C3PAO cannot also be your readiness consultant for the same engagement. This is the independence firewall — see the dedicated section below.
- Assessors test, they don’t just read. The methods are examine, interview, and test. A binder full of policies with no operating evidence behind them fails.
- A Conditional status can still win you the award. A Conditional status is sufficient to permit contract award, but you then have 180 days to close your POA&M and reach Final. Per 32 CFR 170.17, if you don’t close them in time, the Conditional status expires.
Case study: why verifying your assessor belongs in the process, not at the end
In January 2025, the DoD Office of Inspector General released an audit (DODIG-2025-056) that found the DoD had not effectively implemented the process for authorizing C3PAOs. Reviewing 11 of the 48 C3PAOs authorized at the time, the OIG found that two had been authorized without a signed C3PAO Agreement on file, four had quality-control leads whose certifications hadn’t been verified, and none had been adequately confirmed to have the required certified assessors on staff.
Practical takeaway: verify your C3PAO’s current authorization status yourself in the Cyber AB Marketplace before you rely on them. Relying on an improperly authorized assessor could expose a contractor to false-certification risk.
What makes a C3PAO legitimate under 32 CFR 170.9: authorization or accreditation by the Cyber AB, compliance with conflict-of-interest and ethics policies, ISO/IEC 17020 accreditation within 27 months of authorization, and Tier 3 background investigations for the assessment personnel.
How Does the Process Change for CMMC Level 3 (DIBCAC)?
Level 3 is the highest path. It requires you to hold Final Level 2 (C3PAO) status first, it adds 24 selected requirements from NIST SP 800-172 on top of the 110, and the assessment is performed by the government — DCMA DIBCAC — not a C3PAO. It’s reserved for contractors on the most sensitive programs, those facing advanced, nation-state-level threats.
If your contract doesn’t name Level 3, this almost certainly isn’t your path. If it does, treat Level 3 as a higher-assurance program in its own right — not “Level 2 plus some extra paperwork.” DIBCAC submits Level 3 results to eMASS, which feeds SPRS, and you affirm annually.
A version note worth knowing
Level 3 draws 24 selected requirements from NIST SP 800-172. NIST withdrew the original SP 800-172 on May 13, 2026 and superseded it with Revision 3 — but CMMC Level 3 remains tied to the specific version incorporated by reference in 32 CFR Part 170 unless and until DoD amends the rule. This is the same pattern as Level 2 staying on NIST SP 800-171 Revision 2: a newer NIST publication does not change your CMMC obligation until the CMMC rule itself changes.
How Long Does the CMMC Certification Process Take?
The rule fixes the assessment cadence — three years for Level 2 and Level 3, one year for Level 1 — but your readiness timeline depends on your starting maturity, your CUI scope, the complexity of your environment, and the quality of your evidence. Level 1 can take weeks. A Level 2 (C3PAO) effort commonly runs 6 to 18 months because scoping, remediation, SSP documentation, and evidence collection are the long poles — not the assessment itself.
| Your starting point | Level 1 Self | Level 2 Self | Level 2 (C3PAO) | Level 3 |
|---|---|---|---|---|
| Already running mature controls | 2–6 weeks | 1–3 months | 3–6 months | 6–12+ months after Final L2 |
| Partial NIST 800-171 program | 1–2 months | 3–6 months | 6–12 months | 12+ months |
| Cold start / unclear CUI scope | 2–3 months | 6–12 months | 9–18+ months | Not ready until L2 is mature |
Head-start worth checking
Under 32 CFR Part 170, a contractor that earned a perfect score with no open POA&M on a DCMA DIBCAC High Assessment (including a Joint Surveillance assessment) before the rule’s effective date can be granted Level 2 Final (C3PAO) status, valid three years from that original assessment date. If that’s you, check SPRS — you may already hold the status you’re about to pay to pursue.
How Much Does the CMMC Certification Process Cost?
There is no single CMMC cost, because assessment, readiness, remediation, tooling, and internal labor are separate buckets — and DoD’s official estimates cover mainly the assessment and affirmation burden, assuming you’ve already implemented the underlying security requirements. That assumption is the gap where most real-world spending lives.
The Department of Defense’s own published estimates from 32 CFR Part 170 (cited in the Federal Register), expressed by entity size:
| CMMC path | DoD estimate, small entity | DoD estimate, larger entity |
|---|---|---|
| Level 1 self-assessment (annual) | ~$5,977 | Lower per-entity |
| Level 2 self-assessment (triennial cycle) | ~$37,000 | ~$49,000 |
| Level 2 (C3PAO) certification (triennial cycle) | ~$105,000 (DoD’s figure: $104,670) | ~$118,000 |
| Level 3 | Level 2 cost + Level 3 implementation/assessment (separate DoD estimate) | |
Market-reported figures put first-cycle Level 2 totals commonly in the $100,000–$300,000 band once you include remediation, documentation, tooling, and a CUI enclave; standalone C3PAO assessment fees are frequently cited around $35,000–$75,000, varying widely by size and scope. Treat them as planning ranges, not quotes — and remember the single biggest lever on all of them is scope. The tighter your CUI boundary, the lower every other number.
There’s primary-source support for the “it costs more than the estimate” reality: the U.S. Small Business Administration’s Office of Advocacy commented during rulemaking that DoD underestimated the cost of compliance for small businesses, and it convened a Small Business Impacts Roundtable on March 12, 2026 to gather contractor cost data. So if your real number is coming in above DoD’s estimate, you’re not doing it wrong — you’re experiencing the gap the SBA flagged.
Think of your real budget in buckets: (1) assessment and affirmation, (2) readiness consulting, (3) remediation labor and technology, (4) secure environment or CUI enclave, (5) evidence/GRC software, and (6) your own team’s time. The assessment fee is rarely the biggest one. See the full breakdown in our CMMC Level 2 cost guide.
What Evidence Do You Need Before a CMMC Assessment?
For Level 2, assessors evaluate whether each requirement is actually implemented and operating — not whether a policy template exists. The official assessment methods are examine, interview, and test, so you need documentation, working configurations, and people who can explain how the controls run. “Policy-only” controls are the most common reason a contractor that felt ready isn’t.
Build this evidence package before you schedule anything:
- System Security Plan (SSP) — current, dated, versioned, and scoped to the assessment boundary.
- Asset inventory and a network diagram of the assessment scope.
- CUI data-flow diagram showing where CUI enters, lives, and leaves.
- CMMC UID / CAGE code mapping for each in-scope information system.
- Policies and procedures for each control family.
- Access control and multifactor authentication configuration evidence.
- Audit logging evidence — that logs exist, are reviewed, and are retained.
- Vulnerability management evidence (scanning and remediation history).
- Incident response plan plus evidence you’ve tested it.
- Security awareness training records.
- Media protection, backup, and recovery evidence.
- A shared-responsibility matrix for any external service provider (ESP) or cloud service provider (CSP) — who is responsible for which control.
- POA&M, if you have allowable open items.
For a Level 2 (C3PAO) assessment, prepare your evidence as an organized, referenceable set so assessors can move efficiently through examine-interview-test. Disorganized evidence doesn’t just risk findings — it burns assessor hours, and assessor hours cost money.
Can You Use a POA&M and Still Get Certified?
Yes, but only in narrow cases and only within the rule’s constraints. You can earn a Conditional status if you score at least 80% — 88 of 110 points at Level 2 — and your remaining gaps are POA&M-eligible. You then have 180 days to close them, or the conditional status expires.
The scoring is weighted, and this is where oversimplified guides mislead people. Level 2 starts at a 110-point baseline, and each unmet requirement subtracts 1, 3, or 5 points depending on its security significance. So “88 points” is not the same as “you can skip any 22 requirements.” Under 32 CFR 170.21, no requirement placed on the POA&M may have a point value greater than 1 — with a single exception: the CUI encryption requirement (SC.L2-3.13.11) may go on a POA&M if you’re using encryption that simply isn’t FIPS-validated (which scores 3 points). On top of that, a specific set of controls must be met at the initial assessment and can’t be deferred at all. Miss a high-value requirement like multifactor authentication and you may be blocked from a Conditional status entirely until it’s fixed.
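As an added illustration of the weighted scoring, the POA&M eligibility limits, and the 180-day calendar note earlier on this page (example code written for this page, not DoD, Cyber AB or any assessor's tooling; the point values, must-meet flags and the handful of requirement identifiers modelled are assumptions, and the real scoring table covers all 110 requirements):

```python
from dataclasses import dataclass
from datetime import date, timedelta

BASELINE = 110                   # Level 2 starting score
CONDITIONAL_MIN = 88             # 80% of 110: minimum score for a Conditional status
POAM_WINDOW_DAYS = 180           # days allowed to close the POA&M
FINAL_VALIDITY_YEARS = 3         # validity counted from the original CMMC Status Date
CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one requirement with a partial-credit POA&M case


@dataclass(frozen=True)
class Requirement:
    rid: str
    points: int              # 1, 3 or 5 under the weighted scoring
    must_meet: bool = False  # must be MET at the initial assessment; never POA&M-eligible


@dataclass(frozen=True)
class Finding:
    rid: str
    status: str                        # "MET", "NOT MET" or "N/A"
    non_fips_encryption: bool = False  # SC.L2-3.13.11 only: encryption in use, not FIPS-validated


# Constructed subset of the 110 requirements. Point values and must_meet flags are
# assumptions made for this example, not the DoD scoring table. Any requirement
# absent from a findings list is treated as MET.
REQUIREMENTS = {r.rid: r for r in [
    Requirement("AC.L2-3.1.1", 5, must_meet=True),
    Requirement("IA.L2-3.5.3", 3, must_meet=True),  # multifactor authentication (assumed must-meet)
    Requirement("AT.L2-3.2.1", 1),
    Requirement("AU.L2-3.3.1", 5),
    Requirement("CM.L2-3.4.1", 5),
    Requirement("IR.L2-3.6.3", 1),
    Requirement("MA.L2-3.7.5", 3),
    Requirement("PS.L2-3.9.2", 1),
    Requirement(CUI_ENCRYPTION, 5),
]}


def _findings(rows):
    """Accept (rid, status) or (rid, status, non_fips_encryption) tuples."""
    return [Finding(*row) for row in rows]


def deduction(f: Finding) -> int:
    """Points subtracted from the 110 baseline for one finding."""
    if f.status != "NOT MET":
        return 0
    if f.rid == CUI_ENCRYPTION and f.non_fips_encryption:
        return 3  # encryption is in place but not FIPS-validated: 3 points, not the full value
    return REQUIREMENTS[f.rid].points


def poam_eligible(f: Finding) -> bool:
    """May this NOT MET item be deferred to a POA&M under the limits the page describes?"""
    req = REQUIREMENTS[f.rid]
    if req.must_meet:
        return False
    if f.rid == CUI_ENCRYPTION and f.non_fips_encryption:
        return True
    return req.points <= 1


def score(rows) -> int:
    return BASELINE - sum(deduction(f) for f in _findings(rows))


def evaluate(rows) -> dict:
    """Outcome is FINAL (nothing unmet), CONDITIONAL (>= 88 and every gap POA&M-eligible),
    or NOT ELIGIBLE (score too low, or a gap that cannot be deferred)."""
    unmet = [f for f in _findings(rows) if f.status == "NOT MET"]
    total = score(rows)
    blockers = sorted(f.rid for f in unmet if not poam_eligible(f))
    if not unmet:
        outcome = "FINAL"
    elif total >= CONDITIONAL_MIN and not blockers:
        outcome = "CONDITIONAL"
    else:
        outcome = "NOT ELIGIBLE"
    return {"score": total, "outcome": outcome, "blockers": blockers,
            "poam_items": sorted(f.rid for f in unmet if poam_eligible(f))}


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February into a non-leap year
        return d.replace(year=d.year + years, day=28)


def final_status_days(status_date: str, closeout_date: str) -> int:
    """Days of Final status left once the POA&M closes (ISO dates). The Status Date does
    not reset, and a closeout after day 180 means the Conditional status has expired."""
    start, close = date.fromisoformat(status_date), date.fromisoformat(closeout_date)
    if close - start > timedelta(days=POAM_WINDOW_DAYS):
        return 0
    return (_add_years(start, FINAL_VALIDITY_YEARS) - close).days
```

Closing the POA&M on the last allowed day of a status dated 15 January 2026 leaves 916 days of Final status, which is the "about two and a half years, not three" the calendar note warns about.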
What Goes into SPRS, eMASS, and Annual Affirmations?
SPRS is the system of record for your CMMC status and affirmations; eMASS is where C3PAO and DIBCAC assessment results are entered and then transmitted to SPRS. For self-assessment paths, you enter results in SPRS yourself; for third-party assessments, the assessor enters them — but you still file the affirmations. An affirmation is a senior official’s formal statement that you continue to meet the requirements, and a stale affirmation breaks your current status.
| Path | Who enters assessment results | System | Annual affirmation required? |
|---|---|---|---|
| Level 1 (Self) | You | SPRS | Yes |
| Level 2 (Self) | You | SPRS | Yes |
| Level 2 (C3PAO) | C3PAO → eMASS → SPRS | eMASS / SPRS | Yes |
| Level 3 (DIBCAC) | DIBCAC → eMASS → SPRS | eMASS / SPRS | Yes |
Every in-scope information system gets a CMMC UID in SPRS, and DFARS 252.204-7025 requires offerors to provide those UIDs in their proposals. Your Affirming Official is the senior person attesting — on the record — that controls remain in place. A “current” affirmation can’t be older than one year. See our SPRS score guide for the full workflow.
Who Can Help with the CMMC Certification Process — and Who Can’t?
Readiness consultants, managed service providers, secure-enclave providers, GRC software, and C3PAOs each solve a different piece of the process — and the single hardest rule is that the company that helps you get ready cannot be the C3PAO that assesses you.
The independence firewall, in plain English
The rule (32 CFR 170.9) requires C3PAOs to follow the Accreditation Body’s conflict-of-interest and Code of Professional Conduct policies. Under 32 CFR 170.8(b)(17)(ii)(G), a C3PAO — and every assessor on its team — is prohibited from participating in a Level 2 certification assessment for an organization it served as a consultant to prepare for any CMMC assessment within the prior three years. Assessment team members sign a conflict-of-interest attestation before the engagement begins.
If a single vendor offers to “get you ready and certify you” in one engagement, that’s a red flag, not a convenience. Keep readiness and assessment separate — and if a firm did your readiness work, plan on a different C3PAO doing the assessment. See also: RPO vs. C3PAO: which do you need?
Which category fits which need
| Provider category | Helps with | Cannot do | Best timing |
|---|---|---|---|
| RPO / readiness consultant | Scoping, gap assessment, SSP, POA&M, evidence prep | Issue official CMMC certification | Early to mid readiness |
| MSP / MSSP | Build and run the environment, monitoring, logging, endpoint, security operations | Issue certification | Before the evidence-readiness gate |
| vCISO | Program ownership, executive risk, affirmation readiness | Replace an assessor's judgment | Early through maintenance |
| GRC / evidence software | Evidence workflows, SSP/POA&M tracking, control mapping | Make controls real on its own | After scope and control ownership are set |
| CUI enclave provider | Shrinking scope, isolating CUI workflows | Transfer CMMC status to you automatically | Early architecture decision |
| C3PAO | Level 2 certification assessment | Remediate then assess the same engagement | Assessment-ready stage only |
| DCMA DIBCAC | Level 3 assessment (government) | Commercial readiness consulting | Level 3 only |
A point to be blunt about: buying GCC High, AWS GovCloud, or a GRC platform does not make you CMMC certified. A properly configured FedRAMP-authorized cloud can carry a meaningful share of the work — and for cloud services that process, store, or transmit CUI, the bar under DFARS 252.204-7012 is the FedRAMP Moderate baseline or equivalent. But CMMC status belongs to your scoped implementation and your assessment result. Tools are a layer, not the whole solution.
The Biggest Mistakes That Delay CMMC Certification
The costliest delays are decisions made out of order: buying tools before mapping CUI, choosing the wrong assessment path, scheduling an assessor before evidence is ready, or hiring a conflicted firm to both prepare and certify. Fix these before you lock in any assessment dates:
- Buying GCC High, GovCloud, or a GRC tool before mapping where your CUI lives.
- Assuming Level 2 always means a C3PAO.
- Assuming Level 2 (Self) is “just a checkbox.”
- Scheduling a C3PAO before your SSP and evidence are stable.
- Hiring a consultant who promises a certification outcome — no one can guarantee that.
- Using one conflicted firm for both readiness and assessment.
- Treating a POA&M as open-ended.
- Forgetting the annual affirmation and letting status go stale.
- Failing to document ESP/CSP shared responsibilities.
- Flowing CMMC requirements down to suppliers who touch no FCI or CUI.
Primes, Subcontractors, and Flow-Down
Prime contractors must hold their own required CMMC status and flow CMMC requirements down to subcontractors that will process, store, or transmit FCI or CUI — and a subcontractor’s required level is set by the data it handles, not by the prime’s level. DFARS 252.204-7021 governs the flow-down. A sub can need a lower status than the prime, an equal one, or occasionally none at all if it touches no covered data.
One operational wrinkle: subcontractors post their own assessment results and affirmations in SPRS, and DoD does not share subcontractor data with the prime. Primes are expected to verify a subcontractor’s compliance directly — so as a sub, expect to be asked for proof, and as a prime, plan how you’ll confirm it. See the full guide: CMMC flow-down requirements for primes and subs.
A vague “be CMMC certified by [date]” email isn’t enough to act on. Here’s a script to get what you actually need before spending a dollar:
Subject: CMMC flow-down clarification
“Can you confirm the required CMMC status for our subcontracted scope — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC)? Please also confirm whether our systems will process, store, or transmit FCI or CUI under this work, whether the CUI will remain inside your controlled environment, the date you need status or evidence by, and what interim proof you’ll accept before award or option exercise.”
Send that, get answers in writing, and then scope your work. If the honest answer is that you’ll handle CUI you don’t need to, the cheapest compliance move may be redesigning the workflow so the CUI never lands in your environment at all.
Where the Program Stands Now — and Why the “Assessor Shortage” Story Is Misleading
As of the March 2026 Cyber AB Town Hall — the most recent figures we verified — roughly 103 authorized C3PAOs and about 759 credentialed assessors support a Defense Industrial Base of roughly 80,000 companies expected to need Level 2, and only about 1,000 organizations had certified so far, around 1% of those that need it. (These counts move every month; we re-verify them against each Town Hall.)
Here’s the reframe: with about 759 credentialed assessors and only roughly 178 new Level 2 certificates issued in a recent month, theoretical assessment capacity sits well above what’s being used. The binding constraint right now isn’t the number of assessors — it’s contractor readiness. Most companies aren’t assessment-ready, which is precisely why the certified count is stuck near 1%.
The practical conclusion is the same urgency the vendors push, but for the honest reason: start your readiness work now, because that’s the part that takes 6 to 18 months. The genuine, calendar-based deadline is Phase 2 — November 10, 2026. That date won’t wait for your readiness.
And if budget is your real obstacle, you don’t have to start by hiring anyone. The DoD sponsors Project Spectrum, a free resource for small DIB businesses with training and assessment tools. Use it.
A Word on the False Claims Act — Why “Post a Number You Can’t Back Up” Is Dangerous
Your CMMC affirmation is a formal representation to the government, and misrepresenting your cybersecurity compliance can carry False Claims Act exposure. The U.S. Department of Justice runs a Civil Cyber-Fraud Initiative that uses the False Claims Act to pursue government contractors that knowingly misrepresent their cybersecurity practices or knowingly provide deficient products or services. That’s not a reason to panic — it’s a reason to make sure the score you post and the affirmation you sign are backed by real, current evidence. Honest, well-documented compliance is the protection.
What to Do Next
Your next step depends on where this page showed you that you’re stuck. If your required status is unclear, clarify the clause first. If your scope is unclear, map your CUI. If your evidence is thin, that’s a readiness engagement. If your evidence is ready, it’s time to evaluate C3PAOs. If your contract names Level 3, plan around the Level 2 prerequisite and DIBCAC.
You don’t have to solve all of it today. Pick the one true next move:
- Find your CMMC path — confirm whether you’re Level 1 Self, Level 2 Self, Level 2 (C3PAO), or Level 3, with no CUI or contract details required.
- Download the CMMC Readiness Checklist — see what a Level 2 program actually involves, mapped to all 14 control families.
- Compare provider categories — readiness, enclave, evidence software, or assessment.
- Get matched — when you’re ready, hand us the specifics and we’ll route you.
CMMC Certification Process FAQ
Is CMMC certification the same as NIST SP 800-171 compliance?
No. NIST SP 800-171 Revision 2 is the control baseline for CMMC Level 2 — the 110 requirements themselves — while CMMC adds the assessment, status, reporting, POA&M, and affirmation framework around that baseline. The Level 2 security requirements are identical to NIST SP 800-171 Rev. 2, but the contract decides whether you self-assess or undergo a C3PAO assessment.
Does CMMC Level 2 always require a C3PAO?
No. Level 2 can be either self-assessed or C3PAO-assessed, depending on the contract. DFARS 252.204-7025, included in the solicitation, states whether the requirement is Level 2 (Self) or Level 2 (C3PAO); prioritized CUI is what generally triggers the C3PAO path.
Who issues CMMC certification?
For Level 2 (C3PAO), an authorized CMMC Third-Party Assessment Organization conducts the assessment and issues a Certificate of CMMC Status. For Level 3, DCMA DIBCAC — a government body — performs the assessment. Level 1 and Level 2 (Self) are self-assessment statuses, not third-party certifications.
How long is CMMC certification valid?
Final Level 2 (Self), Final Level 2 (C3PAO), and Final Level 3 (DIBCAC) statuses are current for three years, each with an annual affirmation. Final Level 1 (Self) is current for one year. A Conditional status is limited to 180 days, within which you must close your POA&M to reach Final.
Is CMMC based on NIST SP 800-171 Revision 2 or Revision 3?
Revision 2 is the controlling baseline for CMMC today. NIST published Revision 3 in May 2024, but a May 2024 DFARS class deviation keeps contractors on Revision 2, and DoD has not transitioned the CMMC program. Once you’re assessed against a given revision, you stay on it for that three-year cycle.
Can a C3PAO help us prepare and then assess us?
No. Under 32 CFR 170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct, a C3PAO and its assessors are barred from performing a Level 2 certification assessment for an organization they helped prepare for any CMMC assessment within the prior three years. Keep readiness and assessment with separate providers.
Does using GCC High or AWS GovCloud make us CMMC certified?
No. A properly configured FedRAMP-authorized cloud can support many requirements, but CMMC status attaches to your scoped implementation and assessment result, not the cloud product itself. You still have to implement, operate, document, and be assessed.
Do subcontractors need CMMC?
Only if the subcontractor will process, store, or transmit FCI or CUI under the subcontract. The required level follows the data and the flow-down, so a subcontractor’s status can differ from the prime’s. Subcontractors post their own status and affirmations in SPRS, and primes verify compliance directly.
What happens if you fail a CMMC assessment?
No status is posted, which means you can’t meet a contract requirement that calls for that level. If you scored at least 88 of 110 with only POA&M-eligible gaps, you may hold a Conditional status and have 180 days to remediate and close out; otherwise you remediate and reassess.
Related Guides
- CMMC Levels 1, 2, and 3: Full Overview
- CMMC Level 2 Self-Assessment vs. C3PAO
- CMMC Level 2 Cost: DoD Estimate vs Real Budget
- CMMC Phase-In Schedule
- CMMC Readiness Checklist
- CMMC Provider Categories
- Find an Authorized C3PAO
- SPRS Score and Affirmation Guide
- FCI vs. CUI: What's the Difference?
- CMMC Flow-Down Requirements for Primes and Subs