Table of Contents
- CMMC Compliance: The Complete Guide for Defense Contractors
- What CMMC Is — and What It's Not
- Who Needs CMMC Certification
- The Three Levels
- The Assessment Process
- The Enforcement Timeline
- What It Costs
- The Role of CUI Scoping
- DFARS: The Regulatory Backbone
- NIST SP 800-171 and the Control Framework
- SPRS: Your Score Before the Assessment
- What Preparation Looks Like
- How an MSP Factors In
- Start With a Gap Assessment
- Frequently Asked Questions
- 1. Does CMMC apply to subcontractors or only prime contractors?
- 2. What happens if a contractor fails a C3PAO assessment?
- 3. Does standard Microsoft 365 meet CMMC requirements for storing CUI?
- 4. Are there limits on what can be left on a POA&M during a CMMC assessment?
- 5. How does CMMC affect contracts already in place before November 2025?
- 6. What is the False Claims Act risk associated with CMMC self-assessments?
- 7. Are commercially available off-the-shelf products exempt from CMMC?
- 8. How do cloud service providers factor into CMMC compliance scope?
- 9. How long does CMMC Level 2 certification remain valid?
- 10. What is the difference between FCI and CUI, and why does it determine CMMC level?
CMMC Compliance: The Complete Guide for Defense Contractors
The Cybersecurity Maturity Model Certification is the DoD's answer to a decade of contractor breaches that exposed weapons specifications, troop movements, and technical data to adversaries while contractors self-attested compliance with cybersecurity requirements they had not implemented. CMMC replaces self-attestation with verified certification. For most defense contractors handling Controlled Unclassified Information, that means a third-party assessment by a Certified Third-Party Assessment Organization before you can win or retain contracts.
Phase 1 of the rollout began November 10, 2025. CMMC clauses are appearing in DoD solicitations now. Phase 2 — when mandatory C3PAO third-party assessments become a condition of award for Level 2 contracts — begins November 10, 2026. Contractors who haven't started preparation are already behind on a realistic timeline.
This guide covers what CMMC requires at each level, who it applies to, how the assessment process works, what costs look like, and how to approach preparation without losing bids while you do it. Each section links to deeper coverage.
What CMMC Is — and What It's Not
CMMC is not a new cybersecurity standard. It's a verification framework built on top of existing requirements. Since 2016, DFARS 252.204-7012 has required contractors to implement the controls in NIST SP 800-171 on any system that processes, stores, or transmits Covered Defense Information. The problem was no mechanism existed to verify whether contractors had done it. A 2019 DoD Inspector General report found widespread gaps between what contractors self-reported and what independent assessments found.
CMMC fixes that by requiring third-party verification for most contractors handling Controlled Unclassified Information (CUI). The CMMC 2.0 Program Rule took effect December 16, 2024. The companion DFARS acquisition rule took effect November 10, 2025 — the date the DoD began inserting CMMC clauses into new solicitations. This is a live requirement.
Who Needs CMMC Certification
Any organization in the Defense Industrial Base supply chain that handles Federal Contract Information or Controlled Unclassified Information. That's approximately 300,000 companies — primes, subcontractors, and suppliers. The requirement doesn't stop at the prime. If a prime contractor passes CUI to a subcontractor, that subcontractor must hold the same CMMC level required by the prime's contract. Assuming the prime's certification covers you is one of the most common and costly mistakes in the DIB supply chain.
Contracts now include DFARS 252.204-7021, which requires contractors to hold the required CMMC level at the time of contract award and maintain it for the duration of the contract. A lapsed certification can disqualify you mid-contract. Major primes — Lockheed Martin, Boeing, and others — have already issued supply chain communications requiring documented CMMC status in SPRS, independent of formal DoD deadlines.
If you hold a DoD contract that contains DFARS 252.204-7012, you are subject to NIST SP 800-171 requirements today, regardless of where you are in the CMMC certification process. The question isn't whether CMMC applies — it's which level you need.
The Three Levels
Level 1 — Foundational
Covers 17 basic security practices drawn from FAR 52.204-21. Applies to contractors handling only Federal Contract Information, not CUI. Self-assessment is required annually by a senior company official, with results submitted to SPRS. No C3PAO required. Direct certification cost is minimal — the investment is in documenting and maintaining the 17 practices and ensuring your SPRS submission is accurate and defensible.
Level 2 — Advanced
Requires implementing all 110 controls from NIST SP 800-171 Revision 2. Applies to most defense contractors that store, process, or transmit CUI. This is where roughly 80% of the DIB falls. For prioritized acquisitions — programs that involve critical national security information — a third-party C3PAO assessment is required. For non-prioritized programs, self-assessment may be sufficient, but that determination is made by the DoD program office and reflected in the contract.
Level 2 certification is valid for three years, with annual affirmations required. SPRS scores must reflect your actual posture. Submitting an inflated score is a False Claims Act liability — not just a compliance problem.
The most common failure point at Level 2 is documentation. The technical controls — MFA, EDR, access controls, patch management — are implementable. What derails assessments is the absence of a System Security Plan that accurately maps controls to systems, a POA&M that documents open items with close dates, and evidence packages that prove implementation. SPRS scoring and POA&M management deserve their own focused attention.
Level 3 — Expert
Adds 24 controls from NIST SP 800-172 on top of the 110 from NIST SP 800-171 — 134 practices total. Designed for contractors working on the DoD's highest-priority programs facing Advanced Persistent Threat actors. Assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government-led body — not a C3PAO. Level 3 requirements become available starting November 10, 2026. The differences between Level 2 and Level 3 go beyond the control count — the operational demands are substantially higher.
The Assessment Process
For Level 2 certification, the assessment is conducted by a C3PAO — a Certified Third-Party Assessment Organization authorized by the CMMC Accreditation Body. C3PAOs function as the gatekeepers of the CMMC ecosystem — only organizations that have verifiably implemented required controls receive certification.
What the assessment involves: documentation review of your System Security Plan, personnel interviews, system testing, and evaluation of evidence against all 110 NIST SP 800-171 controls. Assessors are not looking for perfect security — they're looking for implemented, documented, and demonstrable controls. The difference between passing and failing is usually not the controls themselves but whether you can produce evidence that they're operating.
C3PAO slots book months in advance. As Phase 2 approaches, assessor capacity is becoming a real constraint. Contractors without a scheduled assessment by mid-2026 risk missing the Phase 2 window entirely — not because they failed, but because there's no available appointment. Book early.
The Enforcement Timeline
Phase 1 — November 10, 2025 (active now): CMMC clauses appearing in new DoD solicitations. Level 1 and Level 2 self-assessments required as a condition of award. SPRS scores reviewed by contracting officers. This phase is underway.
Phase 2 — November 10, 2026: Mandatory C3PAO third-party assessments for Level 2 certification contracts. Level 3 DIBCAC assessments become available. Contractors without scheduled assessments risk losing bids.
Phase 3 — November 10, 2027: Level 2 C3PAO requirements can be included through exercise of options in active contracts. Existing contracts begin to be affected at renewal.
Phase 4 — November 10, 2028: Full enforcement. CMMC clauses mandatory in all applicable DoD contracts, including option periods on existing contracts.
The timeline matters because preparation takes longer than most contractors expect. Achieving Level 2 readiness — from initial gap assessment through remediation, documentation, and C3PAO assessment — takes 12 to 18 months for an organization starting from scratch. A contractor who waits for a contract to force the issue is often too late to meet the award date.
What It Costs
The DoD's own Federal Register cost estimate, published in October 2024, puts the total cost of CMMC Level 2 certification for a small contractor at approximately $104,670 for the assessment cycle alone. Industry figures from 2025 put the full first-year cost — including preparation, remediation, and assessment — between $138,000 and $285,000 for most organizations. The DoD's January 2025 draft FAR estimate puts three-year total Level 2 compliance cost for a representative small business at approximately $487,970.
Those numbers vary significantly based on two variables: how much CUI your environment handles, and how far your current security posture sits from NIST SP 800-171 requirements. An organization that already runs structured security programs — documented policies, access controls, endpoint protection, log monitoring — will spend less than one starting from scratch. Scope also matters enormously: a defined CUI enclave that limits which systems touch CUI can reduce compliance costs dramatically compared to trying to harden an entire network. A detailed breakdown of CMMC cost categories is covered separately, as is how contractors can reduce compliance costs through preparation and smart scoping decisions.
The Role of CUI Scoping
Your CUI boundary determines your compliance scope. Define it too narrowly and you leave CUI unprotected — a failure point in the assessment and a contractual liability. Define it too broadly and you multiply the cost and complexity of certification unnecessarily.
CUI is defined under 32 CFR Part 2002 and the National Archives CUI Registry. For defense contractors, the most commonly encountered categories are Controlled Technical Information (CTI), Export Controlled information (ITAR/EAR), and Privacy data. The originating government agency determines whether information is CUI — not your organization. When a contracting officer sends unmarked documents, that doesn't mean they aren't CUI.
A well-scoped CUI enclave — isolating CUI to specific systems and users rather than allowing it to flow across the entire network — is the single most effective cost-control measure available during the preparation phase. Virtual desktop infrastructure in a FedRAMP-authorized environment is one common approach. What matters is that the boundary is documented, defensible, and accurately reflected in your System Security Plan.
DFARS: The Regulatory Backbone
CMMC doesn't replace DFARS — it enforces it. Four DFARS clauses form the compliance backbone for defense contractors: 252.204-7012 (the foundational safeguarding and incident reporting clause), 252.204-7019 (NIST SP 800-171 assessment requirements), 252.204-7020 (DoD assessment requirements for higher-risk contracts), and 252.204-7021 (the CMMC certification clause).
CMMC Level 2 certification demonstrates that you've implemented the 110 controls in NIST SP 800-171, which addresses the core technical requirements of 7012 and the assessment requirements of 7019 and 7020. But 7012 carries independent obligations that certification doesn't eliminate — the 72-hour cyber incident reporting requirement, system image preservation after an incident, and DoD access for damage assessment. A functioning incident response program is an operational requirement, not something you certify away.
NIST SP 800-171 and the Control Framework
Level 2 certification is built entirely on NIST SP 800-171 Revision 2. The 110 controls span 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
NIST published SP 800-171 Revision 3 in May 2024, but the DoD issued a Class Deviation requiring contractors to continue using Revision 2 for CMMC purposes. C3PAO assessments still run against Rev 2. SPRS scores are still calculated against Rev 2. Revision 3 represents where requirements are heading — understanding what changed matters for three-to-five year planning — but the active compliance obligation is Rev 2.
SPRS: Your Score Before the Assessment
SPRS — the Supplier Performance Risk System — is the DoD's centralized database for contractor compliance data. Before a contract can be awarded, contractors handling CUI must submit a NIST SP 800-171 self-assessment score. Contracting officers pull SPRS scores when evaluating bids. A missing score, or a score that's significantly out of line with what a contracting officer expects for an organization of your type, flags your submission.
Scores run from 110 (full implementation) to -203 (significant gaps across all control families). A low score doesn't automatically disqualify you, but it must be accompanied by a credible POA&M documenting how and when gaps will be closed. How SPRS scoring works and where contractors commonly go wrong is worth understanding before you submit. Knowingly submitting an inflated score is a False Claims Act exposure, not just a technical problem.
SPRS scores need to precede C3PAO assessments by a period of active remediation. The assessment itself is a verification of what your SPRS score claims — if the two don't align, you have a problem. Build your SPRS submission to reflect your actual posture, with a documented POA&M that shows what you're working on and when it will close.
What Preparation Looks Like
For a small to mid-size contractor starting from a position of basic IT hygiene — some controls in place, no formal documentation — the preparation sequence runs approximately 12 to 18 months:
Months 1–2: Gap assessment. Measure your current environment against all 110 NIST SP 800-171 Rev 2 controls. Identify what's implemented, what's partially implemented, and what's missing. Calculate an initial SPRS score. Define your CUI boundary. This produces the foundation for everything that follows — your SSP draft and your POA&M.
Months 2–10: Remediation. Work through the POA&M in priority order. High-weight controls in Access Control and Identification and Authentication should move first — they carry disproportionate impact on your SPRS score and are frequent assessment failure points. Technical implementations include MFA across all accounts and remote access, EDR on all endpoints including servers, structured patch management with documented SLAs, log collection and retention, and network segmentation to contain your CUI enclave.
Months 8–14: Documentation. The System Security Plan must accurately describe every system in scope, the controls implemented on each, and the people and processes responsible for maintaining them. The POA&M must document every open item with a responsible owner and a close date. These documents are what the C3PAO reviews first. Assessments get derailed not by missing tools but by SSPs that don't match the environment assessors find when they start testing.
Months 12–18: Pre-assessment and C3PAO engagement. A readiness assessment against the C3PAO assessment methodology before the formal assessment catches gaps in evidence and documentation. Schedule the C3PAO early — lead times run three to six months and are extending as Phase 2 approaches. For small contractors, the preparation path has specific considerations that affect both timeline and cost.
How an MSP Factors In
A managed service provider that operates within your environment is part of your compliance boundary. Their access to your systems, the tools they deploy on your network, and whether they meet CMMC requirements themselves all affect your assessment. If your MSP can't produce documentation of their own security controls and how they protect your CUI environment, that's a gap your C3PAO will find.
The right MSP relationship accelerates CMMC preparation rather than complicating it. A provider with CMMC-specific experience can run the gap assessment, manage remediation, build the SSP and POA&M, and provide the ongoing evidence collection that keeps your posture assessment-ready between certification cycles. What to evaluate when selecting that provider is covered in our guide to choosing a managed IT provider.
Start With a Gap Assessment
Every CMMC preparation effort starts in the same place: measuring your current environment against the 110 controls in NIST SP 800-171 and understanding where you stand. Everything else — your cost estimate, your timeline, your remediation roadmap, your SPRS score — comes from that assessment.
Stratify IT conducts CMMC gap assessments for defense contractors across the Defense Industrial Base, working from initial scope definition through remediation, documentation, and pre-assessment readiness. Contact us to discuss what an assessment would cover for your environment, or explore our CMMC certification services to understand what we support.
Frequently Asked Questions
1. Does CMMC apply to subcontractors or only prime contractors?
CMMC requirements flow down through the entire supply chain under DFARS 252.204-7021. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level the prime's contract requires. The prime is responsible for enforcing flow-down — and cannot assume a subcontractor is covered by the prime's own certification. This is one of the most commonly misunderstood aspects of the program.
2. What happens if a contractor fails a C3PAO assessment?
A failed assessment means you cannot be awarded or maintain contracts requiring that CMMC level until deficiencies are remediated and a re-assessment is passed. There is no automatic disqualification from future work, but re-assessment fees apply and C3PAO scheduling can add months to your timeline. Remediating findings quickly and scheduling a follow-up assessment as soon as possible is critical to minimizing contract impact.
3. Does standard Microsoft 365 meet CMMC requirements for storing CUI?
No. Standard commercial Microsoft 365 does not meet the data sovereignty and access control requirements for CUI under CMMC. The DoD requires CUI stored or processed in Microsoft cloud environments to reside in GCC High — a separate cloud instance with U.S.-citizen-only staffing and physical access controls. Organizations using standard M365 tenants for CUI have a scope and remediation issue that must be resolved before assessment.
4. Are there limits on what can be left on a POA&M during a CMMC assessment?
Yes. Not all open items can be deferred to a POA&M. Certain high-weight controls — particularly in Access Control and Identification and Authentication — must be fully implemented at the time of assessment and are not POA&M-eligible. For items that are eligible, the DoD Assessment Methodology requires documented close dates and a credible remediation plan. All open POA&M items must close within 180 days of assessment.
5. How does CMMC affect contracts already in place before November 2025?
Existing contracts awarded before November 10, 2025 were not immediately affected — CMMC clauses were not retroactively inserted into active contracts. However, Phase 3 (beginning November 10, 2027) allows the DoD to include Level 2 C3PAO requirements through the exercise of options on active contracts. By Phase 4 (November 10, 2028), CMMC applies to all applicable contracts including option periods. Contractors with active contracts should not assume they are protected until renewal.
6. What is the False Claims Act risk associated with CMMC self-assessments?
Knowingly submitting an inaccurate SPRS score — claiming compliance with NIST SP 800-171 controls that have not been implemented — exposes the company and its officers to False Claims Act liability. The FCA allows the government to recover three times the contract value plus civil penalties. Several enforcement actions have already been brought against contractors for misrepresenting cybersecurity compliance. SPRS submissions are legal attestations, not administrative estimates.
7. Are commercially available off-the-shelf products exempt from CMMC?
Yes. Contracts exclusively for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements. The exemption applies only when the contract is solely for COTS products — if those products are customized, integrated with CUI systems, or combined with services that involve CUI access, the exemption does not apply. Contractors who believe they qualify should have legal counsel review the specific contract terms before assuming CMMC does not apply.
8. How do cloud service providers factor into CMMC compliance scope?
Any cloud service provider that processes, stores, or transmits CUI on behalf of a contractor is within the CMMC compliance boundary. CSPs must meet FedRAMP Moderate baseline requirements or equivalent. If a CSP is not FedRAMP authorized, CUI cannot be stored in that environment. Encrypted CUI in a non-FedRAMP environment does not automatically qualify as compliant — the authorization status of the platform itself is what assessors evaluate.
9. How long does CMMC Level 2 certification remain valid?
Level 2 certification issued by a C3PAO is valid for three years. Annual affirmations of continued compliance are required between triennial assessments — a senior company official must formally attest each year that the organization continues to meet CMMC requirements. If controls lapse or a significant change to the environment occurs, certification status can be affected. Maintaining evidence of continuous compliance between assessments is an operational requirement, not just a milestone.
10. What is the difference between FCI and CUI, and why does it determine CMMC level?
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. Controlled Unclassified Information (CUI) is defined under 32 CFR Part 2002 — information requiring protection under law, regulation, or government-wide policy that does not rise to the level of classified. Contractors handling only FCI need Level 1. Those handling CUI need Level 2 or Level 3 depending on program sensitivity. Correctly identifying which applies determines your entire compliance obligation.