Table of Contents
- CMMC Compliance for Small Defense Contractors: What You Actually Need to Do
- What CMMC Is — and Why It's Now a Contract Eligibility Condition
- Does CMMC Apply to You? FCI vs. CUI, Primes vs. Subs
- The Phased Implementation Timeline
- The Four DFARS Clauses You're Already Obligated Under
- What CMMC Level 2 Actually Requires
- The Realistic Path to Certification — and What It Costs
- CUI Scoping: The Decision That Controls Everything Else
- Working with a C3PAO: What to Expect
- Your SPRS Score: What It Is and What It Exposes
- What Small Contractors Get Wrong
- Next Steps by Where You Are Today
- Frequently Asked Questions
- 1. Do subcontractors need their own CMMC certification, or does the prime's cover them?
- 2. What is Phase 1 of CMMC and what does it require right now?
- 3. What separates a CMMC self-assessment from a C3PAO third-party assessment?
- 4. What are the legal consequences of submitting an inflated SPRS score?
- 5. Can you use a C3PAO to help remediate gaps before the assessment?
- 6. What must a POA&M include to hold up under CMMC assessment?
- 7. Does encrypting CUI remove it from CMMC compliance scope?
- 8. Why do small contractors often need to migrate to Microsoft 365 GCC High for CMMC?
- 9. What do C3PAO assessors actually verify beyond written policies?
- 10. How long does it take a small contractor to achieve CMMC Level 2 certification?
CMMC Compliance for Small Defense Contractors: What You Actually Need to Do
Phase 1 of CMMC implementation began November 10, 2025. Contracting officers are pulling SPRS scores on bids today. Lockheed Martin and Boeing have already told their supply chains to document CMMC status now, not when a contract forces the issue. Phase 2 — when C3PAO third-party assessments become mandatory for Level 2 contracts — begins November 2026. For a small contractor starting from scratch, 12 to 18 months is a realistic preparation timeline. That math is uncomfortable for anyone who hasn't started.
This guide covers what CMMC actually requires for small and mid-size defense contractors, what the path to certification costs, and where most organizations go wrong before they ever get to an assessment.
What CMMC Is — and Why It's Now a Contract Eligibility Condition
The Cybersecurity Maturity Model Certification is the DoD's framework for verifying that defense contractors have actually implemented the cybersecurity controls they've been required to maintain since 2016 under DFARS 252.204-7012. The core problem CMMC was designed to solve: contractors were self-attesting compliance with NIST SP 800-171 while independent assessments found widespread gaps. CMMC replaces self-attestation with verified certification for most contractors handling Controlled Unclassified Information.
The CMMC 2.0 Program Rule took effect December 16, 2024. The companion DFARS acquisition rule took effect November 10, 2025 — the date the DoD began inserting CMMC clauses into new solicitations. This is not a future requirement. CMMC is live, and it's appearing in contracts now.
What makes CMMC different from previous self-attestation regimes: under DFARS 252.204-7021, contractors must hold the required CMMC level at the time of contract award and maintain it for the duration of the contract. If your certification lapses or you fail to meet the required level, you're ineligible to compete. It's a go/no-go condition, not a factor weighed against price or past performance.
For context on the regulatory foundation beneath CMMC — the four DFARS clauses that create layered obligations independent of whether 7021 has appeared in your contracts yet — see our detailed breakdown of DFARS and its role in CMMC compliance.
Does CMMC Apply to You? FCI vs. CUI, Primes vs. Subs
The first question isn't "how do I get certified" — it's "what level do I actually need." That answer depends on what type of government information flows through your environment.
Federal Contract Information (FCI) is information provided by or generated for the government under a contract, not intended for public release. If you handle only FCI — no technical drawings, no sensitive program data, no personnel records tied to government contracts — you fall under CMMC Level 1. Level 1 requires 17 basic safeguarding practices drawn from FAR 52.204-21, self-attested annually. Direct cost is minimal.
Controlled Unclassified Information (CUI) is a broader category tied to specific legal and regulatory authorities. Engineering drawings for defense systems, ITAR-controlled technical data, personnel files on cleared individuals, procurement-sensitive information — these are CUI. If you handle CUI, you need CMMC Level 2 at minimum: 110 controls from NIST SP 800-171, with third-party C3PAO assessment required for most contractors by Phase 2.
A practical decision framework:
- Does your contract include DFARS 252.204-7012? If yes, you're handling CDI/CUI and you're in Level 2 territory.
- Are you a subcontractor receiving CUI from a prime? You need the same CMMC level the prime's contract requires. The prime's certification does not cover you.
- Do you handle only FCI with no CUI? Level 1 applies.
- Are you supporting a high-priority DoD program with advanced persistent threat risk? Level 3 may apply — that requires a government-led DIBCAC assessment and adds 24 controls from NIST SP 800-172.
The most important clarification for subcontractors: assuming the prime's CMMC covers your work is one of the most common and costly misconceptions in the defense supply chain. If you receive CUI, you need your own certification.
Getting your CUI scope right — identifying exactly what information in your environment qualifies as CUI and where it flows — is the foundational step. Define it too broadly and you multiply your compliance cost unnecessarily. Define it too narrowly and you leave actual CUI unprotected. The practical detail on what CUI is, how it enters contractor environments, and how to define your compliance boundary is covered separately.
The Phased Implementation Timeline
The DoD is rolling CMMC out in four phases between 2025 and 2028. Understanding where you are in that timeline determines how urgent your preparation needs to be.
Phase 1 (November 10, 2025 – November 9, 2026): CMMC Level 1 and Level 2 self-assessments are conditions of award in applicable new DoD solicitations. SPRS scores are required and actively reviewed. Some contracts are already requiring Level 2 C3PAO certification at DoD discretion for higher-risk programs. This phase is active now.
Phase 2 (November 2026): Third-party C3PAO assessments become mandatory for Level 2 certification contracts at scale. This is the deadline most small contractors should be planning toward. C3PAO slots are already filling — contractors without assessments scheduled will face availability constraints as this deadline approaches.
Phase 3 (November 2027): Level 2 C3PAO certification requirements begin appearing in option exercises on existing contracts. Level 3 DIBCAC assessments required for the highest-priority programs.
Phase 4 (November 2028): CMMC clauses mandatory in all applicable DoD contracts. Full enforcement.
The practical math: a small contractor with no formal security program needs 6 to 12 months for remediation before they're ready for a C3PAO assessment, plus 2 to 4 months to schedule and complete the assessment itself. Organizations targeting Phase 2 eligibility need to have their gap assessment and remediation roadmap active now — not in late 2026 when the deadline pressure creates a C3PAO scheduling bottleneck.
The Four DFARS Clauses You're Already Obligated Under
CMMC certification under DFARS 252.204-7021 gets most of the attention, but three other clauses create obligations that are active regardless of where 7021 stands in your contracts.
252.204-7012 — the foundational clause in place since 2016 — requires you to implement NIST SP 800-171 on any system that processes, stores, or transmits Covered Defense Information, report cybersecurity incidents to the DoD within 72 hours of discovery, and flow these requirements down to your subcontractors handling CDI. That 72-hour window requires a functioning incident response process with documented escalation paths. You cannot improvise it after an incident occurs.
252.204-7019 requires you to conduct a NIST SP 800-171 self-assessment and submit the resulting score to SPRS before contract award. The score must reflect actual implementation — a senior company official must affirm it. Submitting an inflated score creates False Claims Act exposure.
252.204-7020 authorizes the DoD to conduct its own assessments to verify the score you submitted. Your SPRS score and the documentation behind it need to be defensible under external scrutiny, not just internally consistent.
252.204-7021 integrates CMMC certification directly into contracts as a condition of award and flows certification requirements down to subcontractors.
If your contracts include 7012 but you haven't seen 7021 yet, you still have active obligations under 7012, 7019, and 7020 right now. Waiting for 7021 to appear before addressing cybersecurity obligations is a common mistake with real consequences. The full operational detail on each clause is in our DFARS and CMMC compliance breakdown.
What CMMC Level 2 Actually Requires
Level 2 maps to all 110 security practices in NIST SP 800-171 Rev 2, organized across 14 control families. The families most commonly cited in assessment failures for small contractors are Access Control (AC), Identification and Authentication (IA), Audit and Accountability (AU), and System and Information Integrity (SI).
What "implemented" means in practice is more demanding than most contractors assume. The control requiring multi-factor authentication isn't satisfied by enabling MFA in your Microsoft 365 tenant — it requires MFA enforced through Conditional Access policies, applied to all CUI-adjacent systems, and documented with evidence that it operates consistently. A C3PAO assessor will ask for configuration screenshots, access logs, and evidence that the policy applies to every user in scope.
This is the core distinction between self-assessment and third-party assessment: the evidence standard is materially higher. Self-assessment requires documentation sufficient for a senior official to affirm. C3PAO assessment requires documentation sufficient for trained assessors to independently verify through document review, personnel interviews, and system testing. Controls you scored as implemented need to be demonstrably, consistently implemented with records that prove it.
Note on Revision 3: NIST published SP 800-171 Revision 3 in May 2024, but a DoD Class Deviation requires contractors to continue complying with Revision 2 for CMMC purposes. C3PAO assessors are not authorized to evaluate against Rev 3. For what changed in Revision 3 and how to factor it into longer-term planning, see our NIST SP 800-171 Revision 3 analysis.
The Realistic Path to Certification — and What It Costs
Most cost estimates for CMMC compliance understate the true first-year number because they focus on the C3PAO assessment fee and omit preparation, remediation, and technology investment. The DoD's January 2025 FAR CUI Rule estimate puts the three-year cost of Level 2 compliance for a representative small business at approximately $487,970. Industry research puts full first-year costs — including gap assessment, remediation, documentation, and the assessment — between $100,000 and $285,000 for organizations starting from a typical commercial security baseline.
Here is how that breaks down across four preparation phases:
Gap Assessment (Weeks 1–6) — A structured review of your current environment against all 110 NIST SP 800-171 Rev 2 controls, mapped to your actual CUI boundary. This produces your SPRS score and a prioritized remediation list. Cost: $10,000 to $40,000. Do this first. Contractors who skip straight to remediation consistently fix the wrong things and discover expensive gaps late.
Remediation (Months 2–12) — Implementing the controls identified as deficient. Common items for small contractors: MFA enforcement across all CUI-adjacent systems, EDR deployment on all endpoints, CUI boundary scoping and network segmentation, GCC High migration for contractors currently on commercial Microsoft 365, SSP development, policy and procedure documentation. Cost: $50,000 to $150,000 depending on starting posture.
Pre-Assessment Audit (Month 11–13) — A mock assessment under C3PAO conditions before the formal engagement. Findings caught here cost far less to fix than findings surfaced during the formal assessment. Cost: $5,000 to $20,000, among the highest-ROI activities in the process.
C3PAO Assessment (Schedule 6+ Months in Advance) — The formal certification event. Fees range from $35,000 to $75,000 depending on the size of your CUI environment. The assessment covers documentation review, personnel interviews, and system testing. Schedule early — capacity is constrained and will tighten significantly as Phase 2 approaches.
Ongoing annual maintenance after certification typically runs $15,000 to $40,000 for continuous monitoring, vulnerability management, policy updates, and annual SPRS affirmations.
For the full cost breakdown by category and the variables that drive the most variation, see understanding CMMC compliance costs. For specific strategies that reduce total spend, see 5 ways to reduce CMMC compliance costs.
CUI Scoping: The Decision That Controls Everything Else
Your CUI boundary is the set of systems, people, and locations that process, store, or transmit CUI. Every system inside that boundary is in scope for all 110 controls and C3PAO assessment. Every system outside it is not.
This is the single highest-leverage decision in your CMMC program. A tightly defined CUI enclave — specific systems isolated from the rest of your environment — can limit your assessment scope to 20 users and a handful of systems. An undefined boundary where CUI flows freely across email, laptops, shared drives, and personal devices means your entire IT environment is in scope. The cost difference is substantial.
Three principles that consistently matter in practice:
CUI follows the data, not the system label. If CUI lands on a personal laptop, in a personal email account, or in standard commercial Microsoft 365, those systems are in scope regardless of intent. Data flow mapping — tracing where CUI enters your environment, where it moves, and where it rests — is the starting point for boundary definition.
Cloud environment matters. CUI must be stored in FedRAMP-authorized services at the appropriate impact level. Microsoft 365 GCC or GCC High are appropriate for CUI. Standard commercial Microsoft 365 is not. Many contractors discover during gap assessments that CUI has been flowing through non-compliant cloud services — and the fix requires migrating to GCC High before remediation can be finalized.
Document the boundary explicitly in your SSP. An SSP that describes "all of our systems" provides no scoping protection and no cost control. A clearly defined, minimized boundary is both more defensible and less expensive to maintain through recertification cycles.
The full detail on CUI identification, the Registry categories most relevant to defense contractors, and common scoping mistakes is in CUI explained: why scoping is critical for CMMC compliance.
Working with a C3PAO: What to Expect
C3PAOs are the only entities authorized to conduct CMMC Level 2 assessments and issue certification. Understanding how the C3PAO relationship works before you engage one prevents some of the most expensive mistakes in the process.
C3PAOs assess; they don't advise. A C3PAO cannot help you fix deficiencies while assessing whether you've fixed them — that's a conflict of interest. Remediation should be completed before the C3PAO engages, typically with a Registered Practitioner Organization (RPO) or GRC advisor. Contractors who try to use their C3PAO as a remediation partner during the assessment create timeline and cost problems.
Assessment readiness determines outcome. C3PAOs assess what exists, not what you intend to implement. Arriving with incomplete documentation, untested controls, or an SSP that doesn't match your actual environment produces findings that delay certification and require remediation before re-assessment. The cost of a second engagement typically exceeds the cost of thorough preparation upfront.
The assessment covers four stages: documentation review, personnel interviews, system testing, and evidence evaluation. If you pass, certification is valid for three years with annual affirmations. If there are findings, you have a defined window to remediate and return.
Schedule early. C3PAO capacity is limited and fills months in advance. As Phase 2 enforcement approaches, scheduling pressure will increase significantly. Don't let a filled calendar be the thing that costs you a contract.
For detail on selecting a C3PAO, understanding their assessment methodology, and distinguishing a C3PAO from an RPO, see understanding the CMMC ecosystem and the role of C3PAOs.
Your SPRS Score: What It Is and What It Exposes
Your SPRS score is your NIST SP 800-171 self-assessment score submitted to the Supplier Performance Risk System. Contracting officers can see it. It runs from 110 (all controls implemented) down to -203 (significant gaps across every family).
A low score with a credible POA&M is better than a high score with no documentation. C3PAO assessors aren't just looking at whether a control exists — they're looking for evidence it's consistently implemented and that your team understands how it works. A 110 SPRS score backed by thin documentation is a liability entering assessment.
The False Claims Act dimension is real. In March 2025, MORSE Corp paid $4.6 million to settle DoJ allegations that it submitted a self-assessed SPRS score of 104 when a third-party consultant determined the actual score was -142. Only 22% of controls were implemented. A whistleblower employee initiated the case and received $851,000. A defensible score that accurately reflects your current state is always the right answer.
Two documents are non-negotiable for a credible SPRS submission: the System Security Plan (SSP), which describes your CUI environment and how each control is implemented, and the POA&M, which documents any gap, the planned remediation, the responsible party, and the target completion date. Both must be current and consistent with what your systems actually do today.
For detail on the scoring methodology, how SPRS connects to CMMC assessment preparation, and the most common errors, see SPRS scoring and CMMC readiness.
What Small Contractors Get Wrong
Five failure patterns show up repeatedly across small contractor CMMC engagements.
Waiting for DFARS 252.204-7021 to appear in a contract before starting. The incident reporting, SPRS submission, and flow-down requirements under 7012, 7019, and 7020 are active now. And by the time 7021 appears in a contract, you may not have enough runway to achieve certification before the award goes to someone who already has it.
Defining the CUI boundary too broadly. The most common cost multiplier. Allowing CUI to flow across your entire IT environment means your entire environment is in scope for 110 controls. A defined CUI enclave limits the assessment boundary and significantly reduces remediation cost. Scope first, remediate second.
Treating the SSP as a one-time document. Every infrastructure change — new cloud platform, new remote access capability, new user population — needs to be reflected in an updated SSP. An SSP that doesn't match your actual systems produces findings during assessment.
Submitting an inflated SPRS score. The MORSE Corp case established this as a False Claims Act issue, not just a compliance finding. A score that accurately reflects your current state — even a low one, with a credible POA&M — is always the right answer.
Booking a C3PAO before remediation is complete. Assessment fees are non-refundable. Findings surfaced during assessment require remediation and a return engagement — more expensive than finding them in a pre-assessment audit. Get to a credible SPRS score, run a mock assessment under C3PAO conditions, then schedule the formal assessment.
Next Steps by Where You Are Today
Haven't started: Three things in the next 30 days. First, pull your current SPRS score — if you've never submitted one, that's a contracting risk right now. Second, inventory your CUI: walk through your contracts and identify what qualifies as CUI, where it lives, and which systems touch it. Third, engage a CMMC consultant for a formal gap assessment. Without it, every estimate about cost and timeline is guesswork.
In progress: Validate that your remediation is sequenced correctly — CUI scoping before technical controls, SSP development running parallel to remediation rather than after. Confirm your C3PAO is scheduled with enough lead time to close remaining gaps before the assessment date. If you don't have a slot, book one now.
Already certified: Annual affirmations are required. Your SSP needs to reflect any infrastructure changes since certification. Continuous monitoring, vulnerability scanning, and incident response procedures need to be running and documented — C3PAO recertification looks at evidence of ongoing operation, not just point-in-time compliance.
Stratify IT works with defense contractors through the full CMMC process: initial gap assessment, CUI boundary scoping, remediation planning and implementation, SSP and POA&M development, and pre-assessment preparation through C3PAO engagement. We work with organizations at every stage.
Contact us to discuss where your organization stands, or explore our CMMC compliance services to see how we structure engagements from gap assessment through certification.
Stratify IT — CMMC compliance built around your business, not a template.
Frequently Asked Questions
1. Do subcontractors need their own CMMC certification, or does the prime's cover them?
Subcontractors need their own certification. If a prime passes CUI to you under a covered contract, you carry the same CMMC obligation the prime does — their certification covers only their own environment. Primes are responsible for flowing CMMC requirements down to subs under DFARS 252.204-7021 and are increasingly verifying sub certification status before sharing contract data.
2. What is Phase 1 of CMMC and what does it require right now?
Phase 1 began November 10, 2025. DoD contracting officers are inserting CMMC Level 1 and Level 2 self-assessment requirements into applicable new solicitations as conditions of award. SPRS scores must be current before contract award. Some higher-risk programs are already requiring C3PAO certification at DoD discretion. Phase 2, beginning approximately November 2026, makes C3PAO assessments mandatory at scale for Level 2 contracts.
3. What separates a CMMC self-assessment from a C3PAO third-party assessment?
A self-assessment is conducted internally and affirmed by a senior official — the result becomes your SPRS score. A C3PAO assessment uses document review, personnel interviews, and system testing by an independent Certified Third-Party Assessment Organization. The evidence standard is higher: self-assessment requires documentation an official can affirm; C3PAO requires documentation trained assessors can independently verify. For most Level 2 contractors, C3PAO becomes mandatory in Phase 2.
4. What are the legal consequences of submitting an inflated SPRS score?
Submitting an inflated score to obtain or retain a federal contract is a False Claims Act violation. In March 2025, MORSE Corp paid $4.6 million to settle DoJ allegations of submitting a score of 104 when the actual score was -142. A whistleblower received $851,000. An accurate score paired with a credible POA&M — even a low one — is always the right approach.
5. Can you use a C3PAO to help remediate gaps before the assessment?
No. C3PAOs are authorized to assess and certify — they cannot also serve as your remediation partner for the same engagement. That conflict of interest is prohibited under CMMC-AB rules. Remediation should be completed with a Registered Practitioner Organization or GRC advisor before the C3PAO engages. Contractors who try to use their C3PAO for both roles create timeline problems and risk losing their scheduled assessment slot.
6. What must a POA&M include to hold up under CMMC assessment?
A Plan of Action and Milestones must document each unimplemented control, the specific gap, the planned remediation, the responsible party, resources required, and target completion date. It must be current — a stale POA&M will not survive C3PAO scrutiny. An accurate POA&M alongside a low SPRS score demonstrates good faith; an absent one alongside a high score creates both FCA exposure and assessment risk.
7. Does encrypting CUI remove it from CMMC compliance scope?
No. DoD's CMMC FAQ Revision 2.1 from November 2025 explicitly states that encrypted CUI remains CUI subject to all NIST SP 800-171 protections. Encryption is a required control, not a scope reduction tool. Any system that processes, stores, or transmits CUI — even encrypted — stays within your assessment boundary. Organizations that assumed encryption reduced compliance exposure need to revisit their boundary documentation.
8. Why do small contractors often need to migrate to Microsoft 365 GCC High for CMMC?
CUI must be processed in FedRAMP-authorized environments at the appropriate impact level. Standard commercial Microsoft 365 is not authorized for CUI — GCC High is. Many contractors discover during gap assessments that CUI has been flowing through commercial M365 unintentionally. Migration typically takes 60 to 90 days and must be completed before remediation can be finalized against NIST SP 800-171 controls.
9. What do C3PAO assessors actually verify beyond written policies?
Assessors verify consistent implementation across all in-scope systems, not just that policies exist. For MFA, they want Conditional Access screenshots and logs proving enforcement on every in-scope account. For audit logging, they check retention configurations and evidence of review. For incident response, they expect a tested plan with assigned roles. Proving a control is consistently implemented — not just stated — is where most Level 2 assessments fail.
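Both the Level 2 section above and this answer make the same point: an assessor wants proof that Conditional Access enforces MFA for every user in scope, not a screenshot of MFA being "turned on." The script below is an added illustration, not Stratify IT's or Microsoft's own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.Read.All permission, and it produces a reviewable record of which policies actually enforce MFA tenant-wide and which exclusions you will need to justify.

```powershell
# Added illustration, not Stratify IT's or Microsoft's own tooling.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account holds Policy.Read.All.
# Purpose: produce reviewable evidence of whether Conditional Access enforces MFA for
# every user on every cloud app, and surface the exclusions an assessor will ask about.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $users = $p.Conditions.Users
    $apps  = $p.Conditions.Applications
    $grant = $p.GrantControls

    # MFA is required if the grant control is the built-in "mfa" control or an
    # authentication-strength policy (e.g. phishing-resistant MFA) is attached.
    $requiresMfa = ($grant.BuiltInControls -contains "mfa") -or
                   (-not [string]::IsNullOrEmpty($grant.AuthenticationStrength.Id))

    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        AllUsers       = ($users.IncludeUsers -contains "All")
        AllApps        = ($apps.IncludeApplications -contains "All")
        RequiresMfa    = [bool]$requiresMfa
        ExcludedUsers  = @($users.ExcludeUsers).Count
        ExcludedGroups = @($users.ExcludeGroups).Count
    }
}

# Human-readable table for the assessor, plus a dated JSON export to file with the SSP.
$report | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 3 |
    Out-File ".\ca-mfa-evidence-$(Get-Date -Format yyyyMMdd).json"

# Report-only or disabled policies prove nothing about enforcement; only "enabled" counts.
$tenantWide = @($report | Where-Object {
    $_.State -eq "enabled" -and $_.AllUsers -and $_.AllApps -and $_.RequiresMfa
})

if ($tenantWide.Count -eq 0) {
    Write-Warning "No enabled policy requires MFA for all users on all cloud apps; MFA is not demonstrably enforced tenant-wide."
}

# Exclusions are not automatically a finding (emergency-access accounts are commonly excluded),
# but every excluded user or group needs a documented justification in the SSP.
foreach ($pol in $tenantWide) {
    if ($pol.ExcludedUsers -gt 0 -or $pol.ExcludedGroups -gt 0) {
        Write-Warning ("'{0}' excludes {1} user(s) and {2} group(s); document each exclusion." -f
            $pol.Policy, $pol.ExcludedUsers, $pol.ExcludedGroups)
    }
}
```

Pair the JSON export with sign-in logs showing the MFA requirement being satisfied, since the policy definition alone shows intent while the logs show operation.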
10. How long does it take a small contractor to achieve CMMC Level 2 certification?
For a contractor starting with no formal security program, 12 to 18 months is realistic: 6 to 8 weeks for gap assessment, 6 to 12 months for remediation, and 2 to 4 months to schedule and complete the C3PAO assessment. Contractors targeting Phase 2 compliance in November 2026 who have not started are already at risk of missing the window given current C3PAO scheduling constraints.