CMMC Certification Guide: Cybersecurity Maturity Model Requirements
Complete guide to CMMC 2.0 certification for defense contractors. Learn about certification levels, assessment requirements, timelines, and how to prepare for CMMC compliance.
Quick Answer
CMMC (Cybersecurity Maturity Model Certification) is a DoD requirement for defense contractors to demonstrate cybersecurity practices protecting Controlled Unclassified Information (CUI). CMMC 2.0 has three levels: Level 1 (17 practices, self-assessment), Level 2 (110 practices, third-party or self-assessment), and Level 3 (110+ practices, government-led assessment).
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard developed by the Department of Defense (DoD) to protect sensitive defense information. It measures a contractor's ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0, released in November 2021, streamlined the original five-level model to three levels. The final rule was published in October 2024, making CMMC a contractual requirement for DoD contracts containing FCI or CUI.
Key CMMC 2.0 Changes
- Reduced from 5 levels to 3 levels
- Aligned with existing NIST standards (800-171, 800-172)
- Self-assessment allowed for Level 1 and some Level 2
- Plans of Action & Milestones (POA&M) allowed in limited circumstances
- Waivers available for mission-critical situations
CMMC 2.0 Certification Levels
CMMC 2.0 establishes three certification levels, each with specific security requirements and assessment methods.
Level 1 - Foundational
Federal Contract Information (FCI)
Basic cyber hygiene practices based on FAR 52.204-21. Required for contractors handling only FCI with no CUI.
Level 2 - Advanced
Controlled Unclassified Information (CUI)
Based on NIST SP 800-171 Rev 2. Third-party assessment required for critical CUI; self-assessment allowed for non-critical CUI.
Level 3 - Expert
Highest Priority CUI
Based on NIST 800-171 plus subset of NIST 800-172. Government-led assessment by DCMA DIBCAC. Required for contractors on highest-priority programs.
Who Needs CMMC Certification?
CMMC applies to all contractors and subcontractors in the Defense Industrial Base (DIB) that process, store, or transmit FCI or CUI on DoD contracts.
CMMC Required
- Prime contractors on DoD contracts
- Subcontractors handling FCI/CUI
- All tiers of the supply chain
- Cloud service providers for CUI
- Managed service providers
CMMC May Not Apply
- COTS-only contractors
- Contracts with no FCI/CUI
- Non-DoD federal contracts
- Commercial contracts only
- Grants and cooperative agreements
Phased Implementation
CMMC requirements are being phased in starting 2025. Phase 1 (2025): Self-assessments only. Phase 2 (2026): Third-party assessments begin. Phase 3 (2027): Full implementation across all applicable contracts.
Security Controls Overview
CMMC Level 2 is based on the 110 security requirements from NIST SP 800-171, organized into 14 control families.
Access Control (AC)
22 requirements - Limit system access to authorized users and transactions.
Awareness & Training (AT)
3 requirements - Ensure personnel are trained on security responsibilities.
Audit & Accountability (AU)
9 requirements - Create, protect, and review system audit logs.
Configuration Management (CM)
9 requirements - Establish and maintain baseline configurations.
Identification & Authentication (IA)
11 requirements - Identify and authenticate users and devices.
Incident Response (IR)
3 requirements - Establish incident handling capability.
Additional families include: Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System & Communications Protection (SC), and System & Information Integrity (SI).
Assessment Process
The assessment process varies by level and whether self-assessment or third-party assessment is required.
Self-Assessment (Level 1 & Some Level 2)
1. Conduct self-assessment against applicable requirements
2. Enter results and score into SPRS (Supplier Performance Risk System)
3. Senior official affirms accuracy of assessment
4. Renew affirmation annually
Third-Party Assessment (Level 2 C3PAO)
1. Select and contract with a CMMC Third-Party Assessment Organization (C3PAO)
2. Prepare documentation and evidence for all 110 practices
3. Undergo on-site or remote assessment
4. Address any findings and receive certification
5. Maintain certification with annual affirmation
How to Prepare for CMMC
Define Your Scope
Identify where CUI is processed, stored, and transmitted. Minimize scope to reduce compliance burden.
Gap Assessment
Compare current security posture against NIST 800-171 requirements. Document gaps and prioritize remediation.
System Security Plan
Create comprehensive SSP documenting how each requirement is implemented in your environment.
Implement Controls
Deploy technical and administrative controls. Consider enclave solutions for isolating CUI.
Document Everything
Maintain evidence of policy, procedures, and implementation. Assessors will verify documentation.
Train Your Team
Ensure all employees understand security policies and their responsibilities for protecting CUI.
Certification Costs
CMMC certification costs vary significantly based on your current security posture, company size, and required level.
Estimated Cost Ranges
Note: These estimates include gap remediation, consulting, and assessment fees. Costs for ongoing maintenance are additional.
Frequently Asked Questions
When will CMMC be required in contracts?
CMMC requirements begin appearing in contracts in 2025 with phased implementation through 2027. Check current solicitations for DFARS 252.204-7021.
Can subcontractors have a lower CMMC level than the prime?
Subcontractors only need the level required for the CUI they handle. If a sub doesn't process CUI, Level 1 may suffice even if the prime needs Level 2.
What is a C3PAO?
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized entity that conducts Level 2 assessments. C3PAOs are accredited by the Cyber AB (formerly CMMC-AB).
Can I use a cloud service provider for CUI?
Yes, but the CSP must meet FedRAMP Moderate baseline or equivalent. The CSP's environment must be in scope for your CMMC assessment.
What is the SPRS score?
The Supplier Performance Risk System score reflects your self-assessed compliance with NIST 800-171. Scores range from -203 (no controls) to 110 (full compliance). Many contracts require a minimum score.
Find DoD Contract Opportunities with BidFinds
Once you're CMMC certified, BidFinds helps you discover DoD contract opportunities that match your capabilities—across all 50 states for just $99/month.