CMMC 2.0 Compliance: The Complete Guide to Cybersecurity Maturity Model Certification for Defense Contractors

If you handle Department of Defense information and you are not already working toward CMMC, you are on the clock to lose contracts. The Cybersecurity Maturity Model Certification is the DoD's way of verifying that the companies in its supply chain actually protect sensitive data. Once the rule is fully in force, the math is blunt: no certification, no award. Here is what it is, what the three levels demand, what an assessment looks like, what it costs, and how to get there without setting money on fire.

Quick answer: CMMC has three levels. Level 1 (basic, Federal Contract Information (FCI) only) is an annual self-assessment of 17 practices from FAR 52.204-21. Level 2 (Controlled Unclassified Information, CUI) requires all 110 NIST SP 800-171 practices, with a third-party assessment every three years for high-priority work. Level 3 (the most sensitive CUI) adds NIST SP 800-172 controls and a government-led assessment. Plan on 6 to 18 months to get ready, and start before a solicitation forces your hand.

What CMMC is, and why it exists

CMMC is a single cybersecurity standard the DoD built to protect unclassified information shared across its supply chain, the CUI and FCI that contractors handle every day. The old model trusted contractors to self-report. This one does not. CMMC requires verification, and for higher-risk work that means a third party checks your controls instead of taking your word for it.

The reason is simple. Adversaries target contractor networks, not just government ones, to steal military technology, operational plans, and research. Self-attestation let too much slide. CMMC 2.0 also trimmed the original program, which had five levels, 171 practices, and 17 domains, down to three levels aligned with NIST SP 800-171. Less sprawl, same teeth.

The three levels

Figure out your level first. Everything else follows from it, and the level is set by how sensitive the information you touch is.

Level 1 is basic hygiene for firms that handle only FCI. Seventeen practices from FAR 52.204-21, things like access control and physical security, checked through an annual self-assessment. No third party, low cost.

Level 2 is where most contractors live, because most DoD work involves CUI. It requires all 110 NIST SP 800-171 practices across 14 domains. High-priority programs need a third-party assessment every three years; lower-priority ones can self-assess annually with a senior official's signed affirmation.

Level 3 is for the most sensitive CUI, the critical-technology and advanced-weapons programs. It layers NIST SP 800-172 controls on top of Level 2 and is assessed by the government itself, not a commercial assessor. The levels stack: Level 2 contains Level 1, and Level 3 contains both. Pin down which one your contracts require, and you have your starting line.

How an assessment works

The mechanics shift by level, but the shape is consistent.

At Level 1, you self-assess against the official guide, document that each of the 17 practices is actually working, and post your affirmation in the DoD's Supplier Performance Risk System (SPRS). Cheap, but not casual: the documentation has to show the controls are real, not aspirational.

At Level 2, high-priority contracts bring in a certified third-party assessor every three years. They review your documentation, test the controls, interview your people, and inspect your facilities against all 110 practices. It usually opens with a readiness review that surfaces gaps before the formal assessment, which is your chance to fix them. Lower-priority Level 2 work can ride on self-assessment plus a senior official's affirmation, though plenty of firms pay for the third-party assessment anyway because independent validation reassures customers and heads off a challenge.

Level 3 assessments are run by the DoD, on its schedule, to its strictest standard. Whatever the level, the certification is the easy part. The months of gap analysis, remediation, documentation, and training that come first are the work, so start well before a deadline.

What it costs

The honest answer is that it depends, mostly on your target level and how far your current security sits from the standard. But the ranges are knowable.

Level 1 is modest. With no third-party assessor, the cost is mostly staff time, documentation, and minor fixes, roughly $5,000 to $15,000 with consulting help, and less if you already run decent security.

Level 2 is a different animal, typically $100,000 to over $1 million. Gap remediation is usually the biggest line: implementing missing controls, upgrading systems, and deploying tools like multi-factor authentication, endpoint detection and response, encryption, and a SIEM, which alone can run from tens of thousands into the hundreds of thousands. Documentation (your policies, procedures, and system security plan) runs $20,000 to over $100,000 if you bring in help. The third-party assessment itself is usually $15,000 to $50,000 or more. Then budget 20 to 30 percent of your initial spend every year for ongoing compliance, because this is not one-and-done. Readiness consultants generally charge $150 to $300 an hour.

For a small shop those numbers sting. But losing your DoD pipeline costs far more, and the controls you put in to pass also lower your odds of a breach that could end the business.

How to get certified without wasting money

CMMC punishes the last-minute scramble and rewards the firms that treat it as a project. A few principles separate them.

Start with a real gap analysis against your target level. It tells you what is missing and what to document, and most firms underestimate the gap on the first look, which is why an outside assessment pays for itself. Then build a remediation roadmap with owners and dates, knock out the quick wins early, and give the heavy lifts the runway they need. Understanding the government procurement cycle helps you time all of this against when CMMC will actually hit your opportunities.

Implement the technical controls in order of value: access control, MFA, segmentation, encryption. Stand up logging early so you can prove the controls have been running over time, not just installed the week before. Document like the assessor will read it, because they will, and they will test whether your written procedures match reality. A solid System Security Plan is the backbone here. Train your people, since assessors interview staff, and a control nobody operates correctly is a control you fail on.

Then sidestep the usual ways firms blow it:

  • Waiting until a solicitation demands it. Certification runs 6 to 18 months; start late and you simply miss the work.
  • Treating it as an IT project. It touches policy, training, facilities, HR, and operations, not just the server room.
  • Buying tools and skipping documentation. CMMC weighs evidence of consistent practice as heavily as the technology.
  • Scoping carelessly. Define the boundary where CUI actually lives; include too much and you overpay, too little and you leave a gap.
  • Forgetting the supply chain. The requirements flow down to your cloud providers, MSPs, and subcontractors, and their gaps become yours.

When it kicks in

The timeline has moved more than once, so anchor on the mechanics rather than a date. The DoD published the proposed rule in December 2023 and worked through public comment toward a final rule. Once that final rule lands in the Federal Register, a six-month clock starts before CMMC requirements begin showing up in solicitations.

It will not hit every contract at once. The rollout is phased, starting with the most sensitive information and the highest-priority programs, so watch the specific solicitations you care about rather than assuming a blanket date. Primes on major programs will see it first; flow-down to lower-tier subcontractors comes as primes write CMMC into their subcontracts. Being deeper in the supply chain buys you a little time, not a pass. Track it through the official source at acq.osd.mil/cmmc, and do not wait for a solicitation to start: the lead time means late starters miss the award.

How OryonIQ helps

CMMC is a months-long program, and the cost of missing a requirement is a lost contract. A few resources make it easier. The CMMC Accreditation Body lists authorized assessment organizations and certified assessors and is the place to confirm you are working from current guidance. The National Institute of Standards and Technology publishes the underlying standards, and the DoD Cybersecurity Resource Center and groups like the National Defense Industrial Association add guidance and peer support.

OryonIQ sits alongside those. Ask Oryon, the built-in AI assistant, answers CMMC, CUI, and clause questions in plain language and cites its sources, and the Insights module flags the policy and regulatory changes that affect your eligibility before they catch you out. When your RFP responses have to state your compliance posture, that and sharp proposal writing are what get the message across to evaluators. Want help mapping CMMC to your specific contracts? Talk to our team.

Frequently asked questions

What are the three CMMC levels?

Level 1 covers basic hygiene for Federal Contract Information and uses an annual self-assessment of 17 practices from FAR 52.204-21. Level 2 covers Controlled Unclassified Information and requires all 110 NIST SP 800-171 practices, with a third-party assessment for high-priority work. Level 3 covers the most sensitive CUI, adds NIST SP 800-172 controls, and is assessed by the government.

How much does CMMC certification cost?

Level 1 runs roughly $5,000 to $15,000. Level 2 typically runs $100,000 to over $1 million depending on how far your current security is from the standard, with the third-party assessment alone usually $15,000 to $50,000 or more. Budget 20 to 30 percent of your initial cost each year for ongoing compliance.

How long does it take to get CMMC certified?

Most organizations need 6 to 18 months, depending on readiness. Gap analysis, remediation, documentation, and training take the time; the assessment itself is the short part.

Do I need a third-party assessment, or can I self-assess?

Level 1 and lower-priority Level 2 contracts allow annual self-assessment, with Level 2 also requiring a senior official's affirmation. High-priority Level 2 work requires a certified third-party assessment every three years, and Level 3 is assessed by the DoD.

When does CMMC become mandatory?

It phases in. After the final rule publishes in the Federal Register, a six-month period precedes requirements appearing in solicitations, starting with the most sensitive programs. Because preparation takes months, the practical answer is to start now.
