Key Takeaways
- Three levels, one decision: Level 1 (17 practices, self-assess) for FCI; Level 2 (110 practices, often C3PAO) for CUI; Level 3 (134, government-led) for the most sensitive programs.
- Final rule is live since December 16, 2024. Phase 2 (C3PAO requirements in contracts) began Q1 2026 — the requirement is already appearing in solicitations.
- Realistic Level 2 cost for a 50-person contractor: $120K–$350K first year (gap, remediation, docs, C3PAO fee), $40K–$100K annually after.
- Scope wins or loses you the budget. A defined CUI enclave can cut compliance cost 40–60% vs. trying to harden the whole network.
- POA&Ms are limited. SPRS must hit 88/110 (80%) with POA&M items, certain high-weight practices are not POA&M-eligible, and all items must close in 180 days.
- Six months is the floor for L2 readiness. Waiting until CMMC appears in your RFP means you have already lost the bid.
Need a CMMC readiness call this week?
A 30-minute scoping call with Craig will tell you what level you actually need, what your SPRS score looks like today, and what a realistic 90-day path to assessment readiness looks like.
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's mandatory cybersecurity framework that requires all defense contractors to verify their cybersecurity practices before they can win or maintain DoD contracts. CMMC 2.0 has three levels: Level 1 requires 17 basic cyber hygiene practices for Federal Contract Information (FCI), Level 2 requires 110 practices aligned to NIST SP 800-171 for Controlled Unclassified Information (CUI), and Level 3 requires 134 practices based on NIST SP 800-172 for the most sensitive programs. The final CMMC rule (32 CFR Part 170) took effect on December 16, 2024, and assessments began in Q1 2025. Every company in the Defense Industrial Base that handles FCI or CUI must achieve the appropriate CMMC level or lose eligibility for DoD contracts.
As someone who has guided over 200 defense contractors through NIST 800-171 and CMMC readiness over the past eight years, I can tell you that the organizations succeeding with CMMC are the ones that started early and treated it as a security program rather than a checkbox exercise. This guide covers everything you need to know about CMMC 2.0 in 2026, from the three certification levels to the assessment process, timeline, and realistic cost expectations.
What Is CMMC 2.0
The Cybersecurity Maturity Model Certification is a unified cybersecurity standard created by the Department of Defense to protect sensitive defense information across the entire supply chain. Before CMMC, defense contractors were expected to self-attest to NIST SP 800-171 compliance through DFARS clause 252.204-7012. The problem was that self-attestation had no verification mechanism. A 2019 DoD Inspector General report found that contractors routinely claimed compliance without implementing required controls. Adversaries, particularly nation-state actors from China and Russia, exploited these gaps to steal critical defense data including F-35 fighter jet designs, submarine warfare systems, and missile defense technology.
CMMC 2.0 solves this by requiring independent third-party verification for organizations handling CUI. The framework was first announced in January 2020 as CMMC 1.0 with five levels. In November 2021, the DoD streamlined it to three levels and renamed it CMMC 2.0. The final rule was published on October 15, 2024, and became effective December 16, 2024.
Key differences between CMMC 1.0 and CMMC 2.0 include the reduction from five levels to three, elimination of CMMC-unique practices that went beyond NIST standards, allowance of Plans of Action and Milestones (POA&Ms) for certain controls, introduction of a phased rollout rather than immediate enforcement across all contracts, and alignment directly with existing NIST SP 800-171 and 800-172 standards.
The Three CMMC 2.0 Levels Explained
CMMC 2.0 establishes three maturity levels, each building on the one below it. The level required for your organization depends on the type of information you handle in performance of DoD contracts.
Level 1: Foundational (17 Practices)
CMMC Level 1 applies to organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under contract that is not intended for public release. Level 1 requires implementation of 17 practices drawn from FAR clause 52.204-21, covering basic cyber hygiene.
The 17 Level 1 practices include requirements such as limiting system access to authorized users, controlling the flow of FCI on systems, verifying and controlling connections to external systems, controlling information posted on public systems, identifying and authenticating users, sanitizing or destroying media before disposal, screening personnel with system access, limiting physical access, escorting visitors, maintaining audit logs, protecting communications transmissions, establishing and maintaining system security, identifying and remediating vulnerabilities, performing malware scanning, updating malicious code protections, and monitoring organizational systems.
Assessment method: Annual self-assessment. Results must be entered into the Supplier Performance Risk System (SPRS). No third-party certification is required.
Typical timeline to achieve: 1 to 3 months for organizations with basic IT security already in place.
Level 2: Advanced (110 Practices)
CMMC Level 2 is the most significant level for the majority of defense contractors. It applies to organizations that process, store, or transmit Controlled Unclassified Information and requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. These 110 practices are organized across 14 domains and represent a comprehensive cybersecurity program.
Level 2 is divided into two assessment paths based on the criticality of the CUI involved:
Level 2 with Third-Party Assessment (C3PAO): Required for contracts involving CUI that the DoD designates as critical or high-value. A CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment. Certification is valid for three years with an annual affirmation requirement.
Level 2 with Self-Assessment: Permitted for contracts involving CUI that is not designated as critical. The organization conducts its own assessment against NIST SP 800-171 and submits results to SPRS. This path still requires rigorous documentation including a complete System Security Plan (SSP) and any applicable POA&Ms.
Typical timeline to achieve: 6 to 18 months depending on starting posture, organizational complexity, and scope of CUI environment.
Level 3: Expert (134 Practices)
CMMC Level 3 is reserved for the highest-priority programs and applies to a small subset of the defense industrial base. It includes all 110 NIST SP 800-171 practices plus 24 additional practices selected from NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI). Level 3 focuses on protecting CUI against advanced persistent threats (APTs) and includes requirements for penetration testing, security operations centers, and advanced threat hunting capabilities.
Assessment method: Government-led assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Typical timeline to achieve: 18 to 36 months. Most organizations at this level have dedicated cybersecurity teams and significant existing security infrastructure.
The 14 CMMC Domains
CMMC Level 2 organizes its 110 practices across 14 security domains. Understanding these domains is essential for scoping your compliance program and allocating resources appropriately.
1. Access Control (AC) — 22 practices. Restricting system and data access to authorized users, processes, and devices. This is the largest domain and includes requirements for account management, separation of duties, least privilege, remote access, and wireless access controls.
2. Awareness and Training (AT) — 3 practices. Ensuring personnel are aware of security risks and trained on policies and procedures. Includes role-based training for privileged users and system administrators.
3. Audit and Accountability (AU) — 9 practices. Creating, protecting, and reviewing system audit logs. Requirements cover audit event logging, audit record content, audit log capacity, audit review and reporting, and time synchronization.
4. Configuration Management (CM) — 9 practices. Establishing and maintaining baseline configurations for systems and controlling changes. Includes configuration change control, security impact analysis, and restricting unauthorized software.
5. Identification and Authentication (IA) — 11 practices. Verifying the identity of users, processes, and devices. Covers multi-factor authentication, password complexity, authenticator management, and replay-resistant authentication.
6. Incident Response (IR) — 3 practices. Establishing incident handling capabilities. Requires incident response plans, incident tracking, and reporting incidents to appropriate authorities.
7. Maintenance (MA) — 6 practices. Performing timely maintenance on organizational systems. Addresses controlled maintenance, maintenance tools, and nonlocal maintenance requirements.
8. Media Protection (MP) — 9 practices. Protecting both digital and physical media containing CUI. Covers media access, media marking, media storage, media transport, media sanitization, and CUI handling on portable storage devices.
9. Personnel Security (PS) — 2 practices. Screening individuals before granting access and ensuring access is revoked promptly upon personnel actions like termination or transfer.
10. Physical Protection (PE) — 6 practices. Limiting physical access to systems, equipment, and operating environments. Addresses facility access, visitor management, and physical access monitoring.
11. Risk Assessment (RA) — 3 practices. Identifying and evaluating risk to organizational operations, assets, and individuals. Requires periodic risk assessments and vulnerability scanning.
12. Security Assessment (CA) — 4 practices. Periodically assessing security controls, developing and implementing plans of action, and monitoring security controls on an ongoing basis.
13. System and Communications Protection (SC) — 16 practices. Monitoring and protecting communications at system boundaries. Covers CUI encryption in transit and at rest, architectural designs, network segmentation, and session termination.
14. System and Information Integrity (SI) — 7 practices. Identifying, reporting, and correcting system flaws in a timely manner. Includes malicious code protection, security alert monitoring, and system monitoring.
Who Needs CMMC Certification
CMMC applies to every organization in the Defense Industrial Base (DIB) supply chain, not just prime contractors. If your company meets any of these criteria, you need CMMC certification:
You hold a DoD contract with DFARS clause 252.204-7012. This clause has been in contracts since 2017 and requires NIST SP 800-171 compliance. CMMC adds verification to this existing requirement.
You are a subcontractor to a DoD prime contractor. CUI flows down through the supply chain. If a prime contractor shares CUI with you, you need the same CMMC level they do for that information.
You handle FCI under a government contract. Even if you do not handle CUI, any organization with a federal contract containing FAR clause 52.204-21 needs at least CMMC Level 1.
You plan to bid on future DoD contracts. The phased rollout means CMMC requirements are appearing in new solicitations throughout 2025 and 2026. Organizations that wait until they see CMMC in a solicitation will not have time to achieve compliance before the bid deadline.
It is estimated that over 220,000 companies in the DIB will ultimately need some level of CMMC certification. About 80,000 of these will need Level 2, and a few hundred will need Level 3.
The CMMC Assessment Process
The assessment process differs by level. Here is what to expect at each stage.
Level 1 Self-Assessment: Your organization reviews its implementation of all 17 practices, documents the results, and has a senior company official sign an affirmation statement. Results are entered into SPRS. This must be repeated annually.
Level 2 Self-Assessment: Similar to Level 1 but far more rigorous, covering all 110 NIST SP 800-171 practices. Requires a complete System Security Plan documenting how each practice is implemented, evidence artifacts for each practice, SPRS score calculation (110 minus weighted point values for unimplemented practices), and senior official affirmation.
Level 2 C3PAO Assessment: This is the most common assessment path for CUI-handling organizations. The process runs as follows:
1. Select a C3PAO from the Cyber AB marketplace.
2. Schedule a pre-assessment consultation to define scope and logistics.
3. The C3PAO review team (typically 2 to 4 assessors) conducts the assessment over 3 to 5 days on-site.
4. Assessors review documentation and interview personnel for all 110 practices.
5. Each practice receives a MET, NOT MET, or NOT APPLICABLE determination.
6. If deficiencies are found, you may submit a POA&M for certain practices.
7. The C3PAO submits results to the CMMC eMASS system.
8. The Cyber AB issues your certification upon successful completion.
Level 3 Government Assessment: DIBCAC conducts a comprehensive government-led assessment that builds on your Level 2 certification. The scope includes the 24 additional NIST SP 800-172 practices plus a deeper evaluation of your overall cybersecurity maturity.
CMMC Timeline and Phased Rollout
The DoD is implementing CMMC through a four-phase rollout tied to the 48 CFR rulemaking process:
Phase 1 (Beginning Q1 2025): The DoD began including CMMC Level 1 self-assessment and Level 2 self-assessment requirements in new contracts. This phase is active now.
Phase 2 (Beginning Q1 2026): Level 2 C3PAO third-party assessments begin appearing as requirements in applicable contracts. This is the current phase as of this writing. Organizations that have not begun their CMMC journey are running out of time.
Phase 3 (Beginning Q1 2027): Level 3 government-led assessments are included in applicable contracts. Level 2 C3PAO requirements expand to all contracts involving critical CUI.
Phase 4 (Beginning Q4 2027): Full implementation. CMMC requirements at the appropriate level are included in all applicable DoD contracts. The option period for any existing contract will require CMMC as a condition of exercising the option.
Critical deadline awareness: Although Phase 4 full implementation is not until late 2027, contracting officers have discretion to include CMMC requirements in solicitations earlier than the phase schedule. We are already seeing Level 2 C3PAO requirements in 2026 solicitations. The time to prepare is now, not when you see the requirement in an RFP.
CMMC Compliance Costs
CMMC compliance costs vary significantly based on your organization's size, existing security maturity, and the scope of your CUI environment. The following estimates are based on our experience helping over 200 contractors through the process.
Level 1 estimated costs:
- Internal time for self-assessment and documentation: $2,000 to $5,000
- Remediation of gaps (if any): $1,000 to $10,000
- Consulting assistance (optional): $3,000 to $8,000
- Total Level 1 range: $3,000 to $20,000
Level 2 estimated costs for a 50-person company:
- Gap assessment and roadmap: $15,000 to $30,000
- Technology remediation (SIEM, MFA, encryption, backup, endpoint): $50,000 to $150,000
- Policy and documentation development: $10,000 to $25,000
- Managed security services (ongoing): $3,000 to $8,000 per month
- C3PAO assessment fee: $30,000 to $120,000
- Total Level 2 first-year range: $120,000 to $350,000
- Ongoing annual costs: $40,000 to $100,000
Level 3 estimated costs: Level 3 costs are highly variable but typically range from $500,000 to $2 million or more for initial implementation, with annual ongoing costs of $200,000 to $500,000. Most Level 3 organizations have dedicated cybersecurity staff and existing security operations infrastructure.
Cost reduction strategies: The single most effective way to reduce CMMC costs is to minimize the scope of your CUI environment. Rather than trying to secure your entire network to CMMC Level 2 standards, create a defined CUI enclave, a segmented portion of your network where CUI is processed and stored. This approach can reduce compliance costs by 40 to 60 percent.
SPRS Score and Self-Assessment
The Supplier Performance Risk System (SPRS) score is a numeric representation of your NIST SP 800-171 implementation status. A perfect score is 110, meaning all 110 practices are fully implemented. Each unimplemented practice reduces your score by 1, 3, or 5 points depending on the DoD's weighting of that practice.
The lowest possible SPRS score is -203 (if no practices are implemented), but contracting officers can set minimum score thresholds for individual solicitations. In practice, organizations with scores below 70 face significant challenges winning new contracts.
To calculate your SPRS score, review each of the 110 NIST SP 800-171 practices, determine whether each practice is fully implemented, partially implemented, or not implemented, sum the weighted point values for all practices that are not fully implemented, and subtract that sum from 110.
Your SPRS score must be current (within the last three years for C3PAO assessments, annually for self-assessments) and entered into the SPRS system. A senior company official must sign an affirmation statement attesting to the accuracy of the score.
Plans of Action and Milestones
CMMC 2.0 allows Plans of Action and Milestones (POA&Ms) for certain practices that are not fully implemented at the time of assessment. This is a significant change from CMMC 1.0, which required 100 percent implementation with no exceptions.
POA&M rules under CMMC 2.0 include the following: POA&Ms are not permitted for Level 1. For Level 2, POA&Ms are allowed but with strict limitations. Your SPRS score must be at least 80 percent of the maximum (88 out of 110) even with the POA&M items. Certain high-weighted practices cannot be placed on POA&M. All POA&M items must be closed within 180 days of the assessment. Failure to close POA&M items within 180 days results in loss of certification.
POA&Ms are a tool for managing the final stretch of compliance, not a way to defer significant work. Organizations that enter a C3PAO assessment planning to POA&M their way through major gaps will likely fail.
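The SPRS calculation in the previous section and the POA&M gate above are easy to state but easy to get wrong in a spreadsheet, so here is an added worked example (written for this article, not DoD or Petronella code) that computes the score as 110 minus the summed weights of unimplemented practices and then applies the three Level 2 POA&M rules: the 88/110 floor, the set of practices that may not be placed on a POA&M, and the 180-day closure window. The practice identifiers (P001 to P110), the point weights, and the POA&M-ineligible set are constructed sample data chosen purely for illustration; the official weights come from the DoD NIST SP 800-171 Assessment Methodology and must be used for a real submission.

```python
# Added example, not from the original article: SPRS score calculator with
# the CMMC 2.0 Level 2 POA&M gate (88/110 floor, non-eligible practices,
# 180-day closure).  Practice ids, weights and the ineligible set below are
# CONSTRUCTED for illustration; take real weights from the DoD methodology.
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110        # score when all 110 practices are implemented
POAM_FLOOR = 88        # 80 percent of 110: minimum score to use a POA&M at Level 2
POAM_CLOSE_DAYS = 180  # every POA&M item must be closed within this window


@dataclass(frozen=True)
class Practice:
    pid: str            # practice identifier (constructed: "P001".."P110")
    weight: int         # 1, 3 or 5 points deducted when not implemented
    implemented: bool
    poam_eligible: bool = True


@dataclass
class Readiness:
    score: int
    open_items: list      # every practice that is not fully implemented
    blocking_items: list  # open items that may not be placed on a POA&M
    poam_allowed: bool    # True only if score >= 88 and nothing blocks


def sprs_score(practices):
    """SPRS score = 110 minus the summed weights of unimplemented practices."""
    deduction = sum(p.weight for p in practices if not p.implemented)
    return MAX_SCORE - deduction


def assess(practices):
    """Apply the Level 2 POA&M gate to a full practice inventory."""
    score = sprs_score(practices)
    open_items = sorted(p.pid for p in practices if not p.implemented)
    blocking = sorted(p.pid for p in practices
                      if not p.implemented and not p.poam_eligible)
    return Readiness(score, open_items, blocking,
                     score >= POAM_FLOOR and not blocking)


def poam_deadline(assessment_date_iso):
    """Last day (ISO string) on which open POA&M items may still be closed."""
    assessed = date.fromisoformat(assessment_date_iso)
    return (assessed + timedelta(days=POAM_CLOSE_DAYS)).isoformat()


def build_inventory(unimplemented):
    """CONSTRUCTED 110-practice inventory.  Weights are assigned by position
    purely for illustration: P001-P024 are 5-point and not POA&M-eligible,
    P025-P060 are 3-point, P061-P110 are 1-point."""
    inventory = []
    for n in range(1, 111):
        pid = f"P{n:03d}"
        if n <= 24:
            weight, eligible = 5, False
        elif n <= 60:
            weight, eligible = 3, True
        else:
            weight, eligible = 1, True
        inventory.append(Practice(pid, weight, pid not in unimplemented, eligible))
    return inventory


# Three constructed scenarios (sets of practice ids that are NOT implemented)
SCENARIO_HIGH_BUT_BLOCKED = {"P001", "P002", "P030", "P031", "P090", "P091"}  # 92 but two 5-pt open
SCENARIO_POAM_OK = {"P030", "P031", "P090", "P091"}                              # 102, all eligible
SCENARIO_BELOW_FLOOR = {f"P{n:03d}" for n in range(25, 33)}                       # eight 3-pt open -> 86

if __name__ == "__main__":
    scenarios = [("high score, blocked item", SCENARIO_HIGH_BUT_BLOCKED),
                 ("POA&M permitted", SCENARIO_POAM_OK),
                 ("below 88 floor", SCENARIO_BELOW_FLOOR)]
    for name, gaps in scenarios:
        r = assess(build_inventory(gaps))
        print(f"{name}: score {r.score}/110, open {r.open_items}, "
              f"blocking {r.blocking_items}, POA&M allowed: {r.poam_allowed}")
    print("POA&M items for an assessment on 2026-03-02 must close by",
          poam_deadline("2026-03-02"))
```

The first scenario is the one that surprises people: a 92/110 score clears the 80 percent floor, yet the two open 5-point practices are not POA&M-eligible, so the organization still cannot certify until they are fixed. Prioritising the non-eligible practices during remediation, as Step 4 of the roadmap later in this guide recommends, is what keeps that from happening at the assessment.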
CUI Enclaves and Scoping
Scoping is arguably the most important strategic decision in your CMMC compliance journey. The scope of your assessment determines which systems, networks, and personnel are subject to the 110 Level 2 practices.
A CUI enclave is a defined boundary within your network where CUI is processed, stored, and transmitted. Everything inside the enclave must meet CMMC requirements. Everything outside it does not, though systems that connect to the enclave may be classified as Security Protection Assets that require a subset of controls.
CMMC scoping categories include:
- CUI Assets: Systems that process, store, or transmit CUI. Subject to all 110 practices.
- Security Protection Assets: Systems that provide security functions for the CUI environment (firewalls, SIEM, domain controllers). Subject to relevant practices.
- Contractor Risk Managed Assets: Systems that can but do not process CUI, and are not security protection assets. The contractor determines and documents the risk.
- Specialized Assets: IoT devices, OT systems, test equipment, and government-furnished equipment that may have limited ability to implement all practices.
- Out of Scope Assets: Systems completely separated from CUI processing with no connection to the CUI enclave.
Effective scoping strategies include using a dedicated virtual desktop infrastructure (VDI) or cloud enclave for CUI processing, implementing network segmentation to isolate the CUI environment, using a managed CUI enclave service from a provider like Petronella Technology Group, and minimizing the number of personnel with CUI access.
Common CMMC Compliance Mistakes
After working with hundreds of defense contractors, these are the mistakes I see most frequently:
1. Waiting for the requirement to appear in a contract. By the time CMMC is in your RFP, you do not have time to achieve compliance. Level 2 takes 6 to 18 months for most organizations. Start now.
2. Confusing IT management with cybersecurity compliance. Having a managed IT provider does not mean you are CMMC compliant. Most general IT providers do not understand NIST SP 800-171 controls, cannot produce the documentation required for assessment, and have not configured your environment to meet specific practice requirements.
3. Underestimating documentation requirements. CMMC assessors verify compliance through documentation review and personnel interviews, not just technical testing. You need a complete System Security Plan, policies for all 14 domains, procedures for key processes, and evidence artifacts for every practice. Organizations that focus exclusively on technology and ignore documentation fail their assessments.
4. Trying to secure the entire network. As discussed in the scoping section, trying to make your entire corporate network CMMC Level 2 compliant is unnecessarily expensive. Define a CUI enclave and minimize scope.
5. Choosing the wrong consulting partner. The CMMC ecosystem includes many new entrants with limited experience. Look for consultants with verifiable experience helping organizations achieve NIST SP 800-171 compliance, knowledge of the specific technologies and architectures used in CUI enclaves, the ability to provide both technical implementation and documentation support, and references from organizations that have passed C3PAO assessments. For a 2026 shortlist of RPO-verified best CMMC compliance consultants, see our 9-firm comparison.
How to Get Started with CMMC
Whether you are starting from scratch or have an existing NIST SP 800-171 program, follow this roadmap:
Step 1: Determine your required CMMC level. Review your current and anticipated DoD contracts. If you handle CUI, you need Level 2. If you handle only FCI, Level 1 is sufficient. Your contracting officer or prime contractor can clarify what level of information you handle.
Step 2: Conduct a gap assessment. Evaluate your current implementation status against all applicable practices. For Level 2, this means assessing all 110 NIST SP 800-171 practices and calculating your SPRS score. A professional gap assessment from a firm like Petronella Technology Group provides a detailed roadmap with prioritized remediation steps.
Step 3: Define your CUI scope and enclave. Identify where CUI enters, resides, and exits your organization. Design or refine your enclave architecture to minimize the systems subject to CMMC controls.
Step 4: Remediate gaps. Implement technical controls, develop required documentation, and train personnel. Prioritize high-weighted practices and those that cannot be placed on POA&M.
Step 5: Conduct an internal readiness review. Before engaging a C3PAO, perform a thorough internal assessment or hire a consultant to conduct a mock assessment. This identifies remaining gaps while there is still time to fix them.
Step 6: Engage a C3PAO. Select a C3PAO from the Cyber AB marketplace, schedule your assessment, and achieve your certification.
5-Question CMMC Readiness Check
Use this quick self-check to see whether you should be planning a C3PAO assessment in the next 6–12 months, a self-assessment, or stepping back to scope your CUI environment first. If you answer "yes" to three or more questions, you almost certainly need a CMMC Level 2 program now.
- Do you currently hold a DoD contract with DFARS 252.204-7012 (or are you a subcontractor to one)? If yes, NIST 800-171 compliance is already required and CMMC verification is coming.
- Do you process, store, or transmit Controlled Unclassified Information (CUI) — CDI, ITAR-controlled data, or any data marked "CUI" or "CUI//SP-PRVCY"? If yes, Level 2 is your target, not Level 1.
- Will your contract or prime require C3PAO certification (not just self-assessment) in your next renewal or option period? If yes, you need 9–12 months of runway to gap, remediate, document, and book the assessment.
- Is your current SPRS score below 88 (the POA&M floor) or do you not have a current score in SPRS? If yes, you have measurable risk of losing eligibility on the next contract action and need a gap assessment immediately.
- Have you defined a CUI enclave with documented scope, or is CUI scattered across general corporate file shares, laptops, and email? If "scattered," scoping is your first project — not technology purchasing.
Three or more "yes" answers means a Level 2 managed program is the right next step. Two means a discovery and scoping engagement first. One or zero means you may be a Level 1 self-assessment candidate — verify with your contracting officer before assuming.
Petronella CMMC Engagement Tiers
We have structured our CMMC engagements into three predictable tiers so you can match scope to budget and bid timeline. Every tier is led by a CMMC Registered Practitioner and includes ComplianceArmor evidence automation.
CMMC Gap & SPRS Score Sprint
- Full NIST 800-171 gap assessment (all 110 practices)
- SPRS score calculation and DoD submission package
- CUI inventory + initial scope recommendation
- Prioritized 90/180/360-day remediation roadmap
- Executive readout deck for ownership and primes
CMMC Level 2 Managed Readiness
- Everything in Tier 1, plus full L2 remediation
- CUI enclave design (GCC High or on-prem segmented)
- SSP, POA&M, and 14-domain policy package
- Managed XDR + 24/7 SOC monitoring of the enclave
- C3PAO selection support and mock assessment
- Annual SPRS affirmation and continuous evidence
Enterprise CMMC + Multi-Site Program
- Multi-site CUI enclave architecture and rollout
- Level 3 NIST 800-172 enhancements (if required)
- vCISO advisory and prime/sub contract reviews
- Threat hunting, red team, and APT-grade tabletop
- FedRAMP-aligned cloud integration where applicable
- Dedicated CMMC program manager and steering reviews
All prices are starting figures and depend on user count, site count, and CUI environment complexity confirmed during discovery. Fixed-fee milestones are paid 100% at contract execution; managed services bill monthly.
DIY CMMC vs. Petronella Managed CMMC
The DIY path is viable for contractors with a mature internal cybersecurity function, a former NIST 800-171 auditor on staff, and the bandwidth to absorb a 6–18 month program. For everyone else, the managed path is the difference between passing on the first attempt and burning through one or two failed assessments.
| Capability | DIY CMMC | Petronella Managed CMMC |
|---|---|---|
| CMMC Registered Practitioner on engagement | Rare; usually a generalist consultant | Yes — every L2/L3 engagement |
| SPRS score remediation experience | Often first attempt | 200+ contractor scores corrected |
| CUI enclave architecture experience | Theoretical, vendor-led | GCC High, Azure Gov, and on-prem deployed |
| SSP, 14-domain policies, evidence library | Manual, gap-prone, 60–120 hrs internal | ComplianceArmor library + tailored |
| 24/7 SOC + monitored CUI enclave | Separate SIEM/SOC procurement | Included in Tier 2 managed retainer |
| Mock C3PAO assessment | Optional, often skipped | Standard in Tier 2 / Tier 3 |
| Annual SPRS affirmation and re-cert prep | Re-budgeted yearly | Included for managed clients |
| Risk of failing first C3PAO attempt | High (industry estimates 50%+ first-attempt fail) | Minimized via gap, mock, and remediation cycle |
Why Petronella Technology Group
Petronella Technology Group is a Raleigh, NC–based cybersecurity, compliance, and managed IT firm serving the Defense Industrial Base since 2003. We are BBB A+ accredited, MIT Sloan–trained in cybersecurity leadership, and led by Craig Petronella — a CMMC Registered Practitioner, Digital Forensics Expert, and author of 15 books on cybersecurity, AI, and compliance.
- 200+ contractors guided through NIST 800-171 and CMMC across aerospace, defense electronics, robotics, and DoD logistics.
- ComplianceArmor evidence automation — our internal platform builds the SSP, policies, and continuous evidence artifacts a C3PAO actually reviews, instead of generic templates.
- Single-vendor accountability — one team owns gap, remediation, enclave engineering, SOC monitoring, and assessment prep, so nothing slips between the IT firm and the consultant.
- 24/7 SOC covering CUI enclaves, with Managed XDR, vulnerability management, and incident response retained.
- BBB A+ since 2003 with a 24-year track record and zero reported CUI breaches across the managed contractor base.
- 30-day promise — we will not start a CMMC engagement unless we can credibly defend the timeline and budget we quote you on day one.
“We had three months to get a defensible SPRS score in front of a prime that suddenly required CMMC L2 visibility on their next option. Petronella came in, ran a 110-control gap, redesigned our CUI handling around a GCC High enclave, and had us at 92/110 before our prime's deadline. We would not have made the option period without them.” — VP of Operations, NC Defense Electronics Subcontractor (engagement 2025–2026)
Frequently Asked Questions
What is the difference between CMMC and NIST SP 800-171?
NIST SP 800-171 is the set of 110 security requirements that CMMC Level 2 is based on. CMMC adds a certification and verification framework on top of NIST SP 800-171. Before CMMC, contractors self-attested to NIST SP 800-171 compliance. CMMC requires either a rigorous self-assessment or third-party verification that those practices are actually implemented.
How long does CMMC certification last?
CMMC Level 2 certification from a C3PAO assessment is valid for three years. However, the certified organization must submit an annual affirmation confirming continued compliance. Level 1 and Level 2 self-assessments must be renewed annually.
Can I use a cloud environment for CMMC compliance?
Yes, and for many organizations this is the most cost-effective approach. Cloud-based CUI enclaves using platforms like Microsoft GCC High or AWS GovCloud can significantly reduce the number of on-premise controls you need to implement. However, the cloud provider must meet FedRAMP Moderate or equivalent requirements, and you remain responsible for your configuration and data within the cloud environment.
What happens if I fail a CMMC assessment?
If a C3PAO assessment identifies deficiencies, you may be able to address some through POA&Ms (if your score is at least 88 and the practices are POA&M-eligible). For more significant failures, you will need to remediate and schedule a new assessment. There is no formal penalty for failing beyond the cost of remediation and reassessment, but you will not be able to win contracts requiring that CMMC level until you pass.
Do subcontractors need CMMC certification?
Yes. If CUI flows down to a subcontractor, that subcontractor must achieve the same CMMC level as the prime contractor for that information. Prime contractors are responsible for ensuring their supply chain meets CMMC requirements, and many are now requiring proof of CMMC compliance or a credible compliance roadmap before awarding subcontracts.
How much does a CMMC C3PAO assessment cost?
C3PAO assessment fees typically range from $30,000 to $120,000 depending on the size and complexity of the organization, the number of locations, and the scope of the CUI environment. Smaller organizations with a well-defined enclave can expect costs toward the lower end. Large organizations with multiple locations and complex architectures will be at the higher end. PTG's Tier 2 managed engagement starts at $34,999 plus $99/user/month, which is typically inclusive of remediation but separate from the C3PAO assessment fee itself.
What is the Cyber AB and how does it relate to CMMC?
The Cyber AB (formerly the CMMC Accreditation Body) is the sole authorized accreditation body for CMMC. It accredits C3PAOs, certifies individual assessors, and oversees the quality of the assessment ecosystem. The Cyber AB operates under contract to the DoD and maintains the marketplace where organizations can find accredited C3PAOs.
Can my IT provider also be my CMMC assessor?
No. CMMC has strict conflict-of-interest rules. A C3PAO cannot assess an organization that it has provided consulting or implementation services to within the preceding three years. This separation ensures assessment independence. Your consulting partner helps you prepare, and a separate C3PAO conducts the assessment. PTG is a consulting and managed services partner, not a C3PAO — we deliberately stay on the preparation side so we can stay engaged for the long term.
Is CMMC Level 2 self-assessment enough, or do I have to do a C3PAO?
Whether you can self-assess at Level 2 depends on the criticality of the CUI in the specific contract. Self-assessment is permitted for contracts involving CUI not designated as critical; C3PAO certification is required for contracts involving critical or high-value CUI. Many primes are now requiring C3PAO Level 2 regardless of the DoD's minimum, so plan accordingly — ask your contracting officer or prime for written confirmation of the required assessment type before designing your program around self-assessment.
Does Petronella serve defense contractors outside the Raleigh-Durham Triangle?
Yes. While we are headquartered in Raleigh, NC and serve a large concentration of DIB contractors across the Triangle, we deliver CMMC engagements nationally and have supported contractors across the East Coast, the Southeast, and the Midwest. CUI enclave engineering, ComplianceArmor evidence automation, and 24/7 SOC are delivered remotely with periodic on-site reviews where required.
Ready to move from CMMC anxiety to a defensible program?
Book a free 30-minute scoping call with Craig. We will review your current SPRS score, the level your contracts actually require, and what a 90/180/360-day path to assessment readiness looks like for your specific environment.
5540 Centerview Dr., Suite 200, Raleigh, NC 27606
919-348-4912 · info@petronellatech.com
Petronella Technology Group has helped over 200 defense contractors prepare for and achieve CMMC compliance. With 24 years of cybersecurity experience and deep expertise in NIST SP 800-171, we provide gap assessments, CUI enclave design, technology implementation, documentation development, and assessment preparation support. Contact us for a free CMMC readiness consultation to understand where your organization stands and what it will take to achieve certification.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, Inc., a cybersecurity and compliance firm based in Raleigh, NC. Craig holds MIT Sloan cybersecurity leadership credentials, is a CMMC Registered Practitioner and Digital Forensics Expert, and has authored 15 books on security, AI, and compliance. He has guided over 200 defense contractors through CMMC and NIST 800-171 readiness over the past eight years.