What Is CMMC? The Complete Guide for Defense Contractors [2026]
Posted: March 3, 2026, in Compliance.
If your company does business with the Department of Defense, you have almost certainly heard the term CMMC. The Cybersecurity Maturity Model Certification is reshaping how the federal government evaluates the security posture of every organization in the defense industrial base. Whether you are a prime contractor building weapons systems or a small machine shop supplying bolts, CMMC applies to you.
This guide breaks down what CMMC is, why it was created, how the 2.0 framework works, who needs certification, the current timeline, and exactly how to prepare so your organization can continue winning DoD contracts.
Why CMMC Exists: The Problem It Solves
The defense industrial base (DIB) includes more than 300,000 companies. These organizations collectively handle vast quantities of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Nation-state adversaries have repeatedly targeted these companies because they are often easier to breach than the DoD itself.
Before CMMC, compliance with cybersecurity standards was largely self-attested. Contractors would claim adherence to NIST SP 800-171 in their contracts, but the DoD had no reliable way to verify those claims. Studies found that a significant percentage of contractors were not actually meeting the requirements they claimed.
CMMC was created to solve this trust gap. Instead of self-attestation, most contractors handling CUI will need to be assessed by a certified third-party assessment organization (C3PAO). This shifts cybersecurity compliance from a checkbox exercise to a verified, measurable standard.
CMMC 2.0: The Current Framework
The original CMMC 1.0 model introduced five maturity levels and was widely criticized for complexity and cost. In November 2021, the DoD announced CMMC 2.0, which streamlined the model into three levels. The final rule (32 CFR Part 170) was published in October 2024, and CMMC requirements began appearing in contracts in 2025.
Level 1: Foundational (Self-Assessment)
Level 1 applies to companies that handle only Federal Contract Information. It requires implementation of 15 basic cybersecurity practices drawn from FAR 52.204-21. These include fundamentals like limiting system access to authorized users, authenticating users before granting access, and sanitizing media before disposal.
Level 1 allows annual self-assessment. Companies must affirm compliance in the Supplier Performance Risk System (SPRS) and have a senior official sign off on the results. No third-party audit is required. Use our free SPRS Score Calculator to determine where you stand.
Level 2: Advanced (Third-Party Assessment)
Level 2 is the level that most contractors handling CUI will need to achieve. It maps directly to all 110 security requirements in NIST SP 800-171 Revision 2. These requirements span 14 control families, covering everything from access control and incident response to system and communications protection.
For contracts involving critical CUI, Level 2 requires assessment by a C3PAO accredited by the Cyber AB (formerly the CMMC Accreditation Body). Some contracts with less sensitive CUI may allow self-assessment at Level 2, but the DoD has been clear that third-party assessment will be the norm for most CUI-handling contractors.
Assessments are valid for three years. Companies must also submit annual affirmation of continued compliance.
Level 3: Expert (Government-Led Assessment)
Level 3 is reserved for contractors handling the most sensitive CUI and working on the highest-priority programs. It adds 24 requirements from NIST SP 800-172 on top of the 110 from 800-171. Assessments at Level 3 are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Very few contractors will need Level 3. If you are not sure whether you need it, you almost certainly do not.
Who Needs CMMC Certification?
CMMC applies to any organization in the defense supply chain that processes, stores, or transmits FCI or CUI. This includes:
- Prime contractors who bid directly on DoD contracts
- Subcontractors at every tier who receive CUI flow-down
- IT service providers (like MSPs and MSSPs) who support DIB companies
- Cloud service providers hosting CUI for defense contractors
- Consulting and engineering firms with access to technical data
The DoD is implementing CMMC through a phased rollout. Starting in 2025, CMMC requirements began appearing as evaluation criteria in select contracts. By 2028, all DoD contracts involving FCI or CUI are expected to include CMMC requirements. Companies that lack the required certification level will not be eligible to bid.
The CMMC 2.0 Timeline
Understanding the current timeline is critical for planning:
- October 2024: Final CMMC rule (32 CFR Part 170) published
- December 2024: Rule became effective; DFARS clause finalized
- 2025: Phase 1 rollout; CMMC requirements appear in new contracts; self-assessment for Level 1 and some Level 2
- 2026: Phase 2; third-party assessments for Level 2 required in applicable contracts
- 2027: Phase 3; Level 3 assessments for applicable contracts
- 2028: Full implementation across all applicable DoD contracts
The message is clear: waiting is no longer an option. If your company does not start preparing now, you risk losing the ability to compete for DoD work within the next 12 to 24 months.
CMMC Requirements: What You Actually Need to Do
For Level 1
Level 1 is straightforward for most organizations. The 15 practices focus on basic cyber hygiene: using antivirus, applying patches, limiting physical access, and training employees. Most competent IT organizations already meet these requirements. The key is documenting your compliance and submitting your self-assessment score to SPRS.
For Level 2
Level 2 is significantly more demanding. The 110 requirements from NIST 800-171 cover:
- Access Control (22 requirements): Role-based access, session controls, remote access management
- Awareness and Training (3 requirements): Security training for all personnel
- Audit and Accountability (9 requirements): Logging, log review, and audit trail protection
- Configuration Management (9 requirements): Baselines, change control, least functionality
- Identification and Authentication (11 requirements): MFA, password policies, device authentication
- Incident Response (3 requirements): IR planning, detection, reporting
- Maintenance (6 requirements): Controlled maintenance, remote maintenance security
- Media Protection (9 requirements): Media marking, storage, transport, sanitization
- Personnel Security (2 requirements): Screening, termination procedures
- Physical Protection (6 requirements): Facility access, visitor logs, environmental controls
- Risk Assessment (3 requirements): Vulnerability scanning, risk identification
- Security Assessment (4 requirements): System security plans, assessments, remediation
- System and Communications Protection (16 requirements): Boundary protection, encryption, network segmentation
- System and Information Integrity (7 requirements): Flaw remediation, malicious code protection, monitoring
For a deeper dive into each control family, see our comprehensive CMMC Compliance Guide.
How to Prepare for CMMC: A Practical Roadmap
Step 1: Determine Your Required Level
Review your current and target DoD contracts. If you only handle FCI, Level 1 may suffice. If any contract involves CUI (check your DD Form 254 or contract clauses for DFARS 252.204-7012), you will need Level 2.
Step 2: Scope Your CUI Environment
Identify every system, network, and process that touches CUI. The smaller your CUI boundary, the fewer systems need to meet all 110 requirements. Many organizations benefit from creating a dedicated enclave for CUI processing rather than trying to bring their entire IT environment into compliance.
Step 3: Conduct a Gap Assessment
Compare your current security posture against the required NIST 800-171 controls. Document each requirement as Met, Not Met, or Partially Met. Calculate your SPRS score. This gives you a clear picture of the work ahead.
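The SPRS score mentioned in this step follows the DoD's NIST SP 800-171 Assessment Methodology: start at 110, subtract each unmet requirement's weight (1, 3 or 5 points), floor at -203, and grant partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption). The following calculator is an added example, not the article's or Petronella's own tool; the gap-assessment rows and weights in it are constructed for illustration, and any requirement not listed is treated as Met.

```python
# SPRS score calculator following the DoD NIST SP 800-171 Assessment
# Methodology: begin at 110, deduct each unmet requirement's weight
# (1, 3 or 5 points), and never go below -203. Only two requirements
# earn partial credit: 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto)
# lose 3 instead of 5 when partially implemented. Every other
# "Partially Met" requirement scores exactly like "Not Met".
MAX_SCORE = 110
MIN_SCORE = -203
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # points lost when partially met
VALID_WEIGHTS = (1, 3, 5)


def requirement_deduction(req_id, status, weight):
    """Points deducted for one requirement given its assessed status."""
    if weight not in VALID_WEIGHTS:
        raise ValueError(f"{req_id}: weight must be 1, 3 or 5, got {weight}")
    if status == "Met":
        return 0
    if status == "Partially Met":
        # Only MFA and FIPS crypto get partial credit; others count as Not Met.
        return PARTIAL_CREDIT.get(req_id, weight)
    if status == "Not Met":
        return weight
    raise ValueError(f"{req_id}: unknown status {status!r}")


def sprs_score(assessment):
    """assessment: iterable of (req_id, weight, status).
    Returns (score, {req_id: points_deducted}); unlisted requirements
    are assumed Met."""
    deductions = {}
    for req_id, weight, status in assessment:
        lost = requirement_deduction(req_id, status, weight)
        if lost:
            deductions[req_id] = lost
    score = max(MIN_SCORE, MAX_SCORE - sum(deductions.values()))
    return score, deductions


# Constructed gap-assessment excerpt (hypothetical worksheet, not the
# official weight table). Rows not listed here are treated as Met.
SAMPLE_ASSESSMENT = [
    ("3.1.1", 5, "Met"),
    ("3.1.2", 5, "Met"),
    ("3.3.1", 5, "Not Met"),          # no audit logging in place
    ("3.4.1", 5, "Partially Met"),    # no partial credit: scored as Not Met
    ("3.5.3", 5, "Partially Met"),    # MFA for general users only: -3
    ("3.13.11", 5, "Partially Met"),  # encryption used but not FIPS-validated: -3
    ("3.1.22", 1, "Not Met"),         # CUI posted on a public system
]

if __name__ == "__main__":
    score, lost = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}", lost)  # SPRS score: 93
```

A real submission must account for all 110 requirements; under the methodology a missing System Security Plan means no score can be produced at all, so finish the SSP before scoring.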
Step 4: Develop Your System Security Plan and POA&M
Your System Security Plan (SSP) documents how your organization meets each requirement. For any gaps, you need a Plan of Action and Milestones (POA&M) with specific remediation steps and target dates. Assessors will review both documents closely.
Step 5: Implement Controls and Remediate Gaps
This is typically the longest phase. Depending on your starting point, remediation may involve deploying new security tools, reconfiguring systems, establishing new policies, or restructuring your network. Common areas that require significant work include multi-factor authentication, logging and monitoring, encryption of CUI at rest and in transit, and incident response procedures.
Step 6: Engage a C3PAO for Assessment
Once you believe you are ready, schedule your assessment with an accredited C3PAO. Demand for assessments is expected to exceed supply in 2026 and 2027, so scheduling early is advisable. The assessment itself typically takes several days and includes document review, interviews, and technical testing.
Common CMMC Preparation Mistakes
After helping dozens of defense contractors through the compliance process, we consistently see these mistakes:
- Underestimating scope: CUI flows through more systems than most organizations realize. Email, file shares, collaboration tools, and backup systems all count.
- Treating it as an IT project: CMMC compliance requires organizational commitment. Policies, training, and executive sponsorship are just as important as technical controls.
- Waiting for contract requirements: By the time CMMC appears in your contract, it is too late to start. Remediation and assessment typically take 6 to 18 months.
- Ignoring supply chain obligations: If you flow CUI to subcontractors, they need to meet CMMC requirements too. Start those conversations now.
- Neglecting documentation: Having controls in place is not enough. You must demonstrate them through documented policies, procedures, and evidence.
The Cost of CMMC Compliance
Cost varies widely based on organization size, current maturity, and scope. For a small to mid-size contractor, typical costs include:
- Gap assessment: $15,000 to $50,000
- Remediation: $50,000 to $500,000+ depending on gaps
- C3PAO assessment: $30,000 to $100,000+
- Ongoing compliance: $20,000 to $100,000 annually
These are significant investments, but they must be weighed against the value of your DoD contracts. For most defense contractors, the cost of non-compliance, which means losing eligibility to bid, far exceeds the cost of achieving certification.
How Petronella Technology Group Can Help
At Petronella Technology Group, we have been helping defense contractors navigate CMMC since the framework was first announced. Our team provides end-to-end CMMC support, including gap assessments, remediation planning, SSP and POA&M development, and assessment preparation. We understand both the technical requirements and the business realities of defense contracting.
We also offer our free SPRS Score Calculator to help you understand your current standing before engaging in a full assessment.
Frequently Asked Questions
How long does it take to get CMMC certified?
Most organizations need 6 to 18 months from the start of preparation to passing their C3PAO assessment. The timeline depends on your current security maturity, the size of your CUI environment, and the availability of assessors. Starting early is critical, especially as demand for C3PAO assessments increases.
What happens if I fail my CMMC assessment?
If you do not pass, you will receive a report detailing the deficiencies. You can remediate the issues and schedule a reassessment. However, there is no formal "grace period" in the current rules. Until you achieve certification, you cannot be awarded contracts that require it.
Is CMMC the same as NIST 800-171?
CMMC Level 2 is based entirely on NIST SP 800-171, so the technical requirements are the same 110 controls. The difference is verification: NIST 800-171 compliance has historically been self-attested, while CMMC Level 2 typically requires third-party assessment. CMMC also adds process maturity and institutionalization requirements that go beyond the technical controls.
Do subcontractors need CMMC certification?
Yes. Any subcontractor that processes, stores, or transmits CUI as part of a DoD contract must achieve the CMMC level specified in that contract. This is a flow-down requirement. Prime contractors are responsible for ensuring their supply chain meets the applicable standards.
Can I use a cloud solution to reduce my CMMC scope?
Yes, using a FedRAMP-authorized cloud environment (such as Microsoft GCC High or AWS GovCloud) can significantly reduce the number of systems in your CUI boundary. However, the cloud solution itself must meet the requirements, and your organization still needs to implement controls for the systems and processes that interact with CUI outside the cloud.
Ready to start your CMMC journey? Contact Petronella Technology Group for a free initial assessment. Call us at (919) 348-4912 or visit our CMMC compliance page to learn more about how we can help your organization achieve and maintain certification.