CMMC Compliance Guide 2026 Levels, Costs, Timeline, and Requirements

CMMC, the Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) framework that verifies defense contractors and subcontractors have implemented required cybersecurity controls before they can be awarded contracts. CMMC compliance means your organization has been independently assessed and certified to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) according to the standards defined in NIST SP 800-171 and, for higher levels, NIST SP 800-172. The program replaces the previous system of voluntary self-attestation, where contractors self-reported their compliance status through Supplier Performance Risk System (SPRS) scores, with a mandatory verification model enforced through contract requirements.

The DoD published the final CMMC rule (32 CFR Part 170) in October 2024 after years of development and public comment periods. This rule establishes three certification levels, defines assessment requirements for each level, accredits the Cyber AB (formerly the CMMC Accreditation Body) to authorize C3PAOs (CMMC Third-Party Assessment Organizations), and creates the enforcement mechanism through DFARS contract clauses. Starting in 2025, CMMC requirements are being phased into DoD solicitations and contracts. By 2028, all applicable contracts will require the appropriate CMMC certification level.

For most defense contractors, CMMC Level 2 is the applicable certification. Level 2 aligns directly with all 110 security requirements in NIST SP 800-171 Revision 2 and requires a triennial assessment by an accredited C3PAO. The assessment evaluates whether your organization has implemented each control, documented your System Security Plan (SSP), and established processes for maintaining those controls over time. Achieving CMMC Level 2 certification is not a one-time event but an ongoing commitment to maintaining your security posture, which is why working with an experienced CMMC consulting partner is critical for long-term success.

The practical impact of CMMC is significant. Without certification at the required level, your organization cannot bid on or be awarded DoD contracts that specify CMMC requirements. Prime contractors are already flowing CMMC requirements down to subcontractors, which means even small businesses deep in the supply chain must achieve certification. Organizations that delay CMMC preparation risk losing existing contract vehicles and being excluded from future opportunities. The Defense Industrial Base (DIB) includes approximately 300,000 contractors, and the DoD estimates that roughly 80,000 will need Level 2 certification. The limited number of accredited C3PAOs means assessment scheduling will become increasingly competitive as the Phase 2 deadline approaches in 2026.

CMMC Level 2 is built on the 110 security requirements defined in NIST SP 800-171 Revision 2. These requirements are organized across 14 control families. A C3PAO assessor evaluates each control individually, examining your implementation evidence, interviewing personnel, and testing technical controls to determine whether each requirement is MET, NOT MET, or NOT APPLICABLE. To pass, your organization must demonstrate full implementation of all applicable controls, with limited allowance for Plans of Action and Milestones (POA&Ms) on non-critical items.

The 14 NIST 800-171 Control Families

The control families cover the full spectrum of cybersecurity, from access control and awareness training to system and communications protection. Each family contains multiple individual requirements, and a weakness in any single family can result in a failed assessment. Here is a summary of all 14 families and what assessors look for:

• Access Control (AC) - 22 requirements: Account management, least privilege, remote access, session management, and separation of duties. This is the largest family and the one where most contractors have gaps.
• Awareness and Training (AT) - 3 requirements: Security awareness training for all personnel, role-based training for privileged users, and documented training records.
• Audit and Accountability (AU) - 9 requirements: Audit logging, log review, log protection, correlation, and response to audit failures. Assessors want to see SIEM or centralized logging with defined alert thresholds.
• Configuration Management (CM) - 9 requirements: Baseline configurations, change control, software restrictions, and security configuration settings for all systems.
• Identification and Authentication (IA) - 11 requirements: Multi-factor authentication, password management, device identification, and authenticator management.
• Incident Response (IR) - 3 requirements: IR plan, IR testing, and IR reporting procedures. Your plan must include specific steps for CUI-related incidents.
• Maintenance (MA) - 6 requirements: Controlled maintenance, maintenance tools, remote maintenance sessions, and maintenance personnel oversight.
• Media Protection (MP) - 9 requirements: Media access, marking, storage, transport, sanitization, and CUI handling procedures for both physical and digital media.
• Personnel Security (PS) - 2 requirements: Personnel screening and personnel actions upon termination or transfer.
• Physical Protection (PE) - 6 requirements: Physical access controls, monitoring, visitor management, and alternate work site protections.
• Risk Assessment (RA) - 3 requirements: Risk assessments, vulnerability scanning, and remediation of vulnerabilities in a timely manner.
• Security Assessment (CA) - 4 requirements: Internal assessments, system interconnection management, and continuous monitoring of the security plan.
• System and Communications Protection (SC) - 16 requirements: Boundary protection, CUI encryption in transit and at rest, network segmentation, and cryptographic key management.
• System and Information Integrity (SI) - 7 requirements: Flaw remediation, malware protection, security alerts, system monitoring, and software integrity verification.

PTG evaluates every one of these 110 controls during our CMMC gap assessment, identifies deficiencies, and implements the remediation required to bring your organization into full compliance. Our assessment reports map directly to the C3PAO assessment format so you can track progress and predict your assessment outcome before engaging the assessor.

CMMC certification cost is the question every defense contractor asks first. The answer depends on your required level, your current security posture, the size of your CUI boundary, and how much internal expertise you have. Below is a realistic breakdown of costs for CMMC Level 2, which is the most common certification level for defense contractors handling CUI.

Gap assessment: $15,000 to $50,000 depending on organizational size and complexity. This is the starting point that establishes your baseline and defines the remediation scope. PTG's gap assessment is a fixed-fee engagement that includes a validated SPRS score, detailed findings report, and prioritized remediation roadmap.

Remediation and implementation: $50,000 to $300,000+, which represents the largest variable in the total cost. Organizations that already have strong security practices may only need policy updates and documentation. Organizations starting from a low baseline may need new infrastructure, endpoint protection deployments, SIEM implementation, network redesign, and comprehensive policy development. CUI enclave solutions can significantly reduce this cost by limiting the scope of systems that require all 110 controls.

SSP and documentation development: $10,000 to $40,000 when done by experienced consultants. The SSP alone can be 200 to 500 pages, with detailed narratives for each of the 110 controls. Additional documentation includes the POA&M, configuration management plan, incident response plan, and training records.

C3PAO assessment fees: $30,000 to $150,000 depending on the size and complexity of the assessment scope. These fees are paid directly to the accredited C3PAO that conducts your assessment. PTG does not perform C3PAO assessments but coordinates with your selected assessor to ensure a smooth process.

Ongoing annual costs: $20,000 to $80,000 per year for continuous monitoring, annual affirmation, control maintenance, and policy updates. Organizations that attempt to maintain compliance without ongoing support often experience drift that leads to findings during triennial reassessment.

The total first-year cost for CMMC Level 2 typically ranges from $100,000 to $500,000+ for most small to mid-sized defense contractors. Larger organizations with multiple facilities and complex CUI boundaries may exceed this range. PTG provides detailed cost estimates during our initial consultation so you can budget accurately and avoid the surprise expenses that derail compliance programs.

After working with hundreds of defense contractors on NIST 800-171 and CMMC compliance, PTG has identified the mistakes that most frequently delay certification or cause assessment failures. Avoiding these mistakes can save your organization months of rework and tens of thousands of dollars in additional costs.

1. Submitting inflated SPRS scores. Claiming a score higher than your actual compliance level exposes your organization to False Claims Act liability. Recent DOJ enforcement actions have resulted in settlements exceeding $9 million. PTG produces validated SPRS scores backed by documented evidence that will withstand scrutiny.
2. Defining the CUI boundary too broadly. Including your entire enterprise in the CMMC scope when CUI only flows through specific systems dramatically increases cost and complexity. PTG helps you scope the boundary to include only the systems that actually store, process, or transmit CUI.
3. Defining the CUI boundary too narrowly. The opposite mistake is equally dangerous. If CUI exists on systems outside your defined boundary, the assessor will identify a critical finding. PTG conducts CUI data flow analysis to ensure nothing is missed.
4. Focusing on technology while neglecting policies and training. Technical controls address roughly half of the 110 requirements. The other half require documented policies, procedures, and evidence that your workforce follows them. Assessors will interview your staff and ask them to describe processes. If they cannot, the control is NOT MET.
5. Waiting until a contract requires CMMC to start preparation. CMMC Level 2 preparation takes 6 to 18 months for most organizations. If you wait until a solicitation requires certification, you will miss the bid. Starting now ensures you are ready when the requirement appears.
6. Underestimating documentation requirements. C3PAO assessors require documented evidence for every control. A functioning firewall is not enough. You need documented firewall rules, a documented change management process for rule updates, and logs showing the rules are reviewed periodically.
7. Using consumer-grade tools instead of enterprise solutions. Free antivirus, personal email accounts, and consumer cloud storage will not pass assessment. CMMC requires enterprise-grade endpoint detection and response, managed email with audit logging, and FedRAMP-authorized cloud services for CUI.
8. Ignoring physical security requirements. CMMC includes physical protection controls covering access to facilities where CUI is processed. If your staff works from home and accesses CUI from home offices, those locations are in scope and must meet physical security requirements.
9. Not testing your incident response plan. Having a written IR plan is necessary but not sufficient. NIST 800-171 requires that you test the plan. If your assessor asks when you last conducted an IR exercise and the answer is never, that control fails.
10. Trying to handle CMMC without experienced guidance. The CMMC framework is complex, and the assessment methodology has specific expectations for how evidence should be presented and how controls should be documented. Organizations that attempt CMMC preparation without experienced consulting support have significantly higher failure rates and higher total costs due to rework.