CMMC Overview
Do I need CMMC?
You need CMMC if your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a Department of Defense contract. Which level you need depends on the data you handle:
-
Touch only FCI → Level 1 (annual self-assessment).
-
Store, process, or transmit CUI → Level 2, usually verified by an authorized C3PAO.
Your required level follows the data, not your prime contractor's level. If a prime flows CUI down to you, you need Level 2 even if the prime only holds Level 1. If a DoW contract involves neither FCI nor CUI, CMMC generally does not apply. We address this question further in this article.
When is the CMMC deadline?
There is no single deadline. The date most CUI contractors plan around is Phase 2, November 10, 2026, when third-party Level 2 certification becomes standard. Your real deadline is when your own contracts are solicited and awarded.
Requirements phase in over four annual stages from November 10, 2025 through November 10, 2028 (see the rollout timeline). Because a Level 2 program typically takes 6–12 months to stand up, working backward from the contract you want to win is more useful than watching the phase calendar.
How much does a CMMC assessment cost?
A CMMC Level 2 assessment typically costs between $35,000 and $60,000, depending on your organization's size and the scope of your environment. That figure is the third-party (C3PAO) assessment fee itself, not the full cost of certification, which also includes readiness work and remediation of any gaps. Two things move the number the most:
-
Scope: how many systems, users, and workflows touch CUI.
-
Maturity: how many of the 110 controls you already meet before the assessor arrives.
Isolating CUI in an enclave narrows the scope and can substantially reduce both assessment and implementation costs.
When is the CMMC deadline?
A C3PAO (CMMC Third-Party Assessment Organization) is a company authorized by the Cyber AB to perform official CMMC Level 2 certification assessments. Only an authorized C3PAO can issue a Level 2 certification. Consultants, managed service providers, and Registered Provider Organizations can help you prepare, but they cannot certify you, and the same firm generally cannot both prepare and assess you, to preserve independence.
How long is a CMMC certification valid?
Three years, with an annual affirmation of continued compliance submitted to SPRS by a senior company official in between. Certification is not "set and forget." You must maintain the controls throughout the contract, submit annual affirmations, and notify contracting officials of significant changes to the systems that handle CUI.
What is a CMMC enclave?
An enclave is an isolated, hardened environment that holds CUI and the systems that touch it, keeping CUI out of the rest of your network, which shrinks your assessment scope and lowers cost.
Instead of bringing every user, device, and workflow into scope (the "enterprise-wide" path), an enclave confines CUI to a secure island, often built on a government-grade cloud tenant. Assessors evaluate only the systems in scope, so you prove fewer controls, spend less on licensing and remediation, and certify faster.
CMMC Glossary and Terms
CMMC
Cybersecurity Maturity Model Certification. The DoW program verifies that defense contractors meet required cybersecurity standards before contract award.
CUI (Controlled Unclassified Information)
Sensitive government information that isn't classified but still requires safeguarding. Handling CUI is what pushes a contractor to Level 2. It's usually identified by contract markings and DFARS clauses; ask your contracting officer if unsure.
FCI (Federal Contract Information)
Non-public information provided by or generated for the government under a contract, not intended for public release. Handling only FCI generally means Level 1.
DIB (Defense Industrial Base)
The network of companies that supply products and services to the U.S. military. CMMC applies across the DIB, including subcontractors.
Enclave
An isolated, hardened environment that holds CUI and the systems that touch it, separated from the rest of the network. Used to shrink assessment scope and lower certification cost.
Scoping
Defining exactly which systems, users, and data are in the assessment boundary. Scope drives everything downstream, cost, effort, and how many controls you must prove.
Who's Involved
C3PAO (CMMC Third-Party Assessment Organization)
A company authorized by the Cyber AB to perform official Level 2 certification assessments. The only entity that can issue a Level 2 certification.
Cyber AB (The Accreditation Body)
The organization that authorizes C3PAOs and trains and credentials CMMC assessors. Formerly the CMMC-AB; the DoW's authorized accreditation body for the CMMC ecosystem.
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)
The government body (under DCMA) that conducts CMMC Level 3 assessments. Level 3 is government-led, unlike the third-party Level 2 process.
OSC / OSA (Organization Seeking Certification / Assessment)
The contractor pursuing CMMC. "OSC" is used for certification (Level 2 via C3PAO); "OSA" for self-assessment contexts.
Flowdown
A prime contractor's obligation to pass CMMC requirements down to subcontractors that handle FCI or CUI. Your required level is set by the data you receive, not the prime's own level.
Standards & Contract Clauses
NIST SP 800-171
The catalog of 110 security requirements for protecting CUI that forms the basis of CMMC Level 2. A Level 2 assessment evaluates all 110 controls, broken into 320 assessment objectives.
NIST SP 800-172
Enhanced security requirements aimed at advanced persistent threats. CMMC Level 3 adds a selected subset (24 requirements) on top of 800-171.
FAR 52.204-21
The Federal Acquisition Regulation clause includes 15 basic safeguarding requirements for FCI. These 15 practices are the basis of CMMC Level 1.
DFARS 252.204-7012
The long-standing clause requires contractors to safeguard CUI to NIST 800-171 and report cyber incidents. Predates CMMC; CMMC adds verified proof of that compliance.
DFARS 252.204-7021
|The clause that makes a current CMMC certificate a condition of contract award and performance. Its insertion into contracts is what the phased rollout schedules.
Documents & Systems
SSP (System Security Plan)
The document describing how your systems meet each required control. An SSP that says how a control "should" work isn't enough; assessors want evidence it actually operates.
POA&M (Plan of Action & Milestones)
A tracked plan for closing gaps not yet met at assessment time. Limited POA&Ms are allowed at Level 2 and must be closed within 180 days; none are permitted at Level 1.
SPRS (Supplier Performance Risk System)
The DoW system, where assessment scores and annual affirmations are recorded. An accurate SPRS score matters, inflated scores are a leading enforcement risk.
Affirmation
A senior official's annual statement that the organization continues to meet its required CMMC level. Required each year between assessments, submitted through SPRS.
Assessment Objective
A discrete, testable element of a control that an assessor checks. Level 2's 110 requirements break into 320 objectives, the granular items you're actually scored on.
Let's Talk
1. Team Review
Our sales team reviews your submission within 1 business day.
2. Discovery Call
We schedule a 30-minute call to understand your specific situation.
3. Proposals
We provide proposals from the relevant C3PAO partners for your needs.
4. You Decide
No pressure. Compare proposals and choose what's right for you.