
What Is CMMC Compliance? A Plain-Language Guide for Defense Contractors

If your company works in the defense supply chain, you already know the acronym. CMMC, the Cybersecurity Maturity Model Certification, is the DoD’s way of verifying that contractors actually protect the sensitive information they handle.

Phase 1 of the CMMC rollout is already live. It focuses primarily on Level 1 and Level 2 self-assessments, though DoD may require Level 2 C3PAO status for some applicable contracts. Phase 2 begins November 10, 2026, when Level 2 third-party certification requirements are expected to appear more broadly in DoD solicitations and contracts. Contractors without a credible readiness plan are already losing pre-award conversations to competitors who do.

What you may not know is exactly where you stand, what it will take to get certified, or how much runway you have before it affects your contracts. That is what this guide is built to clear up. We have helped over 35 defense contractors move from gap assessment to audit-ready, and we will walk you through every step here.



What Is CMMC Compliance?

CMMC compliance means meeting the cybersecurity standards required by the Cybersecurity Maturity Model Certification (CMMC) program, the DoD’s framework for verifying that contractors actually protect the sensitive data their contracts expose them to.

CMMC is organized by level. Level 1 aligns to the 15 basic safeguarding requirements in FAR 52.204-21 for Federal Contract Information (FCI). Level 2 maps to the 110 security requirements in NIST SP 800-171 Rev 2 for Controlled Unclassified Information (CUI). Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 for the most sensitive DoD programs. If your company processes, stores, or transmits FCI or CUI on contractor information systems under a covered DoD contract or subcontract, you need to achieve and maintain the required CMMC status.

Why CMMC Exists

The defense industrial base has been a target for state-sponsored cyber operations for over a decade. Weapons designs, contract details, and personnel records have been stolen through gaps in contractor security.

DFARS 252.204-7012 has required NIST 800-171 compliance since the December 2017 deadline, but contractors often relied on self-reported implementation with limited outside verification. CMMC changed that by requiring a current CMMC status in SPRS and, for many Level 2 contracts and all Level 3 contracts, third-party or DoD assessment of controls that must be implemented and functioning, not just documented.

If you have been treating this as a paperwork drill, the enforcement timeline means that approach is running out of road. Our overview of the CMMC 2.0 final rule and enforcement timeline breaks down exactly where each phase stands and what it means for contracts being awarded right now.



Which Companies Need CMMC Compliance

A company falls under CMMC when a DoD contract or subcontract requires it to process, store, or transmit FCI or CUI on contractor information systems. That includes prime contractors, subcontractors, manufacturers, IT service providers, software vendors, and professional services firms across the defense supply chain. CMMC requirements are phased in and include exceptions such as COTS-only procurements, micro-purchase threshold limits, and approved DoD waivers. DoD’s own estimate in the CMMC 2.0 final rule projects roughly 338,000 contractors and subcontractors in scope by full implementation.

If you have been operating under DFARS 252.204-7012 and submitting SPRS scores, you already have a foundation for CMMC Level 2 readiness. The next step is confirming the CMMC status your contract requires: Level 1 self-assessment, Level 2 self-assessment, Level 2 C3PAO certification, or, for a small number of programs, Level 3 DIBCAC assessment.

How to Tell If You Are in Scope

Check your contract for any of these markers:

  • DFARS 252.204-7012, 252.204-7019, 252.204-7020, or 252.204-7021 appears in the clauses
  • The statement of work mentions FCI or CUI
  • You are required to submit a score to the Supplier Performance Risk System (SPRS)
  • A prime contractor has flowed down a NIST 800-171 or CMMC requirement to you
  • The DoD or a defense prime requires you to process, store, or transmit FCI or CUI on contractor information systems

If any of those apply, review the contract language and the data flows before assuming you are out of scope. The time to find out is before an RFP requires a specific CMMC status at award.



How the CMMC Framework Is Structured

The CMMC framework operates at three levels under CMMC 2.0. The level you need depends on what kind of information your contract requires you to handle, and whether the contract requires self-assessment, third-party assessment, or DoD assessment.

Many contractors that handle CUI focus on Level 2. Here is how each level breaks down:

CMMC Level 1: Foundational

Level 1 covers contractors that handle FCI only. It maps to the 15 basic safeguarding requirements in FAR 52.204-21(b)(1). Some assessment materials show 17 Level 1 rows because one FAR physical-protection requirement is split into three NIST SP 800-171A assessment phrases, but the official CMMC Level 1 requirement count is 15.

Assessment is annual and self-conducted, with no third-party certification required, but a senior official must affirm the results and submit the compliance result to SPRS. Many small subcontractors that do not touch CUI fall here, though that can change as programs evolve and data flows downstream.

CMMC Level 2: Advanced

Level 2 is where many CUI-handling defense contractors operate. It covers CUI and maps directly to all 110 security requirements of NIST SP 800-171 Rev 2 and the related assessment objectives.

For many Level 2 contracts, DoD requires a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO), with annual senior-official affirmations submitted to SPRS in between. Some lower-sensitivity Level 2 contracts allow self-assessment instead. If your current SPRS score is negative, which is common after an honest gap assessment, Level 2 remediation is how you close those gaps and prepare for the required CMMC status.

CMMC Level 3: Expert

Level 3 is reserved for the most sensitive DoD programs. It requires Final Level 2 (C3PAO) status as a prerequisite, then adds 24 selected NIST SP 800-172 enhanced requirements with DoD-approved parameters.

Assessments at Level 3 are conducted by the Defense Contract Management Agency’s DIBCAC, not a C3PAO. Very few contractors will need this level. If it applies to your program, DoD will communicate that directly through contract requirements.



What Is the Difference Between CMMC and NIST 800-171?

NIST SP 800-171 is the Level 2 security requirement set. CMMC is the DoD verification program that uses NIST SP 800-171 for Level 2 and adds separate Level 1 and Level 3 requirements.

NIST 800-171 has been a DFARS requirement since 2017, but the government had limited visibility into whether contractors were actually implementing it. CMMC closes that gap by requiring contractors to maintain a current CMMC status in SPRS. Level 1 and some Level 2 requirements use self-assessment, many Level 2 requirements use C3PAO assessment, and Level 3 is assessed by DoD through DCMA DIBCAC.

For Level 2, the same 110 controls defined in NIST SP 800-171 remain the foundation, now with the assessment and affirmation process CMMC adds. If you have been submitting SPRS scores and maintaining an SSP under DFARS, you have a head start. The gap analysis tells you how much work remains.

How CMMC and DFARS Work Together

DFARS 252.204-7012 still governs covered defense information protection and 72-hour cyber incident reporting through the DoD-designated reporting process. DFARS 252.204-7019 requires a current NIST SP 800-171 DoD Assessment score where applicable, and DFARS 252.204-7021 is the clause that requires the contractor to maintain the CMMC status specified in the contract.

All three can appear in the same contract, and increasingly do. Achieving a current CMMC status can help demonstrate implementation of applicable cybersecurity requirements, but it does not replace DFARS obligations such as incident reporting, media preservation, cloud-service requirements, malicious software submission, damage-assessment support, and flowdown.

If you have a System Security Plan (SSP) and a current SPRS score, you are already working from the same foundation CMMC builds on. Our DFARS 7012 compliance services page covers how we help contractors meet those underlying obligations before the C3PAO assessment begins.



FCI and CUI, Explained

Most contractors land at the wrong CMMC level because they misread what kind of data they actually handle. FCI and CUI sit at different sensitivity tiers and trigger different obligations. Here is how to tell them apart.

What Is Federal Contract Information (FCI)?

FCI is information, not intended for public release, that the government provides to a contractor or that a contractor generates for the government under a contract. It does not include publicly available data or basic transactional information such as payment processing.

If your covered DoD work involves FCI but not CUI, you need at least Final Level 1 (Self) CMMC status. The more important question is whether FCI flows into your environment and whether your team recognizes it when they see it.

What Is Controlled Unclassified Information (CUI)?

CUI is sensitive unclassified information that federal law, regulation, or government-wide policy requires or permits an agency to safeguard or control. It can include technical drawings, export-controlled data, personally identifiable information (PII) collected for the government, financial records tied to a federal program, and more.

The federal CUI Registry maintained by the National Archives defines the full taxonomy of CUI categories. If your systems touch CUI, Level 2 is your floor, and you need to protect it at the same standard the government does.

How to Identify CUI in Your Environment

Most contractors are surprised by how much CUI flows through systems they did not think were in scope. Email attachments, shared file servers, ERP systems, engineering laptops, and cloud storage are the usual hiding places.

The scoping exercise maps every location where CUI is created, processed, stored, or transmitted. That map becomes the assessment boundary your CMMC compliance program is built to protect.

Scoping it narrowly and accurately, ideally to a segmented enclave, is often the single biggest cost-control lever in a compliance buildout. You can learn more about how that process works on our CMMC compliance services page.



What the 110 NIST 800-171 Controls Cover

The 110 CMMC Level 2 requirements are organized across 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

Together they address people, process, and technology. To pass a C3PAO assessment, you need to meet each control and produce evidence that proves it, not just document that you intend to.

For contractors starting from scratch, implementation typically takes 6 to 12 months.

What a System Security Plan (SSP) Includes

For Level 2 and Level 3, the SSP is the central document for both DFARS and CMMC 2.0. It defines your assessment boundary, describes how your organization meets each applicable NIST 800-171 requirement, identifies who is responsible for each requirement, and links to supporting policies and procedures.

Without a current, well-maintained SSP, you do not have a Level 2 CMMC program. You have a collection of security habits, not a program. Nexeris offers a free CMMC SSP template covering all 110 Level 2 requirements and the related assessment objectives.

What a POA&M Includes

A Plan of Action and Milestones (POA&M) documents eligible controls you have not yet fully implemented and the timeline to close them. Under CMMC 2.0, no POA&M is permitted for Level 1. For Level 2 and Level 3, a limited POA&M can support Conditional CMMC Status only if the assessment score meets the 80 percent threshold, the open items are eligible, and the gaps are closed through a closeout assessment within 180 days.

High-weight and specifically excluded controls must be in place before the assessment begins. If your current Level 2 SPRS score reflects open eligible gaps, the POA&M is the document that shows exactly what you are doing to close them and by when.
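As an added illustration (not code from the Nexeris page), here is how the Level 2 scoring and Conditional status rules described above can be checked against a findings list before an assessment is scheduled. The 5/3/1 point weights, the partial credit for MFA and FIPS encryption, the 88-point (80 percent) floor and the list of requirements that may never sit on a POA&M follow the DoD NIST SP 800-171 Assessment Methodology and 32 CFR 170.21 as I read them; the sample findings and the weights attached to them are constructed, so verify each weight against the methodology annex before relying on the result.

```python
"""SPRS-style score and Conditional CMMC Level 2 eligibility check (illustrative)."""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110      # a fully implemented Level 2 scope scores 110
CONDITIONAL_MIN_SCORE = 88    # 80 percent of 110, the Conditional status floor
POAM_CLOSEOUT_DAYS = 180      # open POA&M items must be closed within this window

# Requirements that may never be left open on a POA&M (32 CFR 170.21, as read here)
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

@dataclass
class Finding:
    req: str                # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int             # 5, 3 or 1 per the DoD Assessment Methodology annex
    partial: bool = False   # partial credit applies only to 3.5.3 (MFA) and 3.13.11 (FIPS)

def deduction(f: Finding) -> int:
    """Points subtracted for one unmet requirement."""
    if f.partial and f.req in ("3.5.3", "3.13.11"):
        return 3            # implemented in part: 3 points off instead of 5
    return f.weight

def sprs_score(findings: list[Finding]) -> int:
    """Assessment score: start at 110 and subtract every open finding."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)

def conditional_status(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for Conditional Level 2 status with a POA&M.

    Eligible only if the score meets the 80 percent floor, every open item is
    worth 1 point (3.13.11 may stay open at 3), and no excluded item is open.
    """
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} floor")
    for f in findings:
        d = deduction(f)
        if f.req in POAM_EXCLUDED:
            reasons.append(f"{f.req} may not be placed on a POA&M")
        elif d > 1 and not (f.req == "3.13.11" and d == 3):
            reasons.append(f"{f.req} is worth {d} points and must be closed before assessment")
    return (not reasons, reasons)

# Constructed sample: an honest first gap assessment (weights are illustrative).
GAP_ASSESSMENT = [
    Finding("3.1.1", 5),                 # no documented account authorization process
    Finding("3.3.1", 5),                 # audit logging not enabled on all in-scope systems
    Finding("3.5.3", 5, partial=True),   # MFA for privileged and remote, not general users
    Finding("3.13.11", 5, partial=True), # encryption in use but not FIPS-validated
    Finding("3.14.6", 5),                # no inbound/outbound traffic monitoring
    Finding("3.1.20", 1),                # external connections not controlled (excluded item)
    Finding("3.8.4", 1),                 # media not marked with CUI markings
    Finding("3.3.3", 1),                 # logged events not reviewed on a schedule
]

# Constructed sample: the same scope after remediation, three eligible items left open.
PRE_ASSESSMENT = [
    Finding("3.13.11", 5, partial=True),
    Finding("3.8.4", 1),
    Finding("3.3.3", 1),
]

if __name__ == "__main__":
    for label, findings in (("gap assessment", GAP_ASSESSMENT), ("pre-assessment", PRE_ASSESSMENT)):
        ok, why = conditional_status(findings)
        print(f"{label}: score {sprs_score(findings)}, conditional eligible: {ok}")
        for r in why:
            print("  -", r)
```

The gap-assessment list scores 86 and fails on both the floor and the open high-weight items; the pre-assessment list scores 105 with only POA&M-eligible items open, which is the state to be in when the 180-day closeout clock starts.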



How Much Does CMMC Compliance Cost?

Cost varies significantly based on company size, current security posture, and how much CUI flows through your environment. Based on Nexeris client experience and current market pricing, small contractors with a reasonably clean starting point often spend $40,000 to $120,000 on Level 2 remediation, plus any third-party assessment fee when Level 2 C3PAO status is required.

Mid-sized firms working through a full CMMC Level 2 buildout often invest $150,000 to $400,000 over a 6 to 12 month timeline, including consulting, tooling, and staff training. C3PAO assessment pricing often falls in the $35,000 to $120,000 range, depending on scope and assessor pricing. These are planning estimates, not regulatory minimums.

Annual maintenance often runs roughly 10 to 15 percent of the initial buildout. Set against the alternative, a single mid-size DoD contract loss typically dwarfs the entire CMMC buildout, and option-year non-renewals compound that loss across multiple fiscal cycles.

What Drives Cost Up or Down

The biggest cost driver is the size of your CUI scope. A contractor that segments CUI into a narrow enclave, such as a Microsoft GCC High environment built to CMMC specifications, typically spends less than one trying to certify an entire enterprise.

Other drivers include endpoint count, existing documentation quality, and whether IT and security functions are in-house or outsourced. For most small to mid-sized contractors, the hidden cost is internal: leadership hours, IT team capacity, and operational disruption.

Getting that estimate on paper early is part of a proper readiness assessment.



The CMMC Certification Path, Step by Step

Most defense contractors preparing for Level 2 C3PAO certification follow this sequence:

  1. Define the boundary: Identify all locations where FCI and CUI are stored, processed, or transmitted
  2. Readiness assessment: Evaluate current controls against NIST 800-171/CMMC Level 2 requirements and calculate your Level 2 SPRS score
  3. SSP and policy build: Draft or update the System Security Plan and all supporting policies and procedures
  4. Gap remediation: Implement missing controls, prioritizing high-weight items that must be in place before assessment
  5. Staff training: Train everyone who handles CUI and run tabletop exercises for incident response
  6. SPRS submission: Post a current, accurate self-assessment score or CMMC compliance result, as applicable, and complete senior-official affirmation
  7. C3PAO assessment: If the contract requires Level 2 (C3PAO) status, engage a Certified Third-Party Assessment Organization and complete the formal assessment
  8. Ongoing maintenance: Sustain compliance through quarterly internal reviews and prepare for annual senior-official affirmation

How Long CMMC Certification Takes

A contractor with strong existing cybersecurity controls and a current SSP can reach assessment readiness in 3 to 6 months. One starting from scratch typically needs 9 to 12 months of buildout before a C3PAO assessment is appropriate.

For contracts that require Level 2 (C3PAO) status, C3PAO scheduling can add another 2 to 4 months on top of remediation. The window that matters most is the one before your contract requires a current CMMC status. Starting the readiness assessment after an RFP lands means you are already behind.

Nexeris brings most clients to audit-ready status in 3 months or less using a 90 percent done-for-you delivery model. See how our CMMC consulting services are structured and what the engagement looks like from day one.



CMMC Level 2 Readiness Checklist for Defense Contractors

Use this checklist to gauge Level 2 readiness. Level 1 contractors will not need every item below, and Level 2 self-assessment contracts may not require a C3PAO.

  • We have identified all locations where FCI and CUI are processed, stored, or transmitted
  • We have a current System Security Plan (SSP) covering all 110 NIST 800-171 Rev 2 requirements for the Level 2 assessment scope
  • We have a POA&M only for eligible open Level 2 gaps, with a closeout plan that meets CMMC limits
  • We have submitted the required SPRS score or CMMC result and completed senior-official affirmation
  • We require multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
  • We log security events and review them on a defined, regular schedule
  • We deliver annual security awareness training to all staff who handle CUI
  • We have a tested incident response plan with a completed tabletop exercise in the last 12 months
  • If our contract requires Level 2 (C3PAO) status, we have engaged a C3PAO or have a scheduled assessment date
  • We have documented leadership sign-off on the security program and a defined annual budget

For a more detailed version mapped to all 110 controls and all 320 assessment objectives, download our free CMMC Level 2 audit readiness checklist.

Free CMMC Compliance Resources

Nexeris offers a free CMMC SSP template, CMMC policy templates, and a printable checklist for DFARS and NIST 800-171 readiness. Each resource is built for defense contractors and is already in use across more than 20 companies in the defense industrial base.



Specialized CMMC Consultants for the Defense Industrial Base

Nexeris focuses exclusively on the U.S. defense industrial base. Since 2019, we have guided 35+ contractors through CMMC certification and built ongoing programs that keep them audit-ready every year.

Our team holds CISA, CISSP, CISM, and CMMC-RP credentials and has led 100+ audits across CMMC, SOC 2, ISO 27001, HIPAA, and HITRUST. We do not do general IT support. We do compliance for contractors who cannot afford to get it wrong.

Our CMMC Compliance Guarantees

We put our work in writing. We start within 24 hours of contract execution or you receive a $1,000 credit. If your covered assessment results in a failure, we credit $5,000 against your account.

You can cancel with 30 days’ notice and no termination fee. Security incidents receive unlimited consulting support at no additional charge. These are not marketing lines. They are the standards we hold every engagement to.



Frequently Asked Questions

What is CMMC compliance in cybersecurity?

CMMC compliance in cybersecurity means meeting the CMMC requirements and maintaining the CMMC status required by your DoD contract or subcontract. The DoD uses CMMC to verify that contractors handling FCI or CUI protect that data at the required standard.

Level 1 aligns to FAR 52.204-21, Level 2 draws from NIST SP 800-171 Rev 2, and Level 3 adds selected NIST SP 800-172 requirements. The assessment method depends on the level and contract requirement: self-assessment, C3PAO assessment, or DIBCAC assessment.

Who needs CMMC compliance?

Any company that contracts with, or subcontracts within the supply chain of, the Department of Defense and processes, stores, or transmits Federal Contract Information or Controlled Unclassified Information on contractor information systems may need CMMC compliance. DoD’s final rule estimates roughly 338,000 contractors and subcontractors will be in scope by full implementation, including machine shops, IT service providers, professional services firms, software companies, and other defense suppliers.

If your contract includes DFARS 252.204-7021 or a CMMC flowdown, you have a direct CMMC requirement. If it includes DFARS 252.204-7012, you likely have DFARS/NIST 800-171 obligations and should evaluate whether CMMC Level 2 applies.

What is the difference between CMMC and NIST 800-171?

NIST SP 800-171 is the Level 2 requirement set: 110 requirements for protecting CUI in non-federal systems. CMMC is the DoD program that verifies the required level of implementation through self-assessment, C3PAO assessment, or DIBCAC assessment depending on the contract.

DFARS has required NIST 800-171 implementation since 2017, but self-reported compliance gave DoD limited assurance. CMMC adds the status, assessment, and affirmation layer. For Level 2 (C3PAO), certification is how you show your NIST 800-171 implementation holds up under third-party review.

Is CMMC compliance mandatory?

Yes. Under the CMMC 2.0 final rule, CMMC status requirements are being phased into DoD contracts in stages from 2025 through 2028. By the end of the rollout, every applicable contract will require the contractor to hold the required CMMC status before award.

Contractors that treat this as a future problem are already falling behind. Phase 1 enforcement began November 10, 2025, Phase 2 begins November 10, 2026, and active contracts are starting to carry the requirement.

How much does CMMC compliance cost?

Based on Nexeris’s experience with small to mid-sized defense contractors, Level 2 readiness often costs $40,000 to $400,000 depending on company size, CUI scope, and existing security posture. When a C3PAO assessment is required, the assessment fee commonly adds $35,000 to $120,000.

Ongoing annual maintenance is often roughly 10 to 15 percent of the initial buildout. The more expensive outcome is losing contract eligibility because the required CMMC status was not in place.

How long does it take to get CMMC certified?

A contractor with solid existing controls can reach assessment readiness in 3 to 6 months. One starting from scratch typically needs 9 to 12 months. C3PAO scheduling adds another 2 to 4 months on top of remediation.

The Nexeris team brings most clients to audit-ready status in 3 months or less using a done-for-you model that takes the bulk of the documentation and implementation burden off your team.

What CMMC level do I need?

If your covered contract involves FCI only, Level 1 generally applies. If you handle CUI, Level 2 is your floor unless the contract specifies otherwise. Level 3 is reserved for a small number of high-priority programs, requires Final Level 2 (C3PAO) status first, and is assessed by DoD’s DIBCAC directly.

Review the DFARS clauses in your contract and the type of data you receive to confirm which level applies. When in doubt, a scoping assessment answers the question definitively.

What is a C3PAO?

A C3PAO, or Certified Third-Party Assessment Organization, is an independent assessor authorized by the Cyber AB to conduct CMMC Level 2 certification assessments. They review your SSP, test your controls, collect evidence, and submit the assessment result through the official CMMC reporting process.

Nexeris is not a C3PAO. That means we represent you fully as a consultant through the entire readiness and assessment process, with no conflict of interest in the outcome.

Zach Tracy, CISA, CISSP

Zach Tracy is the CEO and a cybersecurity executive with more than 10 years of experience in security program management and regulatory compliance. He has served as a fractional Chief Information Security Officer for over 40 organizations and has led more than 100 audits across frameworks including SOC 2, CMMC, NIST CSF, ISO 27001, HIPAA, and HITRUST.

Zach specializes in helping defense contractors and regulated organizations build practical, audit-ready security programs that protect contract eligibility and reduce operational risk. He holds CISA, CISSP, CMMC-RP, and ISO 27001 and 9001 Lead Implementer certifications, along with a B.S. in Cybersecurity from Thomas College.

A Marine Corps veteran and former law enforcement officer, Zach brings a mission-focused, disciplined approach to cybersecurity leadership.
