
What is CMMC? The Complete Guide for Defense Contractors (2026)

If you’re a defense contractor — or a subcontractor to one — someone has probably told you that you need “CMMC.” Maybe it showed up in a contract clause. Maybe a prime sent you an email with the subject line “CMMC Requirements” and a deadline. Maybe you Googled it and found 47 different acronyms before giving up.

Here’s the short version: CMMC (Cybersecurity Maturity Model Certification) is how the Department of Defense verifies that companies handling government data have adequate cybersecurity. Instead of trusting contractors to self-report (which wasn’t working), DoD created a tiered certification program with actual assessments.

If you want government contracts, you need CMMC. That’s the punchline. The rest of this article explains what that means for your company — which level you need, what it costs, and how to get there.

Why CMMC Exists

For years, DoD relied on the honor system for contractor cybersecurity. Contractors were required to implement the security controls in NIST SP 800-171 and self-report a compliance score. Most companies submitted scores. Many of those scores were… optimistic.

A 2019 DoD Inspector General report found that contractors were routinely failing to implement basic security controls while reporting full compliance. Meanwhile, adversaries — particularly China — were siphoning sensitive defense data through contractor networks. The F-35 program alone suffered multiple breaches traced back to supply chain weaknesses.

So DoD created CMMC. The premise is simple: if you want to handle our data, a third party is going to verify that you can protect it. No more self-grading your own exam (at least for the contracts that matter most).

The Timeline

CMMC has been in the works since 2019, went through a major revision (CMMC 2.0), and the final rule took effect in December 2024. Here’s where things stand now:

Milestone | Date | Status
--- | --- | ---
CMMC 2.0 final rule published | October 2024 | Complete
Rule effective | December 16, 2024 | Complete
Phase 1 — CMMC required in new contracts | 2025 | In progress
Phase 2 — Level 2 C3PAO assessments required for prioritized contracts | 2026 | Upcoming
Phase 3 — Full CMMC requirements in all applicable contracts | 2027 | Planned
Phase 4 — CMMC in all DoD contracts with option periods | 2028 | Planned

The key takeaway: CMMC is already in contracts. The rollout is phased, but waiting until your contract specifically requires it is a bad strategy. Assessments take months, and there aren’t enough assessors to handle everyone at the last minute.

CMMC 2.0 Levels Explained

CMMC 2.0 has three levels. The original CMMC 1.0 had five, but DoD simplified it. Each level maps to the type of data you handle.

Level 1 — Foundational

Who needs it: Companies that handle FCI (Federal Contract Information) only. FCI is basic contract data — delivery schedules, invoices, performance reports. Not classified, not sensitive, but still government data that shouldn’t be public.

What’s required: 17 basic cybersecurity practices. We’re talking fundamentals: use antivirus, require passwords, lock your doors, limit who can access systems. If your company has functional IT, you probably already meet most of these.

How you’re assessed: Self-assessment. You evaluate your own security, submit a score to DoD through SPRS, and have a senior official sign an annual affirmation saying the score is accurate. Nobody comes to check.

What it costs: $3,000 – $15,000. Mostly staff time. See our detailed cost breakdown for the full picture.

We wrote a complete CMMC compliance checklist that covers all 17 Level 1 controls in plain English.

Level 2 — Advanced

Who needs it: Companies that handle CUI (Controlled Unclassified Information). CUI is the sensitive stuff — technical drawings, engineering data, test results, specifications that DoD has determined need protection. If your contracts include DFARS clause 252.204-7012, you handle CUI.

What’s required: 110 security requirements from NIST SP 800-171. This is a significant step up from Level 1. You need things like multi-factor authentication, encrypted data at rest and in transit, incident response plans, audit logging, vulnerability scanning, and system security plans.

How you’re assessed: This depends on the contract. DoD categorizes acquisitions as either “prioritized” or “non-prioritized.”

Assessment Type | When Required | Who Does It | Frequency
--- | --- | --- | ---
Self-assessment | Non-prioritized CUI contracts | Your own team | Every 3 years, annual affirmation
C3PAO assessment | Prioritized CUI contracts | Independent third-party assessor | Every 3 years, annual affirmation

Most companies handling CUI will eventually need the C3PAO (third-party) assessment. The self-assessment path is for lower-priority contracts, and DoD hasn’t published the full list of what qualifies. Plan for third-party.

What it costs: $50,000 – $300,000+. The range is wide because it depends on your starting point, company size, and whether you use a consultant. The assessment itself typically runs $50,000 – $120,000, but the real cost is getting ready for it. We break all of this down in our cost analysis.

Our CMMC assessment guide explains exactly what happens during an assessment — what assessors look for, how long it takes, and what the outcomes mean.

Level 3 — Expert

Who needs it: Companies working on the most sensitive DoD programs. Think weapons systems design, intelligence community support, programs where a breach would cause serious damage to national security.

What’s required: Everything in Level 2, plus additional requirements from NIST SP 800-172. These are advanced controls designed to protect against nation-state-level threats — things like threat hunting, advanced network segmentation, and system resilience.

How you’re assessed: The government assesses you directly. No self-assessment, no third-party. DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) conducts the evaluation.

What it costs: $500,000+. If you need Level 3, you likely already know it, and your contracts probably justify the investment.

Note: Level 3 assessments aren’t expected to begin until the later phases of the rollout. If you’re reading this article to figure out whether you need CMMC, you almost certainly don’t need Level 3.

Who Needs CMMC Certification?

The short answer: anyone in the defense supply chain who handles FCI or CUI. That includes:

  • Prime contractors — the companies with direct DoD contracts
  • Subcontractors — companies that primes hire and flow CUI/FCI down to
  • Suppliers — even if you just make a part to a spec that’s marked CUI
  • IT service providers — if you host, process, or transmit a contractor’s CUI (cloud providers, MSPs, etc.)

How to Tell Which Level You Need

Look at your contracts. Specifically:

  1. DFARS 252.204-7021 — This is the CMMC requirement clause. It will specify the level required.
  2. DFARS 252.204-7012 — This clause means you handle CUI and need at least Level 2.
  3. No DFARS 7012, but you have government contracts — You likely handle FCI and need Level 1.
  4. No government contracts at all — You don’t need CMMC (yet). But if you want to win DoD work in the future, start preparing now.

If you’re not sure, ask the contracting officer or the prime contractor who awarded your subcontract. They should be able to tell you what type of data flows to your company.

CMMC vs. NIST 800-171: What’s the Difference?

This is the question we get more than any other. If you’re already familiar with NIST 800-171, CMMC might feel redundant. It’s not, but they are related.

NIST SP 800-171 is the set of 110 security requirements. It’s the “what” — what controls you need to implement to protect CUI. It was published by NIST (the National Institute of Standards and Technology) and has been a DoD requirement since 2017.

CMMC is the “how DoD verifies it.” It’s the certification framework that wraps around NIST 800-171. CMMC Level 2 maps directly to NIST 800-171 Rev 2 — same 110 requirements, same domains, same controls. What CMMC adds is the assessment methodology: who checks your work, how they check it, and what happens when you don’t pass.

Aspect | NIST 800-171 | CMMC Level 2
--- | --- | ---
What it is | Security requirements | Certification framework
Who created it | NIST | DoD
Controls | 110 requirements | Same 110 requirements
Verification | Self-reported via SPRS | Third-party or self-assessment
Consequence of non-compliance | Contract clause violation | Can’t win/keep contracts
Legal teeth | False Claims Act (if you lie) | False Claims Act + no certification

The practical difference: before CMMC, you could claim you met NIST 800-171 and nobody verified it. After CMMC, someone checks. That’s the entire reason CMMC was created.

For more on what’s changing with the latest revision of NIST 800-171, see our NIST 800-171 compliance overview.

How to Get CMMC Certified

The certification process varies by level, but here’s the general path for Level 2 (where most companies land):

1. Figure Out Your Scope

Before anything else, you need to define your CUI boundary — which systems, people, and processes touch CUI. This is critical because everything inside that boundary needs to meet all 110 requirements. Everything outside it doesn’t.

Many companies make this harder than it needs to be. If CUI lives on every laptop and every server, your entire environment is in scope. That’s expensive to protect. A smarter approach is to isolate CUI into a defined enclave — a segmented part of your network built specifically for handling sensitive data. Smaller scope means fewer systems to secure, fewer controls to implement, and lower cost.

We help companies design these enclave solutions to reduce their CMMC scope and cost.

2. Assess Where You Stand

Run a gap assessment. Compare your current security posture against all 110 NIST 800-171 requirements. For each control, determine whether it’s fully met, partially met, or not met. Be honest — the point is to find the gaps now, not during the real assessment.

Document everything. For every control, you need evidence: policies, configurations, screenshots, logs, whatever proves the control is in place and working.

3. Remediate the Gaps

This is where the time and money go. Common gaps include:

  • No multi-factor authentication on all systems
  • No FIPS-validated encryption for data at rest
  • Missing or incomplete System Security Plan (SSP)
  • No audit log review process
  • No incident response plan (or one that’s never been tested)
  • Employees with more access than they need
  • No vulnerability scanning

For most companies, remediation takes 6-18 months depending on the starting point. This is not something you knock out in a weekend.

4. Build Your Documentation

CMMC assessors don’t just check that controls are in place. They check that you’ve documented them. At minimum, you need:

  • System Security Plan (SSP) — Describes your system, its boundaries, and how each control is implemented
  • Plan of Action and Milestones (POA&M) — Lists any controls not yet fully met and your plan to fix them
  • Policies and procedures — Written policies for each security domain (access control, incident response, etc.)
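To make steps 2 and 4 concrete, here is a small gap-assessment tracker added for this article (it is not code from the original page or from any assessment tool). It records each requirement as fully met, partially met, or not met, flags requirements claimed as met with no evidence behind them, and turns the open items into POA&M rows. The score it computes follows the weighted scheme of the DoD NIST SP 800-171 Assessment Methodology (start at 110, deduct each unimplemented requirement's weight, with reduced deductions for partially implemented MFA and FIPS cryptography, and no reportable score without an SSP). The control subset, its weights and the evidence strings are constructed for illustration and must be checked against the methodology edition you are assessed under.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    MET = "fully met"
    PARTIAL = "partially met"
    NOT_MET = "not met"


@dataclass
class Control:
    control_id: str
    title: str
    weight: int                 # points deducted when not implemented: 1, 3 or 5 (assumed values)
    status: Status
    evidence: list = field(default_factory=list)   # policies, configs, screenshots, logs


MAX_SCORE = 110
SSP_CONTROL = "3.12.4"          # the System Security Plan requirement: not scored, but
                                # without an SSP there is nothing to assess
# Requirements that earn partial credit (-3 instead of -5) when partially implemented.
# Assumption: confirm the list against the methodology edition in force.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


def deduction(control: Control) -> int:
    """Points lost for one requirement under the weighted scoring scheme."""
    if control.control_id == SSP_CONTROL or control.status is Status.MET:
        return 0
    if control.status is Status.PARTIAL and control.control_id in PARTIAL_CREDIT:
        return 3
    # Every other partial implementation scores as not implemented.
    return control.weight


def sprs_score(controls):
    """Weighted score (max 110) for the controls given; requirements not listed are
    treated as met. Returns None when no SSP exists, since no assessment can be done."""
    by_id = {c.control_id: c for c in controls}
    ssp = by_id.get(SSP_CONTROL)
    if ssp is None or ssp.status is not Status.MET:
        return None
    return MAX_SCORE - sum(deduction(c) for c in controls)


def poam_entries(controls):
    """POA&M rows: every requirement not fully met, with the points it is costing."""
    return [(c.control_id, c.title, c.status.value, deduction(c))
            for c in controls if c.status is not Status.MET]


def missing_evidence(controls):
    """Requirements claimed met but with nothing an assessor could examine."""
    return [c.control_id for c in controls
            if c.status is Status.MET and not c.evidence]


# Constructed sample gap-assessment results (a subset of the 110 requirements).
SAMPLE_CONTROLS = [
    Control("3.12.4", "Develop and maintain a System Security Plan", 0, Status.MET, ["SSP v1.2"]),
    Control("3.1.1", "Limit system access to authorized users", 5, Status.MET,
            ["AD group export", "account management policy"]),
    Control("3.3.1", "Create and retain system audit logs", 5, Status.MET),   # claimed met, no evidence
    Control("3.5.3", "Use MFA for local and network access", 5, Status.PARTIAL,
            ["MFA enforced for admins and VPN users only"]),
    Control("3.13.11", "Employ FIPS-validated cryptography for CUI", 5, Status.PARTIAL,
            ["Disk encryption on, not in FIPS mode"]),
    Control("3.1.5", "Employ the principle of least privilege", 3, Status.NOT_MET),
    Control("3.3.3", "Review and update logged events", 1, Status.NOT_MET),
    Control("3.6.3", "Test the incident response capability", 1, Status.NOT_MET),
    Control("3.11.2", "Scan for vulnerabilities periodically", 5, Status.NOT_MET),
]


if __name__ == "__main__":
    print("Score:", sprs_score(SAMPLE_CONTROLS))
    print("Claimed met without evidence:", missing_evidence(SAMPLE_CONTROLS))
    for row in poam_entries(SAMPLE_CONTROLS):
        print("POA&M:", row)
```

Two things the output makes visible that a spreadsheet of checkmarks does not: a "partially met" answer costs nearly as much as "not met" for most requirements, so the honest classification the article asks for matters to the number you submit; and a control marked met with an empty evidence list is exactly the item an assessor will fail, which is why the tracker reports it separately from the score.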

5. Get Assessed

If you need a C3PAO assessment, find one through the CMMC Marketplace. Schedule early — assessment slots are limited and filling up fast as CMMC enforcement ramps up. The assessment itself typically takes 1-2 weeks of active work, spread across a few weeks.

Our assessment process guide walks through exactly what happens during the assessment, what to expect, and how to prepare.

6. Maintain It

Passing the assessment isn’t the finish line. You need to:

  • Submit an annual affirmation confirming you still meet the requirements
  • Continuously monitor your security controls
  • Reassess every three years
  • Update your SSP and POA&M as things change

CMMC isn’t a one-time event. It’s an ongoing program.

How Much Does CMMC Cost?

We wrote an entire article answering this question with real numbers: CMMC Certification Cost: Complete Breakdown by Level. Here’s the summary:

Level | Typical Total Cost | What Drives the Cost
--- | --- | ---
Level 1 | $3,000 – $15,000 | Mostly staff time for self-assessment
Level 2 (self-assessment) | $50,000 – $150,000 | Security tools, remediation, documentation
Level 2 (C3PAO) | $100,000 – $300,000+ | Everything above plus assessment fees
Level 3 | $500,000+ | Advanced controls, government assessment

The biggest variable is your starting point. A company that already has a solid security program might spend $50,000 to get to Level 2. A company starting from scratch with no security infrastructure could spend $300,000 or more. Most companies we work with land somewhere in the $100,000–$200,000 range for Level 2 with a C3PAO assessment.

For small manufacturers and defense subcontractors, the cost can be especially painful. We’ve written about practical strategies for small manufacturers to manage the expense.

Finding a CMMC Consultant

Not every company needs a consultant, but most benefit from one — especially for Level 2. The CMMC ecosystem has a few different types of organizations:

RPOs (Registered Practitioner Organizations) help you prepare for CMMC. They assess your current state, identify gaps, and help you remediate them. An RPO cannot also be your assessor — there’s a required separation.

C3PAOs (Certified Third-Party Assessment Organizations) conduct the actual assessments. They’re independent, certified by the Cyber AB, and determine whether you pass or fail.

We explain the difference between RPOs and C3PAOs in detail, including how to pick the right one for your situation.

If you’re weighing whether to do it yourself or hire help, our consultant vs. DIY comparison lays out the tradeoffs.

CMMC Training and Certifications

If you want to become a CMMC professional — whether to handle compliance internally or build a consulting career — there’s a defined certification path:

  • CCP (Certified CMMC Professional) — The entry-level certification for individuals doing CMMC work
  • CCA (Certified CMMC Assessor) — Required for individuals conducting C3PAO assessments
  • CMMC Instructor — Authorized to teach CMMC courses

Our CMMC training guide covers each certification in detail, compares course providers, and includes free resources to get started.

Common Mistakes

We’ve seen enough companies go through this process to know where people trip up. Here are the big ones:

Waiting too long to start. Assessment slots are limited. Remediation takes months. If you wait until CMMC appears in your contract to start, you’re already behind.

Underscoping the environment. Not defining CUI boundaries clearly leads to either too much in scope (expensive) or too little (you fail the assessment). Get scoping right first.

Treating it as an IT project. CMMC isn’t just about technology. It covers policies, training, physical security, and personnel. Your IT team can’t do this alone.

Buying tools without a plan. A SIEM doesn’t help if nobody reads the alerts. A GRC platform doesn’t help if you haven’t written your policies yet. Start with the plan, then buy the tools.

Over-scoring in SPRS. Some companies submit inflated scores to avoid losing contracts. This is a False Claims Act risk. The Department of Justice is actively pursuing cases.

Ignoring the people controls. Security awareness training, background checks, visitor logs, access reviews — these aren’t optional. Assessors check them all.

Frequently Asked Questions

What does CMMC stand for?

Cybersecurity Maturity Model Certification. It’s the DoD’s framework for verifying that defense contractors meet specific cybersecurity standards before they can handle government data.

Is CMMC mandatory?

Yes, for any company that wants to win or keep DoD contracts involving FCI or CUI. The rollout is phased (2025–2028), but the requirement is real and CMMC clauses are already appearing in new contracts.

When does CMMC go into effect?

The final rule took effect December 16, 2024. Phase 1 (self-assessments for new contracts) started in 2025. Phase 2 (C3PAO assessments for prioritized contracts) begins in 2026. Full implementation is expected by 2028.

What happens if I don’t get CMMC certified?

You won’t be eligible for new DoD contracts that require CMMC. For existing contracts, CMMC requirements will appear as they come up for renewal or option periods. No certification means no contract — DoD has been clear about this.

How long does it take to get CMMC certified?

For Level 2, plan on 6-18 months of preparation depending on your starting point. The assessment itself takes 1-2 weeks. Scheduling an assessor can add another 2-4 months of lead time. Start early.

Do subcontractors need CMMC?

Yes. If a prime contractor flows CUI or FCI down to you, you need the appropriate CMMC level. This applies to the entire supply chain, not just companies with direct DoD contracts.

Can I use a cloud enclave to reduce scope?

Yes. Isolating CUI processing into a dedicated, compliant cloud environment — like a Microsoft GCC High enclave — can significantly reduce your assessment scope and cost. Fewer systems in scope means fewer controls to implement and maintain. We help companies design these enclave solutions.

What’s the difference between FCI and CUI?

FCI (Federal Contract Information) is data provided by or generated for the government under a contract that isn’t intended for public release. Think delivery schedules and invoices. Requires CMMC Level 1.

CUI (Controlled Unclassified Information) is data that requires safeguarding per government policy. Technical specifications, engineering drawings, export-controlled data. Requires CMMC Level 2 or higher.