What Is CMMC Compliance?
Discover what CMMC compliance means and its crucial role for defense contractors.
---
CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's (DoD's) program for ensuring that defense contractors protect sensitive government information — specifically CUI (Controlled Unclassified Information) — with a verified, documented security program.
Before CMMC, contractors self-reported their compliance with cybersecurity standards. The DoD had no reliable way to verify those reports. CMMC changed that by introducing independent third-party assessments for contracts above a certain sensitivity level. The goal: make sure the companies building weapons systems, processing defense contracts, and handling sensitive technical data are actually protecting it.
Who Needs CMMC
CMMC applies to companies in the Defense Industrial Base (DIB) — any company that holds DoD contracts or subcontracts where sensitive information is involved.
Two categories of information drive the requirement:
FCI (Federal Contract Information): Information generated for or provided under a government contract, not intended for public release. Nearly every defense contractor handles FCI. The CMMC Level 1 requirement applies here.
CUI (Controlled Unclassified Information): Formally designated sensitive information — technical drawings, export-controlled data, program information, certain personnel records. CUI requires stronger protections under CMMC Level 2.
If your company is a subcontractor, check whether your prime's contract includes CUI. If it does, and your work involves that CUI, CMMC requirements flow down to you through your subcontract. Being a sub doesn't exempt you.
The Three Levels
CMMC Level 1 — Foundational: 15 security practices. All based on FAR (Federal Acquisition Regulation) clause 52.204-21's basic safeguarding requirements. Self-assessed annually. No third-party assessment required. Appropriate for companies that handle only FCI with no CUI involvement. This is a very basic bar — unique user accounts, access limits, basic physical security, a few others.
CMMC Level 2 — Advanced: 110 security practices, aligned exactly to NIST SP 800-171 Rev 2 (the National Institute of Standards and Technology's standard for protecting CUI in non-federal systems). Third-party assessment by a C3PAO (Certified Third-Party Assessor Organization) required for most contracts. This is the level that applies to the majority of contractors handling CUI. Level 2 is what most people mean when they talk about "getting CMMC certified."
CMMC Level 3 — Expert: All 110 Level 2 practices plus additional requirements from NIST SP 800-172, targeting defense against advanced persistent threats (nation-state hackers). Government-led assessments conducted by the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). Applies to a smaller set of high-priority programs — primarily companies working on weapons systems and critical defense technologies.
What Level 2 Actually Requires
The 110 Level 2 practices are organized into 14 control domains — Access Control, Audit and Accountability, Configuration Management, Incident Response, and so on. Across all 14 domains, the requirements address:
- Who can access your systems and CUI (and how that's enforced)
- Whether network (remote) access and privileged accounts require multifactor authentication, not just a password
- Whether CUI is encrypted in transit, and at rest on mobile devices, using FIPS-validated cryptography wherever cryptography is what protects it
- Whether you log what happens in your environment and review those logs
- Whether your systems are patched and hardened
- Whether your staff knows how to recognize and report security incidents
- Whether you have a documented plan covering all of the above
That last item — the plan — is the SSP (System Security Plan). Your SSP describes how your organization implements each of the 110 practices. It's the central document for any CMMC assessment. Every practice needs to be addressed in it: what the control is, how you've implemented it, who's responsible, and where the evidence is.
How Certification Works
At Level 2, the certification process works like this:
- Prepare: Implement the required controls, document them in your SSP, and address gaps with a POA&M (Plan of Action and Milestones).
- Engage a C3PAO: Select an authorized assessment organization from the Cyber AB (CMMC Accreditation Body) marketplace at cyberab.org.
- Assessment: The C3PAO conducts an assessment using three methods: examining your documentation, interviewing your personnel, and testing your technical controls. This typically takes 1–4 weeks on-site or remote, depending on your organization's size and complexity.
- Findings: Each of the 110 practices is rated Met, Not Met, or Not Applicable. To pass outright, every applicable practice must be Met. Under the CMMC final rule a conditional certification is possible if you score at least 88 of 110 and the open items are limited to the practices the rule allows on a POA&M; those items must be closed and verified within 180 days or the conditional status lapses.
- Certification: The C3PAO records the assessment results in the DoD's CMMC eMASS system, which feeds SPRS (the Supplier Performance Risk System), where contracting officers check your status. Level 2 certification is valid for three years, with an annual affirmation of continued compliance by a senior company official.
How Long It Takes and What It Costs
The honest answer: it depends on where you're starting.
A company that already has reasonable IT security practices, documented policies, and a small, well-defined CUI environment might get to Level 2 readiness in 6–12 months. A company starting from minimal security practices with a complex environment might need 18–24 months.
Assessment cost (the C3PAO fee) typically ranges from $30,000–$150,000, depending on organization size and scope. That's separate from remediation costs — the work to actually implement missing controls before the assessment. Remediation is usually the larger investment: technical infrastructure, consulting, and possibly managed security services.
The assessment is not the expensive part of CMMC. Getting ready for the assessment is.
Common Starting-Point Mistakes
Buying compliance software first. Tools that track CMMC requirements are useful for managing the process, but they don't implement controls. You still have to do the technical work.
Writing an SSP before implementing controls. The SSP documents what you've done. Writing it before controls are in place produces a plan document, not a compliance document — and an assessor will tell the difference.
Assuming CMMC only applies to the IT department. Physical security, personnel practices, maintenance procedures, and security training all have control requirements in the CMMC framework. It's an organization-wide effort.
The Bottom Line
CMMC compliance means your organization genuinely meets the security requirements, has documented them, and can prove it to an independent assessor. It's not about passing a test — it's about actually protecting the information the DoD has entrusted to you.
If your DoD contracts include CUI, CMMC Level 2 is your target. Start with an honest assessment of where your security program stands today — tools, documentation, and practices. The gap between where you are and where you need to be is the project.
---
Ready to start scoping your CMMC effort? Talk to our bot: describe your contract situation and current security posture, and it can help you identify which Level 2 domains need the most work. It is also a good place to start if you want a concise overview of how CMMC works in practice.