// framework guide

CMMC

Cybersecurity Maturity Model Certification
Governing Body
U.S. Department of Defense (DoD)
Scope
US-specific
Typical Cost
$30,000-$300,000+
Timeline
6-18 months
Difficulty
High

Any company in the US defense industrial base that handles CUI or FCI. This includes defense contractors, subcontractors, and suppliers at every tier. CMMC 2.0 streamlined the model from five levels to three and is being phased into DoD contracts starting in 2025. Level 1 requires basic cyber hygiene (17 practices). Level 2 aligns with NIST 800-171 (110 practices). Level 3 requires advanced security for the most sensitive programs.

// guide

CMMC Compliance Guide

In this guide
  1. What Is CMMC?
  2. The Three Levels
  3. Who Needs CMMC?
  4. CMMC 2.0 vs the Original CMMC 1.0
  5. The 110 NIST 800-171 Requirements (Level 2)
  6. The Certification Process
  7. What It Costs
  8. How Compliance Tools Help
  9. Common Mistakes

What Is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a DoD cybersecurity standard that defense contractors must meet to handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The Department of Defense created CMMC because the existing self-attestation model wasn't working. Contractors were claiming compliance with NIST 800-171 on paper while leaving serious security gaps in practice.

CMMC fixes that by requiring independent, third-party assessments for most contractors. The model is being phased into DoD contracts starting in 2025, and eventually all contractors handling CUI will need CMMC certification to bid on and perform defense work.

The current version is CMMC 2.0, which simplified the original 5-level model down to 3 levels. The final rule (32 CFR Part 170) was published in October 2024, and CMMC requirements started appearing in solicitations in early 2025.

The Three Levels

Level 1 (Self-assessment). Covers 17 practices from FAR 52.204-21. Basic cyber hygiene: use antivirus, enforce passwords, limit access, update software. Companies handling only FCI (not CUI) qualify at this level. Self-assessment with annual affirmation is sufficient. No third-party auditor required.

Level 2 (Third-party or self-assessment). Covers all 110 security requirements from NIST SP 800-171 Rev 2. This is where most defense contractors land. It protects CUI in non-federal systems. For contracts involving "prioritized acquisitions" (most CUI-handling contracts), a third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO) is required. Some lower-priority contracts may allow self-assessment at Level 2.

Level 3 (Government-led assessment). Covers NIST 800-171 plus a subset of controls from NIST 800-172 (enhanced security requirements). For contractors handling the most sensitive CUI on the most critical programs. Assessment is conducted by the Defense Contract Management Agency (DCMA) DIBCAC, not a private assessor. Very few contractors need Level 3.

Who Needs CMMC?

Any company in the defense industrial base (DIB) that handles FCI or CUI. That's a broad group:

The defense industrial base includes an estimated 220,000+ companies. Most small and mid-size contractors need Level 2. The DoD estimates about 80,000 companies will need third-party assessments.

The key question for any contractor: does your contract involve CUI? If yes, plan for Level 2. If you only handle FCI (basic contract information, not sensitive technical data), Level 1 is likely sufficient. Your contracting officer should specify the required level in the solicitation.

CMMC 2.0 vs the Original CMMC 1.0

The original CMMC 1.0 (released in 2020) had five levels, 171 practices, and required third-party assessments at every level above 1. The defense contractor community pushed back hard. It was too complex, too expensive, and the assessor ecosystem wasn't ready.

CMMC 2.0 addressed these concerns:

The 110 NIST 800-171 Requirements (Level 2)

Level 2 maps directly to NIST SP 800-171's 110 security requirements, organized into 14 families:

The requirements cover familiar ground if you've worked with other security frameworks: encrypt CUI in transit and at rest, enforce MFA, maintain audit logs, limit access based on roles, patch vulnerabilities, train employees, and so on. What makes CMMC harder than many frameworks is the specificity of evidence required and the military context of some controls.

The Certification Process

1. Scoping (2-4 weeks). Define your CUI boundary: the systems, networks, and processes that store, process, or transmit CUI. This determines what's in scope for the assessment. Getting scoping wrong is one of the most expensive mistakes.

2. Gap assessment (4-8 weeks). Evaluate your current state against all 110 NIST 800-171 requirements (for Level 2). Document what's in place, what's partially implemented, and what's missing.

3. Remediation (3-12 months). This is where the real work happens. Common remediation items: implementing FIPS-validated encryption, setting up a SIEM for log monitoring, configuring MFA on all CUI systems, writing incident response plans, establishing configuration baselines, and training employees.

4. System Security Plan (SSP) and POA&M. Document how you implement each of the 110 requirements in your SSP. Any requirements not yet fully implemented go into a Plan of Action & Milestones with remediation timelines.

5. C3PAO assessment (2-4 weeks of fieldwork). The certified third-party assessor organization reviews your documentation, interviews staff, tests controls, and examines evidence. They score each requirement as Met, Not Met, or Not Applicable.

6. CMMC certification. If you meet the requirements (with limited POA&M items allowed), you receive conditional certification. You have 180 days to close any remaining POA&M items for full certification. Certification is valid for 3 years with annual affirmation.

What It Costs

For small manufacturers and suppliers with 20-50 employees, Level 2 compliance typically runs $50,000-$150,000 all-in. The DoD has acknowledged this is a burden and has created some assistance programs, but the reality is that CMMC compliance is expensive for small businesses.

How Compliance Tools Help

Compliance automation platforms with CMMC/NIST 800-171 mapping help contractors track their compliance status, collect evidence automatically, generate SSP documentation, and manage POA&M items. They're especially valuable for ongoing compliance since CMMC requires annual affirmation and continuous adherence to controls.

Of the 17 tools in our database, 9 support CMMC. Tools with strong NIST 800-171 and NIST 800-53 mapping tend to handle CMMC well since the controls are derived from those standards.

A compliance platform alone won't get you certified. You'll still need to implement technical controls (encryption, SIEM, network segmentation), train staff, and engage a C3PAO for the assessment. But the platform reduces the documentation burden and keeps you organized throughout the process.

Common Mistakes

Scoping the CUI boundary too broadly. If CUI touches every system in your network, everything is in scope. Smart contractors isolate CUI into a defined enclave with limited access points. This reduces the number of systems that need to meet all 110 requirements.

Waiting until a contract requires it. CMMC assessments take months, and the C3PAO ecosystem is still scaling up. If you wait until a contract deadline is looming, you may not find an available assessor in time. Start early.

Confusing self-assessment with no assessment. Level 1 self-assessment still requires a thorough evaluation, documentation, and annual affirmation. It's not "check a box and move on." False claims of compliance can trigger False Claims Act liability, which carries penalties up to three times the government's damages.

Underestimating FIPS encryption requirements. NIST 800-171 requires FIPS 140-2 validated encryption for CUI at rest and in transit. Not all encryption implementations meet FIPS standards. This is a common remediation item that takes longer than expected because it may require changing infrastructure components.

Ignoring subcontractor flow-down. If you handle CUI and pass it to a subcontractor, they need CMMC certification too. Many primes are discovering that their supply chain isn't ready, which creates risk for their own contracts.

// tools

Best Platforms for CMMC Compared

Platform            | Starting Price | Best For              | G2 Rating
Vanta               | ~$10,000/yr    | Compliance automation | 4.6
Drata               | ~$7,500/yr     | Compliance automation | 4.8
Secureframe         | ~$7,500/yr     | Compliance automation | 4.7
Hyperproof          | ~$12,000/yr    | GRC platform          | 4.5
AuditBoard (Optro)  | ~$30,000/yr    | Audit management      | 4.6
Strike Graph        | ~$9,000/yr     | Compliance automation | 4.7
Cypago              | ~$60,000/yr    | GRC platform          | 4.5
Apptega             | ~$9,950/yr     | GRC platform          | 4.8
Ostendio            | ~$2,994/yr     | GRC platform          | 4.8


// industries

Industries That Require CMMC

  Government & Public Sector
  Defense & Aerospace
  Manufacturing

Sources: Framework requirements from U.S. Department of Defense (DoD) documentation. Tool support verified against vendor documentation and G2 reviews. Last verified: March 2026. Next re-check: June 2026.