
Everything You Need To Know About CMMC 2.0 Certification: Requirements, Assessments, And Costs
If you're a defense contractor or subcontractor, you already know that CMMC 2.0 certification is a requirement for working with the Department of Defense. But what does that actually involve? And how do you get started? With evolving requirements, phased rollouts, and different certification levels, it's easy to get lost in the details.
This guide will walk you through all of the essentials: how to determine which CMMC level applies to you, what each level requires, how assessments work, and what it will cost to get and stay certified. You'll have a clear understanding of what CMMC 2.0 compliance involves and how to confidently take the first steps toward certification.
What is the Cybersecurity Maturity Model Certification (CMMC 2.0)?
The CMMC is the Department of Defense’s way of ensuring that all contractors within its supply chain have strong cybersecurity measures in place. It was created to address rising cyber threats, inconsistent security practices, and the need to protect sensitive defense information across the entire supply chain.
Before CMMC, there were major gaps in security readiness among contractors. Some had strong controls in place, others didn’t. CMMC helps standardize expectations and introduces a third-party certification layer to ensure all contractors meet the required baseline level of security.
Who needs to comply with CMMC 2.0?
If you work with the DoD and handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need to comply with CMMC 2.0. This includes prime contractors and subcontractors at every tier. Security Protection Data (SPD), meaning the data stored or processed by the assets that protect a CUI environment (log data and configuration data, for example), falls within a Level 2 assessment scope but does not on its own trigger a CMMC requirement.

You can determine your exact compliance requirements by:
- Reviewing your DoD contracts or RFPs for CMMC clauses. It’s also important to examine specific contract clauses that outline CMMC requirements, such as the DFARS (Defense Federal Acquisition Regulation Supplement) clauses related to cybersecurity.
- Assessing whether you store, process, or transmit FCI or CUI, and how the assets in your environment are categorized under the CMMC scoping guidance (for Level 2: CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets). This determines which CMMC level you need and what sits inside the assessment boundary.
- Communicating with your prime contractor if you’re a subcontractor. Prime contractors are responsible for ensuring that their subcontractors meet the necessary CMMC requirements, so they should provide guidance and set expectations.
When does CMMC 2.0 go into effect?

The DoD began developing the CMMC framework in 2019 to strengthen cybersecurity standards for defense contractors and subcontractors. The framework builds upon existing requirements under DFARS Clause 252.204-7012 by introducing a verification process through self-assessments and third-party certification, depending on the level of sensitivity of the information handled.
The initial version, CMMC 1.0, was introduced under an interim rule in 2020. In November 2021, the DoD announced CMMC 2.0, a streamlined version of the original framework that reduced the number of levels and aligned more closely with NIST SP 800-171 requirements. This announcement marked the beginning of a formal rulemaking process.
That process culminated in the publication of the 32 CFR final rule on October 15, 2024, which took effect on December 16, 2024. This rule establishes the CMMC program structure and assessment ecosystem. The CMMC 2.0 program is now live, and organizations can begin pursuing assessments in preparation for contractual requirements.
The companion 48 CFR rule, which amends the DFARS to place CMMC requirements into DoD solicitations and contracts, was published on September 10, 2025 and took effect on November 10, 2025, later than the March 2025 date originally anticipated after the 2024 election cycle delayed the congressional review period.
With both rules in place, the DoD is rolling out CMMC requirements in four phases, each keyed to the effective date of the 48 CFR rule:
- Phase 1: Began November 10, 2025. Solicitations may require a CMMC Level 1 or Level 2 self-assessment as a condition of award, and the DoD may, at its discretion, require a Level 2 C3PAO certification for select acquisitions.
- Phase 2: Begins November 10, 2026. Level 2 C3PAO certification becomes the default requirement for applicable contracts (the DoD may defer it to a contract option period), and Level 3 may be required at the DoD's discretion.
- Phase 3: Begins November 10, 2027. Level 3 government-led certification is required for applicable contracts involving the most sensitive CUI.
- Phase 4: Begins November 10, 2028, marking full implementation of CMMC 2.0 across all applicable DoD solicitations and contracts.
Even with this phased implementation, organizations cannot wait until 2028 to begin preparing. Level 1 and Level 2 requirements are already appearing in solicitations, and subcontractors in particular will face flow-down pressure from prime contractors working to secure their supply chains. Prepare now to avoid being left out of future contract opportunities.

CMMC 2.0 levels: How to determine your compliance requirements

Not every company handles the same type of sensitive information, so not everyone has to meet the same strict cybersecurity standards.
For instance, a small business working with basic project details for the DoD doesn’t need the same level of security as a contractor managing highly sensitive military data. That’s why CMMC 2.0 is designed as a maturity model with three levels, each one adding more advanced safeguards based on the sensitivity of the information handled.
This tiered approach keeps compliance manageable, especially for smaller businesses, and encourages organizations to strengthen their cybersecurity posture as they take on more sensitive work. It’s about having the right level of protection without overcomplicating things or spending more than they need to.

Let’s take a closer look at the three levels of CMMC 2.0 compliance to help you determine which compliance level applies.
CMMC Level 1: Foundational
CMMC Level 1 ensures that companies implement basic cybersecurity practices to protect FCI. It consists of the 15 safeguarding requirements of FAR 52.204-21, covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Level 1 compliance requires an annual self-assessment, with the result entered into SPRS, and an annual affirmation by a senior company official that every requirement is fully met.
CMMC Level 2: Advanced
CMMC 2.0 Level 2 is more extensive than Level 1 and is designed for organizations handling CUI. It consists of the 110 security requirements of NIST SP 800-171 Rev. 2. Contracts involving CUI that is critical to national security require a certification assessment by a C3PAO every three years; for other Level 2 contracts, a triennial self-assessment is permitted. Both paths also require an annual affirmation by a senior company official.
CMMC Level 3: Expert
CMMC 2.0 Level 3 is the highest level, designed for organizations handling the most sensitive CUI associated with the DoD's highest-priority programs. It focuses on defending against Advanced Persistent Threats (APTs). It builds on the requirements of Levels 1 and 2 and adds 24 requirements selected by the DoD from NIST SP 800-172. Before pursuing Level 3, an organization must already hold a final Level 2 C3PAO certification for the same assessment scope. The Level 3 assessment is conducted by the DoD's DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with an annual affirmation in between.
In addition to referring to the CyberAB website and the Department of Defense CMMC page for official guidance and resources on CMMC requirements, asset categorizations, and levels, you can use the decision tree below to help determine which level applies to you.

What are the CMMC 2.0 requirements?
CMMC 2.0 controls are grouped into 14 domains, each representing a key area of cybersecurity. These domains are:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each maturity level includes specific requirements within these domains. These requirements are the actual policies, procedures, or security controls that organizations must implement to achieve the corresponding level of cybersecurity maturity. Requirements are cumulative, meaning that higher levels include all of the requirements from the lower levels.
For example, the Access Control (AC) domain includes the following requirements.
Level 1:
- 3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- 3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- 3.1.20: Verify and control/limit connections to and use of external information systems.
- 3.1.22: Control information posted or processed on publicly accessible information systems.
Level 2, in addition to the Level 1 requirements, must implement the remaining 18 Access Control requirements:
- 3.1.3: Control the flow of CUI in accordance with approved authorizations.
- 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6: Use non-privileged accounts or roles when accessing non-security functions.
- 3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- 3.1.8: Limit unsuccessful logon attempts.
- 3.1.9: Provide privacy and security notices consistent with applicable CUI rules.
- 3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
- 3.1.11: Terminate (automatically) user sessions after a defined condition.
- 3.1.12: Monitor and control remote access sessions.
- 3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 3.1.14: Route remote access via managed access control points.
- 3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information.
- 3.1.16: Authorize wireless access prior to allowing such connections.
- 3.1.17: Protect wireless access using authentication and encryption.
- 3.1.18: Control connection of mobile devices.
- 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
- 3.1.21: Limit use of portable storage devices on external systems.
Level 3 adds 24 requirements selected from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. This supplement to NIST SP 800-171 specifies measures aimed at advanced persistent threats (APTs).
Within Access Control, the two Level 3 enhanced requirements are:
- 3.1.2e: Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
- 3.1.3e: Employ organization-defined secure information transfer solutions to control information flows between security domains on connected systems.
This tiered structure helps organizations systematically improve their cybersecurity posture by implementing increasingly mature practices.

What’s the difference between CMMC 2.0 vs NIST 800-171?
There’s often confusion about the relationship between CMMC 2.0 Level 2 and NIST 800-171, especially since Level 2 is built directly on NIST 800-171 controls. So, if you’re compliant with one, are you automatically compliant with the other? Let’s clarify.
NIST SP 800-171 specifies the security requirements for protecting the confidentiality of CUI in nonfederal systems. It becomes mandatory when a contract clause invokes it; for DoD contractors that clause is DFARS 252.204-7012. CMMC 2.0 Level 2 takes those same 110 requirements and adds a verification layer (a self-assessment or a C3PAO assessment, plus an annual affirmation) as a condition of working with the Department of Defense.
CMMC 2.0 Level 2 assesses against NIST SP 800-171 Rev. 2. NIST published Rev. 3 in May 2024, but the DoD issued a class deviation the same month so that DFARS 252.204-7012, and therefore CMMC, continue to reference Rev. 2 until the DoD says otherwise. Organizations starting out should build to Rev. 2 for assessment purposes while tracking the Rev. 3 changes (such as the new Planning and Supply Chain Risk Management families) so the eventual transition is not a surprise.
The good news is that if your organization is already fully compliant with NIST SP 800-171, you're well on your way to meeting CMMC Level 2. The requirements are the same; CMMC adds formal verification through a C3PAO assessment or a self-assessment with a senior official's affirmation. That verification is the added assurance that the controls are not just documented, but implemented and maintained.
To know which framework applies to you, start by reviewing your contracts and the type of information you handle. That will determine whether you need to meet NIST 800-171, CMMC Level 2, or both.

What is the CMMC 2.0 assessment process?
The CMMC assessment process varies depending on which level of compliance is required. CMMC Level 1 and non-critical Level 2 assessments are less rigorous self-assessments, compared to C3PAO and government-led assessments for Level 2 and Level 3.
Here’s an overview of the assessment process for each CMMC level.

CMMC Level 1: Annual self-assessment
If your organization only handles Federal Contract Information (FCI), you'll need CMMC Level 1. You don't need a third-party assessor, just an annual self-assessment and documentation to back it up.
You'll start by going through the 15 basic cybersecurity practices (based on FAR 52.204-21) and checking whether each one is fully implemented. The DoD publishes a Level 1 self-assessment guide to help you scope the work and walk through each requirement. Every requirement must be MET before you can affirm; unlike Level 2, Level 1 does not permit open items on a POA&M, so any gap has to be remediated first. You then enter the result in SPRS.
To keep things accountable, a senior executive at your company also needs to formally affirm that you’ve completed the self-assessment and that your organization meets the Level 1 requirements.
While not hard requirements for a CMMC Level 1 self-assessment, these documents are highly recommended:
- System Security Plan (SSP): This is your cybersecurity blueprint. It explains how your systems are set up, what security controls you've implemented, and how you protect FCI.
- Plan of Action and Milestones (POA&M): Think of this as your remediation to-do list. At Level 1 it cannot be used to defer a requirement (everything must be MET before affirmation), but it is still the right place to track gaps found during preparation and prove they were closed.
Once everything is documented, reviewed, and signed off, your self-assessment is complete until next year. Just make sure you revisit the process annually, and update your documents as needed to reflect any changes to your systems or processes.
Organizations whose Level 2 contracts permit self-assessment perform one every three years against all 110 NIST SP 800-171 requirements, with a senior official affirming the result annually. The self-assessment produces a score under the DoD Assessment Methodology (110 minus weighted deductions for each unmet requirement), which you enter into SPRS along with the affirmation; the DoD uses this score as a supplier risk metric.
CMMC Level 2: C3PAO assessment
If your organization handles Controlled Unclassified Information (CUI), you'll need to comply with CMMC Level 2. This level is based on the 110 requirements in NIST SP 800-171 Rev. 2, and how you prove compliance depends on the contract.
- For contracts where self-assessment is permitted: You perform a self-assessment every three years, a senior official affirms the result annually, and you document your results with an SSP and, for any eligible open items, a POA&M.
- For contracts involving CUI critical to national security: You're required to pass a certification assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years, again with an annual affirmation.
Once you've selected a C3PAO from the authorized organizations listed on the CyberAB Marketplace, they'll conduct a deep dive into your security environment. That includes reviewing:
- Your SSP, which outlines security controls, policies, and system boundaries.
- Your POA&M, which tracks any areas you’re still working to remediate.
- Your score under the DoD Assessment Methodology, as reported in the Supplier Performance Risk System (SPRS). Scoring starts at 110 and deducts 1, 3, or 5 points for each requirement that is NOT MET. Final certification requires every requirement to be MET. A conditional certification is possible with a score of at least 88 (80 percent of 110), but only if every open item is eligible to remain on a POA&M: items worth more than one point are not eligible (the single exception is FIPS-validated CUI encryption, 3.13.11, when encryption is in place but not FIPS-validated), and neither are 3.1.20, 3.1.22, 3.10.3, 3.10.4, or 3.10.5.
They’ll also want to see supporting documentation like your incident response and reporting plan, access control policy, and separation of duties matrix. A risk mitigation plan, continuous monitoring plan, configuration management plan, and an audit log management plan are also beneficial, although not strict requirements. Expect interviews with staff and possibly system tests to confirm controls are working as expected.
You'll get preliminary feedback after the assessment. If eligible requirements are still NOT MET, you can receive a conditional certification and have 180 days to close them out on your POA&M, after which a C3PAO verifies the closeout; if the deadline is missed, the conditional status lapses. The C3PAO uploads the results to the CMMC instance of eMASS, and once a final status is recorded you're certified for three years, with an annual affirmation required in between.
To stay compliant during that time, you’ll need to maintain your cybersecurity practices, keep your POA&M updated, and monitor your systems for new issues.
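The scoring rules above are easy to get wrong by hand, especially the interaction between the 88-point threshold and which items may sit on a POA&M. The following is an added worked example, not code from the article, from Secureframe, or from the DoD: it encodes the DoD Assessment Methodology scoring (110 minus 1, 3, or 5 points per NOT MET requirement, with the two partial-credit cases for MFA and FIPS encryption) and the 32 CFR 170.21 conditions for a conditional Level 2 certification. The point values in `POINT_VALUES` are an assumption transcribed from memory for the Access Control requirements listed in this article plus a few others; verify every value against the published methodology before relying on it, and extend the table for the rest of the 110 requirements.

```python
"""SPRS score and CMMC Level 2 certification-outcome calculator (added example)."""
from dataclasses import dataclass, field

MAX_SCORE = 110                                     # one point per requirement before deductions
CONDITIONAL_THRESHOLD = (8 * MAX_SCORE + 9) // 10   # ceil(0.8 * 110) = 88

# Point values from the DoD Assessment Methodology for NIST SP 800-171 Rev. 2.
# Assumption: only the Access Control requirements, the two partial-credit
# requirements, and the POA&M-excluded Physical Protection requirements are
# listed, transcribed from memory. Verify against the published methodology.
POINT_VALUES = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.4": 1, "3.1.5": 3, "3.1.6": 1,
    "3.1.7": 1, "3.1.8": 1, "3.1.9": 1, "3.1.10": 1, "3.1.11": 1, "3.1.12": 5,
    "3.1.13": 5, "3.1.14": 1, "3.1.15": 1, "3.1.16": 5, "3.1.17": 5, "3.1.18": 5,
    "3.1.19": 3, "3.1.20": 1, "3.1.21": 1, "3.1.22": 1,
    "3.5.3": 5,     # multifactor authentication
    "3.13.11": 5,   # FIPS-validated cryptography for CUI
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
}

# One-point requirements that 32 CFR 170.21 does not allow on a Level 2 POA&M.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """A NOT MET requirement; `partial` marks the two partial-credit situations."""
    req: str
    partial: bool = False


def points_for(finding: Finding) -> int:
    """Deduction for one NOT MET requirement."""
    if finding.req not in POINT_VALUES:
        raise KeyError(f"no point value loaded for {finding.req}; extend POINT_VALUES")
    if finding.req == "3.5.3" and finding.partial:
        return 3    # MFA for remote and privileged users only, not general users
    if finding.req == "3.13.11" and finding.partial:
        return 3    # CUI is encrypted, but not with FIPS-validated cryptography
    return POINT_VALUES[finding.req]


def sprs_score(findings: list[Finding]) -> int:
    """Score reported to SPRS: 110 minus all deductions (-203 if everything fails)."""
    return MAX_SCORE - sum(points_for(f) for f in findings)


def poam_eligible(finding: Finding) -> bool:
    """May this NOT MET item stay open on a POA&M under a conditional certification?"""
    if finding.req in POAM_EXCLUDED:
        return False
    if finding.req == "3.13.11" and finding.partial:
        return True     # the only item worth more than 1 point allowed on the POA&M
    return points_for(finding) <= 1


@dataclass
class Outcome:
    score: int
    status: str                   # "final", "conditional" or "not certified"
    blockers: list[str] = field(default_factory=list)


def evaluate(findings: list[Finding]) -> Outcome:
    """Apply the Level 2 certification rules to a set of NOT MET findings."""
    score = sprs_score(findings)
    if not findings:
        return Outcome(score, "final")           # all 110 MET: final certification
    blockers = [f.req for f in findings if not poam_eligible(f)]
    if score >= CONDITIONAL_THRESHOLD and not blockers:
        return Outcome(score, "conditional")     # POA&M must be closed within 180 days
    return Outcome(score, "not certified", blockers)


if __name__ == "__main__":
    # Constructed scenarios for illustration, not real assessment data.
    scenarios = {
        "three 1-point AC gaps": [Finding("3.1.8"), Finding("3.1.10"), Finding("3.1.11")],
        "remote access gaps + non-FIPS crypto": [Finding("3.1.12"), Finding("3.1.13"),
                                                 Finding("3.13.11", partial=True)],
        "external connections uncontrolled": [Finding("3.1.20")],
        "no MFA, weak wireless": [Finding("3.5.3"), Finding("3.1.16"), Finding("3.1.17")],
    }
    for name, findings in scenarios.items():
        out = evaluate(findings)
        print(f"{name:38} score={out.score:4} {out.status:14} blockers={out.blockers}")
```

Note the third scenario: a score of 109 still fails, because 3.1.20 can never be carried on a POA&M. The score alone tells you very little about whether you will leave the assessment with a certificate; the identity of the open items matters more.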
CMMC Level 3: Government-led assessment
Level 3 is designed for organizations working on high-stakes, national security-related contracts, and involves the most rigorous requirements.
This level builds on everything from Levels 1 and 2, but adds 24 extra controls from NIST SP 800-172. These are designed to defend against advanced persistent threats (APTs), so the bar is high and the assessment is run directly by the Department of Defense.
Once your organization is ready, you’ll coordinate with the DoD to schedule a government-led assessment. This process is very similar to the third-party assessment at Level 2, but it’s conducted by government assessors instead of a C3PAO.
They’ll review key evidence, including your SSP, POA&M, and relevant policies and technical documents. They’ll also perform interviews, observe your security practices in action, and test your systems to verify that advanced controls are working as intended.
You’ll likely receive a draft report with any deficiencies noted, giving you a chance to fix issues before the final assessment is submitted. Once approved, you’ll be certified for three years.
As with Level 2, ongoing compliance is essential. You’ll need to continuously monitor your systems, update documentation, and keep your POA&M current to reflect any changes to your environment.

CMMC 2.0 certification costs
The DoD published cost estimates as part of the CMMC rulemaking, including assessment costs for each certification level.
According to the DoD's regulatory cost analysis for CMMC 2.0:
- Level 1 self-assessments are expected to cost between $4,000 and $6,000.
- Level 2 self-assessments, conducted every three years, are estimated to cost $37,000 to $49,000.
- Level 2 third-party certification assessments are projected to range from $105,000 to $118,000, which includes the triennial assessment and two annual affirmations.
- Level 3 assessments involve the same costs as Level 2, with an additional $41,000 to meet the more advanced security requirements specific to Level 3.

However, these figures only account for the assessment itself. The broader cost of achieving and maintaining compliance is more complex. It includes both initial preparation and ongoing maintenance, which can vary significantly based on your organization’s current cybersecurity posture, resources, and scope of operations.
Several key factors influence total CMMC compliance costs:
- Internal expertise vs. external support: Organizations with limited internal expertise will likely need to hire consultants for gap assessments, remediation, and documentation, especially with their SSP. This can add significant costs, especially for more complex security requirements.
- Preparation costs: The current state of your cybersecurity program impacts how much preparation will be needed. For example, if you’re already compliant with NIST 800-171, fewer updates may be necessary. But if there are significant gaps, costs could include developing new policies, enhancing security infrastructure, or even implementing a CUI enclave to isolate and protect sensitive information.
- Technology and tools: Certain controls may require additional tools for monitoring, encryption, or secure access. The cost of purchasing, configuring, and maintaining these tools can add up over time.
- Assessment type: Costs will differ based on whether you're conducting a self-assessment or engaging a C3PAO for third-party certification. Third-party assessments tend to be more resource-intensive and costly.
- Organizational Scope: The size and complexity of your organization also influence costs. The number of locations, systems, and personnel involved in processing CUI or FCI will impact preparation, implementation, and maintenance costs. The broader the scope, the higher the potential investment.
Let’s examine common costs associated with CMMC certification to help you ballpark your budget.
Initial preparation costs
Preparation involves identifying gaps, implementing new controls, and updating documentation.
- Gap Assessments:
- Level 1: Internal assessments or external consultants to verify the implementation of basic practices.
- Level 2: Gap assessments for NIST 800-171 can range from $3,500 to $20,000.
- Level 3: More complex gap assessments can range from $20,000 to $50,000+.
- Remediation and Implementation:
- Level 1: Tens of thousands for basic tools and training.
- Level 2: Between $35,000 and $115,000, depending on cybersecurity gaps.
- Level 3: Between $50,000 and $250,000 due to advanced controls and infrastructure needs.
- Consulting services (Optional):
- Consultants can charge $250-$400 per hour for policy development, readiness assessments, and technical implementations.
- CUI enclaves (Optional for Levels 2 and 3):
- Costs range from $300-$400 per user/month or $3,000-$4,000 per month for dedicated systems.
Certification assessment costs
Assessment costs depend on the certification level and whether the assessment is internal or performed by a third party.
- Level 1 self-assessment:
- Estimated at $4,000 to $6,000, including preparation and documentation.
- No POA&M is permitted for assessment purposes; every requirement must be fully remediated before the executive affirmation.
- Level 2 self-assessment (Select non-critical contracts):
- Estimated at $37,000 to $49,000, including preparation and documentation.
- A POA&M may be used for eligible open items (a score of at least 88 and no item worth more than one point, with the exceptions noted above), and must be closed out within 180 days.
- Level 2 C3PAO (Critical Contracts):
- Estimated at $105,000 to $118,000 for the triennial third-party assessment and two annual affirmations.
- Level 3 government-led assessment:
- Estimated at $146,000 to $159,000, including the additional costs for implementing advanced NIST 800-172 controls.
Maintenance and ongoing compliance costs
Maintaining CMMC compliance is an ongoing process that requires continuous monitoring, updates, and training.
- Continuous Monitoring:
- Between $6,500 and $13,000 annually, depending on tools and services used.
- Policy Updates and Documentation Maintenance:
- Recurring costs for consultants or internal personnel to update security policies, POA&Ms (for Levels 2 and 3), and SSPs.
- Employee Training:
- Annual training costs between $15 to $25 per user.
- Managed Security Providers (Optional for Level 3):
- Starting at $2,000 to $3,500 per month, depending on scope and complexity.

Using automation to streamline CMMC 2.0 compliance
Achieving and maintaining CMMC 2.0 compliance can be complex and resource-intensive, but automation tools like Secureframe can significantly reduce the time, cost, and effort involved. We help organizations navigate framework requirements, implement and monitor controls, and achieve continuous compliance not just with CMMC, but also with related standards like NIST 800-171, NIST 800-53, FedRAMP, and many more.
As a small but fast-growing startup supporting the U.S. military, Adyton needed to meet strict federal security standards while operating with a lean team. Compliance was business-critical, but the time and effort required to manage assessments, implement controls, and maintain documentation was draining their internal resources. Director of Operations Stephanei Castro estimates Secureframe saved their team 50-70% of the time and effort involved in achieving NIST 800-53 compliance.
Secureframe gave Adyton a scalable way to manage compliance across NIST 800-53 and CMMC-related requirements, automate continuous monitoring, and reduce the manual lift across their security program — all without having to hire additional staff.
We’ve built Secureframe to deliver that kind of value for every customer, no matter your size or compliance readiness:
- Federal compliance expertise: Our dedicated, world-class team of former CMMC, FISMA, and FedRAMP auditors guide you through federal readiness and assessments.
- Assessment readiness: Simplify audit prep with automated evidence collection, pre-mapped controls, and guided gap assessments aligned to CMMC 2.0.
- Federal cloud integrations: 300+ deep integrations, including AWS GovCloud and Microsoft GCC High, automatically monitor your systems to verify compliance and control performance.
- Policy and document management: Generate your SSP and POA&M, simplify control documentation, and access customizable policies and procedures written by former federal auditors.
- Easier multi-framework compliance: Streamline multi-framework compliance by mapping controls across 40+ federal and industry frameworks, including NIST 800-53, NIST 800-171, NIST CSF 2.0, TX-RAMP 3.0, CJIS, GovRAMP, and FedRAMP.
- Trusted partner network: Our relationships with leading vCISOs, RPOs, 3PAOs, and C3PAOs allow you to prepare for and complete federal assessments faster.
Learn more about how Secureframe can support your organization in achieving and maintaining CMMC 2.0 compliance.
FAQs
What does CMMC compliance mean?
CMMC (Cybersecurity Maturity Model Certification) compliance means that an organization meets the required cybersecurity standards set by the Department of Defense (DoD) to protect sensitive information. The CMMC model mandates that contractors have appropriate cybersecurity measures in place to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What are the 3 levels of CMMC?
The three levels of CMMC are:
- Level 1 (Foundational): Basic cyber hygiene practices.
- Level 2 (Advanced): Aligns with NIST SP 800-171 practices.
- Level 3 (Expert): Adds 24 requirements selected from NIST SP 800-172, focused on defending against advanced persistent threats.
What is CMMC vs NIST?
CMMC is a certification framework specifically created by the DoD to assess and enhance the cybersecurity posture of its contractors. It builds upon NIST SP 800-171, which provides a set of recommended security requirements for protecting the confidentiality of CUI. CMMC incorporates NIST SP 800-171 controls and adds additional practices and processes to improve maturity levels.
What is the difference between CUI and CMMC?
CUI (Controlled Unclassified Information) refers to information that requires protection under federal law, regulations, or government-wide policies but is not classified. CMMC is a certification model that ensures contractors implement sufficient security controls to protect CUI.
Does CMMC only apply to DoD?
Yes, the CMMC framework primarily applies to the defense industrial base (DIB), including DoD contractors and subcontractors. However, it could influence other federal agencies' cybersecurity requirements in the future.
Who needs to be CMMC certified?
Any organization that wants to bid on DoD contracts or handle DoD information must achieve the appropriate CMMC level for the contract's requirements. This includes prime contractors and their subcontractors.
How much does it cost to get CMMC certified?
The cost of CMMC certification can vary widely depending on several factors, including the level of certification required, the size and complexity of the organization, and the existing cybersecurity posture. Costs can range from a few thousand to several hundred thousand dollars, including preparation, assessment, and remediation costs.
Can you self-certify CMMC?
Level 1, and Level 2 for contracts where self-assessment is permitted, allow a self-assessment with an annual affirmation by a senior company official. Level 2 for contracts involving CUI critical to national security requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO), and Level 3 requires a government-led assessment.
What is the difference between FedRAMP and CMMC?
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CMMC, on the other hand, is specifically focused on assessing and certifying the cybersecurity practices of DoD contractors. While FedRAMP is for cloud service providers across various federal agencies, CMMC is for DoD contractors dealing with FCI and CUI.