
CMMC 2.0 Compliance Guide: Requirements, Levels & Certification Costs
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
If you’re a defense contractor or subcontractor, you already know CMMC 2.0 certification is quickly becoming a condition for winning and keeping Department of Defense work. But the rollout has moved from “coming soon” to “showing up in real solicitations.” As of November 10, 2025, contracting officers have begun including CMMC requirements in new DoD solicitations and contracts under the final acquisition rule.
This guide explains what CMMC 2.0 requires, how to determine the level that applies to you, how assessments work, what certification actually costs, and what you should be doing now to avoid delays when requirements appear in your next solicitation.
What is the Cybersecurity Maturity Model Certification (CMMC 2.0)?
The CMMC is the Department of Defense’s way of ensuring that all contractors within its supply chain have strong cybersecurity measures in place. It was created to address rising cyber threats, inconsistent security practices, and the need to protect sensitive defense information across the entire supply chain.
Before CMMC, there were major gaps in security readiness among contractors. Some had strong controls in place, others didn’t. CMMC helps standardize expectations and introduces a third-party certification layer to ensure all contractors meet the required baseline level of security.
Who needs to comply with CMMC 2.0?
If you work with the DoD and handle Federal Contract Information (FCI), Security Protection Data (SPD), or Controlled Unclassified Information (CUI), you’ll need to meet the CMMC level specified in your contract. This includes both prime contractors and subcontractors.

You can determine your exact compliance requirements by:
- Reviewing your DoD contracts or RFPs for CMMC clauses, including the DFARS (Defense Federal Acquisition Regulation Supplement) cybersecurity clauses that spell out the CMMC requirements that apply to the contract.
- Assessing whether you store or transmit FCI, SPD, or CUI and which asset categorization you fall into. This will determine which level of CMMC certification you’ll need.
- Communicating with your prime contractor if you’re a subcontractor. Prime contractors are responsible for ensuring that their subcontractors meet the necessary CMMC requirements, so they should provide guidance and set expectations.
When does CMMC 2.0 go into effect?
The DoD began developing the CMMC framework in 2019 to strengthen cybersecurity standards for defense contractors and subcontractors. The framework builds upon existing requirements under DFARS Clause 252.204-7012 by introducing a verification process through self-assessments and third-party certification, depending on the level of sensitivity of the information handled.
The initial version, CMMC 1.0, was introduced under an interim rule in 2020. In November 2021, the DoD announced CMMC 2.0, a streamlined version of the original framework that reduced the number of levels and aligned more closely with NIST SP 800-171 requirements. This announcement marked the beginning of a formal rulemaking process.
CMMC 2.0 became enforceable through a two-rule process: one rule created the program and assessment ecosystem, and the second rule made CMMC a contractual requirement in DoD solicitations.
The CMMC Program Rule (32 CFR Part 170) was published on October 15, 2024 and took effect on December 16, 2024. It establishes the CMMC framework, including levels, assessment types, and the certification process.
The CMMC Acquisition Rule (48 CFR / DFARS) was published on September 10, 2025 and became effective on November 10, 2025. This is the rule that allows contracting officers to include CMMC requirements in solicitations and contracts through DFARS 252.204-7021.
The program is now active, and CMMC requirements are entering contracts in phases.
- Phase 1 (began November 10, 2025): CMMC requirements may appear in solicitations now, and many contracts will require Level 1 (self) or Level 2 (self) as a condition of award.
- Phase 2 (begins November 10, 2026): DoD expands use of third-party Level 2 assessments. Many Level 2 contractors should plan on needing a C3PAO certification to win awards as Phase 2 ramps.
- Phase 3 (begins November 10, 2027): Additional scaling, including increased use of Level 3 for the most sensitive work.
- Phase 4 (begins November 10, 2028): Full implementation of CMMC 2.0 across all applicable DoD contracts.

As of February 1, 2026, DoD issued class deviations as part of a broader FAR/DFARS reorganization. One practical effect is that the older “basic self-assessment” mechanics tied to DFARS 252.204-7019/7020 may no longer appear the same way in newer solicitations. You may see different clause numbers pointing to the same underlying expectations depending on the contract vehicle and which deviation is being used. The key takeaway is that DoD is not backing away from enforcement: CMMC is now the primary path for demonstrating compliance and contract eligibility.
CMMC 2.0 levels: How to determine your compliance requirements

Not every company handles the same type of sensitive information, so not everyone has to meet the same strict cybersecurity standards.
For instance, a small business working with basic project details for the DoD doesn’t need the same level of security as a contractor managing highly sensitive military data. That’s why CMMC 2.0 is designed as a maturity model with three levels, each one adding more advanced safeguards based on the sensitivity of the information handled.
This tiered approach keeps compliance manageable, especially for smaller businesses, and encourages organizations to strengthen their cybersecurity posture as they take on more sensitive work. It’s about having the right level of protection without overcomplicating things or spending more than necessary.

Let’s take a closer look at the three levels of CMMC 2.0 compliance to help you determine which compliance level applies.
CMMC Level 1: Foundational
CMMC Level 1 ensures that companies implement basic cybersecurity practices to protect FCI. It includes 15 fundamental practices based on FAR 52.204-21 focused on safeguarding access, authentication, media protection, physical security, communications protection, and system integrity. Level 1 compliance involves an annual self-assessment and executive affirmation.
CMMC Level 2: Advanced
CMMC 2.0 Level 2 compliance is more extensive than Level 1 and is designed for organizations handling CUI. It aligns with the NIST SP 800-171 framework and includes 110 security practices. Third-party assessments for critical national security information are conducted every three years, and annual self-assessments are conducted for non-critical information.
CMMC Level 3: Expert
CMMC 2.0 Level 3 is the highest level and applies to contractors working on the most sensitive national security programs involving CUI. It focuses on advanced cybersecurity practices to protect against Advanced Persistent Threats (APTs). It builds on the practices of Levels 1 and 2 and incorporates 24 additional requirements from a subset of NIST SP 800-172 controls (specific practices are defined by the DoD). Before pursuing Level 3, organizations must satisfy compliance requirements for CMMC Level 2. A government-led assessment by the DoD is conducted every three years.
In addition to referring to the CyberAB website and the Department of Defense CMMC page for official guidance and resources on CMMC requirements, asset categorizations, and levels, you can use the decision tree below to help determine which level applies to you.

What are the CMMC 2.0 requirements?
CMMC isn’t just about having security tools in place. It’s about being able to demonstrate, document, and defend how each required control is implemented in your actual environment. That means you’ll need a combination of technical safeguards, written policies and procedures, and evidence that those controls are operating as intended.
CMMC 2.0 controls are grouped into 14 domains, each representing a key area of cybersecurity. These domains are:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each CMMC maturity level includes specific requirements within these domains. These requirements are the actual policies, procedures, or security controls that organizations must implement to achieve the corresponding level of cybersecurity maturity. Requirements are cumulative, meaning that higher levels include all of the requirements from the lower levels.
For example, within the Access Control (AC) domain, requirements expand significantly as you move from Level 1 to Level 2 and Level 3.
Level 1:
- 3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- 3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- 3.1.20: Verify and control/limit connections to and use of external information systems.
- 3.1.22: Control information posted or processed on publicly accessible information systems.
Level 2 organizations, in addition to the Level 1 controls, must implement:
- 3.1.3: Control the flow of CUI in accordance with approved authorizations.
- 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6: Use non-privileged accounts or roles when accessing non-security functions.
- 3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- 3.1.8: Limit unsuccessful logon attempts.
- 3.1.9: Provide privacy and security notices consistent with applicable CUI rules.
- 3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
- 3.1.11: Terminate (automatically) user sessions after a defined condition.
- 3.1.12: Monitor and control remote access sessions.
- 3.1.14: Route remote access via managed access control points.
- 3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information.
- 3.1.16: Authorize wireless access prior to allowing such connections.
- 3.1.17: Protect wireless access using authentication and encryption.
- 3.1.18: Control connection of mobile devices.
- 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
- 3.1.21: Limit use of portable storage devices on external systems.
Level 3 adds 24 requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. This is a supplement to NIST SP 800-171 that details security measures for protecting against advanced persistent threats (APTs).
Under NIST 800-172, Access Control requirements also include:
- 3.1.3e: Employ organization-defined secure information transfer solutions to control information flows between security domains on connected systems.
This tiered structure helps organizations systematically improve their cybersecurity posture by implementing increasingly mature practices.
Most organizations should also plan to maintain a few core artifacts throughout readiness and assessment: a System Security Plan (SSP) that reflects your actual system boundaries, a Plan of Action and Milestones (POA&M) that tracks gaps and remediation, and supporting evidence (logs, configuration settings, tickets, screenshots, training records, and incident response documentation) that proves the controls are not only designed, but in use.

What’s the difference between CMMC 2.0 and NIST 800-171?
There’s often confusion about the relationship between CMMC 2.0 Level 2 and NIST 800-171, especially since Level 2 is built directly on NIST 800-171 controls. So, if you’re compliant with one, are you automatically compliant with the other? Let’s clarify.
NIST 800-171 outlines the security requirements federal contractors must follow to protect Controlled Unclassified Information (CUI). It’s mandatory for any contractor handling CUI for a federal agency. CMMC 2.0 Level 2 takes those same requirements and adds a certification layer to meet requirements for working with the Department of Defense.
CMMC 2.0 Level 2 is currently based on NIST 800-171 Rev 2, which remains the governing version for CMMC assessments. However, it’s important to know that NIST 800-171 Rev 3 has been published. While CMMC 2.0 is still tied to Rev 2 for now, organizations that are just beginning their compliance initiatives are advised to implement NIST 800-171 Rev 3.
The good news is that if your organization is already fully compliant with NIST 800-171, you're well on your way to meeting CMMC Level 2. The core controls are the same, but CMMC adds formal verification through third-party assessment or executive attestation. This certification is the added assurance that NIST 800-171 controls are not just in place, but properly implemented and maintained.
To know which framework applies to you, start by reviewing your contracts and the type of information you handle. That will determine whether you need to meet NIST 800-171, CMMC Level 2, or both.

What is the CMMC 2.0 assessment process?
The CMMC assessment process varies depending on which level of compliance is required. CMMC Level 1 and non-critical Level 2 assessments are less rigorous self-assessments, compared to C3PAO and government-led assessments for Level 2 and Level 3.
Here’s an overview of the assessment process for each CMMC level.

CMMC Level 1: Annual self-assessment
If your organization only handles Federal Contract Information (FCI), you’ll need CMMC Level 1. You don’t need a third-party auditor, just an annual self-assessment and a bit of documentation to back it up.
You’ll start by going through 15 basic cybersecurity practices (based on FAR 52.204-21) and check whether each one is fully in place. The DoD provides a useful self-assessment guide to help you scope the work and walk through each requirement. You’ll document your findings and fix any critical gaps before moving forward.
To keep things accountable, a senior executive at your company also needs to formally affirm that you’ve completed the self-assessment and that your organization meets the Level 1 requirements.
While not hard requirements for CMMC Level 1 self-assessments, these documents are highly recommended:
- System Security Plan (SSP): This is your cybersecurity blueprint. It explains how your systems are set up, what security controls you’ve implemented, and how you protect FCI.
- Plan of Action and Milestones (POA&M): Think of this as your to-do list. If any requirements aren’t fully in place yet, the POA&M outlines how and when you plan to fix them.
Once everything is documented, reviewed, and signed off, your self-assessment is complete until next year. Just make sure you revisit the process annually, and update your documents as needed to reflect any changes to your systems or processes.
Organizations handling Level 2 non-critical CUI can also perform an annual self-assessment against the applicable controls from NIST SP 800-171. Similar to Level 1, a senior executive will need to affirm the results of the self-assessment with a letter of attestation. You’ll also need an SPRS score for your self-attestation, which is a cybersecurity performance metric the DoD uses to evaluate risk.
CMMC Level 2: C3PAO assessment
If your organization handles Controlled Unclassified Information (CUI) or Security Protection Data (SPD), you’ll need to comply with CMMC Level 2. This level is based on the 110 controls in NIST SP 800-171—and how you prove compliance depends on the type of contract you’re working under.
- For non-critical contracts: You can perform an annual self-assessment, similar to Level 1. You’ll still need a senior executive to sign off, and you’ll document your results with an SSP and POA&M.
- For critical contracts: You’re required to pass a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years.
Once you’ve selected a C3PAO from the list of authorized organizations published by the CyberAB, they’ll conduct a deep dive into your security environment. That includes reviewing:
- Your SSP, which outlines security controls, policies, and system boundaries.
- Your POA&M, which tracks any areas you’re still working to remediate.
- Your Supplier Performance Risk System (SPRS) Assessment score.
They’ll also want to see supporting documentation like your incident response and reporting plan, access control policy, and separation of duties matrix. A risk mitigation plan, continuous monitoring plan, configuration management plan, and an audit log management plan are also beneficial, although not strict requirements. Expect interviews with staff and possibly system tests to confirm controls are working as expected.
You’ll get preliminary feedback after the assessment. If anything needs to be fixed, you’ll have the chance to address it within 180 days as long as it’s documented within your POA&M. Once your final report is submitted to the CyberAB and approved, you’ll be officially certified for three years.
To stay compliant during that time, you’ll need to maintain your cybersecurity practices, keep your POA&M updated, and monitor your systems for new issues.
CMMC Level 3: Government-led assessment
Level 3 is designed for organizations working on high-stakes, national security-related contracts, and involves the most rigorous requirements.
This level builds on everything from Levels 1 and 2, but adds 24 extra controls from NIST SP 800-172. These are designed to defend against advanced persistent threats (APTs), so the bar is high and the assessment is run directly by the Department of Defense.
Once your organization is ready, you’ll coordinate with the DoD to schedule a government-led assessment. This process is very similar to the third-party assessment at Level 2, but it’s conducted by government assessors instead of a C3PAO.
They’ll review key evidence, including your SSP, POA&M, and relevant policies and technical documents. They’ll also perform interviews, observe your security practices in action, and test your systems to verify that advanced controls are working as intended.
You’ll likely receive a draft report with any deficiencies noted, giving you a chance to fix issues before the final assessment is submitted. Once approved, you’ll be certified for three years.
As with Level 2, ongoing compliance is essential. You’ll need to continuously monitor your systems, update documentation, and keep your POA&M current to reflect any changes to your environment.

CMMC 2.0 certification costs
The DoD recently released cost estimates for organizations seeking to achieve and maintain CMMC 2.0 compliance, including assessment costs for each certification level.
According to the DoD’s proposed rule for CMMC 2.0:
- Level 1 self-assessments are expected to cost between $4,000 and $6,000.
- Level 2 self-assessments, conducted every three years, are estimated to cost $37,000 to $49,000.
- Level 2 third-party certification assessments are projected to range from $50,000 to $118,000, which includes the triennial assessment and two annual affirmations.
- Level 3 assessments involve the same costs as Level 2, with an additional $41,000 to meet the more advanced security requirements specific to Level 3.

However, these figures only account for the assessment itself. The broader cost of achieving and maintaining compliance is more complex. It includes both initial preparation and ongoing maintenance, which can vary significantly based on your organization’s current cybersecurity posture, resources, and scope of operations.
Several key factors influence total CMMC compliance costs:
- Internal expertise vs. external support: Organizations with limited internal expertise will likely need to hire consultants for gap assessments, remediation, and documentation, especially with their SSP. This can add significant costs, especially for more complex security requirements.
- Preparation costs: The current state of your cybersecurity program impacts how much preparation will be needed. For example, if you’re already compliant with NIST 800-171, fewer updates may be necessary. But if there are significant gaps, costs could include developing new policies, enhancing security infrastructure, or even implementing a CUI enclave to isolate and protect sensitive information.
- Technology and tools: Certain controls may require additional tools for monitoring, encryption, or secure access. The cost of purchasing, configuring, and maintaining these tools can add up over time.
- Assessment type: Costs will differ based on whether you're conducting a self-assessment or engaging a C3PAO for third-party certification. Third-party assessments tend to be more resource-intensive and costly.
- Organizational Scope: The size and complexity of your organization also influence costs. The number of locations, systems, and personnel involved in processing CUI or FCI will impact preparation, implementation, and maintenance costs. The broader the scope, the higher the potential investment.
Below is a breakdown of common cost categories to help you estimate the investment required for certification and ongoing compliance.
Initial preparation costs
Preparation involves identifying gaps, implementing new controls, and updating documentation.
- Gap assessments:
  - Level 1: Internal assessments or external consultants to verify the implementation of basic practices.
  - Level 2: Gap assessments for NIST 800-171 can range from $3,500 to $20,000.
  - Level 3: More complex gap assessments can range from $20,000 to $50,000+.
- Remediation and implementation:
  - Level 1: Tens of thousands for basic tools and training.
  - Level 2: Between $35,000 and $115,000, depending on cybersecurity gaps.
  - Level 3: Between $50,000 and $250,000 due to advanced controls and infrastructure needs.
- Consulting services (optional):
  - Consultants can charge $250-$400 per hour for policy development, readiness assessments, and technical implementations.
- CUI enclaves (optional for Levels 2 and 3):
  - Costs range from $300-$400 per user/month or $3,000-$4,000 per month for dedicated systems.
Certification assessment costs
Assessment costs depend on the certification level and whether the assessment is internal or performed by a third party.
- Level 1 self-assessment:
  - Estimated at $4,000 to $6,000, including preparation and documentation.
  - No POA&M is required, and gaps must be fully remediated before executive affirmation.
- Level 2 self-assessment (select non-critical contracts):
  - Estimated at $37,000 to $49,000, including preparation and documentation.
  - A POA&M is required to document any gaps identified.
- Level 2 C3PAO assessment (critical contracts):
  - Estimated at $105,000 to $118,000 for the triennial third-party assessment and two annual affirmations.
- Level 3 government-led assessment:
  - Estimated at $146,000 to $159,000, including the additional costs for implementing advanced NIST 800-172 controls.
Maintenance and ongoing compliance costs
Certification is triennial at Levels 2 and 3, but compliance is continuous.
- Continuous monitoring:
  - Between $6,500 and $13,000 annually, depending on tools and services used.
- Policy updates and documentation maintenance:
  - Recurring costs for consultants or internal personnel to update security policies, POA&Ms (for Levels 2 and 3), and SSPs.
- Employee training:
  - Annual training costs between $15 and $25 per user.
- Managed security providers (optional for Level 3):
  - Starting at $2,000 to $3,500 per month, depending on scope and complexity.

Streamline CMMC 2.0 compliance with Secureframe Defense
Achieving and maintaining CMMC 2.0 compliance can be complex and resource-intensive, especially for contractors that are being asked to meet Level 2 requirements on a tight timeline. The hardest part usually isn’t understanding the requirements. It’s building a defensible scope, standing up a compliant environment, and keeping evidence and documentation current as your systems change.
That’s exactly what Secureframe Defense is built to simplify. It combines AI-powered automation with purpose-built capabilities for the Defense Industrial Base, including automated cloud provisioning, guided CMMC scoping and implementation workflows, and assessment-ready documentation that stays aligned to your real environment.
As a small but fast-growing startup supporting the U.S. military, Adyton needed to meet strict federal security standards while operating with a lean team. Compliance was business-critical, but the time and effort required to manage assessments, implement controls, and maintain documentation was draining their internal resources. Director of Operations Stephanie Castro estimates Secureframe saved their team 50–70% of the time and effort involved in achieving NIST 800-53 compliance.
With Secureframe Defense, contractors can take a similar approach to CMMC readiness, with capabilities designed specifically for Level 2 and enclave-based environments. For example, teams can provision a compliant cloud environment in minutes instead of spending weeks coordinating infrastructure, configurations, and security baselines. If you’re using an enclave strategy, Secureframe Defense can pair that environment with secure virtual desktops or Federal MDM to help keep CUI within a clearly defined boundary. Designing that boundary correctly often determines both your audit complexity and your long-term compliance costs.
From there, Defense Navigator provides a structured, step-by-step workflow for scoping assets, mapping requirements, tracking remediation, and preparing for assessment. Secureframe Defense also generates key documentation like your SSP and POA&M based on your live environment, so you’re not trying to keep critical artifacts up to date manually in spreadsheets and static templates.
If you’re preparing for CMMC Level 2, Secureframe Defense helps you move faster with less manual effort while building a compliance posture that’s easier to explain, defend, and maintain. Schedule a demo to see how Secureframe Defense provisions a CMMC-ready environment and streamlines your path to certification.
This post was originally published in June 2024 and has been updated for accuracy and comprehensiveness.
FAQs
What does CMMC compliance mean?
CMMC (Cybersecurity Maturity Model Certification) compliance means that an organization meets the required cybersecurity standards set by the Department of Defense (DoD) to protect sensitive information. The CMMC model mandates that contractors have appropriate cybersecurity measures in place to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What are the 3 levels of CMMC?
The three levels of CMMC are:
- Level 1 (Foundational): Basic cyber hygiene practices.
- Level 2 (Advanced): Aligns with NIST SP 800-171 practices.
- Level 3 (Expert): Aligns with NIST SP 800-171 practices and a subset of 24 NIST SP 800-172 controls, focused on advanced/progressive cybersecurity practices.
What is CMMC vs NIST?
CMMC is a certification framework specifically created by the DoD to assess and enhance the cybersecurity posture of its contractors. It builds upon NIST SP 800-171, which provides a set of recommended security requirements for protecting the confidentiality of CUI. CMMC incorporates NIST SP 800-171 controls and adds additional practices and processes to improve maturity levels.
What is the difference between CUI and CMMC?
CUI (Controlled Unclassified Information) refers to information that requires protection under federal law, regulations, or government-wide policies but is not classified. CMMC is a certification model that ensures contractors implement sufficient security controls to protect CUI.
Does CMMC only apply to DoD?
Yes, the CMMC framework primarily applies to the defense industrial base (DIB), including DoD contractors and subcontractors. However, it could influence other federal agencies' cybersecurity requirements in the future.
Who needs to be CMMC certified?
Any organization that wants to bid on DoD contracts or handle DoD information must achieve the appropriate CMMC level for the contract's requirements. This includes prime contractors and their subcontractors.
How much does it cost to get CMMC certified?
The cost of CMMC certification can vary widely depending on several factors, including the level of certification required, the size and complexity of the organization, and the existing cybersecurity posture. Costs can range from a few thousand to several hundred thousand dollars, including preparation, assessment, and remediation costs.
Can you self-certify CMMC?
Some levels of CMMC allow for an annual self-assessment along with a senior executive attestation. Higher CMMC levels require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) or a government-led assessment.
What is the difference between FedRAMP and CMMC?
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CMMC, on the other hand, is specifically focused on assessing and certifying the cybersecurity practices of DoD contractors. While FedRAMP is for cloud service providers across various federal agencies, CMMC is for DoD contractors dealing with FCI and CUI.

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.