What CMMC Is (The One-Paragraph Version)
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's program to verify that defense contractors actually protect sensitive government information rather than merely claim to. Any company that wants to perform on a DoD contract involving Federal Contract Information or Controlled Unclassified Information must meet the CMMC level named in that contract. For the large majority of contracts involving CUI that means Level 2 with a certification assessment by an authorized third-party organization (a C3PAO); Level 1 and a minority of Level 2 contracts allow self-assessment, but the rule and the contract, not the contractor, decide which applies.
Why CMMC Exists
The short version: the DoD's supply chain was getting hacked, and the existing rules weren't working.
Since 2016, DoD contracts have included a clause (DFARS 252.204-7012) requiring contractors to protect CUI using the security requirements in NIST SP 800-171. Contractors attested to compliance, and since late 2020 (DFARS 252.204-7019 and -7020) have also had to post a self-assessment score in SPRS. But DoD audits and assessments found that many contractors who had attested to compliance had significant gaps, sometimes fundamental ones such as no multi-factor authentication on any system. The data kept leaking.
CMMC replaced self-attestation with third-party verification. Now, instead of a contractor saying "yes, we're compliant" and signing a form, an independent authorized assessor comes in, reviews your environment, interviews your staff, tests your controls, and issues (or withholds) a certificate. It's harder to fake.
The Three Levels
CMMC 2.0 has three levels, and the one you need depends on what kind of information you handle:
- Level 1 — Foundational: the 15 basic safeguarding requirements of FAR 52.204-21, covering things like malware protection, identifying and authenticating users, and limiting system access to authorized users. Required if you handle Federal Contract Information (FCI), basic contract information such as purchase orders and invoices that is not intended for public release. Annual self-assessment entered in SPRS, plus an annual affirmation by a senior company official.
- Level 2 — Advanced: the 110 security requirements of NIST SP 800-171 Revision 2. Required if you handle CUI (Controlled Unclassified Information) such as engineering drawings, technical specifications, and test data. For most contracts this means a certification assessment by an authorized C3PAO every three years; a smaller set of contracts allows a Level 2 self-assessment on the same three-year cycle. Either way, an annual affirmation is required.
- Level 3 — Expert: the full Level 2 set plus 24 additional requirements drawn from NIST SP 800-172, for the highest-risk programs. Required for a small subset of contractors working on the most critical defense systems. Assessed by the government (DCMA's DIBCAC), and only after the contractor already holds a Level 2 certification.
Most defense contractors who manufacture or engineer things need Level 2. If you receive engineering drawings or technical specifications from a prime contractor, you almost certainly need Level 2.
Who Needs CMMC
Any company in the Defense Industrial Base (DIB) that handles CUI or FCI needs CMMC. That includes:
- Prime contractors who receive DoD contracts directly
- Subcontractors who receive CUI from primes
- Any company in the supply chain that works with controlled technical data
- IT service providers and MSPs whose staff or systems can access CUI. These are external service providers under the rule and are examined as part of their customer's assessment scope, so their practices affect your certification.
If any of your work under DoD contracts involves technical data (drawings, specs, test results), you are in scope. The trigger is not the dollar value of the contract or the size of your company; it is whether CUI (or, for Level 1, FCI) is present in the work. The main exclusion is an acquisition solely for commercial-off-the-shelf items, which carries no CMMC requirement.
The Timeline
CMMC is rolling out in phases. The program rule (32 CFR Part 170) took effect on December 16, 2024, and the phases are counted from the date the DFARS contract clause took effect (November 10, 2025). The schedule:
- Phase 1 (from the DFARS clause effective date): Level 1 and Level 2 self-assessment requirements appear in applicable solicitations and contracts; DoD may require Level 2 certification in some.
- Phase 2 (one year later): Level 2 certification by a C3PAO is required in applicable solicitations. Primes flow the requirement down to subcontractors that handle CUI.
- Phase 3 (two years later): Level 3 certification requirements begin.
- Phase 4 (three years later): full implementation. CMMC requirements appear in all applicable DoD solicitations and contracts, and lacking the required certification means not being eligible for award.
The practical implication: if you do defense work and don't have CMMC Level 2, your ability to win or renew contracts is increasingly at risk. Primes are already asking subs for compliance documentation.
What CMMC Costs
The honest answer: it depends on your starting point and the size of your CUI environment. Rough ranges for Level 2 certification:
- Small companies (10–25 people, tight CUI scope): $50,000–$100,000 first year, $15,000–$25,000 annually thereafter
- Mid-size companies (25–100 people, moderate scope): $80,000–$200,000 first year, $20,000–$50,000 annually
- Larger operations or complex environments: $150,000–$400,000+ first year
The biggest variables are: how tight your CUI enclave is, how far your existing security posture is from NIST 800-171, and whether you need significant technology infrastructure changes. See our detailed cost guide for a full breakdown.
How to Get Started
- Take a free readiness assessment — Understand where you stand before you spend a dollar. Our free readiness check gives you a baseline in 2 minutes.
- Define your CUI environment — Understand what data you handle, where it lives, and which systems touch it. See our scoping guide.
- Conduct a gap assessment — Measure your current security posture against the 110 controls. See the full control checklist.
- Remediate your gaps — Fix what's broken. Implement what's missing. This is the longest phase — budget 6–12 months for a typical small company.
- Write your policies and SSP — Document everything. See our policies guide.
- Book a C3PAO now — Assessment slots are scarce. Book early while you're still in remediation. See our guide to choosing a C3PAO.
- Get certified — Pass your assessment. Maintain your controls. Renew every three years.
The single most common mistake: waiting until a contract requires CMMC to start the process. By then, you're in a 12–18 month remediation project with a 6–12 month assessor wait time on top. Start now.
Key Terms You'll Encounter
- CUI — Controlled Unclassified Information. Information the government creates or possesses that must be safeguarded under law, regulation, or government-wide policy but is not classified. The technical data at the center of CMMC.
- FCI — Federal Contract Information. Information provided by or generated for the government under contract that is not intended for public release. Less sensitive than CUI. Triggers Level 1.
- NIST SP 800-171 — The NIST publication that defines the 110 security requirements for Level 2. CMMC is pinned to Revision 2.
- SSP — System Security Plan. The master document describing your security environment.
- C3PAO — CMMC Third-Party Assessment Organization. An organization authorized by the Cyber AB to conduct Level 2 certification assessments.
- CCA — Certified CMMC Assessor. The individual assessors who work for C3PAOs.
- RPO — Registered Practitioner Organization. Consultants registered with the Cyber AB who help you prepare for assessment. An RPO cannot certify you, and a C3PAO cannot assess a company it has consulted for.
- POA&M — Plan of Action and Milestones. Document describing unmet requirements and your timeline to fix them. Under CMMC a POA&M is allowed only for a limited set of lower-weighted requirements, your assessment score must still reach at least 80% (88 of 110), and open items must be closed within 180 days or the conditional certification lapses.
- DFARS — Defense Federal Acquisition Regulation Supplement. The regulation that put CUI protection requirements in DoD contracts.
- SPRS — Supplier Performance Risk System. The DoD system where your NIST SP 800-171 self-assessment score, your CMMC status, and your annual affirmations are recorded and visible to contracting officers.
Where to Get Help
There are several types of organizations that can help:
- Registered Practitioner Organizations (RPOs) — CMMC consultants registered with the Cyber AB. They advise and prepare you but cannot conduct the certification assessment. Find them at cyberab.org/marketplace.
- PTAC (Procurement Technical Assistance Centers), now called APEX Accelerators — Free government-funded advisory services for small defense contractors. Many now have CMMC expertise. Find your local center at aptac.org.
- SBDC (Small Business Development Centers) — Another free government resource that is increasingly CMMC-aware.
- MyCMMC.org — Our free readiness check and resource library is designed specifically for small defense contractors who don't have CMMC expertise on staff.
Our free 2-minute assessment gives you a plain-English picture of your CMMC readiness and tells you exactly what to do first.
Frequently Asked Questions
Does a small company really need CMMC?
If you receive CUI (engineering drawings, technical specs, test data) in connection with a DoD contract, yes. Size does not grant an exemption. A 5-person machine shop that machines aerospace components from controlled drawings needs CMMC Level 2. A 3-person engineering firm that receives export-controlled design data needs CMMC Level 2. The requirement follows the data, not the company size.
How fast can we get certified?
The fastest realistic path: hire an RPO to conduct a rapid gap assessment (4–8 weeks), address your highest-priority gaps immediately while working through the rest in parallel, write your policies and SSP concurrently with remediation, and book your C3PAO assessment now, even before remediation is done. A company starting with reasonably mature IT practices can reach certification in 6–9 months. Starting from scratch with poor IT hygiene: 12–18 months minimum.
What happens if we don't get certified?
Several things, progressively worse. First, you cannot bid on new contracts that require CMMC. Second, existing contracts that are renewed or modified will likely require CMMC. Third, primes that must be certified themselves will stop giving subcontract work involving CUI to uncertified subs. Fourth, if you have been attesting to compliance you did not have, you face potential False Claims Act liability. See our detailed guide to the costs of non-compliance.
How does CMMC relate to NIST SP 800-171?
CMMC Level 2 is NIST SP 800-171 Revision 2: all 110 requirements are in CMMC Level 2, unchanged. The difference is enforcement. NIST SP 800-171 was already the contractual requirement under DFARS 252.204-7012; CMMC is the verification mechanism. Previously you could self-attest to NIST SP 800-171 compliance; CMMC Level 2 requires, for most contracts, a third-party assessment to verify it. Think of NIST SP 800-171 as the rulebook and CMMC as the referee.
How long does a certification last?
CMMC Level 2 certificates are valid for three years. After that, you need a new C3PAO assessment to renew. During those three years you must keep the controls in place continuously, a senior official must affirm continued compliance in SPRS every year, and significant changes to the assessed environment can require reassessment. Certification is not 'set it and forget it'; it requires ongoing maintenance.
We only do occasional defense work. Do we still need it?
You only need CMMC for contracts that require it, and the level is set by the data involved. If you occasionally bid on defense work that involves controlled technical data, you will need Level 2 to be competitive on those bids. Contracts solely for commercial-off-the-shelf items carry no CMMC requirement, and contracts with FCI but no CUI need only Level 1. The question is always: does the work involve CUI?
Can we use cloud services for our CUI environment?
Yes, and for most small contractors a cloud-first approach built on FedRAMP-authorized services is simpler and cheaper than building on-premises infrastructure. Microsoft 365 GCC High covers many of the email, collaboration, and document-handling requirements out of the box, and Azure Government can host infrastructure. The requirement (DFARS 252.204-7012) is that any cloud service that stores, processes, or transmits CUI be authorized at the FedRAMP Moderate baseline or meet an equivalent standard, and that the provider support the clause's incident-reporting and forensic obligations. Many commercial offerings do hold a FedRAMP Moderate authorization, but a commercial tenant may not carry those contractual commitments, and export-controlled (ITAR) CUI adds US-persons and data-location constraints that commercial tenants typically do not satisfy. That is why GCC High is the usual recommendation. Whatever you choose, the cloud provider and any MSP with access to CUI are external service providers and fall inside your assessment scope.
What should we do first?
Take a readiness assessment (ours is free and takes 2 minutes). Beyond that: identify someone in your organization who will own CMMC compliance (a designated employee, an MSP, or an RPO consultant), get a formal gap assessment done by an RPO so you know what you are actually dealing with, and book a C3PAO now even though you are not ready. Assessment slots are scarce. You will use the time between booking and your assessment date for remediation.
Start your CMMC journey today. Don't wait for a contract to require it.
Our free readiness check gives you a baseline, a prioritized action list, and matches you with help. Takes 2 minutes.