CMMC Requirements: What You Need to Know

The U.S. government is strengthening cybersecurity measures for defense contractors with CMMC 2.0. Beginning in 2025, you will need to demonstrate that your cybersecurity practices meet the required standards to secure government contracts. This page is designed to help you understand and prepare for the CMMC requirements.

With the official launch of its revised Cybersecurity Maturity Model Certification program (CMMC 2.0), the U.S. Department of Defense (DoD) has set the stage for a new era in cybersecurity standards. Designed to safeguard sensitive information systems within the Defense Industrial Base (DIB), CMMC establishes a robust framework to protect against cyber threats to private defense contractors that work with the U.S. government. 

But in doing so, it’s also created a substantial new regulatory hurdle for small and midsize businesses. Starting in 2025, contractors must prove they can meet a wide range of cybersecurity standards in order to accept a contract award. These requirements are more than a subset of traditional compliance measures—they represent a comprehensive effort to secure the nation's defense supply chain.

On this page, we’ll break down what you need to know about key CMMC requirements and point you toward resources you need to prepare.

Cybersecurity Maturity Model Certification: The Basics

Understanding the fundamentals of CMMC is crucial for any organization aiming to secure contracts with the Department of Defense (DoD). The CMMC framework establishes a three-tiered approach to cybersecurity, with each level defining specific requirements tailored to the sensitivity of the data being protected. From foundational practices for Federal Contract Information (FCI) to advanced safeguards for Controlled Unclassified Information (CUI), the CMMC ensures that contractors’ information systems meet stringent cybersecurity standards. 

CMMC 2.0: Updates and Changes

The rulemaking process for CMMC has been unfolding since the program's initial inception in 2020. Shortly afterwards, the proposed certification model was revised into what is now called CMMC 2.0. Now that the final rule for 32 CFR has been published in the Federal Register, CMMC 2.0 is becoming law, and Department of Defense contractors will soon find that CMMC security requirements are an essential part of new contracts.

From Five Levels to Three Levels

The most significant update in CMMC 2.0 was the change from a five-level certification model to a three-level one. The simplified structure was meant to reduce the complexity of the process and provide Level 1 and some Level 2 contractors with the option to self-assess.

The Three Levels of CMMC 2.0

Level 1

CMMC Level 1 is for defense contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires adherence to 17 basic security practices drawn from FAR 52.204-21 (Federal Acquisition Regulation clause). Level 1 allows for annual self-assessment rather than audits by a third-party accreditation body. 

Level 2

CMMC Level 2 is for DoD contractors who handle (or are contractually required to be able to handle) CUI. This applies to the vast majority of contractors within the defense industrial base (DIB). Level 2 involves full implementation of the 110 practices and 320 objectives across 14 domains outlined in the National Institute of Standards and Technology's (NIST's) Special Publication 800-171 and mandates triennial certification by a CMMC Third-Party Assessment Organization (C3PAO).

Level 3

CMMC Level 3 is designed for DoD contractors handling highly sensitive information that could impact national security if compromised. It mandates advanced, comprehensive cybersecurity measures focused on advanced persistent threat (APT) detection, incident response, and recovery mechanisms. A government-led DIBCAC assessment is required every three years for Level 3 certification.

For a fuller account of the differences between Levels 1, 2, and 3, see our CMMC Levels Guide.

FAQs

Everything contractors need to know about CMMC:

Does CMMC Only Apply to Companies that Work with the DoD?
As of now, CMMC only applies to companies in the DoD supply chain, including contractors and subcontractors who handle FCI or CUI. However, the CMMC program can also impact companies outside the traditional DoD sphere if they are part of broader contracting networks or have compliance needs due to interconnected supply chains. As the DoD's cybersecurity requirements grow stricter, businesses indirectly involved with DoD contracts may also find it beneficial—or necessary—to align with CMMC standards to maintain partnerships and market competitiveness.
Do I Still Need to Comply with NIST SP 800-171 Under CMMC 2.0?
Familiarity with NIST SP 800-171 and compliance with its standards is critical to successfully navigating the CMMC 2.0 process. The security controls in NIST SP 800-171 for protecting CUI are all necessary for Level 2 certification. Think of it like this: If NIST 800-171 is the textbook, CMMC is the test.
Can I Implement CMMC Requirements Myself, or Do I Need Help?
While it’s possible to implement CMMC requirements independently, it can be challenging for small to midsize businesses without expertise in cybersecurity frameworks like NIST SP 800-171 or experience with the CMMC-specific processes. Smaller companies with limited IT resources often benefit from external help, such as a CMMC consultant or a managed service provider (MSP), to ensure compliance and avoid costly missteps. Professional support can streamline cybersecurity assessments, identify gaps, and provide tools or processes to manage security requirements effectively.
Can You Self-Certify CMMC?
Yes. Companies seeking Level 1 certification can perform a self-assessment and submit their score to the Supplier Performance Risk System (SPRS). There is also a self-assessment option for some Level 2 companies, though it will be very limited. The contracts your company bids on will determine whether a Level 2 self-assessment is sufficient or whether you need full Level 2 certification by a C3PAO. It's worth noting, however, that Level 2 certification by a C3PAO opens up far more business opportunities for your company.
How Much Does CMMC Certification Cost?
We estimate that the average DoD contractor looking to achieve Level 2 CMMC certification should expect to budget at least $30,000 for the process. The cost of CMMC certification can vary widely, though, depending on your company’s size, current cybersecurity maturity, and the certification level required.
How Long Does CMMC Certification Take?
Preparing for CMMC certification can be a lengthy process. Depending on your level of readiness when you start, preparation could take a few weeks or up to six to nine months. Once you've prepared and scheduled a third-party assessment, the CMMC audit itself will likely take at least one full work week (i.e. five 8-hour days) for the assessment period.
Is CMMC Replacing DFARS?
CMMC doesn't replace the Defense Federal Acquisition Regulation Supplement (DFARS); it's designed to complement it. DFARS 252.204-7012 already requires defense contractors to implement the 110 controls in NIST SP 800-171 that comprise the security requirements for Level 2 certification. CMMC enhances DFARS by requiring independent third-party assessments to verify compliance, particularly for contracts involving CUI. Contractors still need to comply with DFARS clauses while also achieving the appropriate CMMC certification level to remain eligible for DoD contracts.
How Does CMMC Relate to FedRAMP?

CMMC and FedRAMP (Federal Risk and Authorization Management Program) both focus on improving cybersecurity but apply to different entities and have distinct scopes. CMMC is specific to the DoD and targets contractors in the DIB. FedRAMP, on the other hand, applies to cloud service providers (CSPs) and sets baseline security standards for cloud products and services used by federal agencies, including the DoD.

While separate, the two frameworks can intersect. For example, CMMC requires CSPs to be FedRAMP Moderate or equivalent.

Who Audits CMMC?
Audits are completed by a C3PAO. C3PAOs and CMMC Certified Assessors (CCAs) accredited by the Cyber AB are the only entities authorized to complete a CMMC assessment. Once you select a C3PAO, an assessment team consisting of a lead CCA, a secondary CCA, and an individual conducting quality assurance reviews for the assessment team will begin your audit. (If you work with a third-party organization to prepare for assessment, you may not use the same organization for your audit.)
What Happens If I Fail a CMMC Audit?

Failing a CMMC audit means your company will be ineligible to win or renew DoD contracts requiring CMMC compliance, directly impacting your revenue and competitive standing. A failed audit can hurt your reputation with prime contractors and will effectively double the cost of achieving compliance as you go through the process again and lose out on contracts in the interim.

Proactive measures, such as pre-assessments and gap analyses, are crucial to prevent failure and ensure readiness for future audits. Establishing a Plan of Action and Milestones (POA&M) for bridging any gaps in your security posture can help you achieve conditional certification.

How Does CMMC Relate to Other Cybersecurity Frameworks?
The CMMC framework relates to other cybersecurity frameworks by incorporating and building upon existing standards like NIST SP 800-171, which serves as its foundation. While frameworks like ISO 27001 and FedRAMP focus on broader organizational security or cloud-specific requirements, CMMC is a U.S.-specific program for safeguarding FCI and CUI that applies to non-federal organizations working with the DoD.