Requirements guide for DoD defense contractors pursuing CMMC certification at Level 1, 2, or 3
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is the Department of Defense's framework for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). As of November 10, 2025, CMMC requirements appear in all new DoD solicitations and contracts.
CMMC replaced the previous self-certification approach under DFARS 252.204-7012, which too many contractors abused by claiming NIST SP 800-171 compliance without actually implementing the required security controls. The new model requires independent third-party assessment for contractors handling CUI, ensuring controls are not just documented but actually working.
This overview provides step-by-step guidance for achieving CMMC certification at each level. Use it to assess your current security posture, identify gaps, and plan your path to certification.
Important: CMMC requirements flow down through the entire supply chain. Even if you're a small subcontractor working for a prime, you need certification if you handle FCI or CUI. Your prime contractor will specify which level you need.
You need Level 1 if your contract only involves FCI—non-public information created for or provided to the government under contract. Examples:
You need Level 2 if your contract involves CUI—sensitive information requiring safeguarding under law, regulation, or policy. Examples:
About 90% of DoD contractors need Level 2.
You need Level 3 only if DoD specifically designates your program as requiring protection against advanced persistent threats (APTs). This is rare—DoD estimates only 1% of contractors will need Level 3.
If your contract doesn't explicitly state "Level 3 required," you probably need Level 2.
CMMC Level 1 implements 17 basic cybersecurity practices from FAR 52.204-21. These practices protect Federal Contract Information and establish foundational cyber hygiene.
Timeline: 2-4 weeks for initial self-assessment, then annual renewal
Cost: Internal time only—no auditor fees for Level 1
CMMC Level 2 requires full implementation of all 110 security requirements from NIST Special Publication 800-171 Revision 2. This is the most common CMMC level—about 90% of defense contractors handling CUI need Level 2 certification.
⚠️ Critical Difference from Level 1:
Level 2 requires third-party assessment by a certified C3PAO. You cannot self-certify. The assessment is pass/fail—partial implementation doesn't count. Every single one of the 110 practices must be marked "Met" or you fail and must remediate.
The 110 security requirements are organized into 14 families. You must implement practices from all families:
Each family contains multiple specific practices. C3PAO assessors evaluate implementation of each practice against assessment objectives defined in the CMMC Assessment Guide.
Note: CMMC uses NIST SP 800-171 Revision 2. While Revision 3 exists, DoD has not yet adopted it for CMMC assessments.
The C3PAO (CMMC Third-Party Assessment Organization) assessment follows a four-phase process:
⚠️ Assessment is Pass/Fail
Unlike the old NIST 800-171 assessment where you got a compliance score, CMMC is binary. Any practice marked "Not Met" means you fail the entire assessment. You don't get certification with partial compliance. This is why thorough preparation before engaging a C3PAO is critical.
The System Security Plan is the foundational document for CMMC Level 2 assessment. Your SSP must include:
Common SSP Mistakes:
CMMC Level 3 builds on all 110 Level 2 practices and adds 24 enhanced security controls from NIST SP 800-172. These controls protect high-value CUI programs against advanced persistent threats (APTs) and sophisticated adversaries.
Key Difference: Level 3 assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO. This is a government-led assessment with higher scrutiny.
The 24 additional controls focus on advanced threat protection:
Level 3 is Rare
DoD estimates only 1% of assessed organizations will require Level 3. Unless your contract explicitly states "CMMC Level 3 required," assume you need Level 2. Level 3 requirements are reserved for programs involving the most sensitive CUI where compromise could cause significant harm to national security.
Level 3 assessments are conducted by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), not C3PAOs:
Timeline: 12-18 months typical from start to certification
Cost: Significantly higher than Level 2 due to enhanced controls and government assessment
The Defense Federal Acquisition Regulation Supplement (DFARS) includes four key cybersecurity clauses. Understanding these clauses helps you understand how CMMC fits into broader DoD cybersecurity requirements.
Effective: December 31, 2017 | Applies to: All DoD contracts with CUI
This is the foundational clause requiring NIST SP 800-171 implementation. Most contractors already have this in their contracts. It predates CMMC and established the baseline security requirements.
What it requires:
Why it matters for CMMC: CMMC Level 2 uses the exact same 110 practices from NIST 800-171. If you're already compliant with DFARS 7012, you're halfway to CMMC—you just need third-party verification via C3PAO assessment.
Effective: November 30, 2020 | Applies to: Contracts requiring Medium or High assessments
This clause notifies contractors they must undergo DoD assessment of NIST 800-171 implementation. It warns that self-certification isn't sufficient.
Key point: Must complete an assessment within 3 years and post the results to the SPRS database.
Effective: November 30, 2020 | Applies to: Contracts with CUI requiring DoD assessment
This clause gives DoD the right to conduct assessments and requires contractors to cooperate fully.
Key point: Must provide access to facilities, systems, personnel, and documentation for assessment.
These two clauses established the assessment framework that CMMC formalized. They're being replaced by DFARS 7021 in new contracts but remain in many existing agreements.
Effective: Phased rollout 2024-2026 | Applies to: New DoD contracts specifying CMMC level
This is the current CMMC-specific clause appearing in contracts since November 2025. It replaces the previous DFARS clauses for most new awards.
What it requires:
No Certification = No Contract Award
Unlike previous DFARS clauses where you could start work with a Plan of Action, DFARS 7021 requires certification BEFORE contract award. You cannot win contracts without valid CMMC certification at the required level. This makes early preparation critical—don't wait until you see a contract opportunity to start your CMMC journey.
Total: 1-2 months | No auditor fees
Total: 6-12 months | C3PAO fees $50K-$150K+
Total: 12-18 months | Significant investment required
Industry experience and assessment data show these eight mistakes commonly cause certification delays:
Problem: Over-scoping includes systems that don't touch CUI, wasting money. Under-scoping excludes systems that do access CUI, causing assessment failure.
Solution: Map CUI data flows throughout your environment. Include every system that processes, stores, or transmits CUI—workstations, servers, network equipment, cloud services. Document your scope clearly in your SSP.
Problem: Waiting until right before assessment to gather documentation. This reveals gaps you thought were covered.
Solution: Build evidence collection into your security operations from day one. Maintain access logs, configuration management records, training certificates, and incident reports continuously. Document how each control works, not just that it exists.
Problem: Assuming your cloud provider, IT vendor, or subcontractors are CMMC compliant. If they access your CUI and aren't certified, you fail.
Solution: Verify CMMC certification status of every vendor with CUI access. Include CMMC requirements in vendor agreements. Maintain a supplier compliance matrix showing each vendor's certification status and renewal dates.
Problem: Research shows that 73% of contractors lack end-to-end detection and response, and that 79% need multi-factor authentication fixes. Partial implementation fails assessments.
Solution: Enforce MFA for ALL users accessing CUI—no exceptions. Deploy continuous monitoring across your entire scope. Implement centralized logging with retention policies. Test your incident response procedures regularly.
Problem: CMMC requires organization-wide controls including personnel security, physical security, and security awareness training. IT can't do this alone.
Solution: Involve HR for personnel security practices. Engage facilities for physical access controls. Train all employees on CUI handling. Establish a cross-functional security committee reporting to executive leadership.
Problem: 57% of contractors identify cost as their biggest CMMC challenge. Underestimating expenses leads to failed projects.
Solution: Budget for C3PAO assessment fees ($50K+), security tools (logging, MFA, encryption), staff time (hundreds of hours), consultant help if needed, and ongoing compliance costs. Get quotes from multiple C3PAOs before starting.
Problem: Limited C3PAO capacity and increasing demand mean long wait times for assessments. Starting late risks missing contract deadlines.
Solution: Start preparation 12-18 months before you need certification. Engage a C3PAO early to get on their schedule. Don't assume you can compress the timeline—the 110 practices take time to implement properly.
Problem: Many contractors think their current security controls meet CMMC requirements. Most don't. Assuming compliance and scheduling an assessment without gap analysis wastes assessment fees.
Solution: Conduct a thorough gap analysis before engaging a C3PAO. Use the CMMC Assessment Guide to evaluate your implementation against each assessment objective. Fix gaps before formal assessment. Consider a pre-assessment consultation to identify blind spots.
If you need assistance with CMMC certification, I provide gap assessments, control implementation, SSP development, and C3PAO coordination for defense contractors nationwide.
Tabletop exercises satisfy CMMC incident response testing requirements (IR.2.092 and IR.2.093). Practice your response procedures with free scenario-based training.