What Is CMMC? Certification Levels, Costs & How to Comply
Updated July 14, 202620 min read

What Is CMMC? Your Complete Guide to Certification & Compliance

Understand CMMC levels, assessment types, timelines, costs, and the cybersecurity career opportunities this framework is creating.

What you’ll learn in this article…

  • CMMC compliance costs small companies over $100,000 across three years.
  • Level 2 third-party certification requirements begin November 10, 2026.
  • Information security analyst roles are projected to grow 29% through 2034.

The Cybersecurity Maturity Model Certification, known as CMMC, is the Department of Defense's framework for verifying that contractors actually protect controlled unclassified information rather than simply claiming they do. Since 2017, defense contractors have been required to follow NIST SP 800-171, but self-attestation proved insufficient: intellectual property theft continued, and the DoD needed a verification mechanism with teeth.1

The final CMMC rule took effect December 16, 2024, and the contractual DFARS rule followed in September 2025. Phase 2, which requires third-party Level 2 certification for most CUI-handling contracts, begins November 2026. For contractors, the compliance window is narrow. For cybersecurity professionals, the $4 billion annual compliance cost represents a substantial hiring wave in assessment, consulting, and implementation roles. Those switching to cybersecurity from other IT careers will find CMMC-related positions among the most accessible entry points into defense-sector work right now.

The Three CMMC Levels Explained

CMMC organizes cybersecurity requirements into three levels, each designed for a different type of sensitive information and contract priority. Understanding which level applies to your work is the first step toward compliance. Here is a side-by-side breakdown so you can quickly identify where your organization falls.

Comparison of CMMC Levels 1, 2, and 3 across six attributes including framework, practice count, and assessment type as of 2026

Self-Assessment Vs. Third-Party Vs. Government Assessment

Not every contractor goes through the same assessment process. CMMC assigns one of three assessment types depending on the level of certification required and the sensitivity of the controlled unclassified information (CUI) involved.

Self-Assessment applies to Level 1 and, during Phase 1, to some Level 2 contractors.121541 The contractor organization conducts the assessment internally, documenting compliance through a System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies and procedures, screenshots, logs, network diagrams, and asset inventories.121533 Assurance is lower compared to the other two types: the contractor attests to compliance, and the DoD may spot-check results. This path has a lighter lift, but it carries real accountability.

Third-Party Assessment (C3PAO) is required for most Level 2 contracts covered under DFARS 252.204-7021.121540 A Cyber AB-accredited C3PAO (Certified Third-Party Assessment Organization) conducts the review. Evidence standards are strict: screenshots must be taken within 90 days from a production environment, and a single "NOT MET" finding on a required practice can cause the contractor to fail that requirement. Documents needed include a finalized SSP, POA&M, approved policies, network diagrams, a Customer Responsibility Matrix (CRM), audit logs, ticket records, and training documentation.121536 This path offers a higher assurance level and is increasingly the standard for defense contracts. For professionals interested in this space, accelerated cybersecurity certification programs can build the technical foundations that C3PAO assessors and compliance consultants rely on.

Government Assessment (DIBCAC) is the most rigorous path, reserved for Level 2 and above contracts involving high-value CUI programs.121541 The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) leads these reviews, which mirror the C3PAO documentation requirements but go further: broader log sampling, stronger traceability across controls, and extensive technical testing.121540 If you are exploring a cybersecurity professional career path, understanding DIBCAC-level expectations gives you a clear picture of how thorough federal compliance scrutiny can be.

Choosing the right assessment path depends on contract type, CUI sensitivity, and the CMMC level required. As phased deadlines approach, knowing which path applies to you (or your clients) is one of the most practical starting points in the compliance journey.

Step-By-Step: How to Get CMMC Certified

With the phased CMMC rollout now firmly underway, organizations working in the Defense Industrial Base can no longer treat certification as a distant concern. The practical question shifts quickly from "do we need this?" to "how do we actually get it done?"

The path to certification is structured, but navigating it well requires preparation, the right partners, and a realistic timeline.

Understand Which Level Applies to You

Before engaging any assessor, you need to confirm which CMMC level your contracts require. Organizations that handle only Federal Contract Information typically fall under Level 1, which allows for an annual self-assessment. Companies that process or store Controlled Unclassified Information generally face Level 2, which for most contracts means a formal third-party assessment. Level 3 applies to a smaller group working on the most sensitive DoD programs and involves government-led evaluation.

Knowing your level shapes every subsequent decision, including which type of assessor you need and how much time and budget to set aside.

Find a Qualified C3PAO Through the Cyber AB Marketplace

For organizations requiring a third-party assessment at Level 2, the starting point is the Cyber AB Marketplace at cyberab.org. The Cyber AB (the official accreditation body for the CMMC ecosystem) maintains a searchable directory of accredited Certified Third-Party Assessment Organizations, commonly called C3PAOs. You can filter results by location, certification level, and current accreditation status, which helps narrow the field considerably.

Before committing to any C3PAO, take a few additional steps:

  • Request accreditation documentation: Ask the organization to share its current accreditation certificate and any recent audit or quality assurance reports. Accredited C3PAOs are expected to meet defined standards, and reputable ones will not hesitate to provide evidence.
  • Inquire about relevant experience: Ask specifically whether the C3PAO has assessed organizations with a similar scope, size, and type of CUI environment to yours. Experience with your specific context matters.
  • Ask about recent rule updates: Given the pace of change in 2025 and 2026, confirm that the assessor is current on the latest CMMC requirements and any guidance updates from the DoD or the Cyber AB.
  • Contact more than one: Speaking with several C3PAOs before selecting one gives you a clearer sense of pricing ranges, timelines, and communication styles.

Check the Cyber AB's Assessor Guidance

The Cyber AB's website also includes a section covering assessor accreditation requirements, application processes, training mandates, and quality assurance expectations. Even if you are an organization seeking assessment rather than becoming an assessor yourself, reviewing this material is useful. It tells you what a properly credentialed C3PAO should have completed, which makes your vetting conversations more informed.

Monitor the Cyber AB's news and blog pages as well. Updates posted through 2025 and into 2026 have addressed evolving requirements, and staying current reduces the risk of being caught off guard late in your assessment process.

Cross-Reference with Established Standards Bodies

Beyond the Cyber AB, a few additional sources can sharpen your preparation. NIST publishes detailed guidance on the SP 800-171 requirements that sit at the core of Level 2 compliance, and its documentation is freely available. Defense Industrial Base sector associations often publish best practices, lessons learned from early assessors, and practitioner forums where compliance teams share practical experience. For professionals building toward roles in this space, a broader grounding in cybersecurity certifications can make you a more credible contributor to these assessments.

Using these resources alongside the Cyber AB materials gives you a rounded picture of what assessors are actually looking for, which in turn helps you close gaps more efficiently before your formal assessment begins.

Build in Enough Time

Compliance readiness typically takes anywhere from six months to well over a year, depending on your starting point. Rushing toward a certification deadline without adequate preparation rarely ends well. Map your contract timelines against the CMMC phase schedule, identify your level early, begin your C3PAO search well in advance of when you need to be assessed, and treat the remediation work as a project in its own right, not an afterthought before the assessment call. If you are still weighing how to position yourself for this kind of work, a cybersecurity career guide can help clarify which roles align with CMMC consulting and compliance.

Questions to Ask Yourself

FCI requires only Level 1 (15 basic practices), while CUI mandates Level 2 (110 NIST SP 800-171 requirements) or Level 3. Misidentifying the data type can leave you pursuing the wrong certification track, wasting time and budget on compliance activities that do not match your contract obligations.

A formal gap analysis identifies which of the 110 Level 2 practices your organization currently satisfies and which require remediation. Without an SSP that maps controls to your environment, third-party assessors cannot validate your compliance, delaying certification and contract eligibility.

CMMC assessments examine the entire CUI flow, including cloud services, partner networks, and supply-chain vendors. Any unmanaged endpoint or subcontractor that handles CUI but lacks appropriate safeguards can fail your assessment, even if your primary systems are compliant.

CMMC Certification Costs and Timelines

Budgeting for CMMC compliance is one of the biggest challenges facing defense contractors, and costs scale dramatically with organization size. According to National Defense Magazine, the private sector faces an annualized cost of $4 billion to implement CMMC overall, with small companies alone facing estimated costs of over $100,000 over three years just for assessment and certification. Key cost drivers include gap analysis, remediation of security controls, technology upgrades, consultant fees, C3PAO (Certified Third-Party Assessment Organization) assessment fees, and ongoing monitoring. Preparation timelines also vary: small businesses should plan for 6 to 12 months, mid-size organizations for 9 to 18 months, and large enterprises for 12 to 24 months or longer, depending on current security posture.

First-cycle CMMC compliance costs ranging from $75,000 to $1,000,000 across small, mid-size, and large organizations in 2025 to 2026

CMMC Phased Rollout: Key Dates for Contractors

The CMMC rollout follows a carefully staged timeline, and contractors who miss a phase deadline risk losing eligibility for Department of Defense contracts.

The Regulatory Foundation

Two rules anchor the entire CMMC framework. The DoD released its final CMMC rule on October 15, 2024, with an effective date of December 16, 2024. That rule established the structure, levels, and assessment requirements. The Defense Federal Acquisition Regulation Supplement (DFARS) final rule, released September 10, 2025, translated those requirements into enforceable contract language. Together, these two actions converted CMMC from policy guidance into a binding contractual obligation.1

Phase 1: November 10, 2025

The rollout entered Phase 1 on November 10, 2025. During this phase, contractors handling federal contract information at Level 1 must complete a self-assessment and submit results to the Supplier Performance Risk System (SPRS). Some Level 2 contracts also fall under Phase 1 self-assessment provisions. If your organization has not yet completed this step, it is already behind schedule.

Phase 2: November 10, 2026

Phase 2 is the most consequential near-term deadline for a large portion of the defense industrial base. Beginning November 10, 2026, Level 2 certification from an accredited third-party assessment organization (C3PAO) becomes a contract requirement for applicable awards. This is not a self-assessment. An independent auditor must validate your controls against the 110 requirements of NIST SP 800-171 Rev. 2 before work can begin on covered contracts.1

Phase 3 and Phase 4: 2027 and 2028

Phase 3, expected in 2027, introduces government-led assessments for organizations seeking Level 3 certification. Level 3 builds on the NIST SP 800-171 baseline by adding enhanced requirements drawn from NIST SP 800-172, targeting contractors working with the most sensitive controlled unclassified information.

Phase 4 closes the loop. By November 10, 2028, all applicable DoD contracts must include CMMC requirements, meaning no contractor in the defense supply chain can sidestep compliance by waiting for a future contract cycle.

What the Timeline Means for Your Workforce

Each phase creates immediate demand for professionals who understand NIST frameworks, audit preparation, and system security plan development. Organizations scrambling to meet the November 2026 deadline are actively hiring compliance specialists, assessment coordinators, and cybersecurity analysts right now. Veterans transitioning into the field may find this an especially well-timed opportunity, as covered in Cybersecurity Careers for Military Veterans: Best Jobs and Transition Guide. For anyone building skills in this space through accredited online cybersecurity programs, the phased structure is not just a compliance calendar. It is a hiring roadmap.

Did You Know?

CMMC implementation is projected to cost the private sector roughly $4 billion annually, and that spend has to go somewhere. Much of it flows to cybersecurity professionals who understand NIST SP 800-171, assessment methodology, and compliance architecture. If you're building a career path, this is a rare moment where regulation is actively creating hiring demand.

Common CMMC Pitfalls and How to Avoid Them

What causes organizations to fail CMMC assessments even after months of preparation? Most failures stem from four recurring mistakes that assessment organizations spot immediately: underscoping the environment, treating documentation as static files, ignoring supply-chain obligations, and starting remediation too late.

Pitfall 1: Underscoping the CUI Environment

The most common failure point is incomplete boundary mapping. Organizations routinely miss cloud storage buckets, mobile devices accessing email, development servers that temporarily hold CUI, or subcontractor VPNs that connect to prime systems. A C3PAO assessment covers every asset that stores, processes, or transmits controlled unclassified information.1 If your self-assessment missed a forgotten SharePoint site or a contractor laptop, the formal assessment will not. Map your CUI flows end to end, including temporary storage locations, backup systems, and third-party integrations, before the assessor arrives.

Pitfall 2: Checkbox Compliance in SSPs and POA&Ms

System Security Plans and Plans of Action and Milestones are living operational documents, not one-time paperwork exercises. Assessors verify that your documented processes match actual practice. If your SSP claims weekly vulnerability scans but your scanner logs show monthly runs, you fail that practice. POA&Ms must contain realistic remediation timelines, assigned owners, and resource commitments. Organizations that treat these documents as templates copied from the internet consistently score below the required 88 points for Level 2 certification.2

Pitfall 3: Ignoring Supply-Chain Flow-Down

Primes bear responsibility for subcontractor compliance. If your Level 2 contract flows CUI to a subcontractor, that subcontractor must also meet Level 2 requirements. A prime cannot achieve certification if a sub in the CUI chain lacks the same CMMC level. Flow-down clauses must appear in subcontracts, and primes should verify sub compliance well before their own assessment. Subcontractor non-compliance discovered during a prime assessment stops certification immediately. For professionals building expertise in this area, understanding compliance analyst education requirements provides a useful foundation for navigating these obligations.

Pitfall 4: Waiting Too Long to Start

Remediation typically takes six to eighteen months. Organizations targeting Phase 2 enforcement in November 20263 should already be closing gaps identified in their readiness assessments. Starting fresh in mid-2026 leaves insufficient time to implement access controls, harden configurations, train staff, and generate the audit logs assessors will review. A cybersecurity degree program that covers NIST frameworks and risk management can give practitioners a head start on these requirements.

What Happens If You Fail

Scoring below 88 points triggers a full reassessment from the beginning. Organizations may receive a conditional status if they score 88 or higher but have open POA&M items in deferrable practices. Conditional status allows contract eligibility on accepting contracts but expires in 180 days if the open items remain unaddressed.2 After expiration, a full reassessment is required. Non-deferrable practices (Access Control, Identification and Authentication, Incident Response) must pass during the initial assessment; you cannot defer these.5 Remediation and re-assessment typically require three to six months, and assessment costs range from $15,000 to $75,000 per attempt.6 For contracts requiring certification to bid in Phase 2, a failed or expired assessment removes your organization from competition until you achieve a passing score.

Cybersecurity Career Opportunities Created by CMMC

Consulting firms are hiring two very different profiles right now: the generalist compliance analyst who can read a control catalog and write policy, and the specialist assessor who can walk into a defense contractor's environment and validate 110 NIST SP 800-171 controls under scrutiny. Both paths pay well, and both are being reshaped by CMMC's phased rollout. If you are weighing whether to pursue a cybersecurity degree vs. certifications, this is one area where having both gives you a clear edge.

Roles Driving the Hiring Wave

As Level 2 certification requirements kick in this November, defense primes and their suppliers need people in seats. The roles showing up most often in job postings tied to CMMC work include:

  • CMMC assessor: Conducts formal Level 2 and Level 3 assessments on behalf of a Certified Third-Party Assessment Organization (C3PAO). Requires the CCA credential.
  • Compliance analyst: Maps existing controls to NIST SP 800-171, tracks remediation, and prepares System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms).
  • GRC specialist: Owns the broader governance, risk, and compliance program, often bridging CMMC with ISO 27001, SOC 2, and FedRAMP work.
  • NIST framework consultant: Advises contractors on scoping CUI environments and closing gaps ahead of assessment. Becoming a cybersecurity consultant typically requires a mix of technical credentials and practical framework experience.
  • Security engineer: Implements the technical controls: access management, logging, encryption, incident response tooling.

According to the Bureau of Labor Statistics, information security analysts nationwide earn a median wage of about $124,910, with the 75th percentile near $159,600 and roughly 179,000 people employed in the occupation. CMMC-specialized roles tend to land in the upper half of that cybersecurity salary distribution, especially for cleared professionals.

How Online Degrees and Certifications Stack

An online cybersecurity degree gives you the foundation employers expect: risk management, security architecture, and hands-on exposure to NIST frameworks. Layer CMMC-specific credentials on top to signal domain expertise.

The CAICO ecosystem, now managed by ISACA as of April 2026,1 offers the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) credentials. CCP eligibility requires a cyber or IT degree or two-plus years of related experience, plus DoD Mandatory CUI Awareness Training and a Tier 3 background investigation.2 The exam fee is $760,3 with total program costs running $1,995 to $3,000.4 CCA builds on an active CCP and runs $2,995 to $3,300 with a 150-question, four-hour exam.2 Lead CCA and Certified CMMC Instructor (CCI) tracks sit above that.

Pair these with broader credentials like CISSP, CISM, or CompTIA Security+ and you have a resume that reads as both deep and defense-ready. The CompTIA cybersecurity career pathway is a practical starting point before layering in CMMC-specific credentials.

Information Security Analyst Salary Snapshot

CMMC compliance is fueling demand for information security analysts across the country, particularly in states with heavy defense contracting activity. According to the Bureau of Labor Statistics, this occupation is projected to grow 29% from 2024 to 2034, which is much faster than average. The table below highlights median annual wages and employment levels across a selection of states, drawn from the most recent Occupational Employment and Wage Statistics data.

StateTotal Employment25th Percentile WageMedian Annual Wage75th Percentile WageMean Annual Wage
Virginia18,670$101,610$132,460$166,510$136,680
California15,800$105,150$140,660$178,090$152,640
Texas14,730$96,020$124,970$149,780$126,800
Florida13,770$86,250$105,990$139,150$117,500
New York8,860$98,320$131,100$170,220$139,540
Maryland8,770$105,230$140,480$175,390$145,450
North Carolina6,850$88,560$121,070$147,030$122,310
Washington6,830$117,040$142,920$169,350$144,140
Georgia6,480$92,620$124,270$156,390$126,380
Colorado5,840$102,350$130,570$164,010$135,980
Massachusetts5,780$101,730$127,610$161,940$129,350
Ohio5,070$83,480$107,570$137,430$115,600
New Jersey4,730$108,320$135,390$168,240$141,130
Illinois4,560$83,960$114,300$138,130$119,540
Pennsylvania4,420$79,670$110,230$137,900$114,870
Arizona4,170$88,520$125,320$161,250$123,780
Alabama3,290$79,870$111,110$138,270$112,800
Michigan3,120$79,920$104,540$129,150$107,630
Indiana2,540$64,500$78,290$115,650$91,740
District of Columbia2,010$109,680$127,760$150,920$132,790

Frequently Asked Questions About CMMC

Below are answers to the most common questions about the Cybersecurity Maturity Model Certification. Each response draws on the key details already covered in this guide, including the phased rollout timeline, cost estimates, and assessment types.

CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense framework that requires defense contractors to verify their cybersecurity practices at a defined maturity level before they can handle controlled unclassified information (CUI). Understanding what is cybersecurity and why is it important provides helpful context for grasping why frameworks like CMMC exist. The final CMMC rule took effect on December 16, 2024, and is being rolled out in phases through November 2028.

Level 1 covers 15 basic cybersecurity practices drawn from FAR 52.204-21. Level 2 requires organizations to meet all 110 security requirements in NIST SP 800-171 Revision 2, which is the standard most contractors handling CUI will need. Level 3 adds enhanced requirements from NIST SP 800-172 and applies to contractors working with the most sensitive defense programs.

Costs vary widely based on company size and current security posture. For small companies, estimates exceed $100,000 over three years for assessment and certification alone, not counting the remediation work needed to close gaps. Across the private sector, the annualized cost of CMMC implementation is projected at roughly $4 billion, as reported by National Defense Magazine. Professionals who want to build expertise in this space can explore online cybersecurity programs that cover compliance and risk management fundamentals.

Most organizations should plan for 6 to 18 months or longer to achieve compliance, depending on their starting point. This timeline includes conducting a gap analysis, remediating any shortfalls, documenting policies and procedures, and completing the required assessment. Starting early is critical, especially with Phase 2 (Level 2 certification requirements) beginning in November 2026.

Level 1 and certain Level 2 scenarios allow organizations to perform a self-assessment, where leadership affirms compliance internally. For most Level 2 requirements, a CMMC Third-Party Assessment Organization (C3PAO) must conduct an independent evaluation. Level 3 assessments are performed by government assessors. The type of assessment required depends on the sensitivity of the information a contractor handles.

If an organization does not meet the required maturity level, it will not receive certification and may be ineligible for contract awards that require that level. Companies can remediate deficiencies and undergo reassessment. However, gaps in certification can mean lost contract opportunities, so addressing weaknesses before the formal assessment is strongly recommended.

Yes. CMMC requirements flow down to subcontractors who handle CUI or federal contract information. If a prime contractor's agreement involves protected data, the subcontractors supporting that work must also hold the appropriate CMMC level. By Phase 4, expected to begin November 2028, all applicable defense contracts will include CMMC clauses. Those considering a pivot to cybersecurity from other IT roles may find subcontractor compliance work a practical entry point into the defense sector.

After achieving certification, organizations must submit an annual affirmation confirming they continue to meet the required security practices. This is not a one-time event. Companies need to maintain their security controls, keep documentation current, and be prepared for periodic reassessment. Letting compliance lapse can jeopardize active contracts and future eligibility.

Recent News

Recent Articles

In this article