CMMC Frequently Asked Questions (FAQ)

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) acquisition regulation that introduces new cybersecurity assessment and attestation requirements for defense contractors. 


CMMC Level 2 is built directly on top of an existing contractual requirement. If your company has a DoD contract containing DFARS clause 252.204-7012, you are already obligated to implement the 110 security controls in NIST SP 800-171 wherever CUI resides or is processed on your network. CMMC does not change that underlying requirement. CMMC adds a formal assessment and attestation process to verify that you have actually implemented NIST 800-171 security controls. 


Rather than creating entirely new cybersecurity obligations, CMMC adds assessment and attestation requirements to verify that contractors have implemented their existing cybersecurity obligations. 


CMMC applies when it is included as a requirement in a DoD prime contract or subcontract. 



The required CMMC level will be specified in the DoD solicitation or contract, so be sure to carefully read the solicitation or contract language. 


However, until CMMC requirements begin to appear in your contracts, companies can anticipate which level they are likely to need based on the type of government data they handle.


As a general guide:

  • Level 1 applies to companies that handle Federal Contract Information (FCI) — non-public information provided by or generated for the government under a contract.
  • Level 2 applies, at a minimum, to companies that handle Controlled Unclassified Information (CUI). CUI is a broader category of sensitive but unclassified government information. For more information on CUI, check out my podcast Ooey Cooey.
  • Level 3 is reserved for the most sensitive defense programs. The DoD has not yet issued broad guidance on which contracts will require it.


The honest answer is that it depends — and three factors have the biggest influence on your timeline.


But first, some important context. CMMC Level 2 is built directly on top of an existing contractual requirement. If your company has a DoD contract containing DFARS clause 252.204-7012, you are already obligated to implement the 110 security controls in NIST SP 800-171 wherever CUI resides or is processed on your network. CMMC does not change that underlying requirement; it adds a formal assessment and attestation process to verify that you have actually implemented the cybersecurity requirements. Companies that have been actively working toward NIST SP 800-171 compliance have a head start, while companies that have not yet addressed those obligations must start from the beginning.


It also matters whether your contract requires a Level 2 self-assessment or a Level 2 third-party assessment conducted by a certified third-party assessment organization (C3PAO). Both require the same underlying controls to be implemented, but preparing for a C3PAO assessment involves additional time for audit preparation, including organizing evidence and ensuring your program can withstand external scrutiny. Companies pursuing a C3PAO assessment should factor that preparation time into their timeline from the start.


With that context in mind, the following three factors will most influence how long the process takes for your organization:


1) Your current cybersecurity posture. Companies that have already implemented the 110 security controls contained in NIST SP 800-171, as required by the DFARS clause 252.204-7012, will have a much shorter path to certification than those starting from scratch. The further your current program is from compliance, the more remediation work stands between you and a successful assessment.

2) How much you prioritize it. CMMC preparation requires dedicated time and attention from your IT, security, and leadership teams. Companies that treat it as an active priority by assigning ownership, setting milestones, and holding themselves accountable move significantly faster than those fitting it in around other obligations.

3) Your budget. Remediation work, documentation, tooling, and a third-party assessment (if required) all require investment. Companies with more resources to dedicate to the effort can compress the timeline considerably.


That said, industry trends suggest that most companies should plan for anywhere from 3 to 6 months to obtain Level 2 readiness. If your program is early-stage or your environment is complex, building in additional time is strongly advisable.


The best way to get a realistic estimate for your organization is to start with a gap assessment against the NIST SP 800-171 controls. That will give you a clear picture of where you stand and what it will realistically take to get ready.


Note: Not every company will need a third-party assessment under the CMMC program. The requirement to obtain a third-party assessment is based on the requirements contained in the DoD solicitation, contract, or subcontract.


Level 2 is built on the NIST SP 800-171 requirements already imposed by DFARS clause 252.204-7012; accordingly, it would be misleading to attribute all NIST SP 800-171 compliance costs to CMMC. If your company has an existing DoD contract with that clause, you were already obligated to implement those controls.


New costs that may be attributed directly to the CMMC obligations are the costs of the CMMC certification assessment and a set of specific remediation efforts. Under the traditional NIST SP 800-171 compliance obligation imposed by the DFARS 252.204-7012 clause, companies have been permitted to carry broad gaps in implementation as long as those gaps are documented in a Plan of Action and Milestones (POA&M). CMMC raises that bar significantly. While CMMC Level 2 does allow for a limited number of POA&M items, those exceptions apply only to a specific subset of explicitly identified controls, and any open items must be closed within 180 days of certification. The specific set of allowable gaps can be found in the CMMC program rule at 32 CFR 170.21.


In practical terms, this means that a company may believe it is in reasonable compliance with its DFARS 7012 obligations while still having significant work ahead to meet CMMC Level 2 requirements. Understanding that gap and what it will cost to close it is one of the most important things a gap assessment will reveal.


CMMC certification assessment costs vary widely depending on the level required and the size and complexity of your environment.


For companies pursuing a Level 2 third-party assessment, cost estimates for C3PAO assessments generally range from $10,000 to $100,000. This range reflects real differences in company size, the number of systems in scope, and the C3PAO you select. It is important to note that this cost is only for the CMMC C3PAO assessment itself. It does not include remediation efforts, tooling, documentation preparation, or third-party advisory services used to prepare for the CMMC assessment.


For companies pursuing a Level 2 self-assessment, it is easy to underestimate the cost because there is no external assessment fee. However, a CMMC Level 2 self-assessment must be conducted using the same methodology as a C3PAO assessment. This means that the internal time, resources, and rigor required are not immaterial. The cost of staff time, internal preparation, and any outside support should be factored into your planning just as carefully as an external assessment fee would be.


The best way to develop a realistic cost estimate is to start with a gap assessment. Understanding where your program stands today is the foundation for any accurate projection of what certification will require.


While the DoD Chief Information Officer published the CMMC rule and designed the phased rollout schedule, the practical reality is that CMMC only applies when it appears in a specific solicitation or contract. It is ultimately the individual contracting officer — not the DoD CIO — who decides whether to include CMMC requirements in a given contract. 


Actual CMMC implementation across the defense acquisition community will vary, and the pace at which CMMC appears in contracts depends heavily on how individual contracting officers exercise that discretion. A contractor is only bound by CMMC for the specific award in which it appears.


The three-year phased CMMC roll-out approach is detailed in the CMMC program rule at 32 CFR 170.3(e):


Phase 1 — November 10, 2025 to November 9, 2026

CMMC Level 1 and Level 2 self-assessment requirements begin appearing in applicable DoD solicitations and contracts. A limited number of contracts may require a Level 2 C3PAO assessment at the DoD's discretion.


Phase 2 — November 10, 2026 to November 9, 2027

The DoD begins adding Level 2 C3PAO assessment requirements to applicable contracts. Level 3 certification requirements may begin appearing in a limited number of contracts at the DoD's discretion.


Phase 3 — November 10, 2027 to November 9, 2028

Level 2 C3PAO assessment requirements may begin being incorporated into existing contract option periods. Level 3 requirements expand to additional applicable contracts.


Phase 4 — Beginning November 10, 2028

CMMC requirements become mandatory across all applicable DoD contracts.


What if a prime contractor is asking me about CMMC now?

Even where a contracting officer has not yet included CMMC requirements in a solicitation, subcontractors may find that prime contractors are getting there first. Because CMMC requires prime contractors to ensure their entire supply chain is compliant, many primes are proactively flowing CMMC requirements down to their subcontractors ahead of any formal DoD mandate. 


For subcontractors, this means that waiting for CMMC to appear in a government solicitation may not be a reliable indicator of when compliance will actually be required. Your prime contractor may require it sooner — and a subcontractor that cannot demonstrate compliance may find itself replaced by one that can. This is an important market dynamic that makes early preparation strategically valuable regardless of where the formal DoD rollout stands.


Can I still bid on a contract if I am not yet certified?

Yes — but with an important caveat. When CMMC appears in a solicitation, it is a condition precedent to contract award, not a requirement to submit a bid. This means your company can compete for and pursue a contract without holding a current CMMC certification. However, if you are selected for award, you must have obtained the required certification at the time of contract award. Without it, you will not be eligible to receive the contract. 


The most important thing a small contractor can do right now is to conduct a formal self-assessment.


A gap assessment measures where your cybersecurity program stands today against the controls required. It will identify what is already in place, what needs to be implemented, and what remediation work is required. This is the most important step you can take and should be done early in your CMMC journey. Without a gap assessment you cannot accurately determine whether you are ready for a certification assessment, how long it will take to get there, or what level of effort remediation will require. 


The gap between where most small businesses are today and where CMMC requires them to be is real, but it is not an insurmountable problem. With the right planning, prioritization, and budget, a small business can be CMMC Level 2 ready in less than 6 months.




NO.


When evaluating consultants or service providers to support your CMMC preparation, focus on demonstrated experience and technical capability rather than CyberAB marketplace credentials alone. 


Under 32 CFR 170.8(a), the CMMC Accreditation Body (CyberAB) is statutorily responsible for establishing the authorization requirements and accreditation scheme for C3PAOs and their assessors. That is the extent of the CyberAB's mandatory credentialing authority under the rule. C3PAOs and their assessors must hold CyberAB credentials to conduct a CMMC certification assessment. 


The CyberAB also offers a separate marketplace of credentials and badges related to CMMC advisory and implementation services — such as Registered Practitioners (RPs) and Registered Provider Organizations (RPOs). These credentials are entirely voluntary. Neither the CMMC rule nor any DoD guidance requires contractors to hire or work with CyberAB-credentialed advisors or consultants when preparing for certification.


For practical guidance on how to build a trusted network of CMMC advisors and service providers, including how to evaluate quality, manage cost, and reduce risk, check out Episode 2 of my podcast Ooey Cooey: How to Build a Trusted Cyber Compliance Ecosystem to Manage Cost and Risk.


Copyright © 2026 The Cyber Advisor - All Rights Reserved.