CMMC 2.0 Explained for Small Contractors
- Imelda Wei Ding Lo

Context: Sample blog post created for the Fortunus Media portfolio to demonstrate SEO-optimized compliance and technology writing for regulated industries.
Client: Fictional company, SecureComply, a cybersecurity consultancy helping small federal contractors meet CMMC 2.0 requirements.
Target Audience: Small and mid-size contractors, managed service providers (MSPs), and SaaS vendors preparing for Department of Defense cybersecurity compliance (informational and consideration stage).

Beginning November 10, 2025, the Department of Defense (DoD) began writing Cybersecurity Maturity Model Certification (CMMC) requirements into new solicitations and contracts, and contractors and subcontractors must hold the required CMMC level to receive an award.
There is no grace period once a CMMC level appears in a solicitation: a contractor that cannot show the required assessment and affirmation is ineligible for that award, and the revenue goes to a competitor who can. The requirements are phased in over three years, starting with Level 1 and Level 2 self-assessments; Level 2 third-party (C3PAO) and Level 3 requirements become standard in later phases, although DoD may include them earlier at its discretion.
This guide covers what CMMC is, its three levels, how it affects small contractors, and five steps to prepare for CMMC 2.0 certification. You’ll also learn why early CMMC compliance matters and how SecureComply can help you get certified.
What Is CMMC 2.0?
CMMC 2.0 is the DoD’s framework for protecting the Defense Industrial Base (DIB) from cyber threats. It establishes mandatory cybersecurity standards for the entire supply chain working with the DoD, not just prime contractors directly contracting with the government.
The program’s main goal is to strengthen how organizations protect two types of data:
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding information the government makes public and simple transactional information.
Controlled Unclassified Information (CUI) is unclassified information that requires dissemination or safeguarding controls under federal law, regulation, or government-wide policy.
What Are the Three Levels of CMMC 2.0?
As a simplified successor to the original CMMC, CMMC 2.0 reduces the number of maturity levels from five to three. Level 1 aligns with the basic safeguarding requirements of FAR 52.204-21; Levels 2 and 3 align with NIST Special Publication 800-171, which defines the security requirements for protecting CUI in non-federal systems and organizations.
Here’s what each CMMC level requires.
Level 1: Basic safeguarding of FCI
At this level, you only need to protect FCI. The only requirements are an annual self-assessment and affirmation of compliance with the 15 security requirements outlined in FAR clause 52.204-21.
Level 2: Broad protection of CUI
Contractors handling CUI must meet CMMC Level 2. This level requires all 110 security requirements of NIST SP 800-171 Revision 2, the same standard DFARS clause 252.204-7012 already obligates contractors handling CUI to implement.
There are two Level 2 routes, and the solicitation states which one applies. You cannot substitute a self-assessment where a C3PAO certification is required.
Self-assessment (Level 2 Self): a self-assessment every three years, plus an annual affirmation. DoD allows this route only where the CUI involved falls outside the National Archives’ CUI Registry Defense Organizational Index Grouping.
C3PAO assessment (Level 2 C3PAO): an assessment by a CMMC Third-Party Assessor Organization every three years, plus an annual affirmation. This route is required when you process, store, or transmit CUI categorized under the Defense Organizational Index Grouping, such as Controlled Technical Information.
Whether you self-assess or go through a C3PAO, you must submit an affirmation of continued compliance after each assessment and every year in between; the assessment result is valid for three years only as long as the annual affirmations are kept up.
Level 3: Higher-level protection of CUI against advanced persistent threats
Level 3 is required for contractors working with the most sensitive CUI, where programs are likely to be targeted by advanced persistent threats (APTs) and nation-state actors.
You must meet the 110 NIST SP 800-171 requirements of Level 2 plus 24 additional requirements selected from NIST SP 800-172 (February 2021).
Here’s what you need to do to reach this level:
First hold a Level 2 certification obtained through a C3PAO assessment.
Then pass a Level 3 assessment conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC), repeated every three years. DCMA DIBCAC leads the DoD’s contractor cybersecurity assessment and risk mitigation efforts.
As at Level 2, you must also submit an affirmation after each assessment and every year in between.
How Does CMMC Affect Small Contractors?
Small contractors should start working toward CMMC 2.0 compliance now.
Starting November 10, 2025, DoD solicitations can require a CMMC level as a condition of award, and the share of solicitations that do so grows with each phase of the three-year rollout. A contractor that cannot meet the level named in a solicitation cannot win that award, and because prime contractors must flow the requirement down, the same applies to subcontractors that handle FCI or CUI.
In practice, many small businesses will need to formalize their cybersecurity programs for the first time.
That means written policies and procedures, employee training, access controls, audit logging, and a documented incident response plan, all aligned with the CMMC level your contracts require, plus the evidence to prove those controls are actually in place.
Talk to the SecureComply team today to learn how you can start preparing for CMMC compliance. Just tell us about the compliance level you’re seeking to achieve, and we can build a custom plan to achieve compliance as efficiently and effectively as possible.
Five Steps to Prepare for CMMC 2 Certification
Getting ready for CMMC can seem daunting, but breaking it into stages makes it manageable.
1. Identify what data you handle and where it lives
Start by mapping where staff store, process, transmit, and access FCI and CUI, including cloud services and systems run by an MSP, which are in scope when they handle CUI on your behalf. This defines the scope of your CMMC obligations and prevents you from wasting time and money securing systems outside it.
2. Conduct a gap analysis against CMMC requirements
Compare your current cybersecurity practices with the controls for your target CMMC level. Identify missing elements like audit logging, access management, or encryption.
3. Implement technical and policy controls
Close the gaps with stronger safeguards. Depending on what’s missing from your current practices, updates could include incident response plans, written cybersecurity policies, and technical controls aligning with NIST SP 800-171.
4. Document processes and train staff
To get CMMC certified, you need to show consistency, not just one-time fixes. Keep evidence of policies, training sessions, and system configurations to show ongoing compliance.
5. Plan for assessment and continuous monitoring
If you process, store, or transmit CUI categorized under the National Archives’ CUI Registry Defense Organizational Index Grouping, you’ll need Level 2 C3PAO certification, and the solicitation will say so.
To get certified as soon as possible, engage a C3PAO early. They’re often booked months ahead.
After certification, maintain continuous monitoring and submit annual affirmations. Remember: Level 2 assessments (self or C3PAO) and Level 3 assessments are valid for three years, and only while the annual affirmations are kept current, so ongoing documentation and oversight are necessary.
Learn How SecureComply Can Help You Achieve CMMC Compliance
DoD contractors and subcontractors have limited time to achieve CMMC compliance. Starting November 10, 2025, solicitations can require a CMMC level as a condition of award, and without it you are not eligible for those contracts.
To achieve CMMC compliance quickly and effectively, talk to SecureComply. Our consultants have guided numerous DoD supply chain partners through CMMC and related cybersecurity frameworks, from initial gap analysis to final third-party assessment.
Book a free consultation today to learn how we can streamline your path to certification and help you stay audit-ready every year.
CMMC 2.0 Certification FAQs
What is CMMC in cybersecurity?
The Cybersecurity Maturity Model Certification or CMMC is a Department of Defense (DoD) framework. It sets standardized cybersecurity practices that DoD contractors must follow to protect sensitive government data.
What are CMMC requirements?
CMMC 2.0, the newest version of the CMMC framework, has different requirements depending on the level you’re seeking:
Level 1 requires basic safeguarding practices aligned with the 15 requirements of FAR 52.204-21 to protect Federal Contract Information (FCI). You only need to complete an annual self-assessment and affirmation.
Level 2 requires all 110 requirements of NIST SP 800-171 Revision 2 to safeguard Controlled Unclassified Information (CUI). The solicitation specifies a self-assessment or a third-party assessment by a C3PAO; the C3PAO route applies if you process, store, or transmit CUI categorized under the National Archives’ CUI Registry Defense Organizational Index Grouping. Either way, the assessment is repeated every three years with an annual affirmation.
Level 3 adds 24 requirements from NIST SP 800-172 and is for organizations handling the most sensitive CUI. It requires an existing Level 2 C3PAO certification, after which the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) conducts the Level 3 assessment.
How much does it cost to become CMMC certified?
CMMC certification costs depend on many factors. These include:
The CMMC level you’re aiming for
Your company size
Your company’s cybersecurity maturity
Additional tools or upgrades you need to meet CMMC standards
For general guidance—not as a quote or guarantee—estimated CMMC certification costs may include:
Level 1 CMMC certification: $4,000 to $6,000
Level 2 CMMC certification (self-assessment route): $34,000 to $44,000
Level 2 CMMC certification (C3PAO or third-party route): $112,000
Level 3 CMMC certification: $121,000 to $160,000
Talk to SecureComply to learn more about CMMC certification costs.
References
Acquisition.gov. (n.d.). FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. https://www.acquisition.gov/far/52.204-21
Defense Contract Management Agency. (2023). Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). https://www.dcma.mil/DIBCAC/
Department of Defense. (n.d.). CMMC 2.0 is Here: What Every DoD Contractor Needs to Know. Retrieved October 30, 2025, from https://business.defense.gov/Portals/57/Documents/1%20pagers/CMMC%20What%20Every%20DoD%20Contactor%20Needs%20to%20Know.pdf?ver=6qAxU6SRDXavfU0dmn2ATw%3d%3d
Federal Register. (2023, December 26). Cybersecurity Maturity Model Certification (CMMC) Program (proposed rule). https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
National Archives. (2016, September 12). Controlled Unclassified Information (CUI). https://www.archives.gov/cui
Office of the Secretary of Defense. (2025, January 17). Memorandum for Senior Pentagon Leadership, Defense Agency and DoD Field Activity Directors: CMMC Implementation Policy. https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf
Ross, R., & Pillitteri, V. (2024, May 14). NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST. https://csrc.nist.gov/pubs/sp/800/171/r3/final
Ross, R., Pillitteri, V., Guissanie, G., Wagner, R., Graubart, R., & Bodeau, D. (2021, February 2). NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. NIST. https://csrc.nist.gov/pubs/sp/800/172/final
U.S. Department of Defense. (2024). About CMMC. DoD CIO. https://dodcio.defense.gov/CMMC/About/