last edit: 03/29/2026
Table of Contents
- What Is CMMC?
- Who Needs CMMC?
- Which CMMC Level Do We Need?
- How CMMC Assessments Work
- When Is CMMC Required?
- How Long Does CMMC Take?
- What Does CMMC Cost?
- CMMC and Existing Cybersecurity Requirements
- How We Help
What Is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is an assessment and certification program created by the US Department of Defense (DoD) to better protect its supply chain and contractor network. Its primary goal is to verify that contractors and subcontractors have implemented the cybersecurity requirements needed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on nonfederal systems used in contract performance.
It is important to understand that, for most companies, CMMC does not create an entirely new set of cybersecurity obligations.
For Level 1 and Level 2, CMMC is largely a verification mechanism for requirements that already existed in FAR 52.204-21 and DFARS 252.204-7012, which have been in place for roughly ten years.
Level 3, however, adds 24 selected requirements from NIST SP 800-172 for a smaller subset of higher-risk programs.
The final CMMC program rule, 32 CFR Part 170, was published on October 15, 2024, and became effective on December 16, 2024. It establishes three CMMC levels:
- Level 1: 15 basic safeguarding requirements from FAR 52.204-21
- Level 2: 110 security requirements from NIST SP 800-171 Rev. 2, as required by DFARS 252.204-7012
- Level 3: 24 additional selected requirements from NIST SP 800-172, on top of Level 2
Most organizations will ultimately need to meet either Level 1 or Level 2. Level 3 is expected to apply only to a smaller subset of contractors supporting more sensitive programs.
Who Needs CMMC Certification?
Solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items are excluded from the DFARS CMMC clause. Outside of that exception, contractors and subcontractors may be subject to a CMMC requirement when they will use contractor information systems to process, store, or transmit FCI or CUI in performance of the contract.
In practical terms, if a DoD solicitation includes a CMMC requirement, the offeror must have the required current CMMC Status and annual affirmation before award. These requirements can also flow down to subcontractors when FCI or CUI is being flowed down to them as part of contract performance.
Which Level of CMMC Will We Need?
The CMMC level and assessment type required will be stated in the solicitation and resulting contract. For most companies, the question will be whether they need Level 1 or Level 2.
As a general rule:
- If your company will receive or handle only FCI under the contract, then CMMC Level 1 will usually apply.
- However, if your organization will handle CUI on contractor-owned (i.e., your own) systems, then CMMC Level 2 will generally be required at a minimum. The solicitation will determine whether that Level 2 requirement is a self-assessment or a C3PAO assessment.
For more detail on the different CMMC Levels and the assessment requirements see: CMMC Compliance Levels in CMMC 2.0.
CMMC Assessments
CMMC verification methods vary by compliance level. Here’s how each level is assessed:
- Level 1: A self-assessment must be performed annually and entered into the Supplier Performance Risk System (SPRS), along with an annual affirmation by the company’s affirming official. The affirming official can be held responsible under the False Claims Act. Level 1 is based on the 15 safeguarding requirements in FAR 52.204-21, and POA&Ms are not permitted at this level.
- Level 2: A Level 2 assessment must be completed every three years, plus annual affirmations as for Level 1. Depending on the solicitation, Level 2 may be either a self-assessment (for a small fraction of contracts) or an independent assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) of your choice. As of February 2026, approximately 1,000 companies have been certified at Level 2. For Level 2, very limited use of POA&Ms is allowed: a contractor may obtain a conditional result if it meets the minimum passing score of 88 and closes the permitted POA&M items within 180 days.
- Level 3: Level 3 requires the company to first achieve Final Level 2 (C3PAO) for the same assessment scope. The Level 3 assessment itself is then conducted by DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with annual affirmations required thereafter.
When Will This Be Required?
The CMMC rollout is no longer a future event — it has already begun. The final DFARS rule, 48 CFR, was published on September 10, 2025 and became effective on November 10, 2025, which started Phase 1 of CMMC implementation. Phase 1 runs from November 10, 2025 through November 9, 2026 and is focused primarily on Level 1 and Level 2 self-assessments.
That said, not every solicitation will automatically include the same CMMC requirement. The requirement depends on the procurement, the information involved, and the level specified by DoD in the solicitation. During Phase 1, DoD has stated that its intent is to focus on the appropriate self-assessment requirement, although the rules allow some limited discretion to use Level 2 (C3PAO) in selected cases.
Defense contractors and subcontractors should not confuse the phased rollout of CMMC contract clauses with the underlying cybersecurity requirements that already exist today. DFARS 252.204-7012, 7019, and 7020 still matter, and organizations handling CUI should already have their NIST SP 800-171 implementation, SPRS score, System Security Plan (SSP), and POA&M documentation in place where applicable. CMMC is, in many cases, the verification mechanism on top of those existing obligations.
After years of delays, the CMMC rulemaking process is now in place. Even for companies that do not yet see a CMMC clause in every opportunity, the time to prepare is now. Getting ready for Level 2 can take real time, especially when scoping, architecture, documentation, and remediation all need attention.
Prime contractors can already put CMMC requirements into their contracts and have been warning their subcontractors to ensure compliance. For example, Lockheed Martin stated in June 2025: “By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”
How Long Does It Take to Implement CMMC?
The implementation timeline depends mainly on three factors:
- The level you need to achieve
- Your current state of implementation of NIST SP 800-171 revision 2
- The size and scope of the environment being assessed
For some companies, Level 1 can be completed relatively quickly. For companies pursuing Level 2, preparation often takes substantially longer because the scope, technical controls, documentation, and evidence requirements are more demanding. In our experience, it takes most organizations 12-18 months to achieve CMMC Level 2 compliance. The right way to estimate timing is to start with a gap assessment and a realistic remediation plan.
For an overview of the preparation and certification process including some time estimates see CMMC Compliance Process and Timeline.
What Is the CMMC Cost?
The cost of CMMC depends on many of the same factors listed above: the level required, your current maturity, and the size and complexity of the environment in scope.
Companies should typically plan for costs in three broad areas:
- Readiness, scoping, and implementation support
- Technical and operational remediation work
- The assessment itself, if an independent assessment is required
We advise companies that intend to stay in the DoD supply chain to also expect ongoing compliance costs, not just a one-time project cost. Annual affirmations, periodic reassessments, documentation upkeep, and continued control operation all require ongoing attention.
CMMC Compliance & Existing Cybersecurity Requirements
While there is a lot of attention on CMMC right now, the reality is that for most defense contractors, CMMC is closely tied to cybersecurity requirements that have already existed for years. The real challenge for many organizations is not understanding that requirements exist — it is correctly scoping their environment, implementing the controls, documenting them, and being ready to prove that they are in place.
Our latest report gives a high-level overview of these existing FAR and DFARS requirements, how they relate to each other and to CMMC. The report is available for download at https://www.ecuron.com/dib-report/.
How We Are Prepared To Help You
Ecuron is a CMMC Registered Practitioner Organization™ (CMMC-RPO). As an RPO, we help organizations understand CMMC requirements, assess readiness, identify gaps, and support implementation and preparation for assessment. RPOs provide consulting and implementation support, but they do not perform certified CMMC assessments.
With experience supporting organizations across multiple industries, continents, and environments, we focus on practical CMMC readiness: defining scope, addressing gaps, building documentation, and helping clients prepare for the assessment path required by their contracts.
Depending on your current cybersecurity posture and the level required, preparing for CMMC can take anywhere from a relatively short effort to a much longer remediation program. Starting early gives you more options, more time to remediate properly, and less risk of being rushed when a contract opportunity depends on it. The sooner a company is certified, the bigger its competitive advantage.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment: See where your organization stands and what it takes to achieve compliance.
- CMMC Implementation Help: Based on the results of the first phase, we help you close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment: Think of it as a mock audit. We verify that everything is in place, mature, and can be proven to an auditor. If we find issues, we help you fix them. If your company needs to be assessed by a C3PAO or DoD official, we recommend scheduling the actual audit once we are confident that you are ready for the CMMC Assessment.
- CMMC Assessment Support: If your company needs to be assessed by a C3PAO or DoD official, we help you prepare for the audit and gather and organize evidence for a smooth assessment. We will be at your side throughout the process.
- CMMC Maintenance: Following successful certification, Ecuron offers ongoing support services to maintain your CMMC Level 2 compliance. This includes guidance on regulatory updates (such as migrating to and meeting the requirements of NIST SP 800-171 Rev. 3), threat intelligence relevant to your operating environment, vendor risk assessments, and more.