CMMC Compliance – A Quick Overview

last edit: 09/12/2025

What Is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is an assessment & certification program created by the US Department of Defense (DoD) to secure its supply chain and contractor network. CMMC’s primary goal is protecting its Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from cyber threats.

It’s important to understand that CMMC doesn’t introduce new requirements but rather certifies that you have implemented requirements that have been in place since 2018.

The final CMMC rule (32 CFR Part 170) was published October 15, 2024, and became effective December 16, 2024. The framework establishes three compliance levels of CMMC, each building upon the previous one:

  • Level 1: Basic requirements from FAR 52.204-21
  • Level 2: NIST SP 800-171 revision 2 requirements (DFARS 252.204-7012)
  • Level 3: Additional advanced security controls from NIST SP 800-172

Most organizations will need to comply with either Level 1 or Level 2.

Who Needs CMMC Certification?

Only contracts for Commercial Off-The-Shelf (COTS) products will be exempt from CMMC compliance requirements.

Any company bidding on DoD contracts involving Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must be CMMC compliant at contract award. These requirements also flow down to subcontractors who handle FCI and/or CUI.

Which Level of CMMC Will We Need?

The CMMC level mandated will be stated in the contract information. The majority of contracts will require Level 1 or Level 2 compliance.

As a general rule:

  • If your company will receive exclusively FCI under the contract, then you will need to meet CMMC Level 1 compliance requirements.
  • However, if your organization will receive CUI in addition, then CMMC Level 2 will be required as a minimum.

For more details about the different CMMC Levels and the assessment requirements see: CMMC Compliance Levels in CMMC 2.0.

CMMC Assessments

CMMC verification methods vary by compliance level. Here’s how each level is assessed:

  • Level 1: A self-assessment will need to be submitted to the Supplier Performance Risk System (SPRS) by a Senior Official or Principal who is responsible for the CMMC compliance program within the organization and who can be held responsible under the False Claims Act. These assessments will have to be performed annually.
  • Level 2: A Certified 3rd Party Assessment Organization (C3PAO) of your choosing will perform an independent assessment. The findings will be submitted to the Cyber-AB, which will issue the certification. Certification assessments by C3PAOs started in Q1 2025 and currently ~60 companies are being certified each month. CMMC Level 2 certifications will be valid for 3 years, but an annual self-attestation by a company executive is required in addition. During the initial roll-out phase of 12 months, organizations at Level 2 might be allowed to perform a self-assessment showing a minimum score of 88 to receive a Conditional Level 2 (Self). The remaining open controls will have to be closed out and met within 180 days.
  • Level 3: As for Level 2, a Certified 3rd Party Assessment Organization (C3PAO) will perform an independent assessment to check for compliance with the Level 2 controls. Once a CMMC Level 2 certification is achieved, auditors of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will assess the additional controls that are exclusive to Level 3. The resulting certification will be valid for three years.

When Will This Be Required?

While the 32 CFR Part 170 CMMC rule is finally out and allows CMMC certifications through C3PAO assessments, which started in Q1 2025, DoD contracts will not contain CMMC requirements until Q4 2025. This timeline is based on a second CMMC rule (Title 48 CFR) that was published September 10th and will take effect November 10, 2025. This will kick off Phase 1 of the CMMC roll-out. From this day on, all new solicitations by the DoD will include some CMMC requirements.

Prime contractors can put CMMC requirements into their contracts as of now and have been warning their subcontractors to ensure compliance. For example, Lockheed Martin states: “By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”

In the meantime, DFARS 252.204-7012 and -7019 are still in effect and require each organization to have a NIST SP 800-171r2 Assessment performed, the resulting score submitted to the SPRS, and a System Security Plan (SSP) as well as a Plan of Actions & Milestones (PoA&M) document in place.

After years of delays, the CMMC rulemaking process is finally done. While the DoD does not put CMMC certification requirements into new contracts until later this year, the time to prepare is now: CMMC Level 2 implementation takes organizations an average of 12-18 months. Time is running out to prepare. Primes have started to push hard for full implementation of the requirements. In addition, when there is a rush of companies trying to become certified, availability of C3PAOs will become a bottleneck. In other words, it’s time to get ready sooner rather than later.

How Long Does It Take to Implement CMMC?

The implementation time-frame depends on these main factors:

  • The level of certification you are required to comply with
  • The current state of your NIST SP 800-171 implementation
  • The size and scope of your system.

For example, after an initial Gap Analysis, it will take most organizations 12-18 months to achieve CMMC Level 2 compliance and to be ready for the certification assessment. CMMC Level 1 compliance can be accomplished in a much shorter time-frame. For an overview of the preparation and certification process including some time estimates see CMMC Compliance Process and Timeline.

What Is the CMMC Cost?

The cost of achieving CMMC compliance depends on the same factors as listed above. You have to consider expenses for these steps:

  • Support by companies like Ecuron for help with implementation
  • CMMC implementation cost
  • CMMC Assessment by a CMMC Third-Party Assessment Organization (C3PAO) if you are required to do so (CMMC Level 2 and Level 3)

We advise companies wishing to work with the DoD in the future to expect some ongoing expenses in addition to the initial cost of becoming compliant.

CMMC Compliance & Existing Cybersecurity Requirements

While there is a lot of buzz about CMMC, the reality is that it adds hardly any new requirements. We thought it would be helpful to take a step back and summarize all the existing cybersecurity requirements for contractors in the DoD supply chain.

Our latest report gives a high-level overview of these existing FAR & DFARS requirements, how they relate to each other and to CMMC. The report is available for download at https://www.ecuron.com/dib-report/.

How We Are Prepared To Help You

Ecuron has been receiving CMMC Registered Professional training from the Cyber AB (formerly called the CMMC Accreditation Body) to be among the first companies qualified to help you become CMMC compliant. As a CMMC Registered Practitioner Organization™ (CMMC-RPO) and with engagements in more than 12 states under our belt, Ecuron specializes in services designed to take you from your current status to full CMMC compliance in the most efficient way. We do not conduct the final CMMC Assessments.

Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from a few weeks to several months. Starting now will save you valuable time and will get you ahead of the competition.

We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:

  1. CMMC Gap Analysis / CMMC Gap Assessment
    See where your organization stands and what it takes to achieve compliance
  2. CMMC Implementation Help
    Based on the results of the first phase we will help you close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
  3. CMMC Pre-Assessment
    Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. If your company needs to be assessed by a C3PAO or DoD official, we will recommend scheduling the actual audit once we are confident that you are ready for the CMMC Assessment.
  4. CMMC Assessment Support
    If your company needs to be assessed by a C3PAO or DoD official, we help you prepare for the audit and gather and organize evidence for a smooth assessment. We will be at your side throughout the process.

To discuss your CMMC requirements and schedule a complimentary 30 min consultation, email us at cmmc@ecuron.com, use the form below, or give us a call.
