What Is CMMC 2.0?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's unified framework for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Unlike previous standards that relied on self-attestation, CMMC introduces formal verification requirements — annual self-assessments for most contractors, and third-party assessments by an accredited C3PAO for contracts involving sensitive CUI.
CMMC 2.0 simplified the original five-level model to three levels, aligned Level 2 directly with NIST SP 800-171, and reduced compliance burden for smaller contractors through expanded self-assessment options.
Official CMMC 2.0 Implementation Timeline
Every date below is cited from official DoD and Federal Register sources. Your actual deadline depends on when your specific contract is solicited.
Level 1 vs. Level 2: What You Actually Need
Your required level depends entirely on what type of information you handle — Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
CMMC Level 2: 14 Domains Mapped to SMB Reality
Level 2 requires 110 controls across 14 domains. The table below maps each domain, its typical SMB gap, and which CyberStackHub tools help address it.
| CMMC Domain | Controls | Common SMB Gap | CyberStackHub Tool |
|---|---|---|---|
| Access Control (AC) | 22 | No formal role-based access control; shared credentials; no remote access restrictions | Compliance Gap Analysis |
| Audit & Accountability (AU) | 9 | No centralized logging; no log review process; logs not retained for 90+ days | Security Audit |
| Awareness & Training (AT) | 3 | No formal security awareness program; no role-based training documentation | Security Training |
| Configuration Management (CM) | 9 | No baseline configuration documented; unauthorized software not tracked; open ports on systems | Security Audit |
| Identification & Authentication (IA) | 11 | No MFA on all systems; weak password policies; shared service accounts not identified | Compliance Gap Analysis |
| Incident Response (IR) | 3 | No documented incident response plan; no defined roles for incident response; no test exercises | IR Plan Builder |
| Maintenance (MA) | 6 | No formal maintenance policy; remote maintenance not secured or logged | Security Policies |
| Media Protection (MP) | 9 | CUI printed or stored on USB drives without encryption; no media sanitization policy | Security Policies |
| Personnel Security (PS) | 2 | No termination procedures that revoke access; no security screening for CUI roles | Compliance Gap Analysis |
| Physical Protection (PE) | 6 | No visitor log; CUI workstations visible to unauthorized individuals; no screen lock policy | Security Audit |
| Risk Assessment (RA) | 3 | No formal risk assessment process; no vulnerability scanning schedule | Vendor Risk Assessment |
| Security Assessment (CA) | 4 | No system security plan (SSP); no periodic control review; no POA&M tracking | Compliance Gap Analysis |
| System & Comm. Protection (SC) | 16 | No network segmentation; CUI flows unencrypted; no boundary protection on internet-facing systems | Pentest Readiness |
| System & Information Integrity (SI) | 7 | No patch management program; no malware protection on all endpoints; no alerts for security events | Security Audit |
Typical SMB Compliance Gap
Most SMBs pursuing CMMC Level 2 for the first time score 30–70 out of 110 controls before remediation. Here's what that looks like in practice:
⚠️ Cost estimates for CMMC Level 2 compliance vary widely by organization size, current posture, and whether cloud migration is required. No reliable public SMB-specific cost benchmark was available in the sources reviewed for this guide. Consulting a CMMC Registered Practitioner Organization (RPO) for a scoped estimate is recommended.
6-Step CMMC Readiness Roadmap for SMBs
Sequence matters. Starting in the wrong order wastes months. Follow this order.
- Step 1 — Determine your level (Week 1). Review your contracts for DFARS clauses 252.204-7012 and 252.204-7021. If you handle CUI (drawings, specs, contract data marked CUI), you need Level 2. If you handle FCI only (basic contract performance data), Level 1 may suffice. When in doubt, assume Level 2.
- Step 2 — Define and reduce your CUI scope (Weeks 2–4). Map exactly where CUI is stored, processed, and transmitted. Every system in scope means more controls to implement. Reduce scope aggressively: move CUI to fewer systems, or use a compliant cloud environment that keeps CUI off your own infrastructure entirely.
- Step 3 — Conduct a gap assessment (Weeks 3–6). Compare your current state against all 110 NIST SP 800-171 controls for Level 2. Use the DoD's SPRS to understand your scoring baseline. Identify which domains have the highest gap density — typically Access Control, Audit & Accountability, and Configuration Management for SMBs.
- Step 4 — Create your System Security Plan (SSP) (Months 2–4). The SSP documents how your organization implements each required control. It is the primary artifact C3PAO assessors review. A well-written SSP can offset implementation gaps by documenting compensating controls and context. This is not a checkbox — it's your compliance evidence.
- Step 5 — Remediate gaps and build your POA&M (Months 3–12). Prioritize by risk and assessment timeline. Critical controls (no POA&M allowed) must be fully implemented before certification. Non-critical gaps can be documented in a POA&M with a remediation timeline — DoD allows 180 days for these after conditional certification.
- Step 6 — Complete assessment and submit to SPRS (Months 12–18). Level 1: annual self-assessment submitted to SPRS. Level 2 (non-prioritized): self-assessment submitted to SPRS. Level 2 (prioritized): schedule a C3PAO 1–3 months in advance, then submit the certification to SPRS. An annual affirmation is required every year.
What to Do This Month (May 2026)
Phase 1 is active. If you haven't started, these are the three actions with the most immediate impact:
- Search for DFARS 252.204-7021 in any contract awarded after December 2024. If it's there, CMMC is already a requirement. Contact your contracting officer to clarify your specific level and timeline.
- The 17 Level 1 controls are the foundation. Completing a Level 1 self-assessment takes 2–4 days and tells you where you stand. It's also required annually regardless of Level 2 certification status. Use the DoD's SPRS system to submit your score.
- Third-party assessors (C3PAOs) are booking 1–3 months out. Schedule your slot now so your certification timeline aligns with your remediation completion. Find accredited C3PAOs at cyberab.org.
Frequently Asked Questions
What is the difference between CMMC Level 1 and Level 2?
Level 1 (Foundational) protects Federal Contract Information (FCI) — basic contract data that isn't public. It requires 17 practices based on FAR 52.204-21, verified by annual self-assessment. No third-party assessor is required.
Level 2 (Advanced) protects Controlled Unclassified Information (CUI) — sensitive data marked CUI, such as defense technical specs, export-controlled information, or personally identifiable information. It requires 110 security practices from NIST SP 800-171 Rev. 3, and may require a C3PAO third-party assessment for prioritized acquisitions.
Do CMMC requirements apply to subcontractors?
Yes. CMMC requirements flow down to all subcontractors at every tier that store, process, or transmit FCI or CUI. Prime contractors must verify subcontractor CMMC status before contract award or before sharing sensitive information. Access to the Supplier Performance Risk System (SPRS) is limited to the entity that owns the certification, so prime contractors must collect documentation such as SPRS screenshots or certificates from their subs.
What is a POA&M, and when is one allowed?
A Plan of Action and Milestones (POA&M) documents security gaps and your plan to remediate them. For CMMC Level 2, DoD allows conditional certification with a POA&M for non-critical controls, giving you 180 days to achieve full compliance after certification. Level 1 does not allow POA&Ms — all 17 controls must be fully implemented before certification.
How long does CMMC Level 2 preparation and assessment take?
Most organizations need 6–18 months to properly prepare for and complete a CMMC Level 2 assessment. Typical timeline: 2–4 weeks for the initial readiness assessment; 2–6 months for remediation and control implementation (in parallel with documentation development); 1–3 months to schedule a C3PAO assessor (limited availability); and 1–2 weeks for the certification audit itself.
Starting today and targeting an October 2026 certification is a realistic but tight timeline for most SMBs with significant gaps.
What is SPRS, and how is the score calculated?
The Supplier Performance Risk System (SPRS) is the DoD's database where contractors submit their CMMC self-assessment scores. For NIST SP 800-171, the maximum score is 110 (all controls implemented). Each unimplemented control subtracts points, and some critical controls subtract more than others, which is why a score can be negative. Many SMBs score -50 to +50 before remediation. A score of 110 means all controls are fully implemented. You submit your score to SPRS by logging in at sprs.csd.disa.mil.
Primary Sources — Verification Status
All CMMC requirements and timeline data on this page are drawn from official DoD, Federal Register, and NIST sources. URLs verified as accessible May 2026. Sources refreshed monthly.
- DoD CMMC Program Official Page — Authoritative source for CMMC framework, levels, and resources. dodcio.defense.gov/CMMC/About/
- 48 CFR CMMC Acquisition Rule (Federal Register, September 10, 2025) — Official rule activating CMMC in DoD contracts. Effective November 10, 2025. federalregister.gov (2025-17359)
- NIST SP 800-171 Rev. 3 — Protecting CUI in Nonfederal Systems — The 110 controls required for CMMC Level 2. csrc.nist.gov/pubs/sp/800/171/r3/final
- FAR Clause 52.204-21 — Basis for CMMC Level 1's 17 foundational practices. acquisition.gov/far/52.204-21
- DoD SPRS (Supplier Performance Risk System) — Where contractors submit CMMC assessment scores. sprs.csd.disa.mil
- CMMC Accreditation Body — C3PAO Directory — Find accredited third-party assessors. cyberab.org/Catalog/