CMMC Compliance for Small Business: Levels, Cost & Requirements (2026)

Last updated: 2026-03-28

Summary: CMMC (Cybersecurity Maturity Model Certification) is required for companies in the Department of Defense (DoD) supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 has three levels: Level 1 (basic, 17 practices, self-assessment), Level 2 (advanced, 110 practices aligned with NIST SP 800-171, third-party or self-assessment), and Level 3 (expert, 110+ NIST SP 800-172 practices, government-led assessment). Costs range from $5,000 for Level 1 to $100,000+ for Level 3. Without CMMC certification, you will not be able to bid on or retain DoD contracts that require it.

What is CMMC?

CMMC is a cybersecurity certification program created by the U.S. Department of Defense to ensure that defense contractors adequately protect sensitive information. Before CMMC, contractors were required to self-attest to NIST SP 800-171 compliance, but audits revealed widespread non-compliance. CMMC adds verification through independent assessments.

CMMC 2.0 (the current version, finalized in 2024) streamlined the original 5-level model down to 3 levels and aligned them with existing NIST standards. It applies to all companies in the Defense Industrial Base (DIB) that handle FCI or CUI — from major defense primes to small machine shops and IT providers.

The CMMC requirement is implemented through DFARS clause 252.204-7021 and will be included in contract solicitations. Companies must achieve the required CMMC level before contract award.

The three CMMC levels

Factor | Level 1 (Foundational) | Level 2 (Advanced) | Level 3 (Expert)
Data type protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI for highest-priority programs
Based on | FAR 52.204-21 (15 basic safeguarding requirements) | NIST SP 800-171 Rev 2 (110 security requirements) | NIST SP 800-172 (110+ enhanced requirements)
Number of practices | 17 | 110 | 110+ enhanced
Assessment type | Annual self-assessment | Third-party (C3PAO) or self-assessment (for select contracts) | Government-led (DIBCAC)
Typical cost | $5K-$15K | $30K-$100K+ | $100K+
Timeline to achieve | 1-3 months | 6-18 months | 12-24+ months
Who needs it | All DoD contractors with FCI | Contractors handling CUI | Contractors on highest-priority programs

CMMC Level 1: Foundational (17 practices)

Level 1 requires implementation of 17 basic cybersecurity practices from FAR 52.204-21. These are fundamental security hygiene measures that every business should already have in place:

  • Limit information system access to authorized users and transactions
  • Identify, report, and correct information system flaws in a timely manner
  • Provide protection from malicious code (antivirus) at appropriate locations
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans and real-time scans of files from external sources
  • Authenticate (or verify) the identities of users, processes, or devices
  • Sanitize or destroy information system media containing FCI before disposal or reuse
  • Limit physical access to organizational information systems, equipment, and operating environments

Assessment: Level 1 is self-assessed annually. You complete the assessment and submit your score to the Supplier Performance Risk System (SPRS). No third-party auditor is required.

CMMC Level 2: Advanced (110 practices)

Level 2 requires full implementation of all 110 security requirements from NIST SP 800-171 Revision 2. This is the level most small and mid-size DoD contractors will need to achieve. The 110 requirements span 14 families:

Family | # of Requirements | Key Focus
Access Control | 22 | User access, remote access, MFA, least privilege
Awareness & Training | 3 | Security awareness, role-based training
Audit & Accountability | 9 | Logging, log review, audit trail protection
Configuration Management | 9 | Baseline configs, change control, least functionality
Identification & Authentication | 11 | MFA, password policies, authenticator management
Incident Response | 3 | IR planning, detection, reporting, testing
Maintenance | 6 | System maintenance, remote maintenance controls
Media Protection | 9 | Media access, marking, storage, sanitization, transport
Personnel Security | 2 | Screening, termination procedures
Physical Protection | 6 | Facility access, visitor control, monitoring
Risk Assessment | 3 | Risk identification, vulnerability scanning
Security Assessment | 4 | Control assessments, system security plans, POA&Ms
System & Comm. Protection | 16 | Boundary protection, encryption, network segmentation
System & Info. Integrity | 7 | Flaw remediation, malware protection, monitoring

Assessment: Level 2 requires either a third-party assessment by an authorized C3PAO (for contracts involving critical CUI) or a self-assessment (for non-critical CUI contracts). The assessment type is specified in the contract solicitation.

CMMC cost breakdown for small businesses

Cost Component | Level 1 | Level 2
Gap assessment / readiness | $2K-$5K | $5K-$20K
Security tools (SIEM, EDR, MFA, backup) | $1K-$5K/year | $5K-$30K/year
Consultant / CMMC-registered practitioner | $2K-$5K | $10K-$40K
C3PAO assessment fee | N/A (self-assess) | $30K-$75K
System Security Plan (SSP) development | $1K-$3K | $5K-$15K
Estimated first-year total | $5K-$15K | $30K-$100K+

DoD resources for small businesses: The DoD provides free cybersecurity resources through Project Spectrum and the CISA Cyber Hygiene program (free vulnerability scanning). The SBA also offers cybersecurity guidance for small businesses.

CMMC compliance timeline

1. Gap assessment (2-4 weeks). Evaluate your current security posture against the applicable NIST standard. Identify gaps and create a remediation roadmap. For Level 1, this can be done internally. For Level 2, consider hiring a CMMC-registered practitioner (RP) or consultant.

2. System Security Plan (SSP) development (2-6 weeks). Document your system boundaries, data flows, security controls, and how each NIST requirement is met. The SSP is the foundational document for your CMMC assessment.

3. Remediation (1-12 months). Implement missing controls, deploy security tools, write policies, configure systems, and train employees. This is typically the longest phase. For Level 2, expect to address access controls, MFA, encryption, logging, incident response, and dozens of other requirements.

4. Submit SPRS score (Level 1 and Level 2 self-assessment). Calculate your NIST 800-171 score (0-110 for Level 2) and submit it to the Supplier Performance Risk System (SPRS). A score of 110 means full compliance. Lower scores indicate gaps and require a POA&M.

5. C3PAO assessment (Level 2 third-party, 2-4 weeks). Schedule and complete the assessment with an authorized C3PAO. The assessment includes document review, interviews, configuration testing, and evidence examination. Results are submitted to the CMMC eMASS system.

6. Certification and ongoing maintenance. Once certified, maintain your security program, conduct annual self-assessments (Level 1) or triennial C3PAO assessments (Level 2), and continuously update your SSP and POA&M as your environment changes.

Frequently Asked Questions

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity framework created by the U.S. Department of Defense (DoD) to protect sensitive information in the defense industrial base (DIB). It requires contractors and subcontractors who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to demonstrate cybersecurity maturity at specified levels. CMMC 2.0 (the current version) has three levels, aligning with existing frameworks like NIST SP 800-171 and NIST SP 800-172.

Who needs CMMC certification?

Any company in the DoD supply chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need CMMC certification. This includes prime contractors, subcontractors at all tiers, and small businesses that provide products or services to the DoD. Even if you are a small machine shop, IT service provider, or consulting firm working on a DoD contract, CMMC requirements will flow down to you. The specific CMMC level required will be stated in the contract solicitation (DFARS clause 252.204-7021).

When does CMMC become mandatory?

CMMC 2.0 rulemaking was finalized in late 2024, and the DoD began including CMMC requirements in select contract solicitations in 2025. Full implementation is being phased in over several years. By 2026-2028, CMMC requirements are expected to appear in most new DoD contracts and many existing contract renewals. The DoD has stated that CMMC will eventually be required for all contracts involving FCI or CUI. Companies should begin preparing now, as the certification process takes 6-18 months.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. It is the lower sensitivity category and requires CMMC Level 1. Controlled Unclassified Information (CUI) is information that requires safeguarding per federal law, regulation, or government-wide policy. Examples include technical drawings, test results, engineering data, and export-controlled information. CUI requires CMMC Level 2 or higher. The CUI Registry (maintained by NARA) lists all CUI categories.

How much does CMMC compliance cost for a small business?

Costs vary significantly by level. CMMC Level 1 (self-assessment): $5,000-$15,000 for preparation and documentation. CMMC Level 2 (C3PAO assessment): $30,000-$100,000+ including preparation, security tools, consultant fees, and the assessment itself. CMMC Level 3 (government-led assessment): $100,000+ due to advanced requirements and DIBCAC assessment. Beyond the assessment, ongoing annual costs for security tools, monitoring, and compliance maintenance typically run $10,000-$50,000 per year for Level 2.

Can I self-assess for CMMC?

It depends on the level. CMMC Level 1 allows annual self-assessment. Some CMMC Level 2 contracts will allow self-assessment (for contracts involving non-critical CUI), while others will require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). CMMC Level 3 always requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The specific assessment type will be stated in the contract solicitation.

What is a C3PAO?

A C3PAO (CMMC Third-Party Assessment Organization) is an organization authorized by the CMMC Accreditation Body (known as The Cyber AB) to conduct CMMC Level 2 assessments. C3PAOs employ certified assessors who evaluate whether your organization meets all required practices and processes for the specified CMMC level. You can find a list of authorized C3PAOs on The Cyber AB Marketplace. Assessment costs from a C3PAO typically range from $30,000 to $75,000 depending on the size and complexity of your organization.

What is a POA&M and can I use one for CMMC?

A POA&M (Plan of Action and Milestones) is a document that identifies security weaknesses and outlines specific steps and timelines to remediate them. Under CMMC 2.0, limited use of POA&Ms is permitted for Level 2 assessments. You may receive a conditional certification with a POA&M for a subset of requirements, but you must close all POA&M items within 180 days. Not all requirements are eligible for POA&Ms — certain critical security practices must be fully implemented at the time of assessment. POA&Ms are not allowed for Level 1 self-assessments.

This is general information, not legal or cybersecurity advice. CMMC requirements are evolving and implementation timelines may change. Always consult a qualified CMMC-registered practitioner or cybersecurity consultant for advice specific to your situation. Sources: DoD CIO, The Cyber AB, NIST, CISA.