
CMMC Certification for Small Businesses: What It Costs, What It Requires, and How to Prepare

Joseph Kamara · 14 min read · Updated March 22, 2026

If you sell to the Department of Defense, you have heard about CMMC certification. You have probably also heard numbers that made you want to close your laptop and walk away. $150,000. $300,000. “Impossible for small businesses.”

Here is what most of those articles leave out: they are written by companies that sell CMMC compliance services. The scarier the number, the more likely you are to hire them.

Most small defense contractors need CMMC Level 1. That means a small set of cybersecurity practices, a self-assessment you do yourself, and a cost most firms can absorb. If you handle Controlled Unclassified Information (CUI), you need Level 2, which costs more and requires a third-party assessment. But even Level 2 is manageable with the right plan and timeline.

This guide covers what CMMC actually is, whether you need it, what each level costs, and exactly how to prepare. No sales pitch. No gated content. Written by a CISSP (Certified Information Systems Security Professional) who works with small businesses, not a vendor trying to sell you a platform.

What You Will Learn

  • Determine which CMMC level your business needs
  • Estimate your real costs by level ($5K to $150K, cited sources)
  • Follow a 9-step readiness checklist you can start today
  • Avoid 7 myths that waste small businesses’ money
  • Access every free CMMC resource available

What Is CMMC Certification?

CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense’s (DoD) framework for verifying that defense contractors protect sensitive government information on their systems. The final rule was published as 32 CFR Part 170 on October 15, 2024, and took effect December 16, 2024. CMMC applies to all tiers of the defense supply chain, from prime contractors to the smallest subcontractors, if they handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

In plain language: if the DoD shares information with you as part of a contract, CMMC is the government’s way of making sure you protect that information. Before CMMC, contractors self-reported their cybersecurity status with no verification. That system was not working. CMMC adds verification.

Do You Need CMMC?

Not every government contractor needs CMMC. It depends on what information you handle and which agency you work with.

| Your Situation | CMMC Level | What It Means |
| --- | --- | --- |
| You handle FCI only (no CUI) | Level 1 | 15 practices, self-assessment, submit to SPRS |
| You handle CUI | Level 2 | 110 controls (NIST 800-171), third-party assessment required for critical CUI |
| You handle critical national security information | Level 3 | 110 + 24 enhanced controls, government-led assessment |
| You sell only COTS products to DoD | Exempt | Commercial off-the-shelf products are not covered |
| Your contract is at or below $15,000 | Generally exempt | Micro-purchase threshold contracts typically excluded |
| You only work with civilian agencies (GSA, HHS, etc.) | Not required | CMMC is a DoD program. Civilian agencies have separate requirements. |
| No FCI or CUI on your systems | Not required | If your DoD contract does not involve FCI or CUI, CMMC does not apply |

Important for subcontractors: CMMC flows down. If your prime contractor handles CUI and passes any of it to you, you need CMMC certification at the appropriate level. “I am just a sub” is not an exemption.

What is FCI vs. CUI? Federal Contract Information (FCI) is information the government gives you or that you create for the government under a contract (your SAM.gov registration is a prerequisite for any of this). It is not public information. Controlled Unclassified Information (CUI) is a step above: it is information the government has specifically marked as sensitive and requiring protection under DFARS 252.204-7012. Most small subcontractors handle FCI (Level 1). Most small primes handling technical data or engineering drawings handle CUI (Level 2).

The Three CMMC Levels Explained

| Feature | Level 1 | Level 2 | Level 3 |
| --- | --- | --- | --- |
| What it protects | FCI | CUI | Critical CUI / national security |
| Number of controls | 15 practices | 110 controls (NIST SP 800-171 Rev 2) | 110 + 24 enhanced (NIST SP 800-172) |
| Assessment type | Self-assessment | Third-party (C3PAO) | Government-led (DIBCAC) |
| Who assesses you | You | Certified Third-Party Assessor Organization | DoD assessors |
| Cost range (small biz) | $5,000 to $15,000 | $50,000 to $150,000 first year | $150,000+ |
| Certification cycle | Annual affirmation | 3-year certification + annual affirmation | 3-year certification |
| Plan of Action (POA&M) | Not allowed | Yes, if 80%+ controls met (180-day closeout) | TBD |

Fact check: Level 1 requires 15 practices (from FAR 52.204-21), not 17. The final rule (32 CFR Part 170) corrected this from earlier drafts. Many websites and AI tools still cite 17. If a guide says 17 practices, it is using outdated information.

Most small businesses in the defense supply chain need Level 1 or Level 2. Level 3 applies to a small number of contractors handling the most sensitive programs. If you are reading this guide, you almost certainly need Level 1 or Level 2.

What CMMC Actually Costs

Cost is the question that stops most small businesses from moving forward. Here are real numbers from 2026 industry reports, not marketing estimates.

Level 1 Cost: $5,000 to $15,000

Level 1 is a self-assessment. You review the required cybersecurity practices, document how you meet each one, and submit the results to the Supplier Performance Risk System (SPRS). The cost is mostly your team’s time. If you hire a consultant to help, the range matches what most small firms budget for an annual compliance task.

The DoD estimates the cost of a Level 1 self-assessment at about $6,000 for a small business.

Level 2 Cost: $50,000 to $150,000 (First Year)

Level 2 is where costs get real. Here is the breakdown for a small business with fewer than 50 employees:

| Cost Component | Range | What It Covers |
| --- | --- | --- |
| Gap assessment | $3,500 to $20,000 | Registered Practitioner Organization (RPO) compares your current state to NIST 800-171 |
| Remediation and implementation | $15,000 to $50,000 | Fix gaps: new tools, configurations, policies, training |
| Managed security services (annual) | $24,000 to $48,000 | Ongoing monitoring, security information and event management (SIEM), endpoint protection |
| C3PAO assessment fee | $30,000 to $55,000 | The actual third-party certification assessment |
| Total first year | $50,000 to $150,000 | |
| Annual maintenance (post-certification) | $20,000 to $40,000 | Keeping controls active, monitoring, annual affirmation |

Note: Firms starting with minimal cybersecurity maturity may exceed $150,000 in first-year costs. The IntelliGenesis example below ($180,000 to $200,000 for a 140-person firm) reflects this reality.

Sources: Paramify, Secureframe, CISPoint

Real example: IntelliGenesis, a woman- and veteran-owned firm with about 140 employees, has spent $100,000 toward Level 2 certification so far and expects $180,000 to $200,000 total. Their mock assessment alone cost $40,000. Source: ExecutiveGov

The DoD’s own estimate puts the 3-year cost for a “representative small business” at about $487,970. The SBA Office of Advocacy has formally stated this figure is too low. They filed comments to that effect and held a small business impacts roundtable on March 12, 2026 specifically to gather real-world cost data.

How to Reduce Your CMMC Costs

The enclave approach is the single best cost-saving strategy. Instead of securing your entire network to CUI standards, you create a separate, hardened environment (an “enclave”) where all CUI processing happens. For firms with 15 or fewer CUI-handling users, this can cut costs by up to 50%. Cloud-based enclaves (using Microsoft GCC High or AWS GovCloud) reduce costs by about 20% compared to on-premises setups.

Other cost reducers:

  • Use free resources first. Project Spectrum, APEX Accelerators, and NIST MEP Centers provide free cybersecurity guidance and assessments (details in the resources section below).
  • State-level programs. Some state APEX offices (Indiana, Maryland) offer free CMMC Resource Kits or direct funding to help small manufacturers prepare.
  • Start with Level 1. If you only handle FCI, do not overpay for Level 2 readiness you do not need.

The CMMC Timeline: What Has Happened and What Is Coming

| Date | Event |
| --- | --- |
| October 15, 2024 | Final rule published (32 CFR Part 170) |
| December 16, 2024 | Rule takes effect |
| September 10, 2025 | DFARS acquisition rule (48 CFR) published, fast-tracked in 34 days |
| November 10, 2025 | Phase 1 LIVE: Level 1 and Level 2 self-assessments appear in applicable DoD solicitations |
| November 10, 2026 | Phase 2: Level 2 C3PAO (third-party) assessments required for contracts involving critical CUI |
| November 10, 2027 | Phase 3: Level 3 government-led (DIBCAC) assessments begin |
| November 10, 2028 | Phase 4: Full implementation across all applicable contracts |

Phase 1 is live right now. If you are bidding on DoD contracts today, check every solicitation for CMMC clauses. Some contracts already require Level 1 self-assessment at the time you submit your offer.

The C3PAO Bottleneck: Why You Cannot Wait

This is the math that should get your attention: there are roughly 60 authorized Certified Third-Party Assessor Organizations (C3PAOs) in the country. More than 80,000 defense contractors will eventually need Level 2 certification. The wait times are already stretching to 18 months or longer.

When Phase 2 hits, demand for C3PAO assessments will spike. Firms that start now will have completed their assessments. Firms that wait will be competing for slots with tens of thousands of others, paying premium prices, and potentially losing contract eligibility because they could not get assessed in time.

The SBA recognizes this problem. The SBA Office of Advocacy held a roundtable on March 12, 2026, specifically to address the cost and access challenges small businesses face with CMMC. Their position is clear: DoD underestimated what this costs small businesses.

Where to find a C3PAO: The Cyber AB Marketplace is the official directory. Filter by “C3PAO” to see all authorized assessors. Start reaching out now, even if you are still remediating gaps.

SPRS score matters. Your SPRS (Supplier Performance Risk System) score reflects how many of the 110 NIST 800-171 controls you have implemented. The minimum for a conditional Level 2 certification is 88 out of 110. You can submit your score at sprs.csd.disa.mil.

How to Prepare: Your 9-Step CMMC Readiness Checklist

This is the sequence that works. Do not skip steps.

Step 1: Determine your level. Do you handle FCI only (Level 1) or CUI (Level 2)? Check your contracts for DFARS clause 252.204-7012. If it is there, you handle CUI and need Level 2. If your contracts only reference FCI, Level 1 is your target.

Step 2: Check your SPRS score. Log in to sprs.csd.disa.mil. If no score exists, you need to complete a NIST SP 800-171 self-assessment first. This is a baseline requirement before any CMMC assessment.

Step 3: Run a gap assessment. Compare your current cybersecurity controls against the required practices (Level 1) or the full NIST 800-171 control set (Level 2). Document every gap. An RPO (Registered Practitioner Organization) can do this for $3,500 to $20,000, or you can use free resources like Project Spectrum’s readiness check.

Step 4: Build your System Security Plan (SSP). This document describes how you implement each required control. It is a living document that assessors will review. If you do not have one, start here: NIST provides a free SSP template in its 800-171 documentation.

Step 5: Remediate gaps. This is where the work happens. Implement the missing controls your gap assessment identified. Budget 3 to 9 months for remediation depending on how many gaps you have. Common fixes include deploying multi-factor authentication, encrypting CUI at rest and in transit, establishing an incident response plan, and documenting access controls.

Step 6: Create your Plan of Action and Milestones (POA&M). If you are pursuing Level 2 and cannot close every gap before your assessment, a POA&M documents your plan. The rules: you must have at least 80% of controls implemented, and you have 180 days after assessment to close remaining gaps. One detail most guides miss: POA&M items can only apply to controls valued at 1 point, not the high-importance 3- or 5-point controls. Those must be fully implemented before your assessment. POA&Ms are not available for Level 1.

Step 7: Consider the enclave approach. If only a small team handles CUI, isolate that work into a separate, secured environment. This reduces your assessment scope and cost. For firms with 15 or fewer CUI users, enclaves can cut costs by up to 50%.

Step 8: Schedule your assessment. For Level 1, complete your self-assessment and submit results to SPRS. For Level 2, contact a C3PAO through the Cyber AB Marketplace. Do this early. Wait times are long and getting longer.

Step 9: Maintain compliance. CMMC is not one and done. Level 2 certification lasts three years, but a senior official at your company must affirm compliance every year. Keep your SSP updated. Continue monitoring. Document changes.

7 CMMC Myths That Cost Small Businesses Money

| Myth | Reality |
| --- | --- |
| “Only large primes need CMMC” | CMMC applies to all tiers of the supply chain. If you handle FCI or CUI as a subcontractor, you need certification. Size does not matter. |
| “I can wait until 2027 to start” | C3PAO wait times are 18+ months. If you need Level 2 by the Phase 2 deadline, the time to start was six months ago. Starting now is still possible. Starting in 2027 is too late. |
| “I can self-certify for Level 2” | Self-assessment covers Level 1 only. Level 2 for contracts involving critical CUI requires a third-party C3PAO assessment. There is no shortcut. |
| “CMMC is just an IT problem” | CMMC requires changes across your entire organization: written policies, employee training, physical security, incident response plans, and management accountability. It is a business transformation, not a software install. |
| “One tool makes you compliant” | No single product delivers CMMC compliance. Tools help, but certification requires documented controls, tested procedures, trained employees, and a third-party or self-assessment. |
| “It is one and done” | Level 2 certification lasts three years, but annual affirmation by a senior company official is required at every level. Ongoing maintenance adds tens of thousands per year. |
| “Level 1 has 17 practices” | The final rule (32 CFR Part 170) corrected this to the current count of 15. Earlier drafts said 17. The rule changed. Many sources have not caught up. |

Is CMMC Going Away?

No. This question comes up constantly, and the answer is clear.

CMMC is a statutory mandate under Section 1648 of the FY2020 National Defense Authorization Act, codified in federal regulation (32 CFR Part 170). An executive order cannot eliminate it. Congress would have to repeal the law. The Congressional Review Act window for blocking the program rule passed without action.

Katie Arrington, performing the duties of DoD Chief Information Officer, said it directly in 2026: “Yeah, it’s happening. So knock it off.” James Gillooley of the CMMC Program Management Office: “CMMC is an operational reality.”

That said, the broader cybersecurity ecosystem is under pressure. CISA (the Cybersecurity and Infrastructure Security Agency) has lost roughly 1,000 of its 3,300 employees since early 2025, a reduction of nearly one-third. The proposed FY2026 budget would cut CISA funding by nearly $500 million (source: CNN, March 2025; Federal News Network, May 2025).

What does this mean for you? CMMC enforcement is not going away. But the government support structure around cybersecurity is thinner than it was a year ago. Small businesses need to be more self-reliant on cybersecurity preparation, not less. The free resources listed below are more important than ever.

Free CMMC Resources for Small Businesses

You do not need to pay a consultant to start preparing. These resources cost nothing (see also our full list of free government contracting resources).

| Resource | What It Provides | Where to Find It |
| --- | --- | --- |
| Project Spectrum | Free cybersecurity training, readiness checks for NIST 800-171 and CMMC, mentor matching with large defense contractors. Has helped hundreds of thousands of businesses since launch. | projectspectrum.io |
| APEX Accelerators | Free one-on-one counseling for government contractors, including CMMC readiness. 90+ locations. Some state offices (Indiana, Maryland) offer free CMMC Resource Kits. | apexaccelerators.us |
| NIST MEP Centers | 1,400 advisors at 450+ locations. Cybersecurity guidance for small manufacturers. The FY2021 NDAA (Section 1642) authorizes DoD to fund MEP Centers for small manufacturer cybersecurity. | nist.gov/mep |
| Cyber AB Marketplace | Official directory of 60+ authorized C3PAOs, Registered Practitioners, and Registered Provider Organizations. | cyberab.org |
| DoD CIO CMMC Portal | Official program information, guidance documents, and the CMMC Self-Assessment Guide for Level 1. | dodcio.defense.gov/CMMC |
| NIST SP 800-171 Rev 2 | The actual 110 security controls that CMMC Level 2 is built on. Free to download. | csrc.nist.gov |
| SPRS Portal | Submit and check your NIST 800-171 assessment score. Required for all CMMC levels. | sprs.csd.disa.mil |

Watch for: The “Small Business Cybersecurity Act of 2024” proposed a tax credit of up to $50,000 for companies with 50 or fewer employees to cover CMMC assessment and remediation costs. It has not become law yet. If it passes in a future NDAA, it could significantly reduce Level 2 costs for the smallest contractors.

Frequently Asked Questions

How much does CMMC certification cost for a small business?

Level 1 is the lower-cost tier, typically under $15,000 for documentation and self-assessment. Level 2 runs significantly higher in the first year because it includes a gap assessment, remediation, and a C3PAO assessment fee. Annual maintenance adds ongoing costs after certification. The enclave approach can cut Level 2 expenses by up to 50% for firms with a small number of CUI-handling users. See the detailed cost tables above for exact ranges by component.

Do I need CMMC if I am a subcontractor?

Yes, if you handle FCI or CUI. CMMC requirements flow down through the supply chain. If your prime contractor passes any federal contract information or controlled unclassified information to you, you need CMMC certification at the appropriate level. Check with your prime contractor about which CMMC level applies to your subcontract.

What is the difference between CMMC Level 1 and Level 2?

Level 1 protects Federal Contract Information (FCI) with a set of foundational cybersecurity practices and a self-assessment. Level 2 protects Controlled Unclassified Information (CUI) with the full NIST SP 800-171 Rev 2 control set and requires a third-party assessment by a C3PAO. Level 2 costs significantly more and takes longer to achieve.

Can I self-assess for CMMC?

For Level 1, yes. You conduct your own assessment and submit the results to SPRS. For Level 2, it depends on the contract. Some Level 2 contracts allow self-assessment, but contracts involving critical CUI require a third-party C3PAO assessment. Phase 2 expands the C3PAO requirement starting late 2026.

What happens if I am not CMMC certified by the deadline?

You will not be eligible for DoD contracts that require CMMC certification. The contracting officer will not be able to award you the contract, regardless of how strong your proposal is. For contracts where CMMC is required at the time of offer, you must have your certification before you submit your bid.

Does CMMC apply to commercial off-the-shelf (COTS) products?

No. Contracts exclusively for COTS items (as defined in FAR 2.101) are exempt from CMMC. The product must be sold in significant quantities in the commercial market at commercial prices with no modifications. If your contract includes any non-COTS services or customization, the exemption does not apply.

What is SPRS and what score do I need?

SPRS (Supplier Performance Risk System) is the DoD’s portal where contractors submit their NIST 800-171 self-assessment scores. Scores range from -203 to a perfect score of 110, based on how many NIST 800-171 requirements you have implemented. For a conditional Level 2 certification (with a POA&M), you need a minimum score of 88. Access it at sprs.csd.disa.mil.
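A worked check of the scoring and POA&M rules this answer and Step 6 of the readiness checklist describe, as an added example that is not part of the original article: each unmet requirement deducts its 1-, 3- or 5-point weight from a perfect 110, conditional Level 2 needs a score of at least 88 with 80% of controls implemented, and only 1-point controls may go on a POA&M. The requirement IDs and point weights in `sample_assessment` are constructed sample data, not the real DoD assessment table.

```python
"""Conditional CMMC Level 2 eligibility check from a NIST SP 800-171 self-assessment.

Added example, not code from the article. Requirement IDs and weights are
CONSTRUCTED for illustration; look up the real per-requirement values in the
DoD assessment methodology before relying on a score.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110            # all 110 requirements implemented
CONDITIONAL_MIN_SCORE = 88     # article: minimum SPRS score for conditional Level 2
MIN_IMPLEMENTED_PERCENT = 80   # article: at least 80% of controls implemented
POAM_MAX_WEIGHT = 1            # article: only 1-point controls may sit on a POA&M


@dataclass(frozen=True)
class Requirement:
    control_id: str   # requirement identifier (constructed placeholder here)
    weight: int       # 1, 3 or 5 points deducted when the requirement is unmet
    implemented: bool


def sprs_score(reqs):
    """Start at 110 and subtract the weight of every unmet requirement."""
    return PERFECT_SCORE - sum(r.weight for r in reqs if not r.implemented)


def conditional_level2_check(reqs):
    """Return (eligible, reasons): may the remaining gaps go on a 180-day POA&M?"""
    unmet = [r for r in reqs if not r.implemented]
    reasons = []
    score = sprs_score(reqs)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"SPRS score {score} is below the {CONDITIONAL_MIN_SCORE} minimum")
    implemented = len(reqs) - len(unmet)
    if implemented * 100 < MIN_IMPLEMENTED_PERCENT * len(reqs):   # integer math, no float edge
        reasons.append(f"only {implemented} of {len(reqs)} controls implemented (under 80%)")
    heavy = [r.control_id for r in unmet if r.weight > POAM_MAX_WEIGHT]
    if heavy:
        reasons.append("3- or 5-point controls must be fully implemented before assessment: "
                       + ", ".join(heavy))
    return (not reasons, reasons)


def sample_assessment(unmet_ids):
    """CONSTRUCTED 110-requirement set: REQ-001..REQ-040 weigh 5 points,
    REQ-041..REQ-054 weigh 3, the rest weigh 1. The given IDs are marked unmet."""
    unmet = set(unmet_ids)
    reqs = []
    for n in range(1, PERFECT_SCORE + 1):
        weight = 5 if n <= 40 else 3 if n <= 54 else 1
        cid = f"REQ-{n:03d}"
        reqs.append(Requirement(cid, weight, cid not in unmet))
    return reqs


if __name__ == "__main__":
    # Twenty unmet 1-point items: score 90, 90 of 110 implemented, POA&M allowed.
    ok = sample_assessment([f"REQ-{n:03d}" for n in range(91, 111)])
    print(sprs_score(ok), conditional_level2_check(ok))
    # A single unmet 5-point item scores higher (105) but is NOT eligible:
    # high-weight controls cannot be deferred to a POA&M.
    one_heavy_gap = sample_assessment(["REQ-001"])
    print(sprs_score(one_heavy_gap), conditional_level2_check(one_heavy_gap))
```

The second case is the one small firms most often get wrong: a high score does not help if any of the deferred gaps is a 3- or 5-point control.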

Is CMMC going to be delayed or canceled?

No. CMMC is a statutory requirement under the FY2020 NDAA, codified in federal regulation. It cannot be reversed by executive order. Phase 1 is already live in DoD solicitations. Phase 2 (C3PAO assessments) begins late 2026. Plan accordingly.

Next Steps

Here is your action plan:

  1. Determine your CMMC level using the decision table above. Check your contracts for DFARS 252.204-7012.
  2. Check your SPRS score at sprs.csd.disa.mil. If you do not have one, start your NIST 800-171 self-assessment.
  3. Contact your local APEX Accelerator for free, one-on-one CMMC guidance.
  4. Run a free readiness check at Project Spectrum.
  5. If you need Level 2: Start contacting C3PAOs through the Cyber AB Marketplace now. Wait times are long.
  6. Read our FAR Compliance guide for the broader compliance picture.
  7. Update your capability statement to include your CMMC level once certified.

CMMC is real, it is happening now, and the cost is manageable if you plan ahead. The contractors who start today will be certified and winning contracts while their competitors are still waiting for a C3PAO slot. Do not let perfect be the enemy of started.

This article is for informational purposes only. It is not legal, financial, or cybersecurity advice. Consult with qualified professionals for guidance specific to your business and contracts.

Written by Joseph Kamara

CPA, CISSP, CISA. Former Big Four auditor (KPMG, BDO). Specializing in government contracting compliance, cybersecurity, and audit readiness.
