Key Statistic
As of 2026, DoD awards over $400 billion annually in contracts — and CMMC 2.0 is now a hard gate for the majority of those awards involving Controlled Unclassified Information. An estimated 80,000+ contractors in the Defense Industrial Base must comply.
What is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework that verifies defense contractors protect sensitive government information from cyber threats. Unlike prior self-attestation models, CMMC 2.0 requires independent validation for many contracts — meaning you can no longer just check a box and move on.
CMMC 2.0 replaced the original 5-level CMMC 1.0 framework in November 2021, consolidating it to three levels aligned with existing NIST standards. The final rule was published in late 2024, and DoD began including CMMC requirements in solicitations starting in 2025.
Who needs CMMC? Any contractor that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on DoD contracts. This captures manufacturers, IT firms, engineering companies, logistics providers, and research organizations across the entire Defense Industrial Base.
Level 1: 17 basic practices. Self-attestation. Protects FCI only.
Level 2: 110 NIST SP 800-171 controls. C3PAO or self-assessment. Protects CUI.
Level 3: 110+ controls plus NIST SP 800-172. Government-led assessment. Critical programs.
CMMC Level 1 vs Level 2 vs Level 3 — Comparison
The three CMMC levels build on each other. Each level is a superset of the one below it. Most small contractors fall into Level 1 or Level 2.
| Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
|---|---|---|---|
| Practice count | 17 | 110 | 110+ |
| NIST standard | FAR 52.204-21 | NIST SP 800-171 | NIST SP 800-172 |
| Assessment type | Annual self-attestation | C3PAO or self-assessment | Government-led triennial |
| Who it protects | FCI | CUI | Critical CUI |
| Senior official affirmation | Required | Required | Required |
| SPRS score required | Yes | Yes | Yes |
| Typical contracts | Commercial items w/ FCI | DoD IT, R&D, manufacturing | Advanced weapons, critical programs |
The 4 DFARS Cybersecurity Clauses
CMMC operates alongside four foundational DFARS cybersecurity clauses. Every DoD contractor needs to understand all four — they work as a system, and they all flow down to subcontractors.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
Requires implementation of NIST SP 800-171 controls and 72-hour incident reporting to DC3. The foundational cybersecurity clause since 2017.
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
Mandates that offerors post a current NIST SP 800-171 self-assessment score in SPRS before contract award. The score must be no older than 3 years.
DFARS 252.204-7020: NIST SP 800-171 DoD Assessments
Requires contractors to allow DoD to conduct higher-level assessments (medium or high confidence) of their NIST SP 800-171 implementation and post the results to SPRS.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
The CMMC clause itself. Specifies the required CMMC level for the contract and prohibits award to contractors that cannot demonstrate compliance.
NIST SP 800-171: The 110 Controls Explained
NIST SP 800-171 Rev 2 defines 110 security requirements organized into 14 families. Every Level 2 (and Level 3) contractor must implement all 110. There is no partial credit — any unimplemented control must have a documented Plan of Action and Milestones (POA&M) with a remediation deadline.
Each control is scored in SPRS. The score starts at the maximum of 110, and each unimplemented control subtracts its weight (controls are weighted 1, 3, or 5 points each). The minimum possible score is -203, which corresponds to every control being unimplemented.
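A small scorer that applies the rule above, written as an added example for this page rather than DoD's own SPRS tooling. It starts at 110, subtracts the weight of each unimplemented control, rejects weights other than 1, 3 or 5, and reports the POA&M gaps the section requires every unimplemented control to have: entries with no remediation date and entries whose date has already passed. The five-control inventory and its weights are constructed for illustration and are not the official per-control point values; `AS_OF` is an assumed assessment date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

MAX_SCORE = 110              # score with every NIST SP 800-171 requirement implemented
ALLOWED_WEIGHTS = {1, 3, 5}  # point values used by the DoD assessment methodology


@dataclass(frozen=True)
class Control:
    control_id: str                       # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int                           # 1, 3 or 5 points
    implemented: bool
    poam_deadline: Optional[date] = None  # remediation date from the POA&M, if any


def validate(controls: Iterable[Control]) -> None:
    """Reject weights outside 1/3/5 and requirement numbers listed twice."""
    seen = set()
    for c in controls:
        if c.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not 1, 3 or 5")
        if c.control_id in seen:
            raise ValueError(f"{c.control_id}: listed twice")
        seen.add(c.control_id)


def sprs_score(controls: list[Control]) -> int:
    """Start at 110 and subtract the weight of every unimplemented control."""
    validate(controls)
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def minimum_score(controls: list[Control]) -> int:
    """Score if nothing were implemented: 110 minus the sum of all weights.
    For the real 110-control weighting this is the -203 floor quoted above."""
    validate(controls)
    return MAX_SCORE - sum(c.weight for c in controls)


def poam_findings(controls: list[Control], today: date) -> dict[str, list[str]]:
    """Unimplemented controls with no POA&M date, and those past their date."""
    missing = [c.control_id for c in controls
               if not c.implemented and c.poam_deadline is None]
    overdue = [c.control_id for c in controls
               if not c.implemented and c.poam_deadline is not None
               and c.poam_deadline < today]
    return {"missing_poam": missing, "overdue": overdue}


# Constructed sample inventory (illustrative weights, not the official values).
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, False, date(2026, 9, 30)),   # open, POA&M date in the future
    Control("3.3.1", 3, False, date(2025, 1, 31)),   # open, POA&M date already passed
    Control("3.4.1", 1, False),                      # open, no POA&M entry at all
    Control("3.5.1", 1, True),
]

AS_OF = date(2026, 3, 1)  # assumed assessment date for the sample run

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    print("floor if nothing implemented:", minimum_score(SAMPLE_CONTROLS))
    print("POA&M findings:", poam_findings(SAMPLE_CONTROLS, AS_OF))
```

With the constructed inventory the score is 101 (110 minus 5, 3 and 1 for the three open controls), control 3.4.1 is flagged for having no POA&M entry, and 3.3.1 is flagged as overdue. Replacing `SAMPLE_CONTROLS` with a full 110-entry inventory carrying the official weights gives a real SPRS score and a `minimum_score` of -203.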
| Family | Focus |
|---|---|
| Access Control (AC) | Who can access what systems |
| Awareness & Training (AT) | Security awareness programs |
| Audit & Accountability (AU) | Logging and monitoring |
| Configuration Management (CM) | Baseline configs, change control |
| Identification & Authentication (IA) | MFA, password policies |
| Incident Response (IR) | Incident handling and reporting |
| Maintenance (MA) | Controlled system maintenance |
| Media Protection (MP) | Physical and digital media |
| Personnel Security (PS) | Screening, termination |
| Physical Protection (PE) | Facility access controls |
| Risk Assessment (RA) | Vulnerability scanning, assessments |
| Security Assessment (CA) | Plans, reviews, POA&M |
| System & Comm Protection (SC) | Network segmentation, encryption |
| System & Info Integrity (SI) | Patch management, malware |
How to Get CMMC Certified — Step by Step
Determine your required CMMC level
Review the DFARS clauses in your target solicitations (Section H/I). If you see 252.204-7021 with Level 2, that is your target. If you only see 252.204-7019, you need a current SPRS self-assessment.
Define your CUI boundary
Document every system, device, and location where CUI is processed, stored, or transmitted. This boundary is what gets assessed — making it smaller reduces cost and complexity significantly.
Conduct a gap assessment against NIST SP 800-171
Map each of the 110 controls against your current environment. You can self-assess or hire an RPO (Registered Practitioner Organization). Document the results in a System Security Plan (SSP).
Remediate gaps and build your POA&M
Implement missing controls. For any control not yet in place, create a Plan of Action and Milestones (POA&M) with specific remediation dates. A POA&M with no progress is a major finding in any assessment.
Post your SPRS score
Calculate your NIST SP 800-171 score and post it in SPRS (sprs.apps.mil). A senior company official must affirm the score annually under DFARS 252.204-7019 and 252.204-7020.
Engage a C3PAO (for Level 2 prioritized contracts)
If your contract requires a third-party assessment, search the Cyber AB Marketplace for an authorized C3PAO. They will conduct a formal assessment of your SSP and evidence, then submit results to DoD's CMMC Enterprise Mission Assurance Support Service (eMASS).
Receive your certification
If you pass, DoD records your CMMC Level 2 certification in SPRS. It is valid for 3 years for third-party assessments. Annual affirmations are required in year 2 and year 3.
CMMC Level 2 Cost Estimates by Company Size
Costs vary widely depending on your existing security posture, CUI boundary size, and whether you need a C3PAO assessment. These are representative estimates for a contractor with a moderate security baseline (some controls in place, some gaps) seeking Level 2 certification.
DoD's own cost model estimates average total CMMC Level 2 compliance costs between $118,000 and $240,000 for a medium-sized contractor over a 3-year assessment cycle, including labor, tools, and assessment fees.
| Company Size | Gap Assessment | Remediation | C3PAO Assessment | Annual Maintenance |
|---|---|---|---|---|
| Sole proprietor (1 person) | $2K–$8K | $5K–$25K | $20K–$40K | $3K–$8K |
| Small (1–10 employees) | $5K–$15K | $15K–$50K | $30K–$55K | $8K–$18K |
| Small (11–50 employees) | $10K–$30K | $40K–$120K | $45K–$80K | $15K–$35K |
| Mid-size (51–200 employees) | $20K–$60K | $100K–$350K | $60K–$110K | $30K–$75K |
| Growing (201–500 employees) | $40K–$100K | $200K–$600K | $80K–$160K | $55K–$120K |
Estimates based on publicly available DoD cost models and industry surveys. Actual costs vary. Contractors with strong existing security posture will be at the low end of each range.
Realistic Timeline to CMMC Level 2 Certification
Most contractors underestimate how long certification takes. C3PAO availability alone can add 3–6 months to your timeline. Start 12–18 months before you need certification.
Scoping & gap assessment
Define CUI boundary, inventory systems, complete NIST SP 800-171 gap assessment, draft initial SSP.
Remediation
Implement missing controls in priority order. Most time-intensive phase — particularly access control, audit logging, and system hardening.
Documentation & SPRS
Finalize SSP and POA&M. Calculate SPRS score. Senior official affirmation. Post score to SPRS.
C3PAO engagement & scheduling
Select C3PAO from Cyber AB Marketplace. Schedule assessment — wait times typically 1–4 months. Conduct pre-assessment readiness review.
Formal assessment
C3PAO conducts documentation review and interviews, followed by system testing. Results submitted to eMASS.
Certification received
DoD records certification in SPRS. Valid for 3 years. Year 2 and Year 3 annual affirmations required.
Common CMMC Mistakes — and How to Avoid Them
Scoping the CUI boundary too broadly
Every system in scope adds cost and complexity. Work to contain CUI to the smallest practical set of systems. Use dedicated enclaves, not company-wide networks.
Posting an inflated SPRS score
False SPRS scores are a False Claims Act violation with serious legal and financial consequences. Score accurately. If your score is low, focus on remediation — not score inflation.
Treating the SSP as a one-time document
Your System Security Plan must stay current. Changes to systems, personnel, or technology require SSP updates. An outdated SSP is a major finding in any assessment.
Ignoring POA&M follow-through
Assessors look closely at whether your POA&M has active progress. A POA&M with items sitting unresolved for 18 months raises serious flags. Assign owners and track remediation milestones monthly.
Forgetting subcontractor flow-down
Prime contractors are responsible for ensuring their subs comply. Include DFARS 252.204-7012 in all subcontracts involving CUI. Verify — do not just assume — sub compliance before award.
Starting too late
C3PAO wait times and remediation timelines mean 6 months is genuinely not enough. If you have a DoD target contract, start your CMMC program 12–18 months before you need the certification.
Frequently Asked Questions
Not all DoD contracts require CMMC. If your contract involves Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), you likely need at minimum Level 1. Contracts involving technical data, export-controlled information, or operational technology require Level 2. Check Section H and I of any DoD solicitation for DFARS 252.204-7021, which specifies the required level.
Level 1 covers 17 basic safeguarding practices aligned with FAR 52.204-21 and is limited to protecting Federal Contract Information. Level 2 requires all 110 NIST SP 800-171 controls plus a third-party assessment (C3PAO) for critical programs, or an annual self-assessment for non-critical. Level 2 is required when your work involves Controlled Unclassified Information.
It depends on the program. DoD designates contracts as either 'Level 2 – Prioritized Acquisitions' (requiring a C3PAO third-party assessment) or 'Level 2 – Non-Prioritized' (allowing annual self-assessment with senior official affirmation). The solicitation and RFP will specify which applies. As of 2026, DoD is expanding the list of prioritized acquisitions.
The CMMC Accreditation Body (The Cyber AB) maintains the official Marketplace at cyberab.org/marketplace. Search for C3PAOs (Certified Third-Party Assessment Organizations) by state, certification type, and availability. Plan 6–12 months ahead — authorized C3PAO capacity is limited and wait times can be substantial.
You will not receive a Conditional certification and cannot accept or perform DoD contracts requiring that CMMC level until you remediate findings and pass re-assessment. Existing contracts with DFARS 252.204-7012 clauses may be at risk if you cannot demonstrate compliance. Start early and maintain a robust POA&M.
DFARS 252.204-7012 has been the foundational cybersecurity clause since 2017 and remains in force. CMMC 2.0 adds a verification layer: instead of self-attesting compliance with NIST SP 800-171 (as 252.204-7012 allowed), many contracts now require a C3PAO to independently confirm it. Both requirements apply simultaneously.
Yes. DFARS 252.204-7012 and CMMC requirements flow down to all subcontractors (at every tier) that process, store, or transmit CUI or provide operationally critical support. Prime contractors are responsible for verifying subcontractor compliance before award and throughout performance.
SPRS (Supplier Performance Risk System) is the DoD database where contractors post their NIST SP 800-171 self-assessment scores under DFARS 252.204-7019. Scores range from -203 (zero controls implemented) to 110 (full compliance). Contracting officers check SPRS before award. A missing or outdated score can block contract award even before CMMC is formally required.