Free Tool
CMMC 2.0 Readiness Assessment
15 questions. 5 minutes. Find out where your company stands on CMMC 2.0, which gaps need to close before your next DoD contract, and what it will cost to get there.
Key CMMC 2.0 Facts
- CMMC Level 2 requires contractors to implement all 110 security requirements in NIST SP 800-171 Rev 2 under DFARS 252.204-7021.
- Contractors must post their NIST 800-171 assessment score to SPRS (Supplier Performance Risk System) before contract award under DFARS 252.204-7019.
- DFARS 252.204-7012 requires contractors to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery, via the DIBNet portal (dibnet.dod.mil) that feeds the DoD Cyber Crime Center (DC3). Submitting a report requires a DoD-approved medium assurance certificate, so obtain one before an incident, not after.
- CMMC Level 2 third-party assessments by a C3PAO typically cost $30,000 to $100,000 for small businesses. A Level 2 certification is valid for three years, and the contractor must submit an annual affirmation of continued compliance in SPRS between assessments.
- CMMC requirements flow down to all subcontractors handling CUI under DFARS 252.204-7021 — there are no dollar thresholds for flow-down.
CMMC 2.0 Frequently Asked Questions
Answers to the most common questions about CMMC certification, costs, and requirements.
What is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors protect sensitive unclassified information. Announced in November 2021, it replaced CMMC 1.0 and reduced the structure from 5 levels to 3. Level 1 covers basic cyber hygiene for Federal Contract Information (the 15 safeguarding requirements of FAR 52.204-21, verified by annual self-assessment). Level 2 aligns with all 110 NIST SP 800-171 requirements and requires a third-party assessment by a C3PAO for most contracts involving CUI; a Level 2 self-assessment is permitted only where the contract specifies it. Level 3 is reserved for the most sensitive programs, adds selected NIST SP 800-172 requirements on top of Level 2, and is assessed by the government through DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.
How much does CMMC certification cost?
Costs vary significantly by company size and current readiness. For Level 1, the primary cost is staff time for your annual self-assessment, typically $5,000–$15,000 for small businesses. Level 2 is the big one: a C3PAO assessment typically runs $30,000–$100,000 for small businesses and $100,000–$300,000+ for larger firms. Add remediation costs if gaps exist; the average company needs $50,000–$250,000 in system and process improvements before passing a Level 2 assessment. Budget 12–24 months for the full Level 2 process, most of it spent closing gaps before the assessor arrives.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers Federal Contract Information (FCI) and requires the 15 basic safeguarding practices from FAR 52.204-21, such as malicious code protection, limiting system access to authorized users, and sanitizing media before disposal. It is self-assessed annually and does not require an outside auditor. Level 2 covers Controlled Unclassified Information (CUI) and requires implementing all 110 security requirements in NIST SP 800-171. Most Level 2 contracts require a third-party assessment by a DoD-approved C3PAO every three years, with an annual affirmation in between. If your contract includes DFARS 252.204-7021 and specifies a Level 2 certification assessment, you cannot self-certify.
Do CMMC requirements flow down to subcontractors?
Yes. If your subcontractor handles CUI or FCI, CMMC requirements flow down. DFARS 252.204-7021 requires prime contractors to flow down the appropriate CMMC level to every subcontractor that will process, store, or transmit FCI or CUI under the contract. The required level depends on the information the subcontractor actually handles, not on the prime's level: a sub that receives only FCI needs Level 1, while a sub that receives CUI needs the Level 2 status the prime contract specifies. Subcontractors that only receive non-sensitive information (for example, commercially available off-the-shelf products) generally do not need CMMC certification, but the prime is responsible for making that determination and should document it.
What is a C3PAO?
A C3PAO (CMMC Third-Party Assessment Organization) is a company authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments. They employ CMMC Certified Assessors (CCAs) and follow the standardized CMMC assessment process. You cannot self-certify for a Level 2 certification assessment; the DoD requires an independent evaluation from an authorized C3PAO. The full list of authorized C3PAOs is maintained on the Cyber AB Marketplace at cyberab.org. Expect to submit a formal Request for Quote, go through a scoping exercise that defines which systems and people are in scope for CUI, and schedule your assessment 3–9 months in advance.