CMMC 2.0 Compliance: Cost, Levels & Certification Guide
Feb 24, 2026

The Department of Defense is increasing enforcement across its supply chain. For companies dealing with Federal Contract Information or Controlled Unclassified Information, CMMC 2.0 certification is required for DoD contracts.
With Phase 1 implementation active as of November 2025, certification is mandatory for contractors and vital for remaining active in the defense ecosystem. Contractors often underestimate the full cost of certification by focusing solely on assessment fees and leaving out remediation, technology upgrades, documentation, and ongoing monitoring.
In this article, I will break down everything you need to know about CMMC 2.0, including certification levels, costs, and timelines. This guide will help you meet the requirements of your DoD contracts and prepare for the assessment.
What Is CMMC 2.0?

CMMC 2.0 is a mandatory cybersecurity framework from the Department of Defense that governs how sensitive data and documentation are protected throughout the defense supply chain. Contractors and subcontractors must implement specific security measures to protect FCI and CUI from cyber threats.
Think of it as the DoD's way of saying: "If you want our contracts, prove you can protect our data."
Why CMMC Was Updated from 1.0 to 2.0
The first version of CMMC included five maturity levels spanning almost 200 practices. While CMMC 1.0 was comprehensive, it was not always clear. CMMC 2.0 focuses on what matters most:
Simplified levels: CMMC 2.0 has three levels instead of five, giving a simpler and clearer structure.
Aligned with NIST standards: Level 2 maps to NIST SP 800-171, and Level 3 adds NIST SP 800-172.
Flexible assessments: Self-assessments were introduced for specific companies, lowering costs.
Removed formal process requirements: A defined process means nothing if the practices are not actually implemented, so the focus is on the practices themselves.
The update focused on improving the compliance process while still maintaining the necessity of strong security requirements.
Who Needs CMMC Certification in 2026?
CMMC certification is required if you are:
A prime contractor working directly with the DoD.
A subcontractor at all tiers handling FCI or CUI.
A cloud service provider that supports DoD systems.
A small defense supplier that is part of the supply chain.
The requirements are the same whether you are a domestic or foreign contractor, and regardless of the size of your company, from a sole practitioner to a large multinational.
The only exception is a supplier of Commercial Off-the-Shelf (COTS) items, and only for those COTS sales to the DoD.
Quick Qualification Checklist
You probably require CMMC certification if you:
Bid on DoD contracts.
Handle CUI (sensitive unclassified information).
Store DoD data in internal or cloud systems.
Provide services to a prime contractor in the defense ecosystem.
If a contract requires certification and you do not hold it, the result is a significant risk to your company's revenue. Committing early to certification preparation reduces both your costs and your risk of business disruption.
The 3 Levels of CMMC 2.0 Explained
CMMC 2.0 takes a tiered approach relative to data sensitivity and the level of threat. Here is the breakdown of the levels:
| Level | Requirements | Assessment Type | Validity | Focus |
| --- | --- | --- | --- | --- |
| Level 1: Foundational | 15 basic safeguarding practices (FAR 52.204-21) | Annual self-assessment | 1 year | Protect FCI |
| Level 2: Advanced | 110 controls (NIST SP 800-171 R2) | Self-assessment OR third-party (C3PAO) | 3 years + annual affirmations | Protect CUI |
| Level 3: Expert | 110 controls (NIST SP 800-171 R2) + 24 enhanced controls (NIST SP 800-172) | Government-led (DIBCAC) | 3 years + annual affirmations | Protect high-value CUI from advanced threats |
Level 1 – Foundational
Who needs it: Companies that only have FCI (which is non-CUI contract information).
Requirements: Implement 15 basic cybersecurity practices that cover:
Access control
Identification and authentication
Media protection
Physical protection
System and communications protection
System and information integrity
Assessment: Self-assessment is done yearly and submitted to SPRS.
Key point: No Plans of Action and Milestones (POA&M) are permitted; to pass, all 15 requirements must be met.
Level 2 – Advanced
Who needs it: Companies that deal with CUI.
Requirements: Implement all 110 NIST SP 800-171 R2 controls, which are spread across these 14 security domains:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Security
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Assessment options:
Self-assessment (for select programs): Every three years, with annual affirmations.
C3PAO Certification (most common): Third-party assessment every three years, with annual affirmations.
POA&M: Permitted for up to 180 days, and ONLY if at least 80% of the controls are already in place.
Key point: The DoD decides whether self-assessment or C3PAO certification is necessary for a particular contract based on its risk level.
Level 3 – Expert
Who it’s for: Companies that handle the most sensitive CUI, like critical national security programs.
Requirements:
All 110 controls from NIST SP 800-171 R2 (Level 2)
Plus 24 additional controls from NIST SP 800-172, including:
Advanced threat detection
Enhanced incident response
Sophisticated security monitoring
Supply chain risk management
Assessment: Conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Prerequisite: A current Level 2 (C3PAO) certification is necessary to pursue Level 3.
Note: Level 3 is uncommon and only pertains to the highest-risk programs. Most contractors will not require this.
CMMC 2.0 Requirements & Timeline Explained
Regardless of which level you are aiming for, the steps for the certification process are the same:
1. Scoping
Identify all systems that process, store, or transmit FCI or CUI.
You will need to map the data flows and define system boundaries.
Determine your CMMC assessment scope.
Consider segmentation or enclaves for scope reduction.
2. Gap Assessment
Evaluate your security posture to determine your existing and required security controls.
Identify missing or weak controls.
Document your gaps and estimate your remediation effort and cost.
3. Remediation
Address missing controls.
Create or update your existing policies, and write any policies that are still missing.
Implement the missing tools and controls (e.g., MFA, encryption, SIEM, endpoint protection).
Train your personnel, and document all of this in your System Security Plan (SSP).
4. Assessment
Level 1: Perform a self-assessment and submit to SPRS.
Level 2 (Self): Every three years, you are required to do a self-assessment and submit to SPRS.
Level 2 (C3PAO): You must hire a certified C3PAO assessor to do an official review.
Level 3: You will need to work with DIBCAC to have a government-led assessment.
5. Certification
You will receive your CMMC status (it may be conditional or final).
Submit the affirmation to SPRS.
All POA&M items must be resolved within 180 days.
You will obtain your final certification.
6. Maintenance
Annual affirmations must be submitted.
You must continuously monitor and maintain the controls.
Re-certification occurs on a specific timeline, annually for Level 1, and every three years for Levels 2 and 3.
CMMC 2.0 Rollout Timeline
The DoD is implementing CMMC 2.0 in four phases over three years:
| Phase | Timeline | Requirements |
| --- | --- | --- |
| Phase 1 | Nov 10, 2025 - Nov 9, 2026 | Focus on Level 1 and Level 2 self-assessments in applicable solicitations |
| Phase 2 | Nov 10, 2026 - Nov 9, 2027 | Expand to Level 2 C3PAO certifications; DoD may include Level 3 at its discretion |
| Phase 3 | Nov 10, 2027 - Nov 9, 2028 | Mandate Level 2 C3PAO and Level 3 certifications for applicable contracts |
| Phase 4 | Starts Nov 10, 2028 | Full enforcement; all applicable DoD contracts require CMMC |
How Much Does CMMC 2.0 Compliance Cost?
Here’s the reality: assessment fees are just one piece of the puzzle. According to Sprinto, the real cost of CMMC 2.0 compliance includes preparation, remediation, tools, consulting, and ongoing maintenance. Many companies underestimate the total investment by focusing only on the assessment. Let’s break it down.
Important Note: These figures are estimates. Actual costs vary depending on scope, geography, selection of certification bodies, consulting support, and internal readiness.
DoD's Official Assessment Fee Estimates
Based on the Federal Register (32 CFR Part 170), small companies should anticipate formal assessment costs as follows:
Level 1 Self-Assessment: $5,977 (initial) + $560 (annual reaffirmation)
Level 2 Self-Assessment: $34,277 (initial) + $1,459 (annual reaffirmation)
Level 2 C3PAO Certification: $101,752 (initial) + $1,459 (annual reaffirmation)
Level 3 Certification: Level 2 costs + $9,050 (government assessment) + an additional $2.7M–$4.1M for implementing enhanced controls
Those numbers look manageable, but they reflect only the assessment and regulatory cost modeling, not total implementation costs.
Internal Preparation Costs
Staffing: This can be substantial. Internal IT or security staff generally need to commit anywhere from 50 to 200+ hours, depending on the maturity of your security team. You will also need a security officer or a vCISO, and there will be costs for staff training.
Policy Development: This covers developing or revising policies and procedures, documenting your controls in an SSP, and drafting POA&Ms where they are required.
Tooling: Tooling costs can include MFA, encryption, endpoint detection and response, SIEM or log management, vulnerability scanning, and backup and disaster recovery solutions. The estimated range for these tools is $10,000 to more than $100,000, depending on your existing gaps.
Third-Party Assessment Costs
C3PAO Fees (Level 2):
Certification assessment: $75,000-$150,000
Varies based on scope, complexity, and assessor
Consultants and vCISOs:
Hourly rates: $250-$400/hour
Total engagement: $50,000-$300,000 for larger projects
Gap assessments (pre-certification): $3,500-$20,000
Note: C3PAOs cannot consult on your remediation if they will conduct your certification assessment.
Technology & Ongoing Monitoring Costs
CUI Enclave Setup:
Cloud-based enclave: $300-$400 per user/month
Managed environment: $3,000-$4,000+ per month
Security Tools (annual):
SIEM: $5,000-$15,000
EDR: $3,000-$10,000
Vulnerability management: $2,000-$8,000
MFA: $1,000-$5,000
Encryption: $2,000-$7,000
Total tooling: $10,000-$50,000+ annually, depending on architecture.
How Long Does CMMC Certification Take?
The timeline for CMMC certification depends on your current security setup, the level of certification you are targeting, and the qualifications your staff hold. Below is a rough estimate by scenario:
Level 1 (Small Company): 3-6 months
Level 2 (Small Company): 6-12 months
Level 2 (Mid-Size Contractor): 9-18 months
Level 3 (Enterprise): 12-24+ months
Early preparation is essential. Waiting until the last minute to prepare for deadlines will significantly raise the costs for your company.
Common CMMC Compliance Mistakes to Avoid
1. Underestimating Scoping
Failing to segment the systems where CUI is processed is a common scoping mistake, as is assuming that every system in the enterprise is in scope. CMMC scoping is concerned with the systems that process, store, or transmit FCI and CUI, and with the security of systems connected to them. Conduct thorough scoping to establish enclaves, both logically and physically. A properly segmented enclave can simplify a Level 2 assessment by reducing the number of assets in scope.
2. Treating It Like a Checklist
CMMC is not a documentation exercise. Assessors check not just whether a control has a policy, but whether the control is in place and operational. Many companies copy policy templates for their controls and end up with staff unable to operationalize them. Access control, logging, and incident response testing have to be implemented and exercised for real.
3. Weak Documentation Practices
Common failures include incomplete SSPs, outdated policies, and missing oversight. Your SSP should cover your environment clearly and comprehensively and describe how each NIST SP 800-171 control is put into effect. Back it with evidence, keep documents under version control, and make sure your documented practices reflect what is actually done, not what you aspire to do.
4. Waiting Too Long for a Readiness Assessment
Skipping a readiness assessment and going straight to a C3PAO assessment is risky: gaps discovered during the assessment cost additional time and money. A gap analysis should be completed 6-12 months before certification, leaving time to remediate, update documentation, and validate. Remember, a C3PAO cannot consult with you on remediation if it will conduct your assessment, so readiness support must come from a separate party.
5. Ignoring Continuous Monitoring
CMMC is not a task that can be completed and considered done. Maintaining compliance requires work between certification periods, and that is what continuous monitoring is for: it catches control drift, policy deviations, and configuration changes. Certification is only a snapshot in time; your company's annual affirmation and the recertification every three years both depend on the controls being maintained in between.
How Roz Accelerates CMMC 2.0 Readiness
CMMC 2.0 preparation involves a lot of documentation, control mapping, and evidence review. We support advisory and risk assurance teams by automating the first pass of their work, providing greater structure, traceability, and engagement efficiency.
Roz is an AI-native audit-delivery platform designed for CMMC readiness assessment and control-based reporting.
AI-Assisted Evidence Collection & Control Mapping - Teams can create structured workspaces where customers upload policies, procedures, and evidence. The AI automatically:
Extracts documented controls.
Maps evidence to CMMC Level 2 or Level 3 requirements.
Maintains full source traceability.
This reduces manual cross-referencing and simplifies the documentation alignment.
Gap Analysis & First-Pass Control Testing - Our tool cross-analyzes your documentation against CMMC control criteria, identifying missing controls, weak policies, and evidence gaps. The structured first-pass review pinpoints the areas that need attention and rates the sufficiency of the evidence, so the engagement team can allocate its resources where they are needed most. Final evaluation remains the engagement team's responsibility.
Audit-Ready Documentation - Our tool helps companies create proper documentation to be ready for the C3PAO assessments by generating structured workpapers, docket outlines for the SSP, and gap reports, all with audit trails and source links.
Greater Efficiency, Lower Manual Effort - By reducing repetitive drafting and structuring control evaluation, we help companies improve engagement consistency, increase margin, and scale delivery without compromising rigor.
Conclusion
CMMC 2.0 compliance is becoming a must-have for companies in the DoD supply chain, and enforcement is becoming stricter. Delaying compliance increases costs and risk. Understanding which level applies to you, the required controls, the costs of certification, and the timelines lets you plan instead of rushing at the last minute.
Starting compliance early, documenting thoroughly, and using automation (like Roz) will lower the burden of manual compliance tasks, make it easier to complete the required assessments, and help you get through C3PAO reviews smoothly. Don't treat CMMC 2.0 as a checkbox; treat it as an investment in your company's cybersecurity, and you will remain a serious contender for contracts in the defense sector.
FAQs
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 requires an annual self-assessment confirming that 15 basic protective measures are in place to safeguard FCI. CMMC Level 2 requires 110 controls (aligned with NIST SP 800-171) to protect CUI; the assessment is conducted every three years and, for most contracts, must be performed by a C3PAO rather than self-reported.
How long does CMMC certification last?
It is 1 year for level 1, 3 years for level 2, and 3 years for level 3 (with annual affirmations for both level 2 and level 3).
Can small companies afford CMMC compliance?
Yes, but it involves some planning. Start as soon as possible, gradually implement tools, and use automation (like Roz) to cut down on manual effort. Non-compliance will cost you contracts and is a much higher cost than compliance.