
The Complete Guide to CMMC Level 2 Compliance for Small Businesses (2026)

CMMC Level 2 requires 97 security requirements from NIST 800-171r3 across 17 families. Complete guide covering costs ($75K–$150K), timeline, requirements, and step-by-step compliance for small defense contractors.

CMMCGap Team, Founder, CMMCGap · Compliance Automation, Washington D.C.
Last updated: May 23, 2026 · 14 min read

CMMC Level 2 requires small defense contractors to implement 97 active security requirements from NIST 800-171 Revision 3, organized across 17 control families, with 520+ individual assessment objectives. Compliance typically costs $75,000–$150,000 and takes 6–12 months of focused work. Phase 2 enforcement requiring C3PAO third-party assessments begins November 2026.

  • 97: active security requirements (NIST 800-171 Rev 3)
  • 17: requirement families (3 new in Rev 3)
  • 520+: assessment objectives (what assessors evaluate)
  • Nov 2026: Phase 2 enforcement (C3PAO assessments required)

This guide walks through what Level 2 actually requires, what it costs, how long it takes, what trips small contractors up, and a step-by-step plan for getting started. It is written for non-technical owners and operators — machine shop owners, engineering firm partners, IT subcontractors — not for cybersecurity professionals. Plain English where possible, specifics where they matter.


What Is CMMC Level 2 and Do You Need It?

CMMC stands for the Cybersecurity Maturity Model Certification. It is the Department of Defense's program for verifying that companies in its supply chain — anyone with a DoD contract — actually do the things they claim to do to protect sensitive government information. Before CMMC, contractors self-attested to NIST 800-171 compliance on the honor system. CMMC adds verification: third-party assessments, certifications, and real consequences for misrepresentation.

The three CMMC levels

There are three levels, each tied to the type of information you handle.

  • Level 1 covers 15 basic safeguarding requirements, drawn from FAR 52.204-21. It applies if you only handle Federal Contract Information (FCI). Self-assessment is permitted, repeated annually.
  • Level 2 covers 97 security requirements from NIST 800-171 Revision 3. It applies if you handle Controlled Unclassified Information (CUI). Most Level 2 contracts require a C3PAO third-party assessment every three years; a small subset of contracts with less sensitive CUI allow continued self-assessment.
  • Level 3 layers an additional 24 requirements from NIST 800-172 on top of Level 2. It applies to programs involving the most sensitive CUI. Level 3 assessments are conducted by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not third parties.

The simple test

If your contracts involve Controlled Unclassified Information, you need Level 2. CUI is information that is not classified but that the government still considers sensitive enough to protect — technical drawings, manufacturing specifications, export-controlled data (ITAR and EAR), defense software source code, program-tied personnel records, and dozens of other categories.

If you only handle Federal Contract Information — basic contract details, performance metrics, financial information that is not public — Level 1 may suffice.

If you do not know which applies, look at your contract for DFARS clause 252.204-7012. Its presence signals CUI handling and points to Level 2. When in doubt, ask your contracting officer or prime contractor in writing.

                          | Level 1                   | Level 2                             | Level 3
Information type          | FCI only                  | CUI                                 | Sensitive CUI
Requirements              | 15                        | 97 (NIST 800-171r3)                 | 97 + 24 (NIST 800-172)
Assessment                | Self                      | C3PAO (most contracts)              | Government (DIBCAC)
Typical cost (first year) | $5K–$15K                  | $75K–$150K                          | $150K–$500K+
Who needs it              | Most small subcontractors | Most prime/sub contractors with CUI | Programs with critical CUI

The free assessment evaluates your environment against all 97 Level 2 requirements and tells you whether Level 1 might be sufficient instead.

The Current State of CMMC (May 2026)

CMMC rolled out in phases starting November 2025. Here is where things stand as of May 2026.

Phase 1 has been active since November 2025. New DoD contracts at Level 1 and Level 2 require contractors to upload a current self-assessment score to the Supplier Performance Risk System (SPRS) and provide an annual affirmation. For most Level 2 contractors, this is the year of grace before third-party assessments become mandatory.

Phase 2 begins November 2026 — six months from now. From that date, the majority of Level 2 contract awards will require a C3PAO third-party assessment. Self-attestation will no longer be sufficient for most contracts.

Phase 3 begins November 2027 and brings Level 3 third-party requirements online.

The numbers tell the story

  • 118,000: contractors needing Level 2 (Defense Industrial Base estimate)
  • 431: certified to date (as of May 2026)
  • 83: authorized C3PAOs (booked 6–9 months out)

At today's pace, full DIB compliance is not expected until 2029. The C3PAO bottleneck is real: there are only 83 authorized C3PAOs in the entire country, and their schedules are booked 6–9 months in advance. Most small contractors will not have an assessment slot reserved in time for Phase 2 enforcement.

That does not mean the Phase 2 date is moving. It means contractors who cannot complete an assessment in time will be unable to bid on new CMMC-tagged contracts until they can.

This guide uses NIST 800-171 Revision 3 — not the withdrawn Revision 2

Most CMMC content on the internet still references 110 controls in 14 families. That is the old standard. NIST 800-171 Revision 3, published in May 2024, restructured the requirements into 97 controls across 17 families with 520+ assessment objectives and approximately 80 organization-defined parameters. If your current tool or consultant references the old numbers, they are working from a withdrawn standard.

The False Claims Act risk

Misrepresenting compliance is no longer just a paperwork issue. The Department of Justice has stated that materially false claims about cybersecurity compliance — when used to win contracts — can trigger False Claims Act liability. Penalties include treble damages plus per-claim civil fines. Several enforcement actions are already underway against contractors who self-reported inflated SPRS scores.

The practical takeaway: do not claim compliance you have not actually achieved. A truthful low score with a documented Plan of Action and Milestones (POA&M) is safer than an inflated one.

What CMMC Level 2 Actually Requires

Level 2 maps directly to NIST Special Publication 800-171 Revision 3, published in May 2024. Revision 3 changed the structure of the standard significantly — and most CMMC content still references the old structure.

Revision 3 contains 97 active security requirements organized across 17 control families. The previous version (Revision 2) had 110 requirements across 14 families. The reduction comes from consolidations and reorganization, not from lower expectations. NIST also added three new families addressing planning, acquisition, and supply chain.

The 17 requirement families

  • 3.1 Access Control (AC) — Who can access which systems and data, and from where.
  • 3.2 Awareness and Training (AT) — Making sure your people understand their security responsibilities.
  • 3.3 Audit and Accountability (AU) — Logging who did what, when, and being able to investigate.
  • 3.4 Configuration Management (CM) — Locking down system configurations and tracking changes.
  • 3.5 Identification and Authentication (IA) — Verifying users and devices before granting access.
  • 3.6 Incident Response (IR) — Detecting, responding to, and recovering from security incidents.
  • 3.7 Maintenance (MA) — Securing how systems are maintained and serviced.
  • 3.8 Media Protection (MP) — Protecting data on physical media and during transport.
  • 3.9 Personnel Security (PS) — Screening, training, and offboarding employees.
  • 3.10 Physical Protection (PE) — Securing the physical environment where CUI lives.
  • 3.11 Risk Assessment (RA) — Identifying and prioritizing security risks.
  • 3.12 Security Assessment (CA) — Continuously monitoring your own security program.
  • 3.13 System and Communications Protection (SC) — Encryption, segmentation, secure transmission.
  • 3.14 System and Information Integrity (SI) — Monitoring, malware protection, vulnerability management.
  • 3.15 Planning (PL) — New in Revision 3. Strategic security planning and rules of behavior.
  • 3.16 System and Services Acquisition (SA) — New in Revision 3. Security requirements in procurement, contracts, and external services.
  • 3.17 Supply Chain Risk Management (SR) — New in Revision 3. Identifying and managing risks from suppliers, vendors, and component sources.

The three new families are where most outdated tools fall short

Planning, System and Services Acquisition, and Supply Chain Risk Management did not exist in Revision 2. They reflect what assessors have learned over the past decade: many breaches happen through suppliers, undocumented procurement decisions, or the absence of a real security plan. If your gap assessment does not cover all three of these new families, you are working from an obsolete map.

520+ assessment objectives — what assessors actually evaluate

Each high-level requirement breaks into multiple "determine if" statements — specific questions an assessor will ask to determine whether the requirement is met. Across all 97 requirements, there are 520+ individual assessment objectives.

This matters because contractors who only understand the high-level requirements often get blindsided during their C3PAO assessment. The assessor is not asking "do you have access control?" — they are working through dozens of specific objectives like "determine if account types are identified," "determine if account managers are notified when accounts are no longer required," and so on.

~80 Organization-Defined Parameters (ODPs)

Revision 3 introduced Organization-Defined Parameters — values that you, not NIST, must specify. Examples:

  • How long do you retain audit logs?
  • How often do you review user access?
  • How quickly do you patch vulnerabilities classified as critical?
  • How frequently do you train users on incident reporting?

There are approximately 80 ODPs across the standard. Your answers become part of your System Security Plan (SSP) and are evaluated during assessment. There is no single right answer — but the answer must be specific, documented, and consistently applied.

Family                                         | Controls | Assessment objectives
3.1 Access Control (AC)                        | 12       | ~80
3.2 Awareness and Training (AT)                | 3        | ~20
3.3 Audit and Accountability (AU)              | 8        | ~55
3.4 Configuration Management (CM)              | 8        | ~50
3.5 Identification and Authentication (IA)     | 7        | ~45
3.6 Incident Response (IR)                     | 4        | ~30
3.7 Maintenance (MA)                           | 4        | ~20
3.8 Media Protection (MP)                      | 6        | ~30
3.9 Personnel Security (PS)                    | 2        | ~15
3.10 Physical Protection (PE)                  | 5        | ~25
3.11 Risk Assessment (RA)                      | 5        | ~30
3.12 Security Assessment (CA)                  | 5        | ~25
3.13 System and Communications Protection (SC) | 14       | ~70
3.14 System and Information Integrity (SI)     | 8        | ~45
3.15 Planning (PL), new                        | 2        | ~10
3.16 System and Services Acquisition (SA), new | 2        | ~10
3.17 Supply Chain Risk Management (SR), new    | 2        | ~15

Approximate distribution. Control counts are NIST-published; assessment objective counts are estimates from NIST 800-171Ar3.

This is not 110 controls in 14 families. If your current tool or consultant references those numbers, they are working from a withdrawn standard — and that gap will surface in your assessment.

How Much Does CMMC Level 2 Cost?

CMMC Level 2 cost ranges from roughly $42,000 for a well-prepared small machine shop to over $300,000 for a large or complex environment. The biggest cost drivers are the size of your CUI environment, how much remediation you need from your current baseline, and whether you outsource everything to a consultant or do the work yourself with platform support.

Cost breakdown by phase

Phase                                | What you are paying for                                     | Typical cost
Gap assessment                       | Identifying which of the 97 requirements you currently fail | $5,000–$8,000 (or free with a self-serve tool)
Technology implementation            | MFA, EDR, logging, encryption, secure file sharing          | $20,000–$150,000
Documentation (SSP, POA&M, policies) | Writing your System Security Plan and supporting policies   | $10,000–$30,000
C3PAO assessment                     | The actual third-party assessment                           | $30,000–$70,000
Ongoing MSSP monitoring              | 24×7 monitoring, alerting, log retention                    | $2,000–$5,000/month
Total first year                     | All of the above                                            | $75,000–$150,000
Ongoing annual                       | MSSP + maintenance + annual affirmation                     | $20,000–$40,000

Consultant vs MSP vs DIY vs Platform

There are four common approaches to getting to Level 2. None is wrong — they trade cost, time, and risk differently.

Approach                                          | Cost                   | Timeline     | Best for
Full-service consultant                           | $75K–$150K+            | 9–18 months  | Larger contractors who can afford to outsource end-to-end
Managed Security Service Provider (MSSP)          | $2K–$5K/month + setup  | 6–12 months  | Contractors who want ongoing monitoring bundled with compliance
DIY (internal IT)                                 | $15K–$50K (tools only) | 12–24 months | Contractors with experienced internal IT and time to learn
Platform-assisted (e.g., CMMCGap + targeted help) | $25K–$60K              | 6–12 months  | Most small contractors who want guidance without consultant pricing

A real example

A 20-person machine shop running Microsoft 365 Business Premium, with one in-house IT contractor and a clear CUI boundary, has been documented to achieve Level 2 compliance for approximately $42,000 all-in, including the C3PAO assessment. That figure assumes the contractor used existing M365 capabilities (MFA, conditional access, audit logging), added an EDR product, used a self-serve compliance platform for gap analysis and documentation, and worked with a part-time consultant only on the SSP and assessment prep.

The same shop could spend $150,000+ if they outsourced everything to a full-service consultant who treated every requirement as net-new work. Most of the cost difference is in scope and approach, not in tools.


Once you know which of the 97 requirements you already meet — and which you do not — you can build a real budget instead of a worst-case quote.

The Realistic Timeline

Most small contractors underestimate how long Level 2 takes. The actual work — scoping, planning, implementation, documentation, evidence collection, and assessment — takes 6–12 months in a well-resourced shop. The C3PAO scheduling queue adds another 3–9 months on top of that.

  1. Scoping and gap assessment (2–4 weeks)

     Define which systems, people, and data are in scope for CUI. Run a gap assessment to see which of the 97 requirements you currently meet.

  2. Remediation planning (2–4 weeks)

     Build your Plan of Action and Milestones (POA&M). Prioritize critical gaps. Decide what to buy, build, change, or outsource.

  3. Technical implementation (2–6 months)

     MFA everywhere, EDR rollout, encrypted file sharing for CUI, centralized logging, conditional access, vulnerability management. This is the longest phase.

  4. Documentation (1–3 months, overlaps with implementation)

     Write your System Security Plan, supporting policies, and procedures. Capture your ~80 Organization-Defined Parameter values.

  5. Internal testing and evidence collection (2–4 weeks)

     Walk through every control. Collect screenshots, configurations, logs, and policy attestations. Fix anything that fails.

  6. C3PAO assessment, when scheduled (1–2 weeks on-site)

     The assessment itself is short. The scheduling queue is not: most C3PAOs are booked 3–9 months in advance.

If you start today (May 2026), you are looking at a November 2026 – February 2027 assessment slot in the best case. If you wait until October 2026 to begin, you are looking at a late-2027 assessment. Starting now is not early — it is barely on time.

The 5 Most Common Mistakes Small Businesses Make

Patterns repeat across small contractors who fail or stall their assessments. Five mistakes account for most of them.

1. Over-scoping the CUI boundary

The most expensive mistake is including systems that do not need to be in scope. Not every laptop, server, and SaaS app that "touches" your network is automatically part of your CUI environment. If you can architect a smaller boundary — for example, by isolating CUI to a specific enclave with strict ingress/egress controls — you reduce the number of systems that have to meet all 97 requirements.

The cost difference between a small, well-scoped CUI enclave and an unscoped "everything is in scope" environment is often 5x. Spend time on scope before you spend money on tools.

2. Under-scoping

The opposite mistake is worse. If a system actually handles CUI but you excluded it from scope, the assessor will identify it during walkthroughs and you will fail the assessment. A common example: a back-office quoting system that ingests CUI-marked technical drawings from primes but is treated as "just our quoting tool." If it touches CUI, it is in scope.

Document your CUI flows end-to-end. Where does CUI enter? Where is it stored? Where does it leave? Every system in that flow is in scope.

3. Using outdated standards

Many existing tools, templates, and consultant deliverables still reference NIST 800-171 Revision 2 — the 110-control, 14-family version. That standard was withdrawn in 2024. Revision 3 has fewer controls (97) but added three new families and 80+ Organization-Defined Parameters. A Revision 2 gap analysis will miss everything in Planning, System and Services Acquisition, and Supply Chain Risk Management.

When evaluating a tool or consultant, ask which revision their content maps to. If they hedge or say "we cover both," dig deeper.

4. Documentation without implementation

A System Security Plan that says you require multi-factor authentication on all systems handling CUI, when in fact MFA is only enforced on email, is not a compliance plan — it is a problem. Assessors do not just read your documentation. They test it. They will ask to see the configuration. They will pick a user and verify their access controls. They will look at logs.

The fix is straightforward: write the SSP based on what you actually do, then close the gap between what you do and what you should do — before the assessor arrives.

5. Waiting for the deadline

C3PAO assessment slots are booked 3–9 months in advance and the queue is getting longer. Contractors who wait until October 2026 to start serious work cannot realistically be assessed before mid-2027. By then, they have lost a year of new contract opportunities. The contracts they hold may continue, but bids on new CMMC-tagged work will be unavailable to them.

The most expensive mistake is the one made by doing nothing. Start now, even if "now" only means a free gap assessment to understand your starting point.


How to Start (Step by Step)

A practical, ordered approach. None of these steps requires a consultant to begin, although you may bring one in at various points.

Step 1 — Determine if you handle CUI

Read your active contracts. Look for DFARS 252.204-7012, which signals CUI handling. Look for ITAR or EAR markings on the technical data you receive. Ask your primes in writing whether the data they share with you is CUI. If you handle CUI, you need Level 2.

Step 2 — Assess where you stand today

Before you spend money, understand your baseline. A gap assessment maps your current environment against the 97 Level 2 requirements and tells you which ones you already meet, which you partially meet, and which you fail. Free tools can do directional gap analysis; paid consultants can do certified analysis. Either way, get a baseline before you buy anything.

Step 3 — Define your CUI boundary

Document where CUI lives: which systems store it, which users access it, which vendors process it, how it enters and leaves your environment. The CUI boundary is the set of all assets in that flow. Everything inside the boundary is in scope for Level 2. Everything outside is not.

Smaller boundaries are cheaper to defend. Spend time here.

Step 4 — Create your remediation plan (POA&M)

Your Plan of Action and Milestones lists every failed or partial requirement, why you failed it, what you will do to fix it, who is responsible, and a target completion date. The POA&M is a required deliverable for both your SPRS submission and your C3PAO assessment.

Prioritize by risk and dependency. Foundational controls (MFA, access control, logging) come first. Specialized controls (supply chain risk management, advanced incident response) come after.

Step 5 — Implement technical controls

This is where the time and money go. Common implementations for small contractors include:

  • Multi-factor authentication on every account that touches CUI
  • Endpoint detection and response (EDR) on every endpoint in scope
  • Centralized logging with retention long enough to meet your ODPs
  • Conditional access to restrict CUI access by location, device, and risk
  • Encrypted file sharing for CUI in transit and at rest
  • Vulnerability scanning and patching on a defined cadence

Most small contractors can build the technical foundation on Microsoft 365 Business Premium plus a focused EDR product. Specialized enclaves (PreVeil, GCC High) are options for contractors with high-sensitivity CUI but are not always necessary.

Step 6 — Build your documentation

The System Security Plan is the centerpiece. It describes your environment, your CUI boundary, every requirement, how you meet it, and your ODP values. Supporting documents include incident response plans, configuration management plans, access control policies, and personnel security policies.

Document what you actually do. Then make sure what you do is enough.

Step 7 — Collect evidence and test internally

For every control, an assessor will want artifacts: screenshots, configuration exports, policy attestations, training records, log samples. Build an evidence repository as you implement, not in the week before the assessment. Run an internal walkthrough against the 520+ assessment objectives and fix anything that fails.

Step 8 — Schedule your C3PAO assessment

Reach out to multiple C3PAOs early. Their schedules are tight. Some pre-screen contractors and may decline engagements where the SSP is incomplete. Plan for 3–9 months of lead time.

Step 9 — Maintain ongoing compliance

Certification is valid for three years, but you must submit an annual affirmation in SPRS and keep your environment current. New systems and contracts may expand your scope. Treat compliance as ongoing maintenance, not a one-time project.

Free Resources for Small Businesses

You do not need to pay a consultant to begin. Several federally funded and free resources exist for small defense contractors.

  • APEX Accelerators (formerly PTACs) — Free, in-person and remote counseling for businesses pursuing government contracts. Many APEX offices now offer CMMC-specific advisory services. Find your local office at apexaccelerators.us.
  • Project Spectrum — A DoD-funded initiative that provides free cybersecurity tools, training, and assessments for small businesses in the defense industrial base. See projectspectrum.io.
  • SBA Cybersecurity Resources — The Small Business Administration offers guides, webinars, and access to the SBA Cybersecurity for Small Business curriculum. See sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity.
  • NIST MEP (Manufacturing Extension Partnership) — Especially relevant for manufacturers. Local MEP centers provide hands-on CMMC and cybersecurity support, often at reduced cost. See nist.gov/mep.
  • CMMCGap free assessment — A self-serve gap assessment built on NIST 800-171 Revision 3. Covers all 97 active requirements and 520+ assessment objectives. No credit card, no sales call.
  • NIST 800-171 Rev 3 and 800-171A Rev 3 — The authoritative standard and its assessment companion. Download both directly from NIST: csrc.nist.gov/publications.


Where to go from here

The first step is knowing where you stand. The CMMCGap free assessment evaluates your environment against all 97 active NIST 800-171 Revision 3 security requirements in about 20 minutes — plain English, no credit card, no sales call. The result is an estimated SPRS score, a prioritized list of gaps, and a sense of how big the lift actually is for you.

It is the cheapest, fastest, and most honest way to begin.
