USFCR Blog

CMMC Levels Explained: What Contractors Need to Know in 2025

Written by USFCR | Jun 10, 2025 1:00:00 PM

What Is CMMC and Why Does It Matter in 2025

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s framework for protecting sensitive data in federal contracts. If your business plans to bid on DoD work, CMMC compliance is becoming a requirement.

The CMMC 2.0 final rule, published on October 15, 2024, and effective on December 16, 2024, outlines a phased rollout beginning in fiscal year 2025 and continuing through 2028. Even if it does not appear in your next solicitation, CMMC language will likely show up soon, especially if your contract involves sensitive information.

Whether you provide maintenance, IT services, logistics, or manufacturing, your eligibility will depend on your CMMC level.

The Origin of CMMC: From 1.0 to 2.0

CMMC was first introduced in January 2020 as a response to the rising number of cyberattacks targeting the Defense Industrial Base. That initial model, known as CMMC 1.0, included five certification levels, each representing increasing cybersecurity maturity. The goal was to create a scalable system that protected both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at various sensitivity levels.

However, after feedback from industry and internal evaluation, the Department of Defense acknowledged that the original model was too complex, difficult to implement, and expensive for small businesses.

To address these concerns, DoD announced the CMMC 2.0 revision in November 2021, which consolidated the model to three levels and more closely aligned with NIST SP 800-171. It also introduced a clearer path for self-assessments at Level 1 and some Level 2 scenarios.

The final rule for the CMMC Program (32 CFR Part 170) was published in the Federal Register on October 15, 2024 and took effect on December 16, 2024, making the model official. It ties the current Level 2 and Level 3 requirements to NIST SP 800-171 Revision 2 and sets out a phased implementation spanning three years, with CMMC requirements expected in selected contracts beginning in fiscal year 2025.

The new model aims to reduce the burden on contractors while still protecting DoD data. Understanding the shift from CMMC 1.0 to 2.0 helps explain why current requirements are structured the way they are, and what contractors should expect during rollout.

How Has CMMC 2.0 Changed from Version 1.0?

Feature                 | CMMC v1.0                                        | CMMC v2.0
Levels                  | 5 levels                                         | 3 levels
Assessment model        | All third-party                                  | Mix of self-assessment and third-party
Certification renewal   | Unclear                                          | Level 1 annually; Level 2 every 3 years
Implementation          | Announced 2020, revised after industry feedback  | Final rule effective Dec. 16, 2024

Need Help with CMMC? Schedule a Free Consultation

From SPRS reporting to third-party assessment prep, we can help you stay eligible for future DoD awards.

Breakdown of CMMC Levels 1–3

Level 1 (Foundational)
Level 1 applies to contractors that handle only Federal Contract Information (FCI). This includes companies offering janitorial services, landscaping, maintenance, deliveries, and basic facility support.

It requires the 15 basic safeguarding requirements of FAR 52.204-21 (often counted as 17 practices when mapped to NIST SP 800-171 controls), such as:

  • Limiting system access to authorized users, and to the transactions and functions those users are permitted to perform

  • Identifying and authenticating users, processes, and devices before granting access

  • Installing malicious code protection and keeping it updated

  • Limiting physical access to systems, escorting visitors, and keeping logs of physical access

  • Monitoring and controlling connections at the external boundary, with public-facing systems kept separate from internal networks

  • Identifying, reporting, and correcting system flaws in a timely manner

  • Sanitizing or destroying media containing FCI before disposal or reuse

A written system security plan (SSP) is not required at Level 1; it becomes a requirement at Level 2.

Contractors must:

  • Complete an annual self-assessment, with a senior company official affirming the result each year

  • Submit their results in the Supplier Performance Risk System (SPRS)

  • Maintain written documentation and evidence of implementation

Level 2 (Advanced)
This level is for companies that handle Controlled Unclassified Information (CUI). It requires compliance with all 110 controls from NIST SP 800-171 Revision 2. While Revision 3 was published in 2024, the DoD currently mandates compliance with Revision 2 under DFARS 252.204-7012.

Requirements include:

  • Documented system security plans (SSPs)

  • Implementation of technical and administrative safeguards

  • Use of multi-factor authentication and access logs

  • Secure transmission and storage of CUI

  • Formalized incident response processes

Most Level 2 contractors must:

  • Undergo a third-party assessment by a Certified Third Party Assessment Organization (C3PAO)

  • Expect audit costs between 50,000 and 80,000 dollars

  • Have the C3PAO upload the results to the CMMC instance of DoD's eMASS platform, from which certification status flows to SPRS

  • Plan for roughly 18 months from kickoff to certification. That timeline is likely to lengthen as more contractors need assessments, because the number of authorized C3PAOs is limited.

Some contracts involving CUI that DoD considers less critical to national security will instead accept a Level 2 self-assessment:

  • A self-assessment every three years, scored and submitted in SPRS, plus an annual affirmation by a senior company official

  • No eligibility for awards that specify Level 2 C3PAO certification; a self-assessment does not substitute for it
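The SPRS submission mentioned for Level 1 and Level 2 self-assessments is a score, not a checklist. The following script is an added example (not code from USFCR or DoD) that implements the arithmetic of the NIST SP 800-171 DoD Assessment Methodology used for that score: start at 110, subtract each unimplemented requirement's point value (5, 3, or 1), apply the two partial-credit cases (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography), and refuse to score at all when no system security plan (3.12.4) exists. The WEIGHTS table is a constructed eight-row excerpt of the methodology's 110-row Annex A, and SAMPLE_FINDINGS is a made-up assessment; both are assumptions to be replaced with the real table and your own findings.

```python
"""Score a NIST SP 800-171 Rev 2 self-assessment the way SPRS expects it.

Added example (not USFCR's or DoD's code). Implements the arithmetic of the
DoD Assessment Methodology: start at 110 and subtract the weight (5, 3 or 1)
of every requirement that is not implemented. Two requirements allow a
reduced deduction, and a missing system security plan (3.12.4) means no
score can be produced at all. WEIGHTS is a constructed excerpt of the
110-row Annex A table; load the full table before relying on the result.
"""
from __future__ import annotations

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # nothing implemented (full 110-row table)

# Constructed excerpt: requirement id -> point value. Assumption: verify
# each value against Annex A of the DoD Assessment Methodology.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.12.4": 0,   # system security plan: unscored, but mandatory to score
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}

# Reduced deductions: 3.5.3 when MFA covers privileged and remote users but
# not general users; 3.13.11 when encryption is used but not FIPS-validated.
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

SSP_REQUIREMENT = "3.12.4"
VALID_STATUSES = {"met", "not_met", "partial"}


def compute_score(findings: dict[str, str],
                  weights: dict[str, int] = WEIGHTS) -> int | None:
    """Return the SPRS score, or None when there is no SSP (unscorable).

    `findings` maps every requirement id in `weights` to "met", "not_met"
    or "partial". Missing ids, unknown ids and bad statuses raise.
    """
    missing = set(weights) - set(findings)
    if missing:
        raise ValueError(f"no status recorded for {sorted(missing)}")
    unknown = set(findings) - set(weights)
    if unknown:
        raise ValueError(f"unknown requirement ids {sorted(unknown)}")
    for req, status in findings.items():
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: invalid status {status!r}")
        if status == "partial" and req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req}: partial credit is not allowed")

    # Without an SSP the methodology says the assessment cannot be scored.
    if findings[SSP_REQUIREMENT] != "met":
        return None

    score = MAX_SCORE
    for req, status in findings.items():
        if status == "partial":
            score -= PARTIAL_DEDUCTION[req]
        elif status == "not_met":
            score -= weights[req]
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_items(findings: dict[str, str]) -> list[str]:
    """Requirements that belong on the Plan of Action and Milestones."""
    return sorted(req for req, status in findings.items() if status != "met")


# Constructed sample assessment against the excerpt above.
SAMPLE_FINDINGS = {
    "3.1.1": "met",
    "3.1.2": "met",
    "3.1.3": "not_met",    # -1
    "3.3.1": "met",
    "3.5.3": "partial",    # MFA only for admins and VPN users: -3, not -5
    "3.12.4": "met",
    "3.13.11": "not_met",  # TLS in use but not FIPS-validated modules: -5
    "3.14.2": "met",
}

if __name__ == "__main__":
    print("score:", compute_score(SAMPLE_FINDINGS))  # 101
    print("POA&M:", poam_items(SAMPLE_FINDINGS))
```

With the excerpt, any requirement absent from the table is silently treated as implemented, so the output is only meaningful once the full Annex A table is loaded; the two partial-credit rules and the no-SSP rule are where hand-computed scores most often go wrong.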

Level 3 (Expert)
Level 3 is for contractors supporting the most sensitive national security missions. These are typically top-tier suppliers handling advanced weapons systems, encrypted data environments, or projects tied to military readiness.

Level 3 requires:

  • Full compliance with NIST SP 800-171 Revision 2

  • 24 selected requirements from NIST SP 800-172, focused on defending against advanced persistent threats

Examples of these additional protections include:

  • Threat hunting and real-time detection

  • Behavioral analytics to detect unusual activity

  • Secure enclave creation and monitoring

  • Adaptive network segmentation and access control

  • Insider threat identification and response capabilities

Assessment is conducted:

  • Directly by DoD, through the Defense Contract Management Agency's DIBCAC, not by a C3PAO

  • Only after the organization holds a Level 2 C3PAO certification for the same assessment scope

  • Every three years, with an annual affirmation by a senior company official in SPRS between assessments

  • Against environments expected to maintain higher-than-normal operational security for the life of the certification

How Much Does CMMC Compliance Cost?

CMMC costs vary by level, and for many contractors, understanding the financial impact is a key part of planning. While the government does not charge for certification directly, there are indirect and third-party costs to consider. Here's a general breakdown:

  • Level 1 (Foundational)
    Most Level 1 contractors can complete their self-assessment in-house. While there is no certification fee, you may still need to invest in documentation, system upgrades, or help from a compliance consultant. For many small businesses, these costs range from a few thousand dollars to under $10,000 depending on readiness.

  • Level 2 (Advanced)
    Level 2 is where costs increase significantly. Most contractors will need a third-party assessment by a C3PAO. Prices vary, but typical assessments fall between $50,000 and $80,000. Additional expenses may include system upgrades, technical documentation, policy development, and staff training.

  • Level 3 (Expert)
    Level 3 is assessed directly by the Department of Defense and is intended for contractors supporting the most sensitive programs. These businesses often operate in secure environments already and must maintain continuous monitoring, internal audit teams, and enhanced threat protections. Total investment for Level 3 compliance often exceeds six figures annually, depending on company size and contract requirements.

Costs also depend on:

  • Your current cybersecurity maturity

  • How much documentation or infrastructure you already have

  • Whether you need consulting or managed IT services to fill in the gaps

While some costs may seem high, early preparation usually lowers the overall financial burden. Contractors who wait until CMMC is written into a solicitation risk having to rush compliance at a much higher cost.

CMMC Compliance Deadline 2025: What You Need to Know

CMMC requirements begin appearing in contracts starting in fiscal year 2025. The rollout will continue through 2028. Some agencies and prime contractors are already enforcing compliance early, especially on high-value contracts.

If you plan to pursue DoD opportunities in 2025, now is the time to verify your level, assess your gaps, and prepare your documentation.

Tips to Stay Contract-Ready During the CMMC Phased Rollout

  • Know your level by identifying whether you handle FCI or CUI

  • Confirm whether you qualify for self-assessment or require third-party review

  • Budget in advance for audits and necessary upgrades

  • Monitor NIST standard changes, especially the transition from Revision 2 to Revision 3

  • Use tools like the Advanced Procurement Portal to find eligible opportunities

FAQs

Is NIST SP 800-171 Revision 3 now required for CMMC?
No. DoD has locked compliance to Revision 2 for now, but contractors should review Revision 3 in preparation for future changes.

How much does a Level 2 CMMC assessment cost?
Expect to pay between $50,000 and $80,000 depending on your company size, scope of systems, and readiness.

When will all contracts require CMMC?
The rollout starts in fiscal year 2025 and continues through 2028. You may already see requirements appear depending on the agency and contract type. Many primes are also enforcing readiness early.

