Strike Graph security compliance blog

The Definitive Guide to CMMC in 2026

Written by Justin Beals : Founder & CEO | Feb 24, 2026 6:29:04 PM

Executive summary:

CMMC compliance determines whether defense contractors can bid on, win, or continue certain Department of Defense contracts. The CMMC framework has three compliance levels, determined by data sensitivity and contract requirements, and it uses verified assessments for specified higher-level contracts. Contractors must understand which level applies to their work, implement and document required controls, validate readiness through gap analysis and assessments, and keep evidence current to maintain compliance. Costs and effort vary with scope, maturity, assessment type, and how the organization approaches each of them.

What is CMMC compliance?

CMMC compliance means meeting Cybersecurity Maturity Model Certification standards set by the U.S. Department of Defense. It requires defense contractors to verify, through assessments, that they have implemented the required data security practices. It’s a prerequisite for winning and maintaining many federal defense contracts.

Your specific CMMC requirements depend on the sensitivity of your data. Federal Contract Information (FCI) requires CMMC Level 1 (Foundational) protections, which involve basic safeguarding through annual self-assessments. In contrast, Controlled Unclassified Information (CUI) is more sensitive, so it requires CMMC Level 2 (Advanced) or CMMC Level 3 (Expert) compliance. These higher tiers have more security controls and, in many cases, require formal third-party or government assessments.

With the CMMC Final Rule in effect as of late 2025, compliance has become a gatekeeper for federal contract awards. In practice, CMMC requirements are incorporated into DoD solicitations and contracts through the Defense Federal Acquisition Regulation Supplement (DFARS), most notably DFARS 252.204-7021, which ties contract eligibility directly to a contractor’s CMMC status at award.

For covered contracts, contractors may also be required to report assessment results and maintain their compliance status in the Supplier Performance Risk System (SPRS). Failure to maintain compliance or to provide documentation can result in immediate disqualification from bidding on or renewing lucrative defense contracts.

 

Organizations that perform work for the Department of Defense and handle covered contract information must meet CMMC requirements when those requirements appear in a solicitation or contract. This includes prime contractors and subcontractors.

In practice, CMMC applies to any contractor that processes, stores, or transmits sensitive information under a DoD contract. That obligation flows down the supply chain. If a prime contractor shares covered information with a subcontractor, that subcontractor must meet the required CMMC level for the scope of work they perform.

A contractor’s required CMMC level depends on the data it handles and how it handles that data. Contractors handling basic contract-related information are typically subject to Level 1 requirements, while those working with more sensitive data must meet Level 2 or, in limited cases, Level 3. The determining factor is not job title or business function, but whether the contractor’s systems are used to handle covered data under the contract.

CMMC requirements are contract-driven, but readiness must come earlier. Contractors pursuing DoD work that is likely to include CMMC requirements need to prepare before bidding, because the required CMMC level is evaluated as a condition of award, not after the contract is in hand.

If you want to know whether CMMC preparation should already be on your roadmap, ask these questions:

  • Do your current or planned services involve receiving or handling information from a DoD prime?
  • Do your systems store, process, or transmit data used to perform defense contract work?
  • Do subcontractors, vendors, or service providers touch that data on your behalf?

If your organization answers yes to any of these, CMMC readiness affects whether you can compete for, win, and continue performing defense contracts, even before a specific solicitation is released. See more on why contractors shouldn’t wait for CMMC compliance.

“Many contractors who get caught off guard by CMMC aren’t ignoring the rules — they simply didn’t realize how early the requirements flow down the supply chain,” says Micah Spieler, Chief Product Officer at Strike Graph. “If you touch covered information for a prime, even indirectly, you’re already in scope whether you planned for it or not.”

CMMC 2.0 simplifies the framework

CMMC 2.0 is the updated version of the Cybersecurity Maturity Model Certification program used by the Department of Defense to verify contractor cybersecurity compliance. It simplifies the original model from five levels to three, aligns requirements with established federal standards, and formally links CMMC levels to contract eligibility.

Under CMMC 2.0, the three levels are based on the sensitivity of information involved. Level 1 focuses on basic safeguarding requirements from FAR 52.204-21 for Federal Contract Information (FCI). Level 2 aligns to the full set of requirements in NIST SP 800-171, Revision 2, for protecting Controlled Unclassified Information. Level 3 applies to a small group of high-priority programs and builds on Level 2 by adding selected requirements from NIST SP 800-172.

The original CMMC model, now commonly referred to as CMMC 1.0, was the DoD’s first attempt to put consistent, enforceable verification behind existing cybersecurity requirements across the Defense Industrial Base. While standards such as NIST SP 800-171 defined what contractors were expected to do, compliance largely relied on self-attestation. CMMC 1.0 addressed that gap by requiring third-party assessments at all five levels, but its universal assessment model and expanded structure proved overly complex and costly for many contractors.

CMMC 2.0 reflects what the DoD learned from that initial rollout. The core goal remains the same: verifiable cybersecurity tied to contract eligibility. But the execution is more targeted.

Level 1 relies on annual self-assessments. Level 2 may be verified through either self-assessment or third-party assessment, depending on the contract, with third-party assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs), which are overseen by the Cyber AB. Level 3 assessments are conducted by the government and led by the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center (DIBCAC).

From a governance standpoint, CMMC 2.0 is enforced through two connected rule sets. The program rules define assessment methods, scoring, documentation, and continuing compliance obligations. The acquisition rules determine when CMMC requirements appear in solicitations and contracts and make compliance a condition of award.

For more, see Strike Graph’s “Secure Talk” podcast episodes on the arrival of CMMC and CMMC’s future in cybersecurity.

CMMC requirements are grouped by level based on information sensitivity and contract risk. Each level defines a set of practices that contractors must implement, document, and back with evidence. The requirements scale in rigor and assessment type.

CMMC Level 1 requirements

CMMC Level 1 applies to contractors that handle Federal Contract Information (FCI) and includes 15 foundational practices and 17 assessment objectives. These draw from basic safeguarding requirements in FAR 52.204-21 and focus on controlling unauthorized information access.

Level 1 requirements are organized into a small number of core domains, such as access control, identification and authentication, media protection, physical protection, and system and communications protection. The emphasis is on straightforward, verifiable actions, such as controlling system access, protecting devices, and having unique user identification.

Although Level 1 is the least complex tier, all requirements must be fully implemented at the time of assessment. There is no allowance for partial implementation or remediation plans, which makes accurate preparation and documentation critical.

Contractors can learn more about how these controls are evaluated in practice in Strike Graph’s article on how to conduct a CMMC Level 1 self-assessment.

CMMC Level 2 requirements

CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI) and includes 110 security requirements aligned to NIST SP 800-171, Rev. 2. These requirements are organized across 14 security domains, covering areas such as configuration management, risk assessment, system and information integrity, and audit and accountability.

At this level, requirements emphasize institutionalized security practices. Contractors must demonstrate not only that controls exist, but also that they are consistently applied, monitored, and documented. You need to maintain a current System Security Plan, retain objective evidence, and make sure that technical controls match documented policies and procedures.

Because Level 2 may be assessed either by self-assessment or by a third party, depending on the contract, contractors often underestimate how much rigor is required. Strike Graph’s breakdown of CMMC Level 2 requirements describes how the domains map to real-world security operations, and its walkthrough on how to conduct a CMMC Level 2 self-assessment explains how those requirements are scored and validated.

CMMC Level 3 requirements

CMMC Level 3 is reserved for a limited set of high-priority DoD programs and builds on Level 2 by adding selected enhanced requirements from NIST SP 800-172. These additional requirements are designed to address more advanced threats and adversarial behavior.

Rather than introducing an entirely new control framework, Level 3 deepens expectations in areas such as threat awareness, incident response maturity, and resilience against persistent attacks. Contractors must already meet all applicable Level 2 requirements before they can be evaluated at Level 3.

Because Level 3 applies to a narrow portion of the DIB, most contractors will never need to meet these requirements. For those that do, the additional controls and the government-led assessment process significantly increase preparation effort. Strike Graph’s overview of CMMC Level 3 compliance explains how these enhanced requirements differ in practice from Level 2 expectations.

What the CMMC levels mean for contractors

The most important takeaway is that CMMC requirements are not interchangeable across levels. Each level carries different expectations for controls, documentation, assessment rigor, and ongoing maintenance. Accurately identifying your target level and preparing specifically for that level’s assessment model will help you avoid delays, rework, or loss of eligibility.

To get ready for CMMC certification, you need to implement and document your compliance program well before your assessment. Contractors must scope the right systems, implement the controls for their required level, and organize documentation and evidence.

Most organizations that struggle with CMMC don’t fail because they lack controls; they fail because preparation happens out of order or too late.

Effective CMMC preparation follows a sequence:

  • Define and confirm scope
    See which systems, users, locations, and service providers handle Federal Contract Information or Controlled Unclassified Information. Proper scoping reduces assessment cost and prevents surprises. Over-scoping creates unnecessary work; under-scoping creates compliance risk.

  • Implement and validate required controls
    You should apply the security practices required for your target CMMC level and confirm they are operating as intended. This includes technical controls, administrative processes, and clearly assigned responsibilities. Preparation should reflect how controls actually work, not how they are assumed to work.

  • Develop documentation alongside implementation
    Create and maintain required documentation, such as policies, procedures, and system descriptions. Documentation should accurately describe the environment and map directly to how requirements are met. Strike Graph’s guidance on CMMC audit preparation highlights common documentation gaps that surface during assessments.

  • Collect and organize objective evidence
    Now it’s time to gather evidence that demonstrates each requirement is met, including configurations, logs, screenshots, and records. Evidence should be current, traceable, and easy to associate with specific requirements. Waiting to collect evidence until an assessment is scheduled often leads to rushed fixes and inconsistent artifacts.

  • Perform a self-assessment
    Before engaging in a formal assessment, perform a self-assessment to validate readiness. Self-assessments help identify missing controls, weak evidence, and misalignment between documentation and reality. Using structured CMMC self-assessments makes this process more consistent and defensible.

For organizations early in the process, following a preparation framework can prevent costly rework. Strike Graph’s free CMMC implementation guide walks through scoping, control implementation, documentation, and readiness checks in a logical order that matches how assessments are conducted.

Preparation should not stop once controls are in place. Contractors should revisit scope, documentation, and evidence regularly to account for system changes, new vendors, or evolving contract requirements. Treating CMMC as an ongoing discipline makes certification far more predictable and sustainable.

Conducting a CMMC gap analysis

A CMMC gap analysis is the process of comparing your current security posture against the specific requirements of your target CMMC level to identify what is missing, incomplete, or unsupported by evidence. It turns preparation work into a remediation plan before a formal assessment occurs.

A gap analysis is most effective after scoping is complete and initial controls are in place, but before an assessment is scheduled. At this stage, the goal is to understand where the remaining risk lies. Contractors use gap analyses to determine which requirements are fully met, which are partially met, and which require remediation before compliance can be credibly claimed.

“The most effective gap analyses happen before a deadline is looming,” Spieler notes. “When teams use them as a planning tool instead of a last-minute check, you can prioritize fixes realistically and avoid discovering problems during an active assessment.”

A well-run CMMC gap analysis seeks five core outcomes:

  • Confirm requirement coverage
    Evaluate each requirement at the target CMMC level to determine whether it is fully implemented, partially implemented, or not implemented at all. This prevents assumptions that controls are “close enough” when assessors require objective alignment.

  • Verify documentation accuracy
    Do your policies, procedures, and system descriptions properly reflect how controls operate in the real environment? Gaps often appear when documentation describes an ideal state rather than actual practice.

  • Assess evidence readiness
    Identify whether sufficient objective evidence exists to support each requirement. Controls that lack verifiable evidence frequently fail during assessments.

  • Set remediation priorities
    Not all gaps carry the same risk. A gap analysis helps contractors sequence fixes, accounting for assessment impact, effort required, and whether remediation after assessment is even allowed at the applicable level.

  • Create a realistic remediation plan
    Findings from the gap analysis should help you formulate a remediation plan, including ownership, timelines, and documentation updates.

For many organizations, the value of a gap analysis isn’t just identifying missing controls. It’s avoiding surprises. Discovering gaps during an assessment is far more costly and disruptive. A structured approach also gives you documented findings that help justify the remediation work internally.

For a deeper look, see Strike Graph’s article on how to conduct a CMMC gap analysis.

CMMC readiness depends on four core documentation types that demonstrate how security requirements are implemented, validated, and maintained. The four types are the self-assessment, evidence, System Security Plan (SSP), and Plan of Action and Milestones (POA&M).

Each document serves an individual purpose, but assessors evaluate them as a program. Inconsistencies between documentation, evidence, and actual practices are one of the most common causes of assessment delays and failed findings.

Contractors looking for standardized starting points can reference Strike Graph’s free CMMC templates, which map these artifacts to assessment expectations.

CMMC Self-Assessments

CMMC self-assessments describe whether and how required practices are implemented and operating as intended for a given CMMC level. They are required for Level 1 and may be required for Level 2, depending on the contract.

Self-assessments are more than checklists. They involve reviewing each requirement, confirming implementation against assessment objectives, and validating that supporting evidence exists. The results are used to determine compliance status and, in many cases, are formally reported as part of contract eligibility.

Scoring accuracy matters. Overstating compliance or overlooking gaps can create risk later, especially if assessment results are relied on during contract award decisions or follow-on evaluations. Strike Graph’s free CMMC self-assessment tools and its guides on how to conduct a CMMC Level 1 self-assessment and conduct a CMMC Level 2 self-assessment explain how assessments are structured and how results are evaluated.

CMMC Evidence Documentation

Evidence documentation consists of the artifacts used to prove that each CMMC requirement is met. Assessors rely on evidence to validate compliance.

Common forms of evidence for CMMC include:

  • System configurations and settings
  • Screenshots and exports from security tools
  • Logs, alerts, and audit records
  • Approved policies and procedures
  • Training records and access reviews

Evidence must reflect the current environment and align to documented controls. Controls that lack traceable evidence are often treated as unmet. Strike Graph’s guidance on CMMC audit preparation outlines how assessors review evidence and where concerns often lie.

CMMC System Security Plan (SSP)

The System Security Plan (SSP) is the central document that describes the system boundary, the environment in scope, and how each applicable CMMC requirement is implemented. It gives the assessor the context and detail needed to see how the controls work together.

A well-maintained CMMC System Security Plan:

  • Defines what is in scope and what is not
  • Describes system architecture and data flows
  • Explains how each requirement is met in practice
  • References supporting policies and evidence

Assessors use the SSP as a roadmap during an assessment. If it is outdated or overly generic, it raises immediate concerns. Strike Graph’s article on how to create a CMMC SSP outlines what assessors expect to see.

CMMC Plan of Action and Milestones (POA&M)

A Plan of Action and Milestones (POA&M) documents known gaps that require remediation, along with the steps and timing to close them. POA&Ms are not permitted at all CMMC levels and are subject to strict limitations where they are allowed.

When used appropriately, a CMMC POA&M helps contractors:

  • Track remediation work in a structured way
  • Sequence fixes based on assessment impact
  • Demonstrate progress toward full compliance

However, POA&Ms are not a substitute for implementation. You can’t defer certain requirements, and unresolved POA&M items can prevent certification or cause compliance status to expire. Strike Graph’s guidance on how to create a CMMC POA&M explains when POA&Ms are allowed and how they are evaluated during assessments.

Costs of CMMC Certification

The cost of CMMC certification varies widely from one contractor to another. There is no fixed price for compliance because contractors enter the process with different environments, contractual obligations, and levels of preparedness.

In practice, CMMC costs are driven by three primary factors: scope, required level, and organizational readiness.

  • Scope: The more systems, users, locations, and service providers included in scope, the more controls must be implemented, documented, and evidenced. Contractors that narrowly scope environments to only what handles Federal Contract Information or Controlled Unclassified Information typically face lower preparation and assessment costs than those that take a broad, unfocused approach.

  • Level: CMMC Level 1 generally involves lower costs because it includes fewer requirements and relies on annual self-assessments. Level 2 introduces significantly more effort, particularly when third-party assessments are required. Level 3 applies to a limited set of programs but carries higher preparation and assessment costs due to enhanced requirements and government-led evaluations.

  • Readiness: Organizations with mature security programs, existing documentation, and disciplined change management usually spend less on remediation and rework. In contrast, contractors starting from informal or undocumented practices often see higher costs due to control implementation, evidence collection, and repeated readiness reviews.

Assessment-related costs should also be considered. While self-assessments reduce direct assessment fees, they still require internal time, tooling, and documentation effort. Third-party assessments introduce additional direct costs and scheduling considerations, and unresolved findings can lead to follow-on remediation work that increases total spend.

For a more detailed breakdown, Strike Graph’s guide to CMMC costs explains typical expense categories and what contractors should budget for at each level. Contractors looking to reduce unnecessary spend can also reference guidance on optimizing CMMC costs, which outlines practical strategies for controlling scope, avoiding rework, and aligning preparation efforts with assessment expectations.

Understanding cost drivers early allows contractors to plan realistically, prioritize the right work, and avoid last-minute expenses that delay certification or jeopardize contract eligibility.

 

To achieve faster CMMC compliance, contractors need a central platform to manage assessments, documentation, and evidence. Streamlining compliance reduces gaps, limits rework, and helps teams stay ready when CMMC requirements appear in a contract.

Strike Graph’s AI-native compliance platform gives defense contractors a single place to manage CMMC requirements, assessments, documentation, and evidence as an ongoing program, not a one-time scramble. This resolves the most common causes of CMMC delays: manual tracking, inconsistent documentation, scattered evidence, and last-minute preparation.

“What slows most CMMC efforts is the lack of visibility,” says Strike Graph CEO Justin Beals. “When teams can see requirements, documentation, and evidence together, compliance stops being reactive and becomes strategic.”

Instead of relying on spreadsheets and shared folders, contractors use Strike Graph to:

  • Run structured CMMC self-assessments
    Use guided free CMMC self-assessments to understand readiness, scoring, and gaps early before an assessment or bid deadline forces rushed decisions.

  • Keep documentation and evidence assessment-ready
    Maintain aligned controls, documentation, and evidence in one system, reducing rework and follow-up during assessments.

  • Reduce duplication across frameworks
    Manage overlapping requirements without recreating documentation or evidence for each compliance effort.

With Strike Graph’s compliance platform, you can better manage your CMMC timeline and costs and begin qualifying for more DoD contracts.

Schedule a demo today.

CMMC FAQ: Common Questions Contractors Ask

How does CMMC relate to earlier DFARS cybersecurity requirements?
Before CMMC, many contractors were already subject to cybersecurity obligations under clauses such as DFARS 252.204-7012 and DFARS 252.204-7020. CMMC builds on those requirements by adding formal verification and making cybersecurity compliance a condition of award, not just a post-award responsibility.

What role does eMASS play in CMMC assessments?
For certain government-led or higher-level assessments, results may flow through the Enterprise Mission Assurance Support Service (eMASS) as part of internal DoD risk management processes. Most contractors do not interact with eMASS directly.

What does “OSC” mean in CMMC documentation?
An Organization Seeking Certification (OSC) is the contractor pursuing CMMC compliance and assessment. The term is used in assessment documentation to distinguish the organization being assessed from assessors and government entities.

Do I need to hire a Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA)?
Not necessarily. A Certified CMMC Professional (CCP) may assist with preparation and readiness, while a Certified CMMC Assessor (CCA) participates in formal assessments conducted by a C3PAO. Most contractors do not need to hire either directly.

How does CMMC relate to NIST SP 800-53?
NIST SP 800-53 is a broad control catalog primarily used for federal systems. CMMC does not require contractors to implement NIST SP 800-53. Instead, CMMC relies on NIST SP 800-171, and selected NIST SP 800-172 requirements at Level 3.

Which DoD organizations oversee the CMMC program?
CMMC policy oversight sits within the Office of the Under Secretary of Defense for Acquisition & Sustainment. Operational security oversight across the defense supply chain also involves organizations such as the Defense Counterintelligence and Security Agency. Contractors typically interact with CMMC through contracts and assessments rather than directly with these offices.