CMMC 2.0 Levels 1, 2, and 3: What Changes, What It Costs, and How to Choose


TL;DR: CMMC 2.0 became mandatory for DoD contracts on November 10, 2025. Level 1 requires 15 self-assessed controls for Federal Contract Information. Level 2 requires 110 NIST SP 800-171 controls for Controlled Unclassified Information and costs $150,000 to $400,000 over three years. Level 3 adds 24 controls for advanced threats and applies to less than 5 percent of contractors. Your level depends on contract requirements, not choice. Certification takes six months to one year. Without it, you cannot bid.

Quick Answer: CMMC Level Requirements

  • Level 1: 15 controls, self-assessment, Federal Contract Information only, no third-party audit required

  • Level 2: 110 controls (NIST SP 800-171), third-party assessment (Phase 2, November 2026), Controlled Unclassified Information, 78 percent of all assessments

  • Level 3: 134 controls (110 + 24 drawn from NIST SP 800-172), government-led assessment by DCMA DIBCAC rather than a C3PAO, advanced persistent threat protection, less than 5 percent of contractors

  • Cost: Level 2 total three-year cost is $150,000 to $400,000 (assessment, technology, training, maintenance)

  • Timeline: Six months to one year for Level 2 with existing cybersecurity baseline

Why CMMC Compliance Matters Now

The DoD's 48 CFR (DFARS) CMMC rule took effect on November 10, 2025, and CMMC requirements began appearing in solicitations and contracts from that date. This isn't a future problem. It's active enforcement.

If you handle Federal Contract Information or Controlled Unclassified Information, you need the CMMC status the solicitation specifies, posted in SPRS, by the time of award. During Phase 1 that status is a self-assessment; without it, you're ineligible for award.

The level you need depends on the data you touch. The cost depends on where you start. The timeline depends on how honest you are about your current state.

Bottom line: CMMC is now a hard requirement for DoD contract eligibility, not an optional security upgrade.

What Are CMMC Levels 1, 2, and 3?

CMMC breaks into three levels. Each level corresponds to the sensitivity of information you handle and the security practices required to protect it.

What Does CMMC Level 1 Cover?

Level 1 covers Federal Contract Information (FCI). This includes basic data like contract terms, pricing, and delivery schedules.

Requirements:

  • 15 safeguarding practices outlined in FAR 52.204-21

  • Access control, identification and authentication, media sanitization, physical access limits, boundary protection, malware protection, and flaw remediation (FAR 52.204-21 requires neither encryption nor an incident response program)

  • Annual self-assessment only (no third-party assessor)

  • A senior company official affirms in SPRS, annually, that every requirement is met

  • The DoD can verify, but no C3PAO certificate is issued

What Does CMMC Level 2 Cover?

Level 2 covers Controlled Unclassified Information (CUI). This is where most defense contractors land because CUI includes technical data, export-controlled information, and operational details that could harm national security if exposed.

Requirements:

  • All 110 security requirements in NIST SP 800-171 Revision 2, the revision the CMMC rule fixes as the baseline

  • NIST SP 800-171 Revision 3 consolidates the set to 97 requirements, but DoD must amend the CMMC rule before assessments move to it; plan against Revision 2

  • Third-party assessment starting in Phase 2 (November 2026)

  • 78 percent of all CMMC assessments target Level 2

Level 2 is the workhorse certification for contractors handling CUI.

What Does CMMC Level 3 Cover?

Level 3 adds 24 controls drawn from NIST SP 800-172 on top of Level 2's 110 controls (total 134). These controls target advanced persistent threats.

Requirements:

  • Enhanced access control

  • Network segmentation

  • Incident response capabilities beyond NIST SP 800-171

  • Applies to less than 5 percent of defense contractors

  • The DoD estimates around 600 companies will need this level

  • Assigned contract by contract based on CUI sensitivity and threat profile

  • Prerequisite: a final (not conditional) Level 2 C3PAO certification for the same scope

  • Assessed by the government (DCMA DIBCAC), not by a C3PAO

Most contractors will never see a Level 3 requirement.

Key insight: Your CMMC level is determined by the data type in your contract—FCI requires Level 1, CUI requires Level 2, and enhanced CUI protection requires Level 3.

How Much Does CMMC Compliance Cost?

The assessment fee is the visible part. The technology, training, and maintenance are the real cost.

CMMC Level 2 Assessment Fees

For Level 2, you'll spend $34,000 to $112,000 on the assessment itself, depending on your size and complexity. Per employee, smaller contractors pay the most:

  • Smaller contractors: $3,200 per employee

  • Medium-sized businesses: $1,100 per employee

  • Larger organizations: $850 per employee (economies of scale)

Technology Upgrade Costs

Most contractors underestimate hardware and software needs by $15,000 to $85,000.

Required technology:

  • Endpoint detection and response tools (EDR)

  • Identity and access management systems (IAM)

  • Multi-factor authentication (MFA)

  • Encryption solutions

  • Backup solutions that meet NIST standards

If your current infrastructure doesn't support segmentation, monitoring, or audit logging, you're rebuilding parts of your network. That's an architecture change, not a software purchase.

Training Costs

Training adds $8,000 to $25,000 in ongoing costs.

Your team needs to understand the controls, the documentation requirements, and the incident response procedures. This isn't a one-time workshop. It's continuous education tied to policy updates and threat changes.

Maintenance Costs

Maintenance runs $10,000 to $50,000 annually.

A CMMC certification is valid for three years. Between formal assessments you need continuous monitoring, an annual affirmation of continued compliance in SPRS by a senior official, and documentation updates. Add $5,000 to $25,000 annually for training refreshers and policy revisions.

Total CMMC Cost Breakdown

The total cost for Level 2 compliance over three years typically runs $150,000 to $400,000 for a mid-sized contractor. That includes assessment, technology, training, and maintenance combined.

Level 3 costs 20 to 30 percent higher than Level 2 because you're adding advanced controls, which means more sophisticated tools and deeper expertise.

Cost reality: Budget for the full compliance infrastructure (technology, training, maintenance), not just the assessment fee, because the assessment represents only 15–30 percent of total costs.

How Long Does CMMC Certification Take?

Achieving Level 2 compliance takes six months to one year. That assumes you start with basic cybersecurity hygiene in place. If you're starting from scratch, add three to six months (total nine to eighteen months).

What Is the CMMC Rollout Timeline?

The DoD is rolling out CMMC in four phases, each starting one year after the last:

  • Phase 1 (November 10, 2025): Self-assessments required for Level 1 and Level 2 (DoD may require a Level 2 C3PAO assessment on some contracts at its discretion)

  • Phase 2 (November 2026): Third-party (C3PAO) certification required for Level 2

  • Phase 3 (November 2027): Level 3 (DIBCAC) requirements introduced

  • Phase 4 (November 2028): Full implementation; CMMC requirements apply to all applicable solicitations and contracts, including option periods

If you're pursuing contracts now, you need to complete self-assessment immediately. If you're waiting for Phase 2, you have until November 2026 to prepare for third-party assessment. That sounds like breathing room, but it's not.

How Ready Are Defense Contractors?

Most contractors are not ready. A 2024 survey found:

  • 58 percent of defense contractors don't feel prepared for CMMC enforcement

  • 13 percent have taken no steps at all

  • Only 41 percent have completed the self-assessment against NIST SP 800-171 controls

Katie Arrington, performing the duties of DoD Chief Information Officer, has stated that if contractors had complied with NIST SP 800-171 when it was introduced, CMMC wouldn't be difficult. A 2020 DoD review uncovered widespread noncompliance, including contractors with Plans of Action that wouldn't achieve full compliance until 2099.

That's not preparation. That's avoidance.

Timeline takeaway: Start now to avoid compressed timelines, higher costs, and certification delays that block contract awards, because Phase 2 third-party assessments begin in November 2026.

What Is Conditional CMMC Certification?

You can obtain conditional certification (the rule calls it Conditional Level 2 or Conditional Level 3 status) if a limited set of requirements is unmet. Those gaps go on a Plan of Action and Milestones (POA&M). You have 180 days to close them out. Level 1 gets no POA&M: every one of the 15 requirements must be met.

How Does Conditional Certification Work?

Conditional certification makes you eligible for contract awards while you remediate gaps. However, the rule (32 CFR 170.21) is strict about what may be deferred. Your assessment score must be at least 80 percent (88 of 110). Only 1-point requirements may go on the POA&M; every 3- and 5-point requirement must be MET, with one exception: FIPS-validated CUI encryption (SC.L2-3.13.11) may be deferred when scored at 1 or 3 points. Five 1-point requirements can never be deferred: external connections (3.1.20), publicly accessible content (3.1.22), escort visitors (3.10.3), physical access logs (3.10.4), and manage physical access (3.10.5). If you miss any of these criteria, you cannot achieve even conditional certification.

POA&M requirements:

  • 180-day window to close all gaps (firm deadline)

  • POA&M closeout assessment required for final certification

  • If you miss the deadline, your conditional certification expires

  • 3- and 5-point requirements, plus five named 1-point requirements, cannot be deferred to a POA&M; the score must be at least 88 of 110

Should You Pursue Conditional Certification?

I've seen contractors use POA&Ms as a crutch. They certify with gaps, win contracts, and then struggle to close out the plan within 180 days. That's a risk.

If you can't remediate in six months, don't certify conditionally. Build a POA&M only for gaps you can close in 120 days. Give yourself a 60-day buffer inside the 180-day window. If a control takes longer, delay certification until it's complete.

Conditional certification rule: Only use POA&Ms for gaps you can close in 120 days with a 60-day buffer, because missing the 180-day deadline means your conditional certification expires and you lose contract eligibility.
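Added here as an example, not code from the original post or from any DoD tool: a small Python checker that applies the conditional-status rules in 32 CFR 170.21 as described above (score at least 80 percent of 110, only 1-point requirements deferrable, SC.L2-3.13.11 deferrable at 1 or 3 points, five requirements never deferrable) together with the 120-day internal target inside the 180-day closeout window. Requirement weights are an input: they must come from the DoD Assessment Methodology, and the weights and remediation dates in the sample findings below are constructed for illustration, not taken from a real assessment.

```python
"""
POA&M eligibility checker for a CMMC Level 2 self-assessment.

Applies the conditional-status criteria of 32 CFR 170.21: score/110 >= 0.8,
only 1-point requirements deferrable (except SC.L2-3.13.11 at 1 or 3 points),
and five requirements that can never sit on a POA&M. Weights are caller input
taken from the DoD Assessment Methodology; the sample below is constructed.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110

# 1-point requirements the rule excludes from any POA&M (32 CFR 170.21).
NEVER_DEFERRABLE = {
    "3.1.20": "External connections",
    "3.1.22": "Publicly accessible content",
    "3.10.3": "Escort visitors",
    "3.10.4": "Physical access logs",
    "3.10.5": "Manage physical access",
}
# CUI encryption: deferrable when scored at 1 or 3 (non-FIPS-validated crypto in place).
CUI_ENCRYPTION = "3.13.11"


@dataclass(frozen=True)
class Finding:
    """One NOT MET requirement from the self-assessment."""
    req_id: str          # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    weight: int          # points deducted: 1, 3 or 5 per DoD Assessment Methodology
    days_to_close: int   # planned remediation time from the POA&M


def sprs_score(findings):
    """DoD Assessment Methodology score: 110 minus the weight of every NOT MET item."""
    return TOTAL_REQUIREMENTS - sum(f.weight for f in findings)


def poam_blockers(findings):
    """Findings that cannot sit on a POA&M, each with the reason it blocks."""
    blockers = []
    for f in findings:
        if f.req_id in NEVER_DEFERRABLE:
            blockers.append((f.req_id, f"excluded from POA&M ({NEVER_DEFERRABLE[f.req_id]})"))
        elif f.req_id == CUI_ENCRYPTION:
            if f.weight not in (1, 3):
                blockers.append((f.req_id, "CUI encryption deferrable only at 1 or 3 points"))
        elif f.weight > 1:
            blockers.append((f.req_id, f"{f.weight}-point requirement"))
    return blockers


def schedule_risks(findings, planned_days=120):
    """Deferrable findings whose plan exceeds the internal target (120 days by
    default, leaving a 60-day buffer inside the 180-day closeout window)."""
    return [f.req_id for f in findings if f.days_to_close > planned_days]


def evaluate(findings, planned_days=120):
    """Score the assessment and decide whether conditional Level 2 status is possible."""
    score = sprs_score(findings)
    blockers = poam_blockers(findings)
    # Integer form of score / 110 >= 0.8, so exactly 88 passes without float rounding.
    meets_minimum = score * 10 >= 8 * TOTAL_REQUIREMENTS
    return {
        "score": score,
        "meets_minimum_score": meets_minimum,
        "blockers": blockers,
        "eligible_for_conditional": meets_minimum and not blockers,
        "schedule_risks": schedule_risks(findings, planned_days),
    }


# Constructed sample assessment: illustrative weights and dates, not real data.
SAMPLE_FINDINGS = [
    Finding("3.1.20", 1, 30),    # external connections: never deferrable
    Finding("3.5.3", 5, 60),     # MFA: 5-point requirement, must be MET before assessment
    Finding("3.13.11", 3, 150),  # non-FIPS crypto: deferrable, but 150 days busts the 120-day target
    Finding("3.1.3", 1, 45),     # CUI flow control: deferrable 1-point item
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS)
    print(f"SPRS score: {result['score']}/110")
    for req_id, reason in result["blockers"]:
        print(f"  blocks conditional status: {req_id} ({reason})")
    for req_id in result["schedule_risks"]:
        print(f"  schedule risk (>120 days): {req_id}")
    print("Eligible for conditional Level 2:", result["eligible_for_conditional"])
```

Run against the sample, the checker reports a score of 100 (above the 88 floor) but refuses conditional status because 3.1.20 is on the never-deferrable list and MFA is a 5-point requirement; it also flags the encryption item as a schedule risk because a 150-day plan leaves no buffer before the 180-day deadline. Remediate the two blockers first, shorten the encryption plan, and the same inputs produce a clean conditional-status outcome.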

How Do You Choose the Right CMMC Level?

Your CMMC level is not a choice. It's a contract requirement.

Which CMMC Level Do You Need?

  • If your contract involves only Federal Contract Information (FCI), you need Level 1

  • If it involves Controlled Unclassified Information (CUI), you need Level 2

  • If the DoD designates your contract as requiring enhanced protection, you need Level 3

How to Determine Your Data Classification

The confusion comes from contractors who don't know what data they handle. You need a data classification exercise before you can determine your CMMC level.

Data classification steps:

  1. Map every data type in your environment to FCI, CUI, or neither

  2. Identify where it lives

  3. Identify who accesses it

  4. Identify how it moves

Practical Guidance by Role

  • If you handle CUI, assume Level 2

  • If you're a subcontractor, ask your prime what level they require

  • If you're a prime, review the contract language for CUI references or security requirements

Level 3 is rare. The DoD will tell you explicitly if you need it. Don't pursue Level 3 unless the contract demands it because the cost and complexity are not worth the preemptive investment.

Level selection principle: Your CMMC level is dictated by contract data requirements (FCI = Level 1, CUI = Level 2, enhanced CUI = Level 3), not by organizational preference or ambition.

What Is the Business Impact of CMMC Compliance?

CMMC compliance protects your ability to bid. Without certification, you're ineligible for DoD contracts involving FCI or CUI. That's not a penalty. That's disqualification.

What Are the Consequences of Non-Compliance?

If you attest to compliance you do not have, you face significant penalties. The DoD can audit your controls at any time, and a false affirmation in SPRS is a false statement to the government.

False claims can result in:

  • Contract termination

  • Fines and False Claims Act liability

  • Suspension or debarment from future bids

What Is the ROI of CMMC Compliance?

The ROI on CMMC compliance is straightforward. Certification lets you compete. Non-compliance removes you from consideration. For contractors dependent on DoD revenue, that's an existential risk.

Beyond eligibility, CMMC compliance improves your security posture:

  • Close gaps that expose you to breaches, ransomware, and data theft

  • Implement monitoring and response capabilities that reduce downtime and recovery costs

  • Build documentation and governance that make audits and due diligence faster

Who Struggles vs Who Succeeds with CMMC?

One argument against CMMC is that verification is arduous and expensive, especially for small and medium-sized businesses. That's true if you're starting from zero. However, if you've been implementing NIST SP 800-171 controls as required under DFARS, CMMC is a formalization of work you've already done.

The contractors struggling with CMMC are the ones who ignored DFARS requirements for years. In contrast, the contractors succeeding are the ones who treated cybersecurity as a business enabler, not a compliance checkbox.

Business reality: CMMC compliance is revenue protection, not security theater, because without certification you lose DoD contract eligibility regardless of your technical capabilities or past performance.

How Should You Prepare for CMMC Certification?

Step 1: Start with a Gap Assessment

Compare your current controls to NIST SP 800-171. Identify missing practices, incomplete documentation, and weak processes. Prioritize the gaps that create the most risk or block certification.

Step 2: Budget for Technology Upgrades

Budget for technology upgrades, not just assessment fees. If your infrastructure can't support encryption, segmentation, or monitoring, fix that first. Trying to certify on inadequate systems wastes time and money.

Step 3: Build a Realistic POA&M

Build a POA&M only for gaps you can close in 120 days. Give yourself a 60-day buffer inside the 180-day window. If a control takes longer, delay certification until it's complete.

Step 4: Treat CMMC as a Capability Build

Treat CMMC as a capability build, not a compliance project. The controls you implement reduce risk, improve uptime, and protect customer data. Frame the investment in terms of business continuity and competitive advantage, not regulatory burden.

Step 5: Move Faster Than You Think You Need To

Phase 2 starts November 2026. If you're waiting until then to prepare, you're already behind. The contractors who start now will have time to remediate, test, and certify without rushing. The ones who wait will face compressed timelines, higher costs, and certification delays that block contract awards.

CMMC is not optional. The question is whether you prepare deliberately or scramble reactively. I've seen both. Deliberate preparation costs less and delivers better outcomes.

Preparation principle: Start with gap assessment, fix infrastructure first, build conservative POA&Ms, and begin now rather than waiting for phase deadlines, because deliberate preparation costs 30–50 percent less than reactive scrambling.

Frequently Asked Questions About CMMC

Can I bid on DoD contracts without CMMC certification?

No. The CMMC rule took effect on November 10, 2025. If you handle Federal Contract Information or Controlled Unclassified Information, you must hold the CMMC status the solicitation specifies (a self-assessment posted in SPRS during Phase 1; a C3PAO certification for Level 2 from Phase 2) or you're ineligible for award. This is not a penalty. It's a hard eligibility requirement.

How much does Level 1 CMMC cost compared to Level 2?

Level 1 is significantly cheaper because it requires only self-assessment (no third-party auditor) and 15 controls instead of 110. Expect Level 1 costs under $20,000 total. Level 2 costs $150,000 to $400,000 over three years because it requires technology upgrades, training, maintenance, and third-party assessment.

Can I skip directly to Level 3 to future-proof my organization?

No. Don't pursue Level 3 unless your contract explicitly requires it. Level 3 applies to less than 5 percent of contractors and costs 20–30 percent more than Level 2. The cost and complexity are not worth the preemptive investment because the DoD assigns Level 3 contract by contract based on threat profile.

What happens if I fail my CMMC assessment?

If you fail assessment, you cannot bid on contracts requiring that certification level. You must remediate the gaps and reassess. This delays your ability to compete and increases costs because you pay for reassessment. That's why gap assessment before formal certification is critical.

How often do I need to recertify?

A CMMC certification is valid for three years. Between formal assessments you need continuous monitoring, an annual affirmation of continued compliance in SPRS, and documentation updates. Level 1 self-assessments are repeated annually. Budget $10,000 to $50,000 annually for maintenance to stay audit-ready.

Which requirements cannot go on a POA&M for conditional certification?

The rule (32 CFR 170.21) spells this out. For Level 2, the assessment score must be at least 88 of 110, and only 1-point requirements may be deferred, so multi-factor authentication, audit logging, and the other 3- and 5-point requirements must be MET at assessment time. FIPS-validated CUI encryption (SC.L2-3.13.11) is the one exception: it may be deferred when scored at 1 or 3 points. Five 1-point requirements can never be deferred: 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5. Level 1 allows no POA&M at all. If you miss any of these conditions, you cannot achieve even conditional certification.

Does CMMC apply to subcontractors?

Yes. If you're a subcontractor handling FCI or CUI, you need CMMC certification at the level specified by your prime contractor or the contract requirement. Flow-down requirements mean subcontractors face the same certification standards as primes.

Can I use cloud services and still achieve CMMC compliance?

Yes. You can use cloud services if they meet NIST SP 800-171 requirements. Use FedRAMP Moderate or High authorized cloud providers for CUI. Shared responsibility models mean you're responsible for how you configure and use the cloud, not just whether the provider is compliant.

Key Takeaways

  • CMMC is mandatory as of November 10, 2025. Without certification, you cannot bid on DoD contracts involving Federal Contract Information or Controlled Unclassified Information.

  • Your level is dictated by contract data requirements. FCI requires Level 1 (15 controls, self-assessed). CUI requires Level 2 (110 NIST SP 800-171 Revision 2 controls, C3PAO-assessed starting November 2026). Enhanced CUI requires Level 3 (134 controls, government-assessed by DIBCAC, less than 5 percent of contractors).

  • Budget for the full infrastructure, not just assessment fees. Level 2 total three-year cost is $150,000 to $400,000 (assessment, technology, training, maintenance). The assessment represents only 15–30 percent of total costs.

  • Certification takes six months to one year for Level 2. Add three to six months if starting from scratch. Most contractors (58 percent) are not ready. Start now to avoid compressed timelines and higher costs.

  • Conditional certification requires 180-day gap closure. Only use POA&Ms for gaps you can close in 120 days (60-day buffer). Only 1-point requirements may be deferred (minimum score 88 of 110), and five named 1-point requirements can never be deferred. Missing the deadline means your conditional certification expires.

  • CMMC is revenue protection, not theater. Compliance protects contract eligibility and improves security posture by closing gaps, reducing risk, and enabling faster audits. Deliberate preparation costs 30–50 percent less than reactive scrambling.

  • Start with gap assessment against NIST SP 800-171. Identify missing controls, fix infrastructure first, build conservative POA&Ms, and begin now rather than waiting for phase deadlines.

Need Help Navigating CMMC Compliance?

CTO Input helps defense contractors turn CMMC requirements into business capabilities. We start with a gap assessment against NIST SP 800-171, quantify the cost and timeline to certification, and build a roadmap that ties security controls to risk reduction and contract eligibility.

Our approach is simple. Map your data. Identify the gaps. Prioritize remediation by business impact. Build documentation that survives audit. Prepare for assessment without theater.

We've guided contractors through Level 2 certification, POA&M development, and infrastructure upgrades that support compliance and reduce operational risk. We price against value. Your investment should protect revenue and improve security posture, not just check a box.

If you're facing a CMMC requirement and need clarity on where to start, reach out. We'll assess your current state, frame the work in dollars and time, and give you options that fit your timeline and budget.
