CMMC
Cybersecurity Maturity Model Certification
CMMC is the US Department of Defense's cybersecurity certification requirement for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), assessed by accredited C3PAOs (Level 2) or the government's DIBCAC (Level 3).
Q&A
What is CMMC?
CMMC is the US Department of Defense's cybersecurity certification requirement for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), assessed by accredited C3PAOs (Level 2) or the government's DIBCAC (Level 3).
Who needs CMMC?
Any US Department of Defense prime contractor or subcontractor whose contract includes DFARS 252.204-7021 and handles Federal Contract Information or Controlled Unclassified Information.
How long does CMMC take?
6–9 months to secure an assessment slot today, with industry backlog projected to reach 24–30 months by late 2026
How much does a CMMC audit cost?
$75,000–$300,000 all-in for Level 2 certification (C3PAO assessment fee alone: $25,000–$120,000)
What does a CMMC audit cover?
A Cyber-AB authorized C3PAO tests your environment against the applicable NIST SP 800-171 (Level 2) or SP 800-172 (Level 3) controls and issues a certification decision. Level 1 remains an annual self-assessment. The deliverable is a formal certification recorded in the DoD's SPRS system.
What it is
CMMC (Cybersecurity Maturity Model Certification) is the US Department of Defense's program to verify that contractors and subcontractors in the Defense Industrial Base implement the cybersecurity practices required to protect Federal Contract Information (FCI) at Level 1 and Controlled Unclassified Information (CUI) at Levels 2 and 3. Level 1 is a self-assessment against 15 FAR-based practices. Level 2 covers the 110 NIST SP 800-171 controls, with most contracts requiring a third-party assessment by a Cyber-AB authorized C3PAO. Level 3 adds a subset of NIST SP 800-172 enhanced controls and is assessed directly by the government's DIBCAC.
Any US Department of Defense prime contractor or subcontractor whose contract includes DFARS 252.204-7021 and handles Federal Contract Information or Controlled Unclassified Information.
A Cyber-AB authorized C3PAO tests your environment against the applicable NIST SP 800-171 (Level 2) or SP 800-172 (Level 3) controls and issues a certification decision. Level 1 remains an annual self-assessment. The deliverable is a formal certification recorded in the DoD's SPRS system.
6–9 months to secure an assessment slot today, with industry backlog projected to reach 24–30 months by late 2026
$75,000–$300,000 all-in for Level 2 certification (C3PAO assessment fee alone: $25,000–$120,000)