
A step-by-step guide for defense contractors who don't know where to start. Covers all 3 CMMC levels, costs, timelines, official resources, and everything you need to achieve certification.
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that requires defense contractors to prove their cybersecurity practices meet specific standards. Before CMMC, contractors simply self-attested that they followed the rules — and many didn't. CMMC adds an independent verification layer so the DoD can trust that sensitive defense information is actually protected.
If your company is part of the defense supply chain — whether you're a prime contractor, subcontractor, manufacturer, IT provider, or managed service provider — CMMC affects you. Without certification, you won't be able to bid on or maintain DoD contracts.
“The CMMC program is about protecting our warfighter. The information that flows through the defense industrial base is critical to national security, and we need to ensure it's protected.”
DIB companies affected
Enforcement begins
Of certification
Each level builds on the previous one. Most defense contractors handling CUI will need Level 2.
Security practices
Security controls
Security controls
Most small and medium defense contractors need Level 2 — if you handle CUI (which the vast majority of DIB contracts require), Level 2 with a C3PAO assessment is your target.
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Figure out which level of certification your contracts require
The first step is understanding what type of data you handle. If your DoD contracts only involve Federal Contract Information (FCI), you need Level 1. If you handle Controlled Unclassified Information (CUI), you'll need Level 2 — and approximately 95% of contractors handling CUI will need a third-party C3PAO assessment rather than a self-assessment.
Define the boundaries of your CUI environment
Scoping is critical — it determines what systems, people, and processes are subject to CMMC requirements. A well-defined scope can dramatically reduce compliance costs. The CMMC Assessment Scope defines four asset categories: CUI Assets (process/store/transmit CUI), Security Protection Assets (provide security for CUI assets), Contractor Risk Managed Assets (can but don't process CUI), and Specialized Assets (IoT, OT, government-furnished equipment).
Evaluate your current security posture against CMMC requirements
A gap assessment compares your current security controls against NIST SP 800-171 requirements (for Level 2). This gives you a clear picture of what's already in place and what needs work. Your SPRS (Supplier Performance Risk System) score is calculated based on this assessment — a perfect score is 110, and you need a minimum of 88 with a POA&M plan to achieve Conditional certification.
Document how your organization implements each security control
The System Security Plan is the cornerstone of your CMMC compliance documentation. It describes your system boundaries, how each of the 110 controls is implemented, who is responsible, and what technologies support each control. A C3PAO assessor will review your SSP first — think of it as the blueprint they use to verify your compliance. It must be thorough, accurate, and current.
Close gaps across all 14 NIST 800-171 control families
This is typically the most time-intensive and costly step. The 110 controls span 14 families: Access Control (22 controls), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7). Start with the highest-impact areas first.
Create the documentation assessors expect to see
CMMC assessors don't just check technical controls — they verify that you have formal policies and procedures governing your security program. Each of the 14 control families should have an associated policy. These documents must be approved by management, communicated to employees, and reviewed at least annually. They should reflect your actual practices, not generic templates.
Ensure every employee understands their role in protecting CUI
CMMC requires security awareness training for all users, plus role-based training for personnel with specific security responsibilities. Training must cover CUI identification and handling, phishing awareness, incident reporting procedures, and your organization's specific security policies. Training records must be maintained as evidence for your assessment.
Get ready for your C3PAO or self-assessment
Before your formal assessment, ensure all documentation is current, evidence is organized, and your team is prepared. Select a C3PAO through the CyberAB Marketplace — but plan ahead, as wait times are often 6-12+ months. Consider a mock assessment to identify any remaining gaps. Remember: you need a minimum SPRS score of 88/110, and any controls on POA&M must be closed within 180 days of Conditional certification.
Feeling overwhelmed? You don't have to do this alone.
CMMC is rolling out in four phases. The clock is ticking — early preparation gives you a competitive advantage.
CMMC requirements appear in select contracts. Level 1 self-assessments begin.
Level 2 C3PAO assessments required for new contracts involving CUI.
Full Level 2 enforcement. Level 3 DIBCAC assessments begin for critical programs.
All CMMC levels enforced across all DoD contracts, option exercises, and extensions.
CMMC requirements appear in select contracts. Level 1 self-assessments begin.
Level 2 C3PAO assessments required for new contracts involving CUI.
Full Level 2 enforcement. Level 3 DIBCAC assessments begin for critical programs.
All CMMC levels enforced across all DoD contracts, option exercises, and extensions.
“We are committed to holding the defense industrial base accountable for the protection of controlled unclassified information. CMMC provides the verification mechanism we've been lacking.”
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
| Level | Controls | Assessment | Prep Cost | Assessment Cost | Timeline |
|---|---|---|---|---|---|
Level 1 | 15 | Self | $15K - $50K | N/A (self) | 1-3 months |
Level 2 | 110 | C3PAO | $100K - $300K+ | $50K - $150K | 6-18 months |
Level 3 | 134 | DIBCAC | $250K - $500K+ | Gov-led | 12-24 months |
$5K-$30K/year for compliance management tools
$10K-$50K/year depending on environment size
500-2,000+ hours over the compliance journey
Ongoing compliance maintenance costs
GCC High or Azure Government can be 2-3x commercial pricing
Without CMMC certification, you'll be locked out of DoD contracts entirely. Consider the math:
The question isn't whether you can afford CMMC — it's whether you can afford not to have it.

Bookmark these government and official sources. These are the authoritative references for CMMC compliance.
Official program information, policy documents, and assessment guides from the Department of Defense.
Find authorized C3PAOs, Registered Provider Organizations (RPOs), and Registered Practitioners (RPs).
The 110 security controls that form the basis of CMMC Level 2. The primary compliance framework.
Supplier Performance Risk System — where you submit your self-assessment score and annual affirmations.
The final CMMC rule published in the Federal Register. The legal basis for all CMMC requirements.
Free cybersecurity resources specifically designed for small businesses in the defense supply chain.
Perspectives from DoD leadership and the CMMC ecosystem on getting prepared.
“The CMMC program is about protecting our warfighter. The information that flows through the defense industrial base is critical to national security, and we need to ensure it's protected.”
Director, CMMC Program Management Office, DoD
“Organizations shouldn't wait until CMMC is in their contracts to start preparing. The assessment ecosystem takes time to scale, and early movers will have a significant advantage.”
CEO, CyberAB (CMMC Accreditation Body)
“We are committed to holding the defense industrial base accountable for the protection of controlled unclassified information. CMMC provides the verification mechanism we've been lacking.”
Deputy CIO for Cybersecurity, Department of Defense
Monthly updates on the CMMC ecosystem, C3PAO availability, and program changes.
cyberab.orgOfficial program announcements, rule changes, and implementation guidance from DoD CIO.
dodcio.defense.gov
Illumen specializes in helping SMBs in the defense supply chain achieve CMMC certification — from manufacturers to MSPs. We meet you wherever you are in the journey.
Know exactly where you stand
From $5,000Close gaps with expert guidance
CustomSSP, policies & procedures
From $8,000Audit-ready in as few as 3 months
All-inclusive fixed pricing. Dedicated expert. 100% pass guarantee.
Get a Custom QuoteCommon questions from defense contractors starting their CMMC journey.