CMMC Compliance Services for Defense Contractors
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework developed by the U.S. Department of Defense (DoD) to protect sensitive defense information across the entire supply chain. CMMC 2.0 — the current version finalized through the 32 CFR Part 170 rulemaking process — replaced the original CMMC 1.0 model with a streamlined three-level structure.
For decades, defense contractors were expected to safeguard Controlled Unclassified Information (CUI) under DFARS clause 252.204-7012, which required compliance with the 110 security controls in NIST Special Publication 800-171. The problem? Compliance was self-attested, with no verification mechanism. DoD audits found that many contractors claimed compliance but hadn't actually implemented the required controls — leaving sensitive defense data exposed to nation-state adversaries.
CMMC was created to solve this accountability gap. Instead of trusting contractors to self-certify, CMMC requires independent third-party assessments for organizations handling CUI. The framework doesn't introduce new security requirements — it enforces the ones that already existed under NIST 800-171 and adds a verification layer that ensures contractors are actually doing what they claim.
The regulatory foundation includes:
- DFARS 252.204-7012 — The original clause requiring CUI protection per NIST 800-171
- DFARS 252.204-7021 — The CMMC-specific clause requiring certification at the appropriate level
- 32 CFR Part 170 — The final rule codifying CMMC 2.0 requirements (effective December 16, 2024)
- 48 CFR (DFARS updates) — The acquisition rule changes that insert CMMC into DoD solicitations
- NIST SP 800-171 Rev 2 — The 110 security controls that form the basis of CMMC Level 2
- NIST SP 800-172 — The enhanced security controls that form the basis of CMMC Level 3
CMMC 2.0 Levels Explained
CMMC 2.0 has three maturity levels. The level you need depends on the type of information you handle in your DoD contracts.
Level 1 — Foundational
Applies to: Contractors handling Federal Contract Information (FCI) only — information provided by or generated for the government under contract that is not intended for public release.
Requirements: 17 security practices derived from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These are fundamental cybersecurity hygiene practices including:
- Limit system access to authorized users
- Authenticate user identities before granting access
- Sanitize or destroy media containing FCI before disposal
- Monitor, control, and protect communications at system boundaries
- Identify, report, and correct information system flaws in a timely manner
- Update malicious code protection mechanisms when available
- Perform periodic scans and real-time scans of files from external sources
Assessment: Annual self-assessment with results submitted to the Supplier Performance Risk System (SPRS). No third-party assessor required.
Cost: Typically $5,000–$15,000 for the initial assessment and remediation. Many small businesses already meet most Level 1 requirements with standard commercial IT practices.
Level 2 — Advanced
Applies to: Contractors handling Controlled Unclassified Information (CUI) — information that requires safeguarding or dissemination controls per law, regulation, or government-wide policy. This is the level most defense contractors need.
Requirements: All 110 security controls from NIST SP 800-171 Rev 2, organized across 14 control families. These controls cover:
- Access Control (22 controls)
- Audit & Accountability (9 controls)
- Awareness & Training (3 controls)
- Configuration Management (9 controls)
- Identification & Authentication (11 controls)
- Incident Response (3 controls)
- Maintenance (6 controls)
- Media Protection (9 controls)
- Personnel Security (2 controls)
- Physical Protection (6 controls)
- Risk Assessment (3 controls)
- Security Assessment (4 controls)
- System & Communications Protection (16 controls)
- System & Information Integrity (7 controls)
Assessment: Third-party assessment by an accredited C3PAO (Certified Third-Party Assessment Organization) for contracts involving critical CUI. Some Level 2 contracts may allow self-assessment — the solicitation will specify.
Cost: Typically $100,000–$500,000+ for full implementation including technology, documentation, and the C3PAO assessment itself ($50,000–$150,000). Costs vary significantly based on organization size and existing maturity.
Level 3 — Expert
Applies to: Contractors handling the most sensitive CUI associated with critical programs and high-value assets. Level 3 targets organizations that face Advanced Persistent Threats (APTs) — typically nation-state-level adversaries.
Requirements: All 110 NIST 800-171 controls plus a subset of enhanced controls from NIST SP 800-172. The exact number of additional controls (estimated at 20–30) will be specified by the DoD. These enhanced requirements address:
- Dual authorization for critical operations
- Advanced threat hunting and monitoring
- Security operations center (SOC) capabilities
- System resilience and redundancy
- Supply chain risk management
- Penetration testing and red team exercises
Assessment: Government-led assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This is the highest level of scrutiny.
Cost: Typically $500,000–$1M+ due to the advanced technical requirements, dedicated security operations, and ongoing monitoring capabilities required.
CMMC 2.0 Timeline & Deadlines
CMMC is being phased into DoD contracts over a multi-year rollout. Here's where we stand and what's coming.
Phase 1 — December 16, 2024
The 32 CFR Part 170 final rule took effect, establishing CMMC as a program. DoD can begin including CMMC Level 1 (self-assessment) and Level 2 (self-assessment) requirements in new solicitations. Contractors must have a current SPRS score posted. This phase is active now.
Phase 2 — Expected 2025–2026
DoD begins requiring CMMC Level 2 C3PAO assessments in select solicitations. The 48 CFR DFARS rule update must be finalized before this phase can begin. Once active, contracts involving CUI will require third-party certification. Prime contractors will flow these requirements down to subcontractors handling CUI.
Phase 3 — 2026 and Beyond
CMMC Level 2 C3PAO assessments become widespread across DoD solicitations. Level 3 government-led assessments begin appearing in contracts for programs involving the most sensitive CUI. Full CMMC requirements are incorporated into all applicable DoD contracts.
⚠️ Don't Wait for a Contract to Require CMMC
Achieving CMMC Level 2 readiness takes 6–18 months depending on your starting point. C3PAO assessment scheduling already has backlogs. If you wait until a solicitation requires CMMC certification, you won't have time to prepare — and you'll lose the contract. The time to start is now.
The 14 NIST 800-171 Control Families
CMMC Level 2 requires implementation of all 110 controls across these 14 security domains. Each domain addresses a critical aspect of protecting Controlled Unclassified Information.
Access Control (AC)
22 controls. Limit system access to authorized users, processes, and devices. Enforce least privilege, session lock, remote access controls, and wireless access restrictions.
Audit & Accountability (AU)
9 controls. Create, protect, and retain audit records. Monitor system events, generate alerts for failures, and correlate audit review to identify unauthorized activity.
Awareness & Training (AT)
3 controls. Ensure managers and users are aware of security risks. Provide role-based security training and insider threat awareness.
Configuration Management (CM)
9 controls. Establish and maintain baseline configurations. Track, control, and restrict changes to systems. Enforce security settings.
Identification & Authentication (IA)
11 controls. Identify and authenticate users, devices, and processes. Enforce multi-factor authentication, password complexity, and replay-resistant mechanisms.
Incident Response (IR)
3 controls. Establish incident handling capabilities. Detect, report, and respond to cybersecurity incidents. Test incident response plans.
Maintenance (MA)
6 controls. Perform system maintenance. Control maintenance tools and personnel. Supervise non-escorted maintenance activities.
Media Protection (MP)
9 controls. Protect, control, sanitize, and destroy media containing CUI. Mark media with distribution limitations. Control transport of media.
Personnel Security (PS)
2 controls. Screen individuals before granting access to CUI. Protect CUI during personnel actions like termination and transfer.
Physical Protection (PE)
6 controls. Limit physical access to systems and equipment. Protect and monitor the physical facility. Control visitor access.
Risk Assessment (RA)
3 controls. Assess risk to organizational operations. Scan for vulnerabilities and remediate findings in accordance with risk assessments.
Security Assessment (CA)
4 controls. Develop and implement plans of action to address deficiencies. Monitor security controls on an ongoing basis.
System & Communications Protection (SC)
16 controls. Monitor and protect communications. Implement cryptographic mechanisms (FIPS-validated). Enforce network segmentation and boundary protections.
System & Information Integrity (SI)
7 controls. Identify and correct system flaws. Protect against malicious code. Monitor system security alerts and advisories.
The CMMC Assessment Process
Achieving CMMC certification is a structured process. Here's what the journey looks like from start to finish.
Step 1: Gap Assessment & CUI Scoping
2–4 weeks. We begin by identifying where CUI enters, flows through, is stored, and exits your organization. We then assess your current security posture against all 110 NIST 800-171 controls, documenting which controls are fully implemented, partially implemented, or not implemented. You receive your current SPRS score and a detailed gap analysis.
Step 2: Remediation Planning
1–2 weeks. Based on the gap analysis, we develop a prioritized remediation plan. This includes technology deployments (MFA, SIEM, endpoint protection, encryption), policy and procedure development, process changes, and training requirements. We estimate timelines and costs for each remediation activity.
Step 3: Technical Implementation
2–6 months. We deploy and configure the technical controls required to close identified gaps. This includes FIPS 140-2 validated encryption, multi-factor authentication, security information and event management (SIEM), endpoint detection and response (EDR), access control systems, network segmentation, and backup and recovery systems.
Step 4: Documentation Development
4–8 weeks. We develop your System Security Plan (SSP), which documents how each of the 110 controls is implemented in your environment. We also create or update your Plan of Action & Milestones (POA&M) for any controls that are still being remediated, and develop the supporting policies and procedures your assessor will review.
Step 5: SPRS Score Update
1 week. We calculate your updated SPRS score based on implemented controls and any remaining POA&M items. Your score is posted to the Supplier Performance Risk System at sprs.csd.disa.mil. A score of 110 means full implementation; any open POA&M items reduce the score.
Step 6: Mock Assessment
1–2 weeks. Before your official C3PAO assessment, we conduct a comprehensive mock assessment that mirrors the real thing. We review evidence artifacts, interview key personnel, test technical controls, and identify any remaining findings that need to be addressed.
Step 7: C3PAO Assessment
1–2 weeks. You engage an accredited C3PAO from the Cyber AB marketplace to conduct your official CMMC Level 2 assessment. The assessment typically takes 1–2 weeks and includes document review, technical testing, and personnel interviews. We support you throughout the assessment process.
Step 8: Certification & Continuous Monitoring
Ongoing. Upon passing the C3PAO assessment, you receive your CMMC Level 2 certification, valid for three years. We provide ongoing compliance monitoring, annual self-assessments, and continuous improvement to ensure you maintain certification through the next reassessment cycle.
Who Needs CMMC Certification?
CMMC applies to every organization in the Defense Industrial Base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes:
Prime Contractors
Any organization with a direct DoD contract that involves FCI or CUI. Primes are also responsible for ensuring their subcontractors meet the appropriate CMMC level — this is called flowdown.
Subcontractors (All Tiers)
If a prime contractor flows CUI or FCI down to you, you need CMMC certification at the level specified in the subcontract. This applies at every tier — if you're a sub-sub-contractor handling CUI, you still need Level 2.
Manufacturers & Machine Shops
If you manufacture parts, components, or assemblies for defense programs and receive technical drawings, specifications, or other CUI, CMMC Level 2 applies to your organization.
Engineering & Professional Services
Consulting firms, engineering companies, IT service providers, and other professional services organizations that handle CUI in support of DoD contracts must achieve the CMMC level specified in their agreements.
Understanding Flowdown Requirements
CMMC requirements flow down from the prime contractor through every tier of the supply chain. If you receive CUI from any source in the contract chain, you need CMMC Level 2 regardless of whether you have a direct DoD contract. Many subcontractors are surprised to learn they handle CUI — technical drawings, specifications, test results, and performance data are all common categories of CUI in the defense supply chain.
What Does CMMC Compliance Cost?
CMMC compliance costs vary widely depending on your current security maturity, organization size, and the level of certification required. Here are realistic ranges based on our experience working with defense contractors.
| Cost Category | Level 1 | Level 2 |
|---|---|---|
| Gap Assessment | $3,000–$8,000 | $15,000–$40,000 |
| Technical Remediation | $2,000–$10,000 | $50,000–$300,000 |
| Documentation (SSP, Policies) | $2,000–$5,000 | $20,000–$50,000 |
| C3PAO Assessment | N/A (self-assessment) | $50,000–$150,000 |
| Annual Maintenance | $1,000–$3,000/yr | $12,000–$60,000/yr |
| Total Estimated Range | $5,000–$25,000 | $100,000–$500,000+ |
What Drives Cost Up or Down?
Factors That Increase Cost
- ▲ Large CUI scope with many systems in the boundary
- ▲ Legacy systems that can't support modern security controls
- ▲ Need to migrate to GCC High or build a CUI enclave
- ▲ No existing security policies or documentation
- ▲ Multiple office locations or remote workforce
Factors That Decrease Cost
- ▼ Small, well-defined CUI boundary
- ▼ Modern cloud-based infrastructure
- ▼ Existing security controls (MFA, EDR already deployed)
- ▼ VDI/DaaS to isolate CUI processing
- ▼ Prior NIST 800-171 compliance efforts
How to Choose a C3PAO
A C3PAO (Certified Third-Party Assessment Organization) conducts your official CMMC Level 2 assessment. Choosing the right one matters — here's what to consider.
Verify Accreditation
Only use C3PAOs accredited by the Cyber AB (formerly the CMMC Accreditation Body). You can verify accredited C3PAOs on the Cyber AB Marketplace. Unaccredited organizations cannot issue valid CMMC certifications.
Assess Industry Experience
Look for a C3PAO that has assessed organizations similar to yours — same industry, similar size, comparable technology environments. A C3PAO experienced with manufacturing environments will understand your challenges differently than one focused on IT services companies.
Plan for Scheduling Delays
The number of accredited C3PAOs is still growing, and demand for assessments is increasing. Book your assessment well in advance — 3–6 months lead time is common. Delays in C3PAO scheduling can push back your certification timeline.
Understand the Cost Structure
C3PAO assessment costs typically range from $50,000 to $150,000 depending on the size and complexity of your assessment scope. Get quotes from multiple C3PAOs and understand what's included — some charge separately for travel, reassessments, and documentation review.
Independence Is Non-Negotiable
Your C3PAO cannot be the same organization that helped you prepare for CMMC. This is a conflict of interest under the CMMC ecosystem rules. BrightWorks IT prepares you for the assessment; the C3PAO independently verifies your compliance. We can recommend C3PAOs we've worked with, but the assessment relationship is between you and the C3PAO.
What BrightWorks IT Does for CMMC Compliance
We're not just consultants — we implement the technology, write the documentation, and manage the process from gap assessment to certification day.
CMMC Gap Assessment
Comprehensive evaluation of your environment against all 110 NIST 800-171 controls. Includes SPRS score calculation, CUI scoping, data flow mapping, and a prioritized remediation roadmap with timeline and budget estimates.
SSP & Policy Development
Complete System Security Plan documenting how each control is implemented. Plus all required policies and procedures: access control, incident response, configuration management, media protection, and more.
CUI Scoping & Boundary Definition
We identify every system, application, and data store that processes CUI and define your assessment boundary. Proper scoping reduces compliance costs by focusing only on systems that actually handle CUI.
FIPS 140-2 Encryption
Deployment of FIPS 140-2 validated encryption for data at rest and in transit. This is a non-negotiable CMMC requirement that many commercial encryption solutions don't meet.
SPRS Score Management
We calculate, track, and improve your SPRS score. We help you post your score to the SPRS portal and develop plans to close gaps that are reducing your score.
C3PAO Assessment Preparation
Mock assessments, evidence package compilation, personnel interview preparation, and technical validation. We ensure nothing is left to chance when the C3PAO assessor arrives.
GCC High & Enclave Deployment
Migration to Microsoft GCC High, Azure Government, or dedicated CUI enclave environments. We design and deploy FedRAMP-compliant cloud infrastructure for organizations that need it.
SIEM & Continuous Monitoring
Deployment of security information and event management (SIEM) for the audit logging, monitoring, and alerting requirements in NIST 800-171. Includes 24/7 monitoring and incident response.
Security Awareness Training
Role-based security awareness training for all personnel who handle CUI. Covers CUI identification, handling procedures, phishing awareness, incident reporting, and insider threat awareness.
Why Defense Contractors Choose BrightWorks IT
95% First-Attempt Pass Rate
Our CMMC clients pass their C3PAO assessments on the first attempt 95% of the time. That's because we don't leave gaps — every control is implemented, documented, and tested before assessment day.
Combined IT + Compliance Expertise
Unlike pure compliance consultants who write policies but can't deploy technology, we do both. Your controls aren't in a binder — they're implemented, configured, and operational in your actual IT environment.
Proven Track Record with DIB Companies
We work with defense contractors and subcontractors across manufacturing, engineering, and professional services. We understand the practical challenges of implementing CMMC in environments where production can't stop.
Ongoing Support Post-Certification
CMMC certification is valid for three years, but compliance is ongoing. We provide continuous monitoring, annual assessments, POA&M management, and change management to keep you compliant through the next reassessment.
"We needed CMMC Level 2 certification to keep a Department of Defense contract worth $3M annually. BrightWorks IT took us from a 60% SPRS score to full compliance in under 6 months. We passed our assessment on the first try."
CMMC Frequently Asked Questions
Related Compliance Services
Many defense contractors need to comply with multiple frameworks. We help you identify overlapping controls to reduce cost and effort.
Ready to Make IT Your Competitive Advantage?
Schedule a free, no-obligation IT assessment with our team. We'll show you exactly where your technology stands — and where it should be.