Frequently Asked Questions

What is CMMC 2.0 and when does it take effect?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors adequately protect Controlled Unclassified Information, streamlined from the original 5-level model down to 3 levels. The CMMC final rule took effect in late 2024, with phased implementation rolling CMMC requirements into new DoD contracts throughout 2025 and 2026. Contractors should begin preparing immediately, as achieving compliance can take 12–18 months—our CMMC compliance guide provides a complete roadmap for getting started.

What’s the difference between CMMC Level 1, 2, and 3?

CMMC Level 1 (Foundational) requires 17 basic practices and allows annual self-assessment for companies handling only Federal Contract Information. Level 2 (Advanced) maps to all 110 NIST SP 800-171 controls and requires third-party assessment by a C3PAO for most contractors handling CUI. Level 3 (Expert) adds controls from NIST SP 800-172 for the most sensitive programs and requires government-led assessments—most defense contractors will need Level 2, which impacts everything from your CRM systems to your collaboration tools.

How much does CMMC certification cost?

CMMC certification costs vary significantly based on your organization's size, current security posture, and target level. For Level 2, expect to budget $50,000–$200,000+ for the assessment itself, plus potentially $100,000–$500,000+ in remediation costs for upgrading systems, implementing controls, and migrating to compliant platforms like GCC High environments. The best way to control costs is to start with a thorough gap assessment and reduce your CUI boundary—every system you can remove from scope, including non-essential AI and CRM tools, directly reduces your compliance costs.

Do subcontractors need CMMC certification?

Yes, subcontractors who handle CUI or FCI must achieve the CMMC level specified in their subcontract flow-down requirements—prime contractors are responsible for ensuring their entire supply chain meets the required certification level. This means even small subcontractors performing niche work must invest in compliance if CUI flows to them. Understanding these requirements is critical when structuring teaming arrangements for federal contracts, as a non-compliant subcontractor can disqualify an entire team.

What happens if I fail a CMMC assessment?

If you fail a CMMC assessment, you will not receive certification and cannot bid on or continue performing contracts that require that CMMC level—but it is not the end of the road. You will receive a detailed report identifying the gaps, and you can remediate the findings and schedule a reassessment, though this adds cost and delays your ability to compete for new work. The best strategy is to conduct a thorough internal readiness assessment before engaging a C3PAO, using resources like our CMMC compliance guide and working with a Registered Practitioner to identify and close gaps proactively.