The Plain-Language Guide to CMMC Compliance
New to CMMC? Just saw it in a contract and not sure what it means? This guide explains everything you need to know — what CMMC is, which level applies to you, what it requires, and how the program has evolved — all in language that makes sense.
What's Covered in This Guide
- What Is CMMC?
- Who Has to Comply?
- FCI vs. CUI — Understanding the Difference
- Which Level Do I Need?
- What Are the 15 Level 1 Practices?
- What Does Level 2 Require?
- Key Terms You'll Encounter
- How CMMC Has Evolved — From DFARS to CMMC 2.0
- CMMC Enforcement Timeline
- What Does the Compliance Process Look Like?
- Frequently Asked Questions

The Basics
What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense (DoD) requirement that defense contractors and subcontractors must meet in order to handle government information. If you've seen "CMMC" referenced in a contract or solicitation — you're in the right place.
In practical terms, CMMC is the government's way of verifying that the companies it does business with have adequate cybersecurity protections in place. Before CMMC, defense contractors were expected to self-certify their own cybersecurity — and many either didn't do it properly or didn't do it at all. CMMC changes that by requiring documented proof of compliance before you can win or retain DoD contracts.
The framework has three levels, but the vast majority of defense contractors will fall into Level 1 or Level 2. Which level applies to you depends on the type of information you handle.
Bottom line: CMMC is not optional. If your contract or solicitation mentions CMMC, you must demonstrate compliance at the specified level — or you won't be eligible for the work.
Applicability
Who Has to Comply with CMMC?
CMMC applies to any company — large or small — that stores, processes, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a Department of Defense contract or subcontract. This includes prime contractors, subcontractors, and even small suppliers in the defense supply chain.
The DoD estimates that approximately 63% of the Defense Industrial Base will need at least a Level 1 self-assessment. If your company does any work for the DoD that goes beyond selling commercial off-the-shelf products, CMMC likely applies to you.
Importantly, CMMC requirements also flow down to subcontractors. Even if your direct contract doesn't mention CMMC yet, your prime contractor may require you to demonstrate compliance as part of their supply chain obligations.
Understanding the Information Types
FCI vs. CUI — Understanding the Difference
The single most important distinction in CMMC is between two types of government information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The type of information you handle determines which CMMC level applies to your organization.
| Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
|---|---|
| Information provided by or generated for the government under a contract that is not intended for public release | Government-created or -owned information that requires safeguarding and controlled dissemination |
| Examples: Contract schedules, delivery details, pricing data, general project information, logistics coordination | Examples: Technical drawings, engineering specifications, test data, export-controlled information, anything marked "CUI" |
| Requires CMMC Level 1 | Requires CMMC Level 2 |
| Annual self-assessment submitted in SPRS | Third-party assessment by a C3PAO (for most contracts) |
| 15 security requirements from FAR 52.204-21 | 110 security requirements from NIST SP 800-171 |
Not sure which you handle? Look at your contracts and the data you receive from or create for the government. If your contract references DFARS 252.204-7012 or you see "CUI" markings on documents, you likely handle CUI and fall under Level 2. If you only handle general contract details, you're probably looking at Level 1. A free discovery call with our team can help you determine this quickly.
Choosing Your Path
Which CMMC Level Do I Need?
For the overwhelming majority of defense contractors, the answer comes down to two levels:
| Attribute | Level 1 | Level 2 |
|---|---|---|
| Information Type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Requirements | 15 basic security practices from FAR 52.204-21 | 110 security requirements from NIST SP 800-171 |
| Assessment | Annual self-assessment, submitted in SPRS | Third-party assessment by a C3PAO (most contracts) or self-assessment (some contracts) |
| Complexity | Achievable for most small organizations with structured guidance | Significantly more involved — requires detailed documentation, evidence, and technical controls |
| Cost with Compliance Cavalry | $7,000 flat fee + $150/mo GRC Tool | $15,000 flat fee + $150/mo GRC Tool |
There is also a Level 3, which applies to a very small number of contractors handling the most sensitive CUI on behalf of critical DoD programs. Level 3 assessments are conducted by the government itself (DIBCAC). Most contractors won't encounter Level 3 requirements.
Quick self-check: If your contracts involve basic government information like schedules, pricing, or delivery details — that's likely FCI, and you need Level 1. If you're handling technical drawings, engineering data, specifications, or anything explicitly marked CUI — that's Level 2. If you're not sure, schedule a free discovery call and we'll help you figure it out in minutes.
Level 1 Breakdown
What Are the 15 Level 1 Practices?
CMMC Level 1 requires compliance with 15 basic cybersecurity practices derived from FAR 52.204-21. These are grouped into six categories. Here's what they cover at a high level — and the good news is that many of these are things your organization may already be doing in some form:
Access Control (4 practices)
Limit who can access your systems and what they can do. Only authorized users should have access, and their permissions should match their role. Control access to information shared externally and posted publicly.
Identification & Authentication (2 practices)
Verify that users are who they say they are before granting access. This covers user identification and password/authentication requirements for anyone accessing your systems.
Media Protection (1 practice)
Properly dispose of or sanitize media (hard drives, USB drives, papers) that contain FCI before disposal or reuse.
Physical Protection (4 practices)
Limit physical access to your facilities and systems. Control and monitor visitors. Keep audit logs of physical access. Manage physical access devices like keys, badges, and access cards.
System & Communications Protection (2 practices)
Monitor and protect communications at system boundaries — your firewalls, routers, and network perimeter. Separate public-facing systems from internal networks.
System & Information Integrity (2 practices)
Identify and fix system flaws in a timely manner (patching and updates). Protect systems from malicious code with antivirus or endpoint detection tools.
These aren't exotic requirements. They cover fundamentals like using passwords, limiting who has access, keeping software updated, and locking your doors. Most small organizations are already doing some of this — the challenge is documenting it properly and collecting the evidence that proves it. That's where structured guidance makes the difference.
Want to see how Compliance Cavalry walks you through all 15? Explore our Level 1 service →
Level 2 Breakdown
What Does Level 2 Require?
CMMC Level 2 is based on the 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 control families. These requirements go well beyond the basics — they address everything from multi-factor authentication and encrypted communications to incident response plans and audit logging.
The key difference from Level 1 is both depth and verification. Level 2 doesn't just require that you have practices in place — it requires that you can prove they are effectively implemented, that you have formal documentation describing your security posture (an SSP — System Security Plan), and that any gaps have a formal remediation roadmap (a POA&M — Plan of Action & Milestones).
For most contracts requiring Level 2, a Certified Third-Party Assessment Organization (C3PAO) will evaluate your environment. This is not a self-assessment — assessors will interview your staff, review your documentation, and test your evidence.
Why organizations start with a gap assessment: Jumping straight into implementation without knowing your actual compliance picture is like starting construction without blueprints. The gap assessment maps your current state against all 110 controls and tells you exactly what needs to happen — before you spend money on remediation. Learn more about our Level 2 Gap Assessment →
Glossary
Key Terms You'll Encounter
CMMC comes with a lot of acronyms. Here's what the most important ones actually mean.
| Term | What It Means |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification — the DoD's framework for verifying contractor cybersecurity |
| FCI | Federal Contract Information — non-public information provided by or created for the government under a contract |
| CUI | Controlled Unclassified Information — sensitive government information that requires specific handling and safeguarding controls |
| SPRS | Supplier Performance Risk System — the government database where you submit and record your self-assessment score |
| C3PAO | Certified Third-Party Assessment Organization — an authorized assessor that conducts formal Level 2 evaluations |
| SSP | System Security Plan — a document describing your security environment, controls, and how they are implemented |
| POA&M | Plan of Action & Milestones — a documented plan for remediating identified compliance gaps with timelines and owners |
| NIST SP 800-171 | The National Institute of Standards and Technology publication that defines the 110 security requirements for protecting CUI |
| FAR 52.204-21 | The Federal Acquisition Regulation clause that defines the 15 basic safeguarding requirements for FCI (the basis for Level 1) |
| DFARS 252.204-7012 | The Defense acquisition clause requiring contractors to safeguard CUI — if this is in your contract, you likely need Level 2 |
| GRC Tool | Governance, Risk, and Compliance platform — software that helps you track compliance controls, store evidence, and manage documentation in one place (like the Cavalry GRC Tool) |
| DIB | Defense Industrial Base — the collective network of companies that provide products and services to the Department of Defense |
Program History
How CMMC Has Evolved
CMMC didn't appear overnight. It's the culmination of years of evolving cybersecurity requirements for defense contractors. Understanding this history helps make sense of why things are the way they are now.
The Pre-CMMC Era: DFARS 252.204-7012
Before CMMC, defense contractors handling CUI were already required to implement the security controls in NIST SP 800-171 under DFARS clause 252.204-7012 (often called "DFARS 7012"). However, compliance was based on self-attestation with minimal verification. Many contractors reported high compliance scores without actually meeting the requirements — which left sensitive defense information vulnerable.
CMMC 1.0 (2020)
The DoD introduced the original CMMC framework in January 2020 with five maturity levels and a requirement for third-party assessments at every level. The defense industry raised significant concerns about the cost and complexity, particularly for small businesses. CMMC 1.0 was never implemented in contracts.
CMMC 2.0 (2021–2024)
In response to industry feedback, the DoD streamlined the framework to three levels, aligned the requirements more closely with existing NIST standards, and allowed self-assessment for Level 1 and some Level 2 contracts. The program rule (32 CFR Part 170) was finalized in October 2024 and became effective December 16, 2024.
CMMC Becomes Contractual (2025)
The final DFARS acquisition rule was published on September 10, 2025, making CMMC a contractual requirement starting November 10, 2025. This is the rule that gives CMMC teeth — contracting officers can now include CMMC requirements in solicitations, and contractors must have a current CMMC status in SPRS to be eligible for award.
Implementation Schedule
CMMC Enforcement Timeline
CMMC is being rolled out in four phases. Here's what each phase means for defense contractors:
Nov 10, 2025
Self-Assessment Requirements Begin
DoD begins including Level 1 (Self) and Level 2 (Self) requirements in new solicitations and contracts. The DoD may also require Level 2 (C3PAO) for select high-priority contracts at its discretion. This is happening now.
Nov 10, 2026
Third-Party Assessments Expand
Level 2 C3PAO certification assessments become a standard requirement for contracts involving CUI. Level 1 self-assessment continues for FCI contracts.
Nov 10, 2027
Level 3 Requirements Introduced
Level 2 certification requirements extend to option exercises. Level 3 (government-led) assessments begin for the most sensitive programs.
Nov 10, 2028
Full Implementation
CMMC requirements are included in all applicable DoD contracts and solicitations. The phased rollout is complete.
Why you shouldn't wait: Even during Phase 1, contracting officers have discretion to include CMMC in any new solicitation or option exercise. Contractors who are already compliant have a competitive advantage — those who aren't risk being ineligible when CMMC language appears in their next contract opportunity.
What to Expect
What Does the Compliance Process Look Like?
Whether you're pursuing Level 1 or Level 2, the compliance journey follows a structured path. Here's what to expect when working with Compliance Cavalry:
Discovery Call
A free 30-minute conversation where we help you determine whether you need Level 1 or Level 2, understand your current posture, and outline the right starting point. No commitment, no pressure.
Scoping & Gap Analysis
We define exactly which systems, processes, and people are in scope — then map your current practices against the required controls to identify every gap.
Documentation & Evidence
We develop policies, procedures, and implementation documentation — then collect and organize the evidence that proves your controls are in place. Everything lives in your Cavalry GRC Tool.
Remediation & Readiness
Gaps are addressed through a structured remediation plan (POA&M). For Level 1, this leads to SPRS submission. For Level 2, this prepares you for a formal C3PAO assessment.
The timeline varies based on your starting point. Level 2 engagements typically take 8–16 weeks. Level 1 timelines depend on how quickly your team can review and adopt documentation and collect evidence. Every engagement moves at your pace — there's no one-size-fits-all timeline.
Common Questions
Frequently Asked Questions About CMMC
CMMC stands for Cybersecurity Maturity Model Certification. It is a DoD framework that establishes cybersecurity requirements for defense contractors handling FCI and CUI.
Non-compliant organizations risk being unable to bid on, win, or retain DoD contracts that include CMMC requirements. As the mandate phases in, the risk increases with every new solicitation.
It varies by level. Compliance Cavalry charges $7,000 flat for Level 1 and $15,000 flat for Level 2 gap assessment, plus $150/month for the Cavalry GRC Tool. When you purchase both Level 1 and Level 2 together, we bundle the two required GRC Tool instances at $250/month combined. These are among the most competitively priced, fully-scoped engagements available.
Yes — because Level 1 and Level 2 assess against different control frameworks, each requires its own GRC Tool instance. Level 1 tracks the 15 FAR 52.204-21 requirements, while Level 2 tracks the 110 NIST SP 800-171 controls. When you engage Compliance Cavalry for both levels, we bundle both tool instances at $250/month combined (instead of $300/month separately).
A self-attestation (or self-assessment) is an annual evaluation your organization conducts against the required security practices. For Level 1, you assess against 15 practices from FAR 52.204-21, then submit your score in SPRS (Supplier Performance Risk System) — a government database. A designated senior official must affirm your organization's continuing compliance annually.
A C3PAO is a Certified Third-Party Assessment Organization. C3PAOs are authorized by the CMMC Accreditation Body to conduct formal Level 2 assessments. They are independent evaluators — not consultants. Compliance Cavalry is not a C3PAO; we prepare you for the assessment, which eliminates any conflict of interest.
NIST SP 800-171 defines the 110 security requirements for protecting CUI. CMMC is the DoD's verification framework that ensures those requirements (and the 15 Level 1 requirements from FAR 52.204-21) are actually implemented — through documented assessments submitted in SPRS. Think of NIST 800-171 as the standard and CMMC as the enforcement mechanism.
Yes. Phase 1 of the CMMC enforcement timeline began on November 10, 2025. Contracting officers can now include CMMC requirements in new solicitations, option exercises, and contract extensions. While not every contract includes CMMC yet, the rollout is underway and expanding.
Yes — Compliance Cavalry serves defense contractors across the entire country. All engagements are fully remote-capable.
Have Questions? That's Exactly What the Discovery Call Is For.
Schedule a free 30-minute conversation. We'll help you understand whether you need Level 1 or Level 2, what your timeline should look like, and what the right starting point is for your organization.