CMMC Compliance Checklist

Step-by-step implementation guide from gap analysis to C3PAO certification

Affiliate Disclosure: This site contains affiliate links to security tools and consulting services. If you purchase through our links, we may earn a commission at no cost to you. We only recommend products we've thoroughly researched.

Somewhere in the last few months, somebody walked into your office (or pinged you on Teams) and said, "Hey, we need to figure out this CMMC thing." Maybe it was your prime contractor. Maybe it was your CEO after a conference. Either way, you're here now, and you're probably a little overwhelmed.

Good news: you're not behind just because you're confused. Most defense contractors are in the same boat — the DoD built a complicated framework and gave everyone a deadline that's now uncomfortably close. This checklist is the resource we wish existed when we first started digging into CMMC compliance. It's specific, it has real dollar figures, and it won't waste your time with vague advice like "implement robust cybersecurity practices."

What is CMMC and Why Should You Care?

CMMC stands for Cybersecurity Maturity Model Certification, which is a mouthful, so everyone just says "CMMC." In plain language, it's the DoD's way of making sure defense contractors can actually protect the sensitive information they're trusted with — because for years, a lot of them couldn't, and foreign adversaries were walking away with military secrets through poorly secured contractor networks.

The framework launched in 2020, and the core idea is straightforward: if you want DoD contracts, you need to prove — not just promise — that you have real cybersecurity controls in place. Specifically, you need to protect what's called Controlled Unclassified Information (CUI).

CUI sounds abstract until you realize it's stuff like technical drawings, proposal pricing, security documentation, research data, and software source code. Basically, if it's marked "For Official Use Only" or it relates to defense technology, it's CUI. And if your company touches any of it on a DoD contract, CMMC applies to you — not in some future state, but right now.

What Happens if You're Not Compliant?

The short answer is: you stop getting work. Primes won't sub to you. New bids get rejected. Existing contracts don't get renewed — or worse, they get terminated. You get flagged on SAM.gov. For a 30-person defense contractor whose revenue is 80% DoD, that's not an inconvenience. That's an existential threat.

And this isn't a hypothetical scenario we're painting to scare you into action. The November 2026 Phase 2 enforcement date is roughly 8 months away. If you haven't started the compliance process, you're already behind the curve — not hopelessly behind, but behind enough that every week you delay makes the timeline tighter.

CMMC 2.0 Timeline and Deadlines

CMMC 2.0 rolled out in 2024 and the DoD is phasing it in over four stages. Here's how the timeline breaks down — and pay attention to Phase 2, because that's the one breathing down everyone's neck:

| Phase | Date | What Happens | Who It Affects |
|---|---|---|---|
| Phase 1: Self-Assessment | Nov 2024 – Nov 2026 | Companies conduct self-assessments and submit to CISO | Level 1 (optional), Level 2 candidates |
| Phase 2: C3PAO Certification | Nov 2026 onward | Certified assessors audit and certify your compliance | Level 2 and 3 companies (mandatory) |
| Phase 3: Enforcement | Nov 2027 | DoD begins enforcing Level 3 requirements | Large primes and high-risk sectors |
| Phase 4: Full Implementation | Nov 2028 | All contractors must be CMMC compliant | All defense contractors |

The date that matters most is the start of Phase 2, which DoD has targeted for late 2026 but ties to the effective date of the complementary acquisition rule. By that point, contractors subject to Level 2 C3PAO requirements will need the required CMMC status in place for covered solicitations and contract awards, so waiting for a formal solicitation before preparing is a bad bet.

What You Need to Know Right Now

Here's the math that should keep you up at night: a C3PAO assessment takes 3–5 months to schedule and complete. Implementation takes another 3–6 months before you're even ready for that assessment. Add those up, and you're looking at 6–11 months of work — and you have about 8 months left. The overlap is tight. If you haven't started, this week is the week.

CMMC Levels Explained

There are three CMMC levels, and they stack on top of each other. Most of the confusion comes from not knowing which one applies to your contracts — so let's clear that up.

CMMC Level 1: Foundational

Level 1 is the floor. It covers what you'd call basic cyber hygiene — changing default passwords, turning on MFA, keeping your software patched, and making sure your people have at least heard the phrase "phishing email." There are 17 practices total, and you self-assess (no outside auditor). Most companies can knock this out in 4–8 weeks for $4,000–$6,000, almost entirely internal labor.

Frankly, if your company can't pass Level 1, you have bigger problems than compliance. This is table stakes.

CMMC Level 2: Intermediate (Most Common)

Level 2 is where it gets serious, and it's where the vast majority of defense contractors land. You're looking at 110 practices across 17 domains, a mandatory third-party C3PAO assessment (no more self-assessing), and a meaningful investment of time and money.

Implementation runs 4–6 months and costs $37,000–$49,000 for the self-assessment track or $105,000–$118,000 when you add the C3PAO certification — which is required by November 2026 for most CUI-handling contractors. The assessment timeline itself adds another 3–5 months on top of implementation.

What does Level 2 actually look like in practice? You'll need a documented System Security Plan (SSP), formal risk assessments, written incident response procedures, a security training program that's more than a yearly slideshow, proper access controls, regular vulnerability scanning, and network segmentation that keeps your CUI systems isolated from the rest of your environment. It's not a box-checking exercise — you're building genuine security infrastructure, and the assessor will be able to tell the difference between a real program and a Potemkin village.

CMMC Level 3: Advanced

Level 3 exists for the big players — large primes, specialized defense technology firms, and anyone handling highly sensitive defense information or working on critical infrastructure programs. It expands to 171 practices, adds threat modeling, continuous monitoring, advanced incident response and forensics, supply chain risk management, and formal security architecture reviews. Implementation takes 6–12 months and costs $150,000–$300,000+, with another 3–5 months for the C3PAO assessment.

If you're reading this guide, you probably don't need Level 3. But if you do, you'll know it — your contracts will say so explicitly.

Which Level Do You Actually Need?

The fastest way to find out: call your prime contractor and ask. Literally pick up the phone and say, "What CMMC level do our contracts require?" If they say Level 2, that's your answer. If they're not sure, assume Level 2 — you can't go wrong with the higher standard, and roughly 85% of defense contractors fall into this bucket. Level 3 is only for primes and companies doing classified-adjacent work.

The Complete CMMC Compliance Checklist

Alright, here's the part you came for. We've broken CMMC compliance into eight phases with timelines and costs that reflect what companies actually experience — not the optimistic estimates you'll get from a consultant trying to close a deal.

Phase 1: Determine Your CMMC Level (Week 1)

Before you spend a dollar, figure out which level you actually need. Pull up your current DoD contracts and any pending bids. Check SAM.gov for CMMC language in your contracting officer's requirements. And most importantly, get on the phone with your prime contractor's capture manager or contract officer and ask them point-blank: "What CMMC level do our contracts require?" Write down whatever they say.

This takes 3–5 days and costs nothing beyond your team's time. Assign it to your IT director or compliance lead. If the answer comes back "Level 2" — and it almost always does — you know what you're dealing with.

Phase 2: Conduct a Gap Analysis ($10K–$30K, 2–4 weeks)

Think of the gap analysis as taking an honest inventory. You're auditing every security control you have in place today — policies, tools, processes — mapping your IT infrastructure end to end, and tracing every path CUI takes through your organization. Where does it come in? Where does it sit? How is it protected? Then you hold all of that up against the CMMC Level 2 requirements and see where the holes are.

A qualified CMMC consultant charges $150–$250/hour, and a typical gap analysis runs 60–120 hours of their time. That puts you at $10,000–$30,000 for this phase, spread across 2–4 weeks. Your IT director should be in the room for all of it.

We've seen companies try to skip this step to save money. It always backfires. They get to the C3PAO assessment, the assessor finds gaps nobody anticipated, and suddenly they're scrambling to fix issues under time pressure — which costs double what the gap analysis would have. If your budget is genuinely tight, a 1-week focused gap analysis ($5,000–$8,000) is better than nothing. And if even that's out of reach, download NIST SP 800-171 and start mapping your systems against it manually. It'll eat 40+ hours of your team's time, but it's free.

Phase 3: Define CUI Scope and System Boundaries (2–4 weeks)

This is the phase where more companies fail than any other, and it's not because it's technically hard — it's because it requires precision at a time when most people want to move fast. You need to draw a clear line around which systems touch CUI and which don't, then document those boundaries in a way that will survive scrutiny from a C3PAO assessor.

Start by creating a network diagram. Every server, every workstation, every database. For each one, ask a simple question: "Does CUI ever touch this system?" If the answer is yes or even maybe, it's in scope. If it's definitely no, write down why. Then map the boundaries between in-scope and out-of-scope systems — firewalls, access controls, data movement rules. Get sign-off from your compliance lead and IT director, and start building your System Security Plan (SSP) template.

This phase costs $0–$5,000 (mostly your team's time, with an optional consultant review) and takes 2–4 weeks. One piece of advice we can't stress enough: when you're on the fence about whether something should be in scope, include it. The assessor will challenge tight scoping, and it's far better to over-scope and demonstrate control than to exclude something and get caught. That's not paranoia — it's the single most common reason companies fail their first assessment.
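The scoping rule in this phase is mechanical enough to encode. The following script is an added example (not part of the original checklist) that applies it to an asset inventory: a "yes" or "maybe" answer to "does CUI ever touch this system?" puts the asset in scope, a "no" must carry a written justification, and every link between an in-scope and an out-of-scope asset must name the boundary control separating them. The inventory at the bottom is constructed sample data; the asset names and control descriptions are assumptions for illustration.

```python
"""CUI scoping inventory check (added example, not from the original page)."""
from dataclasses import dataclass, field

VALID_ANSWERS = {"yes", "maybe", "no"}
IN_SCOPE_ANSWERS = {"yes", "maybe"}   # "maybe" is in scope: when on the fence, include it


@dataclass
class Asset:
    name: str
    cui: str                       # answer to "does CUI ever touch this system?"
    reason: str = ""               # written justification, required when cui == "no"
    # neighbour name -> description of the boundary control ("" when none is documented)
    links: dict = field(default_factory=dict)


def in_scope(asset: Asset) -> bool:
    return asset.cui.strip().lower() in IN_SCOPE_ANSWERS


def scope_report(assets: list) -> dict:
    """Classify each asset and list everything an assessor would challenge."""
    by_name = {a.name: a for a in assets}
    report = {"in_scope": [], "out_of_scope": [], "issues": []}
    checked_pairs = set()          # each link is judged once, whichever side declares it
    for a in assets:
        answer = a.cui.strip().lower()
        if answer not in VALID_ANSWERS:
            report["issues"].append(f"{a.name}: CUI answer '{a.cui}' must be yes, maybe or no")
            continue
        if in_scope(a):
            report["in_scope"].append(a.name)
        else:
            report["out_of_scope"].append(a.name)
            if not a.reason.strip():
                report["issues"].append(f"{a.name}: out of scope but no written justification")
        for neighbour, control in a.links.items():
            other = by_name.get(neighbour)
            if other is None:
                report["issues"].append(f"{a.name}: links to unknown asset '{neighbour}'")
                continue
            if other.cui.strip().lower() not in VALID_ANSWERS:
                continue           # reported when that asset is processed
            pair = tuple(sorted((a.name, neighbour)))
            if pair in checked_pairs:
                continue
            checked_pairs.add(pair)
            # A control documented on either end of the link counts.
            documented = control.strip() or other.links.get(a.name, "").strip()
            if in_scope(a) != in_scope(other) and not documented:
                report["issues"].append(
                    f"{pair[0]} <-> {pair[1]}: crosses the CUI boundary with no documented control")
    report["ready"] = not report["issues"]
    return report


INVENTORY = [  # constructed sample inventory; names and controls are illustrative
    Asset("file-server-01", "yes",
          links={"eng-ws-07": "", "hr-app": "firewall rule 12: HR VLAN denied to CUI VLAN"}),
    Asset("eng-ws-07", "yes", links={"printer-lobby": ""}),
    Asset("build-server", "maybe"),
    Asset("hr-app", "no", reason="payroll only; holds no contract data",
          links={"file-server-01": "firewall rule 12"}),
    Asset("guest-wifi", "no"),                       # no justification written down
    Asset("printer-lobby", "no", reason="no CUI printed here", links={"eng-ws-07": ""}),
]

if __name__ == "__main__":
    result = scope_report(INVENTORY)
    print("in scope:    ", ", ".join(result["in_scope"]))
    print("out of scope:", ", ".join(result["out_of_scope"]))
    for issue in result["issues"]:
        print("ISSUE:", issue)
    print("ready for SSP:", result["ready"])
```

Run against the sample, the report lists two issues: guest-wifi is excluded with no written reason, and the workstation-to-lobby-printer link crosses the CUI boundary without a documented control. Both are exactly the kind of gap an assessor challenges, and both are cheap to fix before the SSP is written.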

Phase 4: Implement Technical Controls (3–6 months, $30K–$100K+)

This is the phase that separates "planning to get compliant" from "actually getting compliant." It's also where most of the money goes. You're not buying a single product here — you're building out security infrastructure piece by piece, and each piece has its own vendor, its own learning curve, and its own integration headaches.

Here's what you'll need for Level 2:

| Control | What It Means | Estimated Cost |
|---|---|---|
| Patch Management | Keep all systems updated with security patches (monthly or faster) | $5K–$15K (tools + labor) |
| MFA (Multi-Factor Authentication) | Require passwords + phone/authenticator for all users | $2K–$8K |
| Network Segmentation | Isolate CUI systems from general network | $10K–$30K |
| Encryption | Encrypt CUI at rest (on disk) and in transit (over network) | $5K–$20K |
| Endpoint Detection & Response (EDR) | Real-time monitoring of all computers for threats | $8K–$25K/year |
| Vulnerability Scanning | Automated scanning for security holes (monthly) | $3K–$12K |
| Access Controls | Tight permissions (least privilege, role-based access) | $5K–$15K (tools + setup) |
| Audit Logging | Record who accessed what, when (for forensics) | $3K–$10K |
| Firewall & IDS | Monitor network traffic for attacks | $10K–$30K |
| Backup & Recovery | Regular backups stored securely offsite | $5K–$15K |

How long does all this take? It depends on where you're starting from. A small company (5–20 people) that already has decent IT hygiene can usually get through implementation in 8–12 weeks for $30K–$50K. A mid-size shop (50–150 employees) is looking at 16–24 weeks and $75K–$150K. Larger organizations (150+) should plan on 24+ weeks and $150K–$300K or more. Your IT director and team will drive this, ideally with consultant support.

One thing we've learned from watching companies go through this: trying to tackle everything simultaneously is a recipe for burnout and half-finished implementations. Instead, sequence it. Start with patch management — it's the single biggest bang for your buck and assessors always check it first. Then MFA, which blocks 99% of account takeovers. Then network segmentation to isolate your CUI systems. Then encryption. Then monitoring and logging. That order gives you the most security value at each step.

And start getting vendor quotes now — today, if you can. EDR, vulnerability scanning, and network monitoring are your biggest line items, and the quoting process alone takes weeks. Look for solutions that play well together and have specific CMMC experience; you don't want to be a vendor's first compliance customer.

Phase 5: Create Documentation (2–4 weeks, $0–$10K)

If technical implementation is the foundation, documentation is the proof that the foundation exists. And CMMC requires a lot of it. Your assessor will want to see a System Security Plan (SSP) that describes your systems, how CUI flows through them, and what controls are in place. They'll want written policies and procedures — access control, incident response, security training, the works. They'll review your risk assessment (what could go wrong, and what you're doing about it), your Plan of Action and Milestones (POA&M) for addressing any remaining gaps, and hard evidence like screenshots, audit logs, and vendor attestation letters.

With technical controls already in place, documentation takes 2–4 weeks and costs $0–$10,000 (you might bring in a technical writer, or you can use templates and do it internally). Your compliance lead and IT director should own this jointly.

Here's something we've seen sink otherwise well-prepared companies: they implement controls perfectly but never document what they did. Then the assessor asks for evidence and nobody can find it. The assessment fails — not because the security wasn't there, but because nobody could prove it was. Don't make this mistake. The easiest fix is to document as you go. Every time you implement a control during Phase 4, take a screenshot, save the config file, grab the log export. Create a shared folder called "CMMC Evidence" and drop everything in there. When you get to Phase 5, you'll have 80% of your evidence already organized instead of scrambling to recreate it.

Phase 6: Conduct Internal Assessment (1–2 weeks, $0–$5K)

You wouldn't take the bar exam without a practice test, and you shouldn't walk into a C3PAO assessment cold either. This phase is about stress-testing your own readiness: Are all controls actually working (not just installed)? Can you produce evidence quickly when asked? Are your policies being followed in practice, or just written down? Are there obvious gaps that will make the assessor's eyebrows go up?

You can do this internally if you have someone with the right expertise, or you can bring in a consultant to play the role of the assessor. Most C3PAOs actually offer a pre-assessment service for $3K–$5K, and it's some of the best money you'll spend — they'll find the problems you can still fix before the real thing. Budget 1–2 weeks for this phase.

Phase 7: Schedule and Complete C3PAO Assessment ($105K–$118K, 3–5 months)

A C3PAO — Certified CMMC Professional Organization — is the third-party auditor the DoD authorizes to assess and certify your compliance. This is not optional for Level 2, and the process has more moving parts than most people expect.

Here's how it actually plays out: You submit an assessment request through the DoD's CMMC portal. Then you wait 2–4 weeks for a C3PAO to be assigned. Once assigned, the assessor reviews your documentation, systems, and evidence remotely, then schedules a kickoff call to align on scope. After that comes the on-site assessment — typically 3–5 days for a mid-size company — where the assessor visits your facility, interviews your staff, and tests your controls in person. Two weeks later, you get a detailed findings report. If you pass, you receive a 3-year CMMC certificate.

End to end, you're looking at 3–5 months from request to certificate — 8–16 weeks if everything goes smoothly, which it often doesn't. And the cost? The official C3PAO fee range is $105,000–$118,000. That breaks down to roughly $80K–$100K in assessment labor and $5K–$18K in administrative costs. There's no discount tier, no small-business rate, and no shortcut. That's what it costs.

The wildcard here is wait times. With the November 2026 deadline looming, C3PAOs are booking up. We've heard of wait times stretching past 3 months in some regions. If you haven't submitted your request yet, do it this week. Reach out to 2–3 C3PAOs directly (search for "C3PAO assessment" or browse the DoD CMMC portal) and ask about their current availability. If the wait is longer than you're comfortable with, that's your signal to accelerate everything upstream.

Phase 8: Address Findings and Maintain Compliance (Ongoing)

Most companies don't get a perfectly clean assessment. If yours comes back with findings, you'll receive a POA&M (Plan of Action and Milestones) spelling out what needs to be fixed and by when. Fix the issues, submit the evidence, and you're certified. It's stressful but manageable — the important thing is not to panic.

Once you have the certificate in hand, compliance doesn't stop. You'll need annual security training for all staff, quarterly patching to keep systems current, continuous threat monitoring, and a reassessment every 3 years. Budget $10,000–$50,000 per year for the ongoing tools and labor — less than the initial push, but not nothing. Your IT and security team owns this permanently from here on out.

CMMC Compliance Costs Breakdown

We've talked about costs throughout this guide, but let's put it all in one place so you can see the total picture. These numbers come from real engagements, not marketing estimates.

Cost Breakdown by Company Size

| Phase | Small (5–20 emp) | Mid-Size (50–150 emp) | Large (150+ emp) |
|---|---|---|---|
| Gap Analysis | $5K–$10K | $10K–$20K | $20K–$30K |
| Technical Implementation | $30K–$50K | $75K–$150K | $150K–$300K |
| Documentation & SSP | $3K–$5K | $5K–$10K | $10K–$20K |
| Internal Assessment | $0–$3K | $3K–$5K | $5K–$10K |
| C3PAO Assessment | $105K–$118K | $105K–$118K | $105K–$118K |
| First Year Total | $143K–$186K | $198K–$303K | $290K–$496K |
| Ongoing (Year 2+) | $10K–$20K/year | $20K–$40K/year | $40K–$80K/year |

And those numbers don't include some real costs that are easy to overlook: your IT director's time (which has an opportunity cost even if it's not a line item), hiring a compliance officer if you don't already have one, upgrading hardware that's too old to support the required security tools, or advanced training beyond basic security awareness. Factor those in and the real out-of-pocket is often 15–20% higher than the table suggests.

Practically speaking: small companies should budget $150K–$200K. Mid-size companies, $200K–$350K. Large organizations, $300K and up.

Is It Worth It?

The math isn't complicated. If your average DoD contract is worth $500K–$2M+ and CMMC compliance costs $150K–$300K, you only need one contract to make the investment pay for itself. Lose that contract because you're not certified? You've lost far more than compliance would have cost. If you have multiple DoD contracts — and most defense contractors do — this isn't even a decision. It's a cost of doing business.

Common Mistakes That Delay CMMC Certification

We've watched enough companies go through this process to spot the patterns. Here are the mistakes that cost the most time and money — and how to avoid them.

Mistake 1: Scoping Wrong (Most Common Failure)

This one kills more first-time assessments than anything else. Companies either cast the net too wide — declaring everything in scope until implementation becomes unmanageable — or too narrow, quietly excluding systems that actually touch CUI. The assessor always finds the ones you missed. Always.

The fix is straightforward: work with your prime contractor to identify exactly which systems handle CUI, document those boundaries in writing, and ask the assessor to review your scope before the full assessment. Most will do this at no charge, and it's infinitely cheaper than failing the audit because of a scoping error.

Mistake 2: Underestimating Timeline

Almost every company we've talked to thought implementation would take 6–8 weeks. In reality, it takes 3–6 months. The gap exists because you're running a business at the same time — vendors take weeks to deploy, staff training doesn't happen overnight, you'll discover surprises buried in your infrastructure, and C3PAO scheduling adds months on top. Whatever timeline your consultant quotes, add 50%. If they say 3 months, plan for 4–5. And submit your C3PAO request immediately — don't wait until implementation is done.

Mistake 3: Choosing Unqualified Consultants

A consultant who's good at general IT security is not automatically good at CMMC. These are different skill sets. You want someone who's supported at least 10 CMMC assessments and can name specific companies they've helped certify. Watch out for consultants who promise "quick compliance" or a "90-day guarantee" — that's a sales tactic, not a realistic timeline. Also be wary of anyone who's primarily a security tool reseller; they'll steer you toward their products whether they're the right fit or not.

The best due diligence is old-fashioned: ask for three references and actually call them. Ask whether the company passed on the first attempt, and if there were findings, ask what went wrong. You'll learn more from a 10-minute phone call than from any sales deck.

Mistake 4: Skipping the Gap Analysis

Companies that skip the gap analysis to "save $10K–$30K" almost always spend more in the long run. They get blindsided during the C3PAO assessment, discover massive gaps under time pressure, and end up redoing work that should have been caught months earlier. Just do the gap analysis. It pays for itself several times over.

Mistake 5: Poor Documentation

We mentioned this in Phase 5, but it's worth repeating because it's that common. You can have every control implemented perfectly, but if you can't produce evidence on demand, the assessor will mark it as a finding. Take screenshots as you go. Save logs. Collect vendor attestation letters. Keep it all in one place. The companies that breeze through their assessment are the ones that treated documentation as part of implementation, not an afterthought.
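Phase 5 and this mistake both come down to the same habit: capture evidence as each control lands and keep it somewhere you can prove it has not changed since. The script below is an added example (not part of the original guide) of a tamper-evident evidence manifest for the "CMMC Evidence" folder: it hashes every artefact with SHA-256, tags it with the control it supports, and re-verifies the folder so that an edited, deleted, or never-registered file shows up before the assessor asks for it. The sample files, their contents, and the control tags (which reuse the control names from the Level 2 table, not official practice identifiers) are constructed for illustration.

```python
"""Tamper-evident evidence manifest (added example, not from the original page)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"

# Constructed sample evidence: relative path -> (control tag, file content).
# Tags are the control names from the Level 2 table, used here as labels only.
SAMPLE_EVIDENCE = {
    "patching/patch-report-2026-03.txt": ("Patch Management", "all 42 hosts patched within 30 days\n"),
    "mfa/idp-policy-export.txt": ("MFA", "policy: require_mfa=true for all users\n"),
    "logging/siem-retention.txt": ("Audit Logging", "retention_days=365\n"),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, controls: dict) -> dict:
    """Hash every file under evidence_dir and record which control it supports.
    Files no control claims are tagged UNASSIGNED so they surface in review."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file() and p.name != MANIFEST_NAME):
        rel = path.relative_to(evidence_dir).as_posix()
        entries.append({"path": rel, "control": controls.get(rel, "UNASSIGNED"),
                        "sha256": sha256_of(path), "size": path.stat().st_size,
                        "collected_at": now})
    manifest = {"generated_at": now, "entries": entries}
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> dict:
    """Compare the folder against its manifest: unchanged, modified, missing, untracked."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    result = {"ok": [], "modified": [], "missing": [], "untracked": []}
    tracked = set()
    for entry in manifest["entries"]:
        tracked.add(entry["path"])
        path = evidence_dir / entry["path"]
        if not path.is_file():
            result["missing"].append(entry["path"])
        elif sha256_of(path) != entry["sha256"]:
            result["modified"].append(entry["path"])
        else:
            result["ok"].append(entry["path"])
    for path in evidence_dir.rglob("*"):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(evidence_dir).as_posix()
            if rel not in tracked:
                result["untracked"].append(rel)
    result["untracked"].sort()
    return result


def demo() -> dict:
    """Build a manifest over the constructed evidence, then alter the folder and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, (_, content) in SAMPLE_EVIDENCE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        build_manifest(root, {rel: tag for rel, (tag, _) in SAMPLE_EVIDENCE.items()})
        clean = verify_manifest(root)
        # Simulate what goes wrong between collection and assessment day:
        # an export edited after the fact, one deleted, one dropped in but never registered.
        (root / "mfa/idp-policy-export.txt").write_text("policy: require_mfa=false\n")
        (root / "logging/siem-retention.txt").unlink()
        late = root / "backup" / "restore-test.txt"
        late.parent.mkdir(parents=True, exist_ok=True)
        late.write_text("restore test passed\n")
        tampered = verify_manifest(root)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Regenerate the manifest whenever you add evidence (the UNASSIGNED tag tells you what still needs a control attached), and run the verification before the pre-assessment and again before the C3PAO visit; a "modified" or "missing" entry at that point is a finding you can still fix.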

Mistake 6: Not Involving Leadership

Picture this: your IT director has been heads-down on CMMC for three months, and the CEO barely knows it's happening. Then the CFO sees a $150K budget request and pushes back. Or a key engineer needs two weeks for training and their manager says no. CMMC is a company-wide initiative, and it needs buy-in from the top. Brief your CEO and CFO early, frame it as what it is — "we lose DoD contracts if we're not certified by November 2026" — and get explicit sign-off on the budget and timeline. This 30-minute conversation prevents months of friction.

CMMC Compliance Software: What to Look For

There's no single product that handles CMMC compliance end-to-end — you'll need several solutions working together. We've done a deep comparison of the top CMMC compliance software tools with pricing, features, and recommendations by company size over in our CMMC software comparison guide. But here's a quick rundown of what capabilities you're shopping for:

Vulnerability Scanning

  • Scan your network for known security holes
  • Automated scanning (weekly or monthly)
  • Detailed reports with remediation guidance
  • Integration with your patch management system

Endpoint Detection & Response (EDR)

  • Real-time monitoring of all computers
  • Threat detection and alerting
  • Incident response capabilities (isolate a compromised computer)
  • Audit logging for compliance evidence
  • Should cover Windows, Mac, and Linux

Access Control & Identity Management

  • MFA enforcement
  • Privileged access management (PAM)
  • Role-based access control (RBAC)
  • Audit logging of who accessed what, when

Encryption, Backup & Recovery, Audit Logging & SIEM

  • Encryption: Full disk encryption for all computers with CUI access, file-level encryption, encrypted cloud storage
  • Backup & Recovery: Automated daily backups, offsite storage, recovery testing, encryption of backups
  • Audit Logging & SIEM: Centralized logging from all systems, long-term storage, real-time alerting, compliance reporting

Nice-to-Have Features

  • Integration with existing tools (your firewall, antivirus, etc.)
  • Mobile device management (MDM) for phones and tablets
  • Cloud security posture management (if you use cloud)
  • Automated compliance reporting
  • Pre-built CMMC evidence exports

Choosing a CMMC Consultant

Unless you happen to employ a cybersecurity specialist with deep CMMC experience (and most small-to-mid defense contractors don't), you're going to want a consultant. The domain expertise required is too specialized and the stakes too high to wing it. We've written a detailed guide to choosing a CMMC consultant with vetting questions and red flags, but here are the questions that matter most:

Questions to Ask Potential Consultants

  1. "How many CMMC Level 2 assessments have you supported?" — You want to hear 10 or more. Fewer than 5 means you're paying them to learn.
  2. "What's your first-time pass rate?" — Anything below 70% should give you pause.
  3. "Can you break the engagement into phases with fixed pricing?" — Open-ended billing and vague scopes are how consulting costs spiral.
  4. "Will you run a pre-assessment before the C3PAO audit?" — The good consultants insist on it. The mediocre ones skip it.
  5. "What happens if the C3PAO finds issues — do you help remediate, and is that included?" — Knowing this upfront saves an ugly surprise later.
  6. "Can you give me 3 references from companies like mine?" — Then actually call them. Ask if they passed on the first try.

FAQ

How long does CMMC certification take?

For a mid-size company, plan on 6–12 months end to end. That's 3–6 months of preparation and implementation, a few weeks of documentation work, 2–4 weeks waiting for the C3PAO to be assigned, 3–5 days of on-site assessment, and about 2 weeks for the final report. If you started today in spring 2026, you could realistically have certification by late summer or early fall — which would be tight against the November 2026 deadline, but doable. Next month? That's a real gamble.

How much does CMMC compliance cost?

First-year all-in costs run from about $150K for a small company to $300K+ for a large one — see the cost breakdown table above for the phase-by-phase numbers. After Year 1, ongoing costs drop to $10K–$50K per year (tool subscriptions, monitoring, training, plus the C3PAO reassessment every 3 years). The ROI calculation is simple: if you hold even one DoD contract worth $500K or more, compliance pays for itself. Losing that contract to non-compliance would cost far more.

Do I need CMMC Level 1 or Level 2?

The quickest way to find out: call your prime contractor and ask what level your contracts require. If they say Level 2 — and roughly 80% of defense contractors fall into this bucket — that's your answer. If they say Level 1, consider yourself lucky. If they're not sure, default to Level 2. You can't go wrong with the higher standard.

What happens if I'm not CMMC compliant by November 2026?

You lose your DoD work. New bids get rejected, existing contracts get terminated or not renewed, primes drop you from their authorized subcontractor lists, and you may get flagged as non-compliant on SAM.gov. For a company that depends on defense revenue, there's no softer way to put this — it's a business-ending scenario.

Can I do CMMC compliance myself without a consultant?

It's possible but risky. You'd need an in-house security person with genuine CMMC experience, 200+ hours of available IT staff time, and a willingness to absorb the risk of failing the C3PAO assessment on the first try (which is expensive and time-consuming to recover from). Most companies find the consultant's fee — while not small — is cheaper than the cost of getting it wrong. If you do go solo, expect the process to take 12+ months and budget $50K–$100K for tools and at least a pre-assessment from a consultant.

What if the C3PAO assessment finds problems?

It happens more often than people like to admit. The assessor produces a findings report, and you get a remediation window — typically 30–90 days — to fix the issues and submit evidence. Minor findings can usually be resolved with documentation. Major findings might trigger a partial re-assessment. The best insurance against findings is a thorough pre-assessment, meticulous documentation, and organized evidence. If you did Phases 5 and 6 well, you should be in decent shape.

Do I need cybersecurity insurance for CMMC compliance?

CMMC doesn't require it, but that doesn't mean you shouldn't have it. Cyber insurance covers breach costs, ransomware recovery, legal fees — all the things that can bankrupt a small contractor overnight. It runs $5K–$20K per year for a $1M–$5M policy. It's not a CMMC checkbox, but it's a smart business decision regardless.

What's the difference between CMMC 1.0 and CMMC 2.0?

CMMC 2.0 is the current version and it's meaningfully simpler than the original 1.0 proposal. The first version had 5 levels and 171 practices with mandatory third-party assessment at every level. Version 2.0 slimmed that down to 3 levels (17 practices for Level 1, 110 for Level 2, 171 for Level 3) and allows self-assessment for Level 1. If anyone's telling you to comply with CMMC 1.0, their information is outdated. CMMC 2.0 is what matters.

Your CMMC Compliance Action Plan (Starting This Week)

You've read enough. Here's what to do with the rest of your week:

This week:

  1. Call your prime contractor and ask what CMMC level your contracts require. (One hour, tops.)
  2. Confirm that you're handling CUI on DoD work — if you're not sure, you probably are.
  3. Name your IT director (or whoever's closest to that role) as the CMMC project owner.

Next week:

  1. Reach out to 2–3 CMMC consultants for gap analysis quotes.
  2. Contact 2–3 C3PAOs to ask about current assessment wait times — this number will dictate your entire timeline.
  3. Pick a consultant and get the gap analysis on the calendar.

The week after:

  1. Sit down with your CEO for 30 minutes. Explain the mandate, the deadline, and the budget. Get sign-off.
  2. Kick off the gap analysis.

From there, the roadmap writes itself. You'll have your gap analysis report in 4–6 weeks, implementation and documentation wrapped in 4–6 months, and you'll be sitting for your C3PAO assessment around month 7–10.

Companies that start now will be fine. Companies that put this off for another two months will be scrambling. And companies that wait until summer 2026 are going to miss the November deadline — full stop.

Final Thoughts

Nobody's going to tell you CMMC compliance is fun or cheap. It's neither. But thousands of defense contractors have gone through this process and come out the other side certified, and there's no reason your company can't do the same.

The companies that handle this best are the ones that stop treating CMMC as a bureaucratic hoop and start seeing it as the security foundation their business should have had all along. Fewer breaches, fewer fire drills, fewer uncomfortable conversations with your prime contractor about whether your network is actually secure. That's worth something beyond the certificate itself.

So close this tab and make the first phone call. Your prime contractor's number is in your contacts. Use it.
