The SBIR-to-CMMC question lands the same way every time. A founder gets the award letter, the contracting officer introduces the cybersecurity flow-downs, and the founder — who is two months out of a PhD lab or three years deep into a startup — opens a Google search and falls into a Slack channel arguing about “NIST 800-171” and “Level 2” and panics that they need a $150K third-party assessment to begin Phase I.
You probably don't. Here's the actual timeline.
TL;DR — your CMMC timeline
- Day 1 of Phase I: Read your award for the clauses. FAR 52.204-21 only → Level 1. DFARS 252.204-7012 present → Level 2 from day one.
- Month 1–2 of Phase I (Level 1 path): Knock out the 15 requirements and post the annual affirmation in SPRS. Most SBIR teams finish in 1–3 weeks of focused founder time.
- Month 2–3 of Phase I: If your topic anticipates a Phase II with CUI, start Level 2 readiness (implementation of NIST 800-171, SSP draft, evidence collection).
- Phase II award: Be ready to either affirm Level 2 readiness or be on a credible POA&M.
- Phase III: Sustain whichever level applies. Re-affirm annually for Level 1; reassess every 3 years for Level 2.
Phase I: which level applies?
Open your award letter and search for two things:
- The clause “FAR 52.204-21” (Basic Safeguarding of Covered Contractor Information Systems) — almost certainly present.
- The clause “DFARS 252.204-7012” (Safeguarding Covered Defense Information and Cyber Incident Reporting) — present only if the agency anticipates CUI.
What you find determines your tier:
| Found in your award | Your CMMC tier | What you owe |
|---|---|---|
| Only FAR 52.204-21 | Level 1 | 15 safeguarding requirements + annual SPRS affirmation |
| DFARS 252.204-7012 (with or without 52.204-21) | Level 2 | 110 NIST 800-171 controls + C3PAO assessment every 3 years |
| Neither (rare for DoD) | Likely none | Confirm with your contracting officer in writing |
Phase II: when Level 2 enters the picture
Phase II is where the SBIR program shifts from feasibility study to prototype development. For many DoD topics, that's also where the agency starts handing you the kind of technical data that meets the CUI definition — export-controlled drawings, threat intelligence, sensor-system specifications, weapon-adjacent R&D, designated technical data packages.
Two things drive your obligation at Phase II:
- What clauses appear in the Phase II contract. DFARS 252.204-7012 + DFARS 252.204-7021 (the CMMC clause) = Level 2 with a C3PAO assessment.
- The 48 CFR phased rollout. The final DFARS rule (90 Fed. Reg. 41,765 from September 10, 2025) phases the CMMC clause into new solicitations starting November 10, 2025 and reaches steady state on November 10, 2028. Phase II awards issued after their slot in the phase-in schedule will carry the clause.
Phase III: commercialization and sustainment
Phase III is open-ended — it can run for years as the SBIR-developed technology gets commercialized through full contracts. Whatever level you carried into Phase III is the level you sustain. The annual affirmation (Level 1) or triennial reassessment (Level 2) doesn't pause because the work is going well.
The Phase I → Phase II readiness milestones
If your topic anticipates a Phase II with CUI, the practical sequence is:
| When | Milestone | Why |
|---|---|---|
| Month 1 | Complete CMMC Level 1 self-assessment & affirmation | Required for Phase I performance under FAR 52.204-21. |
| Month 2–3 | Boundary diagram + SSP shell for Level 2 | Hardest piece to get right; easiest to start early. |
| Month 4–6 | Implement the NIST 800-171 control gaps | MFA, audit logging, encryption-at-rest, vulnerability scanning, incident response plan. |
| Month 6–9 | Internal NIST 800-171 Basic Assessment (score in SPRS) | Required by DFARS 252.204-7019 as soon as 7012 is in a contract. |
| Month 9–12 | Schedule C3PAO assessment (book early — months out) | Phase II award letters often condition payment on Level 2 status. |
What this actually costs an SBIR team
For a typical small SBIR team (1–10 people), planning ranges:
- Level 1, DIY: 1–3 weeks of founder time. Out-of-pocket cost: low hundreds (mostly tooling like MFA, password manager, endpoint security).
- Level 1, guided platform: Few hours of founder time. Platform fee under $1K per year. Useful when you want a defensible paper trail and don't want to be the one drafting the SSP from scratch.
- Level 2, full readiness + C3PAO: $50K–$250K+ in the first cycle including implementation work, plus 6–12 months of calendar time.
For most SBIR teams the right move is to land Level 1 cheaply in month 1 and decide about Level 2 once the Phase II topic and clauses are visible.
Four mistakes SBIR founders make
- Assuming Phase I = Level 2. You've been scared into thinking the worst case is the only case. Read your award.
- Waiting until the Phase II award letter to start. By the time you read “DFARS 252.204-7021” in the PWS, you have 30 days and a C3PAO that's six months out.
- Posting a fabricated SPRS score to satisfy a PM. Federal false statement under 18 U.S.C. § 1001. Read our response template instead.
- Choosing “use my personal laptop” as the scope. That puts your spouse's tax returns inside the assessment boundary. Separate work and personal environments before you scope.
What to do this week
- Open your Phase I award. Search for “52.204-21” and “7012.” Confirm your tier.
- Take the free CMMC check (5 minutes, no signup) to confirm independently.
- If you're Level 1, plan a one-week sprint with a guided platform — most SBIR teams finish in 5 working days.
- Subscribe to the Monday Bid Digest — we surface follow-on opportunities that align with common Phase I topic areas.
FAQ
Does SBIR Phase I require CMMC?
Usually Level 1 (not Level 2). Phase I awards typically include FAR 52.204-21 but not DFARS 252.204-7012, putting you at Level 1.
When does SBIR Phase II require Level 2?
When the Phase II contract flows down DFARS 252.204-7012, or when the agency starts transmitting CUI. Many DoD topics hit this at Phase II; some never do.
How long does Level 2 readiness take from a Phase I baseline?
6–12 months for a 3–10-person team, plus C3PAO scheduling lead time of 2–4 months.
Can I use a platform or MSP for SBIR CMMC?
Yes — usually the right move for small teams. A guided platform handles Level 1 end-to-end; for Level 2 it carries the implementation work up to the C3PAO assessment.
Does Phase I include CUI?
Usually not. Phase I is feasibility study. Check your award for CUI banner markings or DFARS 252.204-7012 to be sure.