What is CMMC? The plain-English guide

CMMC is how the Department of Defense checks that the companies it buys from protect federal information. This is the whole picture in plain language: what it is, the three levels, which one your contracts need, what it really costs, and the deadline that matters. Then the fastest path to compliance.

Last updated July 4, 2026 · Primary sources cited

CMMC in one paragraph

CMMC, the Cybersecurity Maturity Model Certification, is the Department of Defense's way of verifying that its contractors and subcontractors actually protect the federal information they are trusted with. Which level you need depends on the information your contracts hand you. Handle only Federal Contract Information and you are at Level 1. Handle Controlled Unclassified Information and you are at Level 2. You record your status in the government's SPRS system, and it is becoming a condition of winning the work.

The three CMMC levels

Level 1

Federal Contract Information (FCI)

15 safeguarding requirements (FAR 52.204-21)

Self-assessed, affirmed in SPRS every year. No auditor.

Level 2

Controlled Unclassified Information (CUI)

110 requirements (NIST SP 800-171), 320 objectives

Self-assessed or certified by a C3PAO. Scored out of 110.

Level 3

The most sensitive DoD programs

Level 2 plus a subset of NIST SP 800-172

Assessed by the government (DIBCAC). Highest bar.

Which level do you need? One question decides

Everything hinges on the kind of information your contracts give you. Answer this and you know your level.

FCI only

You need CMMC Level 1

Purchase orders, statements of work, drawings, schedules: anything non-public a contract hands you, but nothing marked CUI. Fifteen safeguards, self-assessed, often done in days.

Handling CUI

You need CMMC Level 2

Marked or controlled information, or a contract citing DFARS 252.204-7012. All 110 NIST SP 800-171 requirements, self-assessed or certified by a C3PAO. This is the higher tier of federal work.

Not sure which information you handle? The free check reads your situation and tells you your level in about two minutes.

The deadline that matters: Nov 10, 2026

CMMC is phasing into contracts now. The date to plan around is November 10, 2026, when Phase 2 begins and applicable DoD solicitations start requiring a current Level 2 status as a condition of award. Getting ready takes months, so the contractors who start early are the ones still eligible to bid when it lands. Follow the moving pieces on our state of CMMC tracker.

CMMC questions, answered

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is how the U.S. Department of Defense verifies that its contractors and subcontractors protect sensitive federal information. If you want to win or keep DoD work, you have to meet the CMMC level your contracts require and record it in the government's SPRS system.

How many CMMC levels are there?

Three. Level 1 covers Federal Contract Information (FCI) and is a self-assessment of 15 safeguarding requirements. Level 2 covers Controlled Unclassified Information (CUI) and is 110 requirements from NIST SP 800-171, self-assessed or certified by a C3PAO. Level 3 is the highest tier, for the most sensitive programs, assessed by the government.

Which CMMC level do I need?

It comes down to what information your contracts hand you. If you only handle Federal Contract Information (non-public information under a contract), you need Level 1. If the government sends you Controlled Unclassified Information, or your contract cites DFARS 252.204-7012, you need Level 2. Not sure which you handle? Take the free 2-minute check.

When is CMMC required?

The rollout is phased. A current self-assessment is already being written into DoD contracts. Phase 2 begins Nov 10, 2026, when applicable solicitations start requiring a current Level 2 status as a condition of award. The practical answer: if you touch federal work, get compliant before it costs you a bid.

How much does CMMC cost?

Level 1 is inexpensive and self-assessed, often done in days. Level 2 is heavier: traditional consultant readiness runs $35,000 to $150,000, though a platform compresses that to a fraction. The single biggest cost lever at Level 2 is scope: how much of your business actually touches CUI.

Can I self-assess CMMC?

Level 1 is always self-assessed and affirmed in SPRS by a senior official, annually, with no third-party auditor. Level 2 is self-assessed for many contracts, and certified by an accredited C3PAO for others. Level 3 is government-assessed.

Sources: 32 CFR Part 170 (CMMC Program final rule) · 48 CFR CMMC acquisition rule · FAR 52.204-21 · NIST SP 800-171 r2 · DFARS 252.204-7012 / 7021.