CMMC certification for organizations: Step-by-step guide to getting certified

By Stephan Miller, May 17, 2026

The Department of Defense began implementing CMMC requirements in contracts on November 10, 2025, fundamentally changing how defense contractors demonstrate cybersecurity compliance. Organizations across the Defense Industrial Base (DIB) must now achieve the required CMMC status or certification assessment outcome to remain eligible for applicable DoD contracts. 

Starting in November 2025, contracting officers began including CMMC requirements in solicitations and contracts, with full implementation scheduled by November 2028. This isn't self-attestation anymore. CMMC requires verifiable evidence through third-party assessments or formal self-assessments submitted to the DoD's Supplier Performance Risk System (SPRS).

Note: ISACA took over as the CMMC Assessor & Instructor Certification Organization (CAICO) in April 2026. Learn how this affects your organization’s journey to CMMC certification in our webinar with ISACA.


How CMMC impacts your organization

Without the required CMMC status, you may not be able to bid on or retain DoD contracts requiring CMMC compliance.

Across the large DIB supplier community, CMMC certification for contractors represents a significant undertaking that requires careful planning, substantial investment and dedicated resources. The complexity varies dramatically based on your required level, but all organizations face documentation requirements, technical implementation challenges and ongoing compliance obligations.

This comprehensive guide walks through the complete CMMC 2.0 certification process, from initial level determination to long-term maintenance. Whether you're pursuing Level 1 for FCI protection or Level 2 for CUI handling, understanding the path ahead helps you plan effectively and avoid costly mistakes.


Prepare for the new era of CMMC

Join Infosec Institute and Todd Gagnon, ISACA CAICO Director, to learn how the CMMC is changing.

Who needs CMMC certification?

CMMC applies to any DIB organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts. CMMC certification for contractors encompasses prime contractors, subcontractors and suppliers at any tier that process, store or transmit FCI or CUI on contractor information systems.

Mandatory requirements

You need CMMC status at the required level and assessment type if your organization:

  • Bids on or currently holds DoD contracts that process, store or transmit FCI or CUI
  • Serves as a subcontractor on DoD contracts where sensitive information flows through your systems
  • Provides managed services, cloud hosting or IT support to defense contractors handling FCI or CUI and your services process, store or transmit CUI or provide security protection for CUI assets
  • Plans to compete for future DoD work that will involve FCI or CUI

The information type determines your required level. FCI includes non-public information the government provides or you generate under contract — such as contract details, delivery schedules or contract terms. Technical specifications may be FCI or CUI depending on content and contract context. FCI is not classified, but it is not meant for public release either.

CUI is more sensitive. It represents information requiring safeguarding controls under federal law or regulation. Examples include export-controlled technical data (ITAR), operationally sensitive information, cybersecurity vulnerability details or personally identifiable information tied to defense work. If your contract involves CUI, expect Level 2 requirements at a minimum.

Phased implementation timeline

The DoD is rolling out CMMC in four distinct phases:

  • Phase 1 (November 2025–November 2026): Contracting officers begin requiring self-assessed Level 1 and Level 2 status in applicable solicitations. In some Phase 1 procurements, the DoD may also implement Level 2 C3PAO certification requirements.
  • Phase 2 (November 2026–November 2027): C3PAO-assessed Level 2 certifications become the standard for more organizations handling CUI. In some Phase 2 procurements, the DoD may also implement Level 3 certification requirements.
  • Phase 3 (November 2027–November 2028): DIBCAC-assessed Level 3 certifications start appearing in applicable solicitations and contracts for the most sensitive programs.
  • Phase 4 (November 2028 onward): Full implementation achieved. All applicable DoD solicitations and contracts include CMMC status requirements. 

The timeline matters because certification takes time. Level 2 preparation typically requires 18–30 months, and C3PAO scheduling grows increasingly difficult as demand surges. Organizations waiting until requirements appear in their solicitations often find themselves unable to compete. Start your certification process now, well ahead of when you'll need it.

Determining your required level

CMMC defines three certification levels with progressively stricter requirements. Your required level depends on the sensitivity of information in your systems and what your specific contracts mandate.

Level 1: Foundational

Level 1 targets organizations handling only FCI — no CUI involved. This foundational level requires implementing 15 security requirements derived from FAR 52.204-21, covering access control, identification and authentication, media protection, physical protection, system and communications protection and system and information integrity.

The DoD estimates approximately 63% of DIB organizations will fall into Level 1. Assessment consists of annual self-assessments conducted internally, with results submitted to SPRS and an annual affirmation completed by an affirming official. No third-party assessor involvement is required.

If your contracts involve only basic administrative information and you never handle CUI, Level 1 likely applies. Think non-sensitive contract documents, standard business communications and general administrative data.

Level 2: Advanced

Level 2 is the most common and consequential requirement. It applies to organizations handling CUI in any capacity. This level implements all 110 security requirements from NIST SP 800-171 Rev. 2, covering 14 control families including access control, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity and awareness and training.

Many defense contractors will require Level 2 CMMC status. The assessment requirements vary based on the solicitation or contract requirement:

Self-assessment option: Organizations handling CUI under contracts that specify Level 2 (Self) may qualify for triennial self-assessments with annual affirmations. This option significantly reduces assessment costs but remains available only when specified for the contract.

C3PAO assessment: Organizations handling CUI under contracts that specify Level 2 (C3PAO) must undergo rigorous triennial third-party assessments conducted by accredited or authorized C3PAO organizations. The C3PAO independently verifies that you've implemented all 110 requirements effectively. Expect comprehensive documentation review, staff interviews, technical testing and detailed findings reports.

All Level 2 organizations must submit assessment results to SPRS and maintain annual compliance affirmations signed by affirming officials.

Level 3: Expert

Level 3 applies to a narrow set of contractors supporting critical DoD programs involving highly sensitive CUI and facing advanced persistent threat (APT) scenarios. This level requires Final Level 2 (C3PAO) status for the same assessment scope, then adds 24 selected enhanced security requirements from NIST SP 800-172. The enhanced requirements address sophisticated threat scenarios, including supply chain risks, insider threats and advanced adversary tactics.

Level 3 assessments are government-led, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Organizations must achieve Final Level 2 (C3PAO) status for the same scope before pursuing Level 3. The DoD determines Level 3 eligibility based on program criticality and threat profile.

The DoD estimates that less than 1% of DIB organizations will require Level 3 certification.

Confirming your required level

Your contracts will specify required CMMC levels through DFARS clause 252.204-7021 and solicitations will identify the required CMMC level through DFARS provision 252.204-7025. Review all current and anticipated contracts carefully. If there is any ambiguity, contact your contracting officer for clarification before beginning your certification journey. Pursuing the wrong level wastes time and money.

The presence of CUI in your information systems typically triggers Level 2 requirements. FCI-only handling generally means Level 1 suffices. When uncertain, conduct a thorough data classification assessment to determine precisely what information types flow through your environment and where they reside.

Step-by-step certification process

Step 1: Determine your required level

Review contracts to identify FCI versus CUI handling. Confirm the required level with the contracting officer.

Step 2: Conduct gap assessment

Identify gaps between your current posture and the requirements. A Level 1 gap assessment can be done internally; Level 2 typically requires help from a Registered Provider Organization (RPO) or consultant. Expect 4–8 weeks. Gap assessments reveal missing controls, technical gaps and resource needs.

Step 3: Develop an implementation plan

Create an actionable project plan with responsibilities, timelines, budgets and milestones. Build buffer time for complications.

Step 4: Implement required controls

This phase represents the bulk of certification work. Implementation varies dramatically based on starting security maturity.

Technical controls: Deploy multi-factor authentication across privileged accounts, implement FIPS-validated encryption where required to protect CUI, establish network segmentation to isolate CUI environments, configure comprehensive audit logging systems to capture security-relevant events, harden system configurations according to security baselines and implement endpoint protection with behavior-based detection capabilities.

Policies and procedures: Develop or update formal security policies covering all required domains, create detailed incident response plans with clear escalation procedures, establish access control procedures defining who can access what and under what conditions, document change management processes preventing unauthorized modifications, formalize risk management approaches including assessment and mitigation strategies and establish configuration management procedures.

Training programs: Conduct security awareness training for all personnel covering roles, responsibilities and security practices. Provide role-specific training for system administrators, security staff and incident responders. Document all training through attendance records, materials retention and test results demonstrating comprehension.

Evidence collection: Begin systematically collecting evidence demonstrating control implementation. Maintain configuration screenshots, policy documents, training records, audit logs, vulnerability scan results, penetration test reports and access control lists. Well-organized evidence significantly streamlines formal assessment.

For Level 2 organizations with moderate security maturity, expect implementation to take 12–18 months. Organizations already compliant with NIST 800-171 can compress timelines. Less mature organizations may require 18–24 months or longer, depending on technical debt and resource availability.

Step 5: Develop required documentation

Comprehensive documentation is mandatory. Assessors evaluate not just whether you've implemented controls, but whether you can demonstrate and explain your implementations through documentation.

System security plan (SSP): The SSP serves as your authoritative document that describes precisely how every required control is implemented in your environment. A mid-sized contractor's SSP commonly exceeds 200 pages and demands 3–4 months of dedicated work. The SSP must cover all information systems within your assessment boundary, detailing each security control's implementation approach, responsible parties, testing procedures and supporting evidence locations. This isn't optional documentation — it's the foundation of your assessment.

Policies and procedures: Formal documentation covering security policies, standard operating procedures, incident response plans, access control processes, configuration management procedures and change management workflows. Policies define what you do; procedures explain precisely how you do it.

Network architecture documentation: Create detailed network diagrams showing logical and physical topology, CUI and FCI data flows, security control placement, network segmentation boundaries and connection points to external networks. Visual representations help assessors quickly understand your environment's security architecture.

Training records: Maintain comprehensive records of all security awareness and role-based training, including attendance rosters, training materials used, test results demonstrating comprehension and dates of completion. Training records prove your people understand their security responsibilities.

Configuration documentation: Document system hardening measures, security configuration settings, technical control implementations and baseline configurations. Configuration documentation demonstrates intentional, documented security decisions rather than ad hoc approaches.

Quality documentation demonstrates security program maturity and makes an assessment significantly smoother.

Step 6: Conduct internal testing

Run mock assessments, test procedures and verify evidence completeness. This takes 4–8 weeks and significantly improves first-attempt pass rates.


Step 7: Self-assessment or assessor selection

  • Level 1: Complete the self-assessment and submit it to SPRS with an affirmation by the affirming official.
  • Level 2: Select C3PAO from Cyber AB marketplace if Level 2 (C3PAO) is required. Research assessors, request proposals and check references. Allow 2–4 weeks. Some Level 2 organizations qualify for self-assessment. 
  • Level 3: Coordinate with DIBCAC after achieving Level 2.

Step 8: Prepare for assessment

Organize evidence, prepare staff and confirm controls function properly. C3PAO assessments may take 2–4 weeks of evaluation activities.

Step 9: Undergo assessment

Assessors systematically evaluate each control through documentation review, interviews, process observation and technical testing. Assessment concludes with a findings discussion. 

Step 10: Address findings

POA&M option (Level 2 & 3 only): Organizations that meet the minimum passing score of 80% (88/110 for Level 2) but have remaining allowable unmet requirements receive a Conditional CMMC Status. All POA&M items must be closed out within 180 days via a formal closeout assessment. Certain critical controls are ineligible for POA&M and must be fully met. POA&Ms are not available for Level 1, and failure to close within 180 days results in an expired CMMC status.

If findings can't use POA&M, remediate and re-assess.

Step 11: Receive CMMC status

Once the assessment confirms that the requirements are met, the resulting CMMC status is recorded through the assessment path you followed (self-assessment, C3PAO or DIBCAC). You're now eligible for DoD contracts at your achieved level.

Step 12: Maintain certification

  • Level 1: Annual self-assessments, SPRS submissions and affirmations.
  • Level 2: Continuous monitoring, annual affirmations, triennial reassessment preparation.
  • Level 3: Enhanced monitoring, annual affirmations and triennial government re-assessment.

System changes, network modifications or CUI handling changes may require updated assessments outside normal cycles.

Scoping your assessment

Proper scoping defines which systems require evaluation, reducing assessment complexity and cost. Focus on your "assessment boundary" — systems that process, store or transmit FCI or CUI.

Effective strategies: Network segmentation separating CUI from corporate networks, dedicated enclaves for DoD work, cloud services meeting FedRAMP Moderate or FedRAMP Moderate-equivalent requirements where CUI is processed, stored or transmitted, and clearly documented boundaries. Narrow, well-defined scopes achieve faster, less expensive certification.

Timeline expectations

Level 1

  • Gap assessment (1–2 months)
  • Implementation (3–6 months)
  • Documentation (1–2 months)
  • Self-assessment (1–2 weeks)
  • Total: 5–10 months

Level 2

  • Gap assessment (2–4 months)
  • Implementation (12–18 months)
  • C3PAO selection if required (1–2 months)
  • Assessment prep (2–3 months)
  • Assessment (1–2 months)
  • Total: 18–30 months

Level 3

  • Achieve Final Level 2 (C3PAO) first
  • Additional implementation plus DIBCAC coordination (6–12 months)
  • Total: 24–36+ months after Level 2, depending on scope and starting maturity

Organizations with minimal security posture should add 6–12 months. Those already NIST 800-171 compliant can compress timelines.

Cost breakdown

CMMC certification requires substantial investment. Costs vary based on organization size, security maturity and scope complexity. Treat the following only as market estimates:

Level 1

  • Implementation: $10,000–$100,000
  • Self-assessment support: $3,000–$15,000
  • Annual maintenance: $5,000–$20,000
  • First year: $15,000–$120,000

Level 2

  • Gap assessment: $5,000–$25,000
  • Implementation: $100,000–$1,000,000+ (technology, consultants, labor, training)
  • C3PAO assessment: $35,000–$100,000+ (if Level 2 (C3PAO) is required)
  • Annual maintenance: $25,000–$100,000
  • First year: $170,000–$1,500,000+

DoD estimates that small entities spend approximately $105,000 for a C3PAO assessment, including a triennial assessment and two annual affirmations.

Level 3

  • Additional implementation: $500,000–$3,000,000+
  • DIBCAC assessment: TBD
  • Annual maintenance: $100,000–$300,000+
  • First year: $600,000–$3,000,000

Cost factors include organization size, current maturity, scope complexity, external support needs and timeline urgency. Cost recovery depends on contract type, allowability, allocability, timing and negotiated terms; consult your contracting officer and government-contracts cost advisor before assuming CMMC costs can be passed to DoD.

Common certification challenges

  • Resource constraints: Small businesses struggle with budget and personnel allocation. Solutions: phased implementation, managed services and small business assistance programs.
  • Technical gaps: Legacy systems often can't support modern controls. Solutions: proper scoping, system upgrades, compensating controls and managed security services.
  • Documentation burden: SSPs, policies and evidence overwhelm organizations. Solutions: templates, technical writers, dedicated resources and compliance tools.
  • Staff buy-in: Security disrupts workflows. Solutions: executive sponsorship, clear communication, training, cultural integration and incentives.
  • Maintaining compliance: Controls drift, and documentation becomes outdated. Solutions: continuous monitoring, quarterly reviews, change management, automated evidence collection and permanent operational budgeting.

Certification vs. ongoing compliance

Certification is point-in-time verification. Compliance is continuous daily adherence. Your contracts require ongoing compliance, not just certification snapshots. Security incidents revealing inadequate control maintenance can trigger contract termination, suspension or False Claims Act liability.

Maintain both through continuous improvement, regular internal assessments, ongoing evidence collection and staying audit-ready. Treat CMMC as a permanent operational requirement, not a one-time project.

Next steps

Start your CMMC certification journey with these immediate actions:

  • Determine your level: Review contracts, identify information types and confirm requirements with the contracting officer.
  • Conduct gap assessment: Understand current state and required work. Engage qualified assessors or readiness consultants, as appropriate.
  • Develop implementation plan: Create a realistic timeline with appropriate resources, milestones and accountability.
  • Begin immediately: Don't wait for CMMC in solicitations. Preparation takes 18–30 months for Level 2. Organizations starting now position themselves for contract eligibility as full implementation approaches November 2028.

For deeper guidance on specific aspects of the certification process, explore these additional resources:

As an Approved Training Provider (ATP) and Approved Publishing Partner (APP), Infosec Institute offers training for CMMC Certified Professional (CCP) and CMMC Certified Assessor (CCA) credentials, administered by ISACA under the CMMC Assessor & Instructor Certification Organization (CAICO) brand.


Frequently asked questions

How long does certification take?

  • Level 1: 5–10 months
  • Level 2: 18–30 months
  • Level 3: 24–36+ months after Level 2

The time required depends on the starting posture and resources.

How much does it cost?

  • Level 1: $15,000–$120,000 first year
  • Level 2: $170,000–$1,500,000+ first year
  • Level 3: $600,000–$3,000,000+

Varies by size, maturity and scope. The above figures are only planning estimates.

Can we self-assess Level 2?

Some Level 2 contracts allow Level 2 (Self) assessment. Others require Level 2 (C3PAO). Check with the contracting officer.

What if we fail assessment?

Levels 2 and 3 may use POA&M for certain findings (180-day remediation window). Otherwise, remediate and re-assess.

How long is certification valid?

  • Level 1: Annual self-assessment
  • Level 2: Three years
  • Level 3: Three years

All require annual affirmations.

What if we don't get certified?

You become ineligible for DoD contracts requiring CMMC as phased rollout continues.

Can we operate under POA&M indefinitely?

No. Conditional CMMC status lasts only 180 days. You must close all POA&M items through a closeout assessment within that window.

Do subcontractors need certification?

Yes. Primes must flow down requirements. Subcontractors must be certified or have CMMC status at the level and assessment type appropriate for the FCI or CUI they process, store or transmit under the subcontract.

Stephan Miller

Stephan Miller is a senior software engineer. He currently works as a full-stack web and mobile developer for Shamrock Trading Corporation. Stephan has worked as a developer for over 20 years and as a freelance writer for over a decade. In his spare time, he spends time with his family and reads and attempts to write science fiction.