CMMC 2.0 Compliance Assessment

Are Your DoW Contracts at Risk?

The Pentagon now requires cybersecurity certification for all defense contractors. Find out exactly where you stand — and what to fix — this week, not next quarter.

Free Pulse Check  ·  No security expertise required  ·  Dragonfli-reviewed documents  ·  Full Report $3,500

26+ years of delivery experience

18 years Dragonfli has operated

110 security requirements assessed

Days to your Dragonfli-reviewed report, not months

Dragonfli Group has delivered federal cybersecurity programs for 18 years across US government agencies, Fortune 500 financial institutions, and defense contractors. This is not a generic compliance checklist. It is built on real assessment experience. Dragonfli Group is a CMMC Registered Practitioner Organization (RPO), officially recognized by the Cyber Accreditation Body (CyberAB).

CMMC Registered Practitioner Organization — Cyber Accreditation Body (CyberAB)  ·  Verified on the CyberAB Marketplace →

Industries served: Manufacturing  ·  Aerospace  ·  Defense Services  ·  Professional Services  ·  Energy & Utilities

Glenn Ballard

Founder and CEO, Dragonfli Group

CMMC Registered Practitioner — Cyber Accreditation Body (CyberAB)

I have spent 26 years building and auditing cybersecurity programs — first at a large systems integrator, then across federal agencies and regulated industries, and since 2008 as Founder and CEO of Dragonfli Group. The CMMC Accelerator is built on the same assessment methodology we deliver to federal agencies and Fortune 500 clients — made accessible to every defense contractor: manufacturers, technology firms, professional services companies, and everyone in between.

"The gap analysis identified exactly what we needed to fix before our C3PAO assessment. We went from not knowing our SPRS score to having a documented SSP and remediation roadmap in a single afternoon."

Director of IT, Defense Subcontractor, Virginia

The Requirement

What Is CMMC 2.0 and Do You Need It?

What it is

The Cybersecurity Maturity Model Certification (CMMC) is the DoW's mandatory cybersecurity framework for defense contractors. The CMMC Program rule (32 CFR Part 170) took effect on December 16, 2024, and the contract clause that carries it (DFARS 252.204-7021) is now appearing in active solicitations across DoW services and agencies.

Who it applies to

Any company in the Defense Industrial Base (DIB) — prime contractors and all subcontractors — that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must comply. No exemptions for small businesses.

What happens if you don't comply

Non-compliant contractors are ineligible to win or keep DoW contracts that carry the requirement. Misrepresenting your compliance status can trigger False Claims Act liability. CMMC requirements are embedded in contracts via DFARS 252.204-7021.

The three CMMC levels

Level 1 — Foundational 15 practices

Annual self-assessment and affirmation in SPRS. Covers the basic safeguarding requirements of FAR 52.204-21, required of all DoW contractors with FCI.

Level 2 — Advanced 110 practices

Aligned to NIST SP 800-171. Required for contractors handling CUI. The solicitation specifies whether a self-assessment or a triennial third-party C3PAO assessment is required; C3PAO certification is required for most CUI contracts, and an annual affirmation is required in either case.

Level 3 — Expert 134 practices (110 from NIST SP 800-171 plus 24 from NIST SP 800-172)

Required for contractors on the most sensitive DoW programs. Government-led assessment (DIBCAC), which presupposes a current Level 2 C3PAO certification.

The CMMC timeline

December 2024

CMMC Program rule (32 CFR Part 170) effective December 16, 2024 — the three levels and their assessment requirements are codified

FY 2025

DFARS acquisition rule finalized (September 2025); phased rollout by acquisition pathway begins November 10, 2025, as contracting officers add clause 252.204-7021 to solicitations

FY 2026 — Now

Phase 1 in effect: Level 1 and Level 2 self-assessments required in applicable solicitations, with C3PAO certification requirements phasing in over the following years — enforcement is active

Source: DoW CMMC Program Office. Timelines are subject to contracting officer discretion.

How It Works

Three Steps to Know Where You Stand

Tell us about your business

Answer five quick questions about your company size and current technology. No IT knowledge required.

Answer plain-English questions

We ask about how you protect your systems and data. Every question is written for business owners, not IT experts.

Get your complete report

See your score, what you need to fix, how much it costs, and which Dragonfli service fits your situation.

Adaptive Tracks

Built for Every Size Business

No IT Staff

You handle your own computers and email. Our questions are written in plain English with no technical terms.

Small IT Team

You have an IT person or small team. We go deeper on your existing tools and processes.

Security Team in Place

You have dedicated security staff. We assess your full technical environment and evidence documentation.

Full Coverage

Every Requirement Checked

We assess all 110 security requirements the Pentagon checks — across every category.

AC

Access Control

AT

Awareness & Training

AU

Audit & Accountability

CM

Configuration Management

IA

Identification & Authentication

IR

Incident Response

MA

Maintenance

MP

Media Protection

PE

Physical Protection

PS

Personnel Security

RA

Risk Assessment

CA

Security Assessment

SC

System & Comms Protection

SI

System & Info Integrity

What You Receive

Your Complete Compliance Package

Every document you need, generated automatically from your answers.

See a full sample report (fictional company, real engine) →

Your Score

Estimated SPRS score from the DoD Assessment Methodology weights — control by control.

Fix-It Playbook

Prioritized next steps for every gap you have.

Security Plan (SSP)

The primary document your C3PAO assessor will review.

Action Plan (POA&M)

Your remediation schedule in the required DoW format.

Certification Timeline

A prioritized path from your score today to assessment-ready.

Dragonfli Review

Every document reviewed by a CMMC Registered Practitioner before delivery.

Free Pulse Check or Full Report Package

The free Pulse Check covers the 5 highest-risk requirement areas in 10 minutes and shows your exposure. The Full Report, $3,500, covers all 110 CMMC Level 2 requirements and includes your complete SSP draft, POA&M, gap analysis, and remediation playbook, each reviewed by a CMMC Registered Practitioner before delivery.

The Value Case

What Cybersecurity Firms Charge for the Same Assessment

A traditional CMMC readiness assessment from a cybersecurity consulting firm costs $10,000–$20,000 — and takes 6–12 weeks. The same document set consultants deliver — SSP draft, POA&M, gap analysis, roadmap — reviewed by a CMMC Registered Practitioner and delivered in days, not months. $3,500, credited in full toward your remediation engagement.

Traditional CMMC Assessment

$10,000–$20,000

Typical market rate, 2025–2026

  • 6–12 weeks of interviews and site visits
  • Static PDF report — typically filed and forgotten
  • Single deliverable, no ongoing dashboard access
  • No guarantee of CyberAB verified credentials
  • Assessment fee is a sunk cost — no credit toward remediation

Dragonfli CMMC Accelerator

$3,500

Full Report Package — one-time fee

  • Dragonfli-reviewed report delivered in days, not months
  • Live dashboard — access your results anytime
  • SSP draft, POA&M, gap analysis, and remediation roadmap
  • CyberAB Registered Practitioner Organization (RPO) verified
  • $3,500 credited in full toward your T1, T2, or T3 engagement

Traditional assessment pricing based on 2025–2026 market rates from CMMC consulting engagements.

Start Here

Self-Service Assessment

Free Pulse Check

$0

No credit card required

  • 10 minutes to complete
  • 5 highest-risk areas
  • Instant score across 5 critical areas
Start Free Pulse Check

Full Report Package

$3,500

Consulting firms charge $10,000–$20,000 for the same document set

Card payment up front · invoice/ACH available on request

  • 60–90 minutes, save and resume anytime
  • All 110 CMMC Level 2 requirements
  • Complete SSP draft and POA&M
  • Gap analysis and remediation playbook
  • Reviewed by a CMMC Registered Practitioner
Get Full Report — $3,500

Our guarantee: If your readout call doesn’t give you a clear, prioritized path to an 88+ SPRS estimate, we refund the full $3,500.

Card payment is collected up front; invoice/ACH available on request. Documents are drafted when you finish, then reviewed by a CMMC Registered Practitioner and delivered in days.

Dragonfli Team Works With You

Professional Services

Your assessment score automatically recommends the right engagement level. Our analysts implement the fixes alongside your team.

T1 Validate

Nearly ready — prove it

$5,000 – $12,000

  • Evidence compilation and artifact review
  • SSP and POA&M finalization
  • C3PAO selection and assessment preparation
  • Mock-assessment readiness review

T2 Remediate

Defined gaps, structured closure

$12,000 – $30,000

  • Close defined control gaps
  • Policy and procedure development
  • Technical control implementation support
  • POA&M execution and tracking

T3 Build

Full program build-out

$30,000+ (custom scoped)

  • Full security program build-out
  • CUI enclave design and implementation
  • Managed remediation across all 14 domains
  • Ongoing support through C3PAO assessment
Schedule a Consultation

All professional service engagements include the Full Assessment Report at no additional charge.

Common Questions

CMMC 2.0 Questions, Answered

What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the US Department of War's mandatory cybersecurity framework for defense contractors. It replaced the original 5-level CMMC model in 2021, consolidating to 3 levels aligned with NIST SP 800-171 and NIST SP 800-172. All DoW contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet CMMC requirements to win and keep DoW contracts.

Who needs CMMC certification?

Any company in the Defense Industrial Base (DIB) that bids on or holds DoW contracts carrying the CMMC clause is subject to CMMC. This includes prime contractors and subcontractors at all tiers. If your company handles only Federal Contract Information (FCI), you need CMMC Level 1. If you handle Controlled Unclassified Information (CUI) — including technical data, export-controlled information, or DoW contract requirements data — you need at least CMMC Level 2.

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 and allows an annual self-assessment, affirmed by a senior company official. CMMC Level 2 covers all 110 security requirements from NIST SP 800-171 across 14 practice domains. Most DoW contractors with CUI must achieve Level 2, which for most CUI contracts requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every 3 years plus an annual affirmation; some contracts permit a Level 2 self-assessment instead.

How much does a CMMC assessment cost?

A CMMC readiness assessment from Dragonfli Group is $3,500 for the Full Assessment & Dragonfli-Reviewed Report Package, which includes your complete SSP draft, POA&M, gap analysis, and remediation roadmap — every document reviewed by a CMMC Registered Practitioner. The full $3,500 credits toward your follow-on remediation engagement, which is scoped to your gap profile. A formal C3PAO certification assessment itself typically costs $50,000–$200,000+ depending on scope.

How does $3,500 compare to hiring a cybersecurity consulting firm?

Traditional cybersecurity firms charge $10,000–$20,000 for a CMMC readiness assessment — with typical delivery timelines of 6–12 weeks, usually ending in a static PDF report. The same document set consultants deliver — SSP draft, POA&M, gap analysis, roadmap — is reviewed by a CMMC Registered Practitioner and delivered in days, not months, for $3,500, credited in full toward your remediation engagement. Dragonfli is also a CyberAB verified Registered Practitioner Organization — not a generic cybersecurity vendor.

What is a SPRS score and how is it calculated?

The Supplier Performance Risk System (SPRS) score is a numeric score (-203 to 110) that DoW uses to evaluate a contractor's cybersecurity posture. It is calculated under the NIST SP 800-171 DoD Assessment Methodology: you start at 110 and subtract a weighted penalty of 1, 3, or 5 points for each requirement that is not implemented, so a score of 110 means full implementation and a deeply negative score means most of the high-weight controls are missing. Contractors submit their score, the date of the assessment, and the date by which the POA&M will be completed in SPRS (accessed through the PIEE portal) and update it as controls are implemented. A low SPRS score is visible to contracting officers and can affect contract awards.

What are the 14 CMMC domains?

CMMC Level 2 assesses all 14 NIST SP 800-171 practice families: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

What is the difference between an RPO and a C3PAO?

An RPO (Registered Practitioner Organization) like Dragonfli Group is a firm registered with the CyberAB to provide consulting, assessment preparation, and implementation support. An RPO helps you get ready for certification but cannot certify you. A C3PAO (Certified Third-Party Assessment Organization) is an independent, CyberAB-accredited assessor that conducts the official CMMC Level 2 certification assessment. You work with an RPO to prepare, then engage a C3PAO for the official assessment.

How long does CMMC compliance take?

For organizations that are largely compliant with current cybersecurity practices, CMMC Level 2 self-assessment and documentation (SSP, POA&M) can be completed in 30–90 days. For organizations with significant gaps, full technical implementation and third-party certification typically takes 6–18 months depending on scope, budget, and remediation complexity. Starting with a Dragonfli Group readiness assessment is the fastest way to understand your specific timeline.

What happens if a defense contractor does not comply with CMMC?

Non-compliant defense contractors risk losing existing DoW contracts and being ineligible for new awards. CMMC requirements are embedded in contracts via DFARS clause 252.204-7021. Intentional misrepresentation of your CMMC status can also trigger False Claims Act liability. CMMC requirements are now actively enforced across DoW contracts — non-compliance is a direct barrier to DoW business.

Can a small business achieve CMMC Level 2 compliance?

Yes — CMMC Level 2 is achievable for small businesses, though the path varies by size and current IT maturity. Many small defense contractors are closer to compliance than they realize. The CMMC Accelerator is specifically designed to guide businesses without dedicated IT or security staff through a plain-English assessment and generate the documentation they need. Dragonfli Group's tiered engagements are sized to your gap profile, so small businesses pay for the help they actually need.

Still have questions? Email cmmc@dragonfligroup.com →

Your Next DoW Contract Depends on This

The free Pulse Check takes 10 minutes. The full assessment and Dragonfli-reviewed document package is $3,500 — paid up front, credited in full toward your remediation engagement.

Start My Free Assessment

Free Pulse Check  ·  No credit card  ·  10 minutes