The Complete CMMC 2.0 Compliance Guide for Defense Contractors (2026)

Glenn Ballard
Founder & CEO, Dragonfli Group · CMMC Registered Practitioner · June 7, 2026 · 12 min read
The DoW's Cybersecurity Maturity Model Certification program is no longer a future requirement — since the acquisition rule took effect November 10, 2025, it is actively appearing in solicitations across all DoW services. Defense contractors who delay are losing bids to competitors who are already compliant. This guide covers everything you need to understand about CMMC 2.0: what it requires, who it applies to, how the certification process works, and what it costs.
I have spent 26 years building and auditing cybersecurity programs for federal agencies and defense contractors. This guide is based on that experience, current DoW guidance, and the hundreds of assessment engagements our team at Dragonfli Group has conducted.
What is CMMC 2.0?
CMMC (Cybersecurity Maturity Model Certification) is the US Department of War's mandatory cybersecurity framework for its supply chain. The original CMMC 1.0 was released in January 2020 with five maturity levels. CMMC 2.0 was announced in November 2021, streamlining the model to three levels and aligning it more closely with existing NIST standards. The CMMC Program rule (32 CFR Part 170) became effective in December 2024, and the acquisition rule (48 CFR) that puts CMMC clauses into contracts took effect November 10, 2025 — beginning a four-phase rollout that requires Level 2 C3PAO certification from November 10, 2026 and reaches full implementation on November 10, 2028.
CMMC is not a voluntary framework. It is enforced through the Defense Federal Acquisition Regulation Supplement (DFARS), specifically clause 252.204-7021, which contractors must flow down to all subcontractors handling covered information. Misrepresenting your CMMC status can trigger False Claims Act liability with treble damages.
Key distinction: CMMC vs. NIST SP 800-171
Who needs CMMC certification?
If your company holds or bids on DoW contracts and handles any of the following, CMMC applies to you:
- Federal Contract Information (FCI) — Any information provided by or generated for the government under a contract that is not intended for public release. Requires CMMC Level 1.
- Controlled Unclassified Information (CUI) — Technical data, engineering drawings, export-controlled information, procurement-sensitive information, or other information the government designates as CUI. Requires CMMC Level 2 (or Level 3 for the most sensitive programs).
This applies to prime contractors and all subcontractors at every tier. If you are a sub to a prime handling CUI, you must comply. Small businesses are not exempt — though the DoW has indicated it will prioritize enforcement on higher-risk contracts first.
How to know if you handle CUI
The three CMMC levels explained
CMMC Level 1 — Foundational (17 practices)
Level 1 covers the 17 basic cybersecurity practices from FAR 52.204-21. These are the absolute fundamentals: limit system access to authorized users, control physical access, use antivirus, implement multi-factor authentication for privileged accounts, and similar baseline controls. Level 1 contractors may self-attest annually via a senior company official and do not need a third-party assessor.
CMMC Level 2 — Advanced (110 practices)
Level 2 is where most defense contractors focus. It covers all 110 security requirements from NIST SP 800-171 Rev 2 across 14 practice domains. For contracts the DoW designates as "critical," third-party certification by a C3PAO is required every three years. For non-critical programs, self-assessment may be permitted — but this distinction is made by the contracting officer in each solicitation.
CMMC Level 3 — Expert (110+ practices)
Level 3 is reserved for contractors on the most sensitive DoW programs, particularly those involving Advanced Persistent Threat (APT) risk. It is based on a subset of NIST SP 800-172 requirements and requires a government-led assessment by the Defense Contract Management Agency (DCMA). Very few contractors will need Level 3.
The 14 CMMC domains and 110 security requirements
CMMC Level 2 assesses all 14 practice families from NIST SP 800-171. Here is what each domain covers:
- Access Control (AC): 22 requirements covering who can access what systems and data
- Awareness and Training (AT): 3 requirements covering security awareness programs
- Audit and Accountability (AU): 9 requirements covering logging and audit trails
- Configuration Management (CM): 9 requirements covering system baselines and change control
- Identification and Authentication (IA): 11 requirements covering MFA, passwords, and identity management
- Incident Response (IR): 3 requirements covering incident detection, reporting, and recovery
- Maintenance (MA): 6 requirements covering system maintenance procedures
- Media Protection (MP): 9 requirements covering CUI on portable media
- Physical Protection (PE): 6 requirements covering physical access to systems
- Personnel Security (PS): 2 requirements covering personnel screening and termination
- Risk Assessment (RA): 3 requirements covering vulnerability scanning and risk analysis
- Security Assessment (CA): 4 requirements covering system assessment and monitoring
- System and Communications Protection (SC): 16 requirements covering network architecture and encryption
- System and Information Integrity (SI): 7 requirements covering malware protection and security alerts
No single domain can be ignored. A gap in any domain impacts your overall SPRS score, your certification eligibility, and your exposure if an assessment identifies unaddressed weaknesses.
Understanding your SPRS score
The Supplier Performance Risk System (SPRS) score is a numeric representation of your NIST SP 800-171 compliance posture. It ranges from -203 to +110. A score of 110 means you have fully implemented all 110 requirements. Each unimplemented requirement carries a weighted penalty (1–5 points depending on criticality). Partial implementation earns partial credit.
Contractors must self-report their SPRS score in the PIEE (Procurement Integrated Enterprise Environment) portal and update it when controls are remediated. Your SPRS score is visible to DoW contracting officers and is increasingly used as a qualification factor in source selection. A negative SPRS score is a significant red flag.
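To make the weighting concrete, here is a small SPRS calculator, added as an example for this guide rather than taken from the article or from Dragonfli Group's tooling. The weight table is a constructed eight-requirement sample (the DoD Assessment Methodology's full table covers all 110 requirements with weights of 5, 3 or 1 and grants partial credit only for MFA, 3.5.3, and FIPS-validated cryptography, 3.13.11); `sprs_score` returns both the score and the gaps ordered by deduction, which is the order a POA&M should remediate them in.

```python
from enum import Enum

MAX_SCORE = 110  # every requirement implemented

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"

# Constructed sample of the DoD Assessment Methodology weight table, keyed by
# NIST SP 800-171 Rev 2 requirement id. The real table covers all 110
# requirements with weights of 5, 3 or 1 (summing to 313, hence the -203 floor).
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish and maintain baseline configurations
    "3.5.3": 5,    # multi-factor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.3.2": 3,    # trace actions to individual users
    "3.1.3": 1,    # control the flow of CUI
}
# Partial credit exists only for MFA and FIPS crypto: a partial implementation
# is deducted 3 points instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

def deduction(req_id, status, weights=SAMPLE_WEIGHTS):
    """Points deducted for one requirement in the given state."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req_id]
    return weights[req_id]  # partial on any other requirement scores as a miss

def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """Return (score, gaps). Requirements absent from `statuses` count as not
    implemented, so an incomplete assessment never overstates the score; `gaps`
    is [(req_id, deduction), ...] largest first, the remediation order that
    raises the score fastest and a natural POA&M priority."""
    unknown = set(statuses) - set(weights)
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    gaps = []
    for req_id in weights:
        points = deduction(req_id, statuses.get(req_id, Status.NOT_IMPLEMENTED), weights)
        if points:
            gaps.append((req_id, points))
    gaps.sort(key=lambda gap: (-gap[1], gap[0]))
    return MAX_SCORE - sum(points for _, points in gaps), gaps
```

Swap in the full 110-entry weight table and the same function reproduces the -203 to +110 range described above.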
SPRS score vs. CMMC readiness score
C3PAO assessments: what to expect
A C3PAO (Certified Third-Party Assessment Organization) is an accredited firm authorized by the CyberAB to conduct official CMMC Level 2 certification assessments. The assessment process typically involves:
- Scoping: Define the assessment boundary — which systems, locations, and personnel are in scope for CUI handling.
- Evidence submission: Provide documentation proving control implementation: policies, procedures, configuration screenshots, audit logs, training records.
- Assessment activities: C3PAO assessors interview personnel, review documentation, and test controls. This typically takes 1–4 weeks on-site or hybrid.
- POA&M review: Gaps identified during the assessment are documented in a Plan of Action & Milestones. The assessor evaluates whether gaps are remediable within 180 days and whether they are blocking.
- Certification decision: The C3PAO uploads findings to the CyberAB's eMASS instance. If requirements are met, your organization receives CMMC Level 2 certification valid for three years.
Working with an RPO (Registered Practitioner Organization) like Dragonfli Group before your C3PAO assessment dramatically improves your first-time pass rate and reduces total cost by ensuring your documentation and evidence packages are complete.
What CMMC compliance costs
Total CMMC compliance costs vary enormously by organization size, current security posture, and the complexity of your IT environment. Here are realistic estimates based on our engagement experience:
- Dragonfli Group Full Report Package: includes SSP draft, POA&M, gap analysis, and remediation roadmap
- T1 Scout engagement: SSP, POA&M, 18 required policy templates, and SPRS score calculation
- Remediation: depends on the number of gaps; can include MFA rollout, network segmentation, endpoint security, and SIEM deployment
- C3PAO assessment: charged by the C3PAO; varies by scope, number of sites, and assessor
- Ongoing: compliance monitoring, policy updates, employee training, and evidence collection
The cost of non-compliance is higher
How long CMMC compliance takes
The timeline to CMMC Level 2 compliance depends heavily on your starting point. Here is a realistic breakdown:
- Primarily documentation work: SSP, POA&M, policy templates, evidence collection. Minimal technical remediation.
- Technical remediation required (MFA, endpoint protection, network controls) plus documentation. C3PAO assessment can follow.
- Infrastructure rebuild may be required. Consider a CMMC-compliant managed security service (MSP) as a faster path.
How to prepare: your first steps
The best first step is always a gap assessment. You cannot build a remediation plan without knowing where you stand. Here is the sequence we recommend for every defense contractor:
1. Run a readiness assessment
Get your current CMMC score across all 14 domains. Understand your SPRS estimate. This is the foundation of everything that follows. Our Full Report ($3,500) does this in 15 minutes.
2. Build your SSP and POA&M
Your System Security Plan (SSP) documents how you meet each requirement. Your Plan of Action & Milestones (POA&M) documents how you will close gaps. These are required for C3PAO assessment.
3. Calculate and submit your SPRS score
Even if you have gaps, you must report your current SPRS score in the PIEE portal. A submitted score, even a low one, is better than no score.
4. Remediate gaps by priority
Focus on Critical and High priority gaps first (score < 65%). Use your POA&M as the project plan. Your Dragonfli consultant will help sequence this efficiently.
5. Engage a C3PAO when ready
When your POA&M shows 180-day closure for remaining gaps and your documentation is complete, schedule your C3PAO assessment. Do not engage a C3PAO before your RPO says you are ready.
Start with a Free Pulse Check
Find out where you stand in 10 minutes — across the 5 highest-risk CMMC domains. No credit card, no signup required.

Glenn Ballard
Founder and CEO, Dragonfli Group LLC
26+ years of federal cybersecurity delivery experience across US government agencies, Fortune 500 financial institutions, and defense contractors. CMMC Registered Practitioner (RP), certified by the Cyber Accreditation Body (CyberAB). Founded Dragonfli Group in 2008.