If you ship anything to the Department of Defense — from machined parts to software, from logistics services to engineering drawings — there is a clock running on your business. The Cybersecurity Maturity Model Certification (CMMC) program officially entered DoD contracts on November 10, 2025, and the third-party certification phase that follows on November 10, 2026 will quietly disqualify thousands of small subcontractors who assumed they had more time.
The most uncomfortable fact about CMMC is that it is not really a new rulebook. It is a verification mechanism for cybersecurity requirements that have been embedded in the Defense Federal Acquisition Regulation Supplement (DFARS) since 2017. Industry surveys still show that fewer than 15 percent of defense contractors have fully implemented those underlying NIST SP 800-171 controls. That is the gap CMMC is designed to expose — and the gap that is now contractually material to whether you win or lose a bid.
This guide is for the owners, COOs, and IT leads at small businesses who suddenly find themselves needing to translate a 110-control framework, a 320-objective assessment guide, and a three-tier certification model into something they can budget for, plan, and deliver before the next solicitation closes.
The Three Levels in Plain English
CMMC 2.0 collapses the original five-level model into three. The level you need is determined by the kind of government information you handle, not by the size of your company or the dollar value of your contract.
Level 1 (Foundational) applies if your only DoD-related information is Federal Contract Information (FCI) — the non-public information generated under or for a contract that the government has not designated for public release. Think purchase orders, delivery schedules, basic statement-of-work data. Level 1 maps to the 17 basic safeguarding controls in FAR clause 52.204-21 and is satisfied through annual self-assessment with a senior official's affirmation in the DoD's Supplier Performance Risk System (SPRS).
Level 2 (Advanced) applies the moment any Controlled Unclassified Information (CUI) touches your environment. CUI is a broader category that includes export-controlled technical data, controlled technical information, naval nuclear propulsion information, certain types of personally identifiable information, and other categories defined in the CUI Registry. Level 2 requires implementation of all 110 controls in NIST SP 800-171 Revision 2, evaluated against the 320 assessment objectives in NIST SP 800-171A. Most Level 2 contracts require a triennial assessment by a Certified Third-Party Assessor Organization (C3PAO). A narrow slice of "non-critical CUI" contracts may permit annual self-assessment, but you should not assume your contract qualifies unless the contracting officer says so explicitly.
Level 3 (Expert) is reserved for contractors handling CUI associated with the DoD's highest-priority programs. It adds 24 controls from NIST SP 800-172 on top of the 110 from 800-171, and is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). If you do not already know you are Level 3, you are almost certainly not.
The practical implication: if your business ever receives technical drawings, specifications marked CUI, ITAR-controlled data, or anything that the prime contractor describes as "controlled," you are a Level 2 shop and you need to budget accordingly.
What Changed in the Final Rule
The DFARS amendment that codifies CMMC took effect on November 10, 2025, with a phased four-year rollout. Three pieces of the rule deserve attention because they are commonly misunderstood.
First, DFARS clause 252.204-7019 — the standalone requirement to perform a Basic NIST SP 800-171 self-assessment and post a score in SPRS — has been folded into the CMMC clauses and no longer exists as a separate provision. Many small businesses are still operating under the assumption that posting a self-assessment score is the end of their compliance obligation. After November 10, 2025, it is the bare minimum needed to bid, and after November 10, 2026, it is no longer sufficient for most CUI contracts at all.
Second, DFARS 252.204-7021 makes CMMC certification a condition of contract award and requires the contractor to maintain that certification throughout the period of performance. That means your certification cannot quietly lapse mid-contract; if it does, you have a compliance problem that travels up the supply chain to the prime.
Third, DFARS 252.204-7012 — the incident reporting clause that has been in place since 2017 — remains intact. You still have 72 hours to report a cyber incident affecting covered defense information, and you still need to provide media for forensic analysis on request.
The 14 Control Families, Demystified
Level 2's 110 controls are organized into 14 families that mirror NIST SP 800-171's structure. Reading them in plain English helps you see where the work actually lives.
Access Control (22 controls) governs who can log in, what they can see, and what they can do once inside. Expect to inventory every user, role, and shared account in your environment.
Awareness and Training (3 controls) requires documented security awareness training for all users and role-based training for privileged users. Generic phishing modules are not enough on their own.
Audit and Accountability (9 controls) demands that your systems produce, protect, and review logs sufficient to reconstruct what happened during an incident. Many small shops fail here not because they cannot generate logs but because no one is reviewing them.
Configuration Management (9 controls) asks you to establish baselines for every system that handles CUI and to manage changes to those baselines. This is where unauthorized software and "shadow IT" become an audit finding.
Identification and Authentication (11 controls) is the multi-factor authentication family. MFA on privileged accounts is non-negotiable. MFA on all accounts that access CUI is the practical interpretation auditors apply.
Incident Response (3 controls) requires a tested incident response capability with documented procedures, training, and reporting. The DFARS 7012 72-hour clock makes this concrete.
Maintenance (6 controls) governs how you perform maintenance on systems handling CUI, including remote maintenance and the supervision of vendors who touch your environment.
Media Protection (9 controls) covers labeling, transport, sanitization, and destruction of media containing CUI — yes, including the USB drive that holds backup copies of engineering data.
Personnel Security (2 controls) requires screening before granting access to CUI and ensures access is terminated when employment ends.
Physical Protection (6 controls) governs physical access to facilities where CUI is processed, including visitor logs and equipment safeguards.
Risk Assessment (3 controls) requires periodic risk assessments and vulnerability scans of your in-scope systems.
Security Assessment (4 controls) demands a documented System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) — the two artifacts every assessor opens first.
System and Communications Protection (16 controls) covers boundary protection, encryption in transit, encryption at rest, and architectural separation of CUI from other data.
System and Information Integrity (7 controls) covers flaw remediation, malicious code protection, and monitoring.
The 110 controls expand into 320 assessment objectives in NIST SP 800-171A. Each objective is a discrete yes-or-no question the assessor will ask, and each requires evidence — a policy, a configuration screenshot, a log sample, a signed acknowledgment. Builders of compliance evidence repositories typically estimate 600 to 1,200 individual pieces of evidence for a clean Level 2 assessment.
What This Actually Costs a Small Business
The DoD's own regulatory impact analysis estimates that approximately 229,818 of the 337,968 affected entities are small businesses. The cost reality varies more than any vendor pitch deck will admit.
Gap assessments from independent consultants run from roughly $3,500 on the low end to $20,000 for a thorough Rev. 2 review including a draft SSP. This is the single best money you can spend before committing to remediation, because it tells you the size of the actual project.
Remediation costs for small businesses commonly land between $35,000 and $115,000 depending on the gap. The expensive items are usually: a compliant Microsoft 365 GCC High tenant (or the equivalent), endpoint detection and response (EDR), multi-factor authentication everywhere, a managed security information and event management (SIEM) service, and the labor to write and operate the required policies.
C3PAO assessment fees for Level 2 certification typically range from $20,000 to $75,000 for a small environment, with larger or more complex environments running higher. Lead times are currently 3 to 6 months and lengthening — there are fewer than 100 authorized C3PAOs serving an estimated 80,000 Level 2 contractors, and the pipeline is not yet keeping pace with demand.
Ongoing operating costs — managed services, training, tooling, internal personnel time — typically add $10,000 to $20,000 per year for a small business, every year, indefinitely.
Total cost of ownership for a small Level 2 shop, including the first certification cycle, commonly lands between $80,000 and $250,000 over three years. Level 1 is dramatically cheaper, often achievable for under $10,000 if your environment is already moderately well managed.
These numbers are uncomfortable. They are also bid-able. If your contracts cannot absorb them, that is a strategic question worth answering before you spend another quarter chasing DoD work.
The Plan of Action and Milestones Loophole
The final rule preserves a limited POA&M mechanism for Level 2. You can achieve conditional certification with open items, provided that:
- Your overall SPRS score is at or above an 88 (out of 110).
- The open items are not on the list of high-value controls that must be fully met at the time of assessment (multi-factor authentication, FIPS-validated cryptography, security continuous monitoring, and a small number of others).
- You close every open item within 180 days, at which point a closeout assessment converts your conditional status to final.
POA&Ms are useful, but they are not a substitute for preparation. A conditional certification with a failed 180-day closeout is materially worse than a delayed initial assessment, because it can result in losing certification mid-contract.
A 90-Day Path for a Small Contractor Starting Now
If you are reading this in mid-2026 and have not started, here is a realistic compressed schedule. It assumes Level 2 is your target and your environment is roughly representative of a small business with 10 to 50 employees.
Days 1 to 14: Scope and Inventory. Identify every system, user account, and data flow that touches CUI. Most small businesses dramatically overestimate the scope of CUI in their environment; the goal is the smallest defensible enclave that still meets contractual obligations. Decide whether you will use a dedicated CUI enclave (a separated Microsoft 365 GCC High tenant or equivalent) or attempt enterprise-wide compliance. Enclaves are almost always cheaper for small shops.
Days 15 to 30: Gap Assessment. Engage a registered practitioner organization (RPO) or qualified consultant to perform a NIST SP 800-171 Rev. 2 gap assessment against the 110 controls and 320 objectives. Insist on a written report with control-by-control findings, recommended remediation, and a draft SSP.
Days 31 to 60: Remediation Sprints. Tackle the high-value controls first because they cannot live on a POA&M. Stand up MFA on every account that touches CUI. Migrate CUI workloads into a compliant tenant. Deploy EDR. Stand up centralized log collection. Write or buy the 14 policy documents that the assessment guide expects.
Days 61 to 75: Documentation and Training. Finish the SSP, complete role-based security training, conduct your first internal incident response tabletop exercise, and update your SPRS score. Build the evidence repository the assessor will request.
Days 76 to 90: Pre-Assessment and Booking. Conduct an internal mock assessment using NIST SP 800-171A as the rubric. Close any remaining gaps. Submit a request for C3PAO scheduling — and accept that the actual assessment may be 90 to 180 days out from the request date. Use the waiting time to operate the controls; assessors look for evidence of sustained operation, not freshly minted policies.
This is aggressive. It is achievable for an organization with executive commitment, an honest scope, and a willingness to spend. Organizations that try to retrofit compliance onto a sprawling, undocumented environment routinely take 9 to 12 months instead.
Bookkeeping for the Compliance Project
Two financial-management mistakes routinely complicate CMMC projects at small businesses.
The first is treating compliance spending as a single bucket. A clean chart of accounts separates one-time remediation costs (capitalizable in many cases), recurring software subscriptions (operating expense), labor for internal staff (often allocable across multiple programs), and assessment fees (a contract-level cost that may be allowable under indirect cost rates for cost-reimbursable work). Defense contractors with DCAA-relevant accounting systems particularly need to track these categories precisely; misclassification can show up years later as questioned costs.
The second is failing to track CMMC costs by contract. If your compliance investment was driven by a specific contract requirement, you may be able to recover a portion through allowable costs or pricing on follow-on awards. If you cannot point to which contract a given dollar supported, you cannot make the case.
Plain-text, version-controlled accounting fits this environment well precisely because it leaves an auditable trail. Every transaction is human-readable, every change is in version control, and the books themselves can be reviewed by a DCAA auditor without specialized vendor tooling. Several controls in NIST SP 800-171 — especially in the Audit and Accountability and Configuration Management families — call for similar properties in IT systems, and there is a quiet elegance in having the financial records meet the same standard.
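As an added illustration of the two bookkeeping rules above (separate cost categories, and attribute every dollar to a contract), here is a small script that tallies compliance spend from a Beancount-style ledger. It is example code written for this article, not Beancount.io's own tooling; the ledger excerpt, vendor names, contract tags and amounts are constructed placeholders, and the even split of shared labor across several contract tags is an assumption, not an allocation method the page prescribes.

```python
"""Tally CMMC compliance spend by contract and cost category from a
plain-text (Beancount-style) ledger excerpt embedded below."""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger. Each transaction is tagged with the contract
# it supports (#contract-...), and the expense account's last component
# names the cost category: Assessment, Subscriptions, Remediation, Labor.
LEDGER = """
2026-03-02 * "RPO Consulting" "Gap assessment and draft SSP" #contract-PLACEHOLDER-A
  Expenses:Compliance:Assessment      12000.00 USD
  Assets:Checking

2026-03-15 * "Cloud Vendor" "GCC High tenant, March" #contract-PLACEHOLDER-A
  Expenses:Compliance:Subscriptions    1800.00 USD
  Assets:Checking

2026-04-01 * "EDR Vendor" "Endpoint detection, 40 seats" #contract-PLACEHOLDER-B
  Expenses:Compliance:Remediation      9600.00 USD
  Assets:Checking

2026-04-10 * "Internal" "IT lead time on SSP, 30 hrs" #contract-PLACEHOLDER-A #contract-PLACEHOLDER-B
  Expenses:Compliance:Labor            3000.00 USD
  Liabilities:AccruedPayroll
"""

# A transaction header: date, flag, then payee/narration and #tags.
TXN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) [*!] (.*)$")
# A posting to a compliance expense account with an explicit USD amount.
POSTING_RE = re.compile(r"^\s+Expenses:Compliance:(\w+)\s+(-?[\d.]+) USD")


def tally(ledger: str) -> dict:
    """Return {contract_tag: {category: total}} for the ledger text.

    Assumption: a transaction carrying several contract tags is split
    evenly across them, so shared labor is attributable to each award.
    """
    totals = defaultdict(lambda: defaultdict(Decimal))
    tags = []
    for line in ledger.splitlines():
        header = TXN_RE.match(line)
        if header:
            tags = re.findall(r"#(\S+)", header.group(2))
            continue
        posting = POSTING_RE.match(line)
        if posting and tags:
            share = Decimal(posting.group(2)) / len(tags)
            for tag in tags:
                totals[tag][posting.group(1)] += share
    return {tag: dict(cats) for tag, cats in totals.items()}


def contract_total(totals: dict, tag: str) -> Decimal:
    """Sum every category for one contract, the number a DCAA reviewer
    or a follow-on pricing exercise would ask for."""
    return sum(totals.get(tag, {}).values(), Decimal("0"))
```

Running `tally(LEDGER)` yields one category breakdown per contract tag, which is exactly the trail you need when asked which award a given dollar supported.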
Common Failure Modes to Avoid
A few patterns repeat across small contractors who fail their first assessment.
Treating MFA as optional. Multi-factor authentication on privileged accounts is the single most common control failure. It is also the cheapest to fix. Resolve this in week one.
Misclassifying CUI. This means either marking too much as CUI (expanding scope and cost unnecessarily) or marking too little (creating real exposure). Push your contracting officer for clarity on CUI categories before you scope the project.
Conflating IT security with cybersecurity compliance. A managed service provider that keeps your laptops patched is not the same thing as an RPO or C3PAO. The skills overlap, but the documentation, evidence, and assessment-readiness work is a different discipline.
Underestimating documentation. Assessors do not give credit for verbal explanations. Every control needs evidence that exists today, not evidence the company could produce if asked. Build the evidence repository as you remediate.
Believing the prime will handle it. Primes flow down their compliance requirements through subcontracts. They are not your assessor and not your auditor, but they will absolutely walk away from a sub that puts their certification at risk.
Keep Your Compliance Costs Visible and Auditable
Cybersecurity compliance is now a line item that every defense contractor will carry for the rest of the program's life. Tracking those costs cleanly — by contract, by control family, by remediation versus operating expense — is the difference between a project you can defend in a DCAA audit and a project that quietly erodes your margin. Beancount.io offers plain-text accounting that gives you complete transparency and version control over every financial record, with no vendor lock-in and no black-box reports. Get started for free and bring the same audit-readiness to your books that CMMC asks of your IT environment.