The Cybersecurity Maturity Model Certification program is not optional if you have a DoD contract. This guide covers everything you need to know: what CMMC is, who it affects, what the levels mean, the documents you need, and what it actually costs to comply.
CMMC stands for Cybersecurity Maturity Model Certification. It is a DoD (Department of Defense) program that sets cybersecurity requirements for the defense supply chain. The program requires contractors to demonstrate that they meet specific security standards before they can hold or win certain DoD contracts.
The DoD finalized the CMMC 2.0 rule on November 10, 2025. Starting from that date, CMMC requirements can appear in new DoD contracts. The program is rolling out in phases through 2026 and beyond.
The underlying security framework is NIST SP 800-171 Rev 2, which lists 110 security requirements across 14 domains. CMMC Level 2 requires demonstrating compliance with all 110 of those requirements. CMMC is not a new cybersecurity standard invented by the DoD; it is an enforcement and certification mechanism layered on top of an existing standard.
Any company that handles DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) needs to comply with CMMC. That includes:
- Manufacturers that make parts or components under DoD contracts.
- Engineering firms that produce design documents or technical data.
- IT services companies that provide systems or support to DoD programs.
- Research and development companies that handle ITAR or EAR controlled data.
- Staffing firms that place workers on cleared programs.
- Professional services firms that review sensitive documents as part of their work.
The size of your company does not determine whether you need CMMC. The content of your contract does. If your contract has a CMMC clause, you must comply. If you hold a contract with FCI, you need at minimum Level 1. If your contract involves CUI, you need Level 2.
The requirement flows down the supply chain. If a prime contractor has a CMMC clause, they can flow that requirement to their subcontractors. You might receive a CMMC requirement from your customer even if you do not have a direct contract with the DoD.
CMMC 2.0 has three levels. Most defense contractors fall into Level 1 or Level 2.
The vast majority of small contractors need either Level 1 or Level 2. If your contract involves CUI, assume Level 2. If you are not sure, look at your contract for the DFARS clause 252.204-7012. That clause requires Level 2 compliance. If you have it, you need Level 2.
Level 1 allows self attestation: a senior company official certifies annually that the company meets the 17 requirements. There is no outside auditor.
Level 2 (for most CUI contracts) requires a third party assessment by a C3PAO. The C3PAO comes to your organization, reviews your evidence, interviews your people, and issues a formal certification. You cannot certify yourself for Level 2 in most cases.
Some Level 2 contracts allow annual self attestation rather than a C3PAO assessment. This is determined by the requiring activity in the DoD (who writes the contract), not by you. If the contract requires a C3PAO assessment, self attestation is not an option.
Think of the System Security Plan (SSP) as a written answer to the question: "For each of these 110 security requirements, how does your company actually handle it?" The answer for each control might be "we do this using [specific tool or process], configured [this way], owned by [this person]." Or it might be "we do not yet do this, and here is our plan to implement it."
Every contractor seeking Level 2 certification needs a current, accurate SSP. If you hire a C3PAO to assess you, the first thing they will ask for is your SSP. A complete, accurate SSP before the assessment begins shortens the assessment timeline and reduces the risk of findings you did not anticipate.
The NIST SP 800-171 Rev 2 guide specifies what an SSP should contain. At minimum: the company's name and address, a description of the systems in scope, the network boundary, a description of how each of the 110 controls is implemented (or planned), and the date.
In practice, a thorough SSP for a 20-person contractor might run 80 to 200 pages. Each control gets its own section with an implementation statement. Strong implementation statements are specific to your environment: they name the actual tools, configurations, and processes in place, not generic descriptions of the control concept.
Verdiex generates your SSP from your questionnaire answers. The tool produces implementation statements for each control based on what you describe about your environment. You then edit those statements to add detail specific to your environment, attach evidence, and export the document.
Defense contractors with CMMC Level 2 requirements are required to submit their assessment score to the DoD Supplier Performance Risk System (SPRS). This score is visible to DoD contracting officers evaluating bids and managing supplier relationships.
The DoD scoring methodology assigns point values to each of the 110 controls based on their criticality. Unimplemented controls deduct either 1, 3, or 5 points from the 110 maximum:
Controls worth 1 point each: basic practices with lower criticality, such as session lock policies or password length requirements.
Controls worth 3 points each: important controls covering access management, audit logging, and configuration management.
Controls worth 5 points each: the highest value controls covering things like multifactor authentication for privileged access and FIPS-validated cryptography.
A contractor who has implemented most controls but is missing all controls worth five points could have a score well below zero. The score is not a simple percentage.
The required minimum SPRS score for contracts is not a universal fixed number; the requirement varies by contract. However, a score well below 110 signals gaps that need to be in a Plan of Action and Milestones (POA&M) with a credible remediation timeline. A score near or at 110 signals readiness for a C3PAO assessment.
A POA&M does not excuse gaps. It acknowledges them honestly and demonstrates that you have a concrete plan to close them. A good POA&M includes: the specific control not yet met, why it is not yet met, what it will take to implement it, who is responsible, and a realistic target date.
Having a POA&M that honestly describes your gaps is better for compliance and better for your defensibility than pretending the gaps do not exist. A C3PAO reviewing your SSP will identify unmet controls. It is better to have them already in your POA&M than to have them discovered during the assessment.
Verdiex generates a POA&M entry automatically for every control that is not fully implemented. You fill in the owner, the target date, and the remediation steps. The POA&M updates in real time as you close gaps and your SPRS score adjusts accordingly.
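An added example, not Verdiex's code and not the official DoD scoring table, of the arithmetic behind the score and the priority order it implies: 110 minus the weight of every unimplemented control, with open items listed highest point value first. The control IDs and summaries are real NIST SP 800-171 requirements, but the weights and implemented/not-implemented statuses in the inventory are constructed for illustration.

```python
from dataclasses import dataclass, replace
MAX_SCORE = 110  # one point per NIST SP 800-171 Rev 2 requirement

@dataclass(frozen=True)
class Control:
    control_id: str    # NIST SP 800-171 requirement number, e.g. "3.5.3"
    summary: str
    weight: int        # 1, 3 or 5 under the DoD assessment methodology
    implemented: bool

def sprs_score(controls) -> int:
    """110 minus the weight of every unimplemented control. Controls absent
    from the inventory count as implemented, so pass the full in-scope set."""
    lost = 0
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if not c.implemented:
            lost += c.weight
    return MAX_SCORE - lost   # can go negative; it is not a percentage

def naive_percentage(controls) -> float:
    """The 'percent implemented' figure the score is often mistaken for."""
    return 100.0 * sum(c.implemented for c in controls) / len(controls)

def poam_candidates(controls):
    """Unimplemented controls, highest point value first: the order in
    which closing them raises the score fastest."""
    def key(c):
        return (-c.weight, tuple(int(p) for p in c.control_id.split(".")))
    return sorted((c for c in controls if not c.implemented), key=key)

def score_after_closing(controls, n: int) -> int:
    """Projected score once the n highest-value POA&M items are closed."""
    closing = {c.control_id for c in poam_candidates(controls)[:n]}
    return sprs_score(replace(c, implemented=True) if c.control_id in closing
                      else c for c in controls)

# Constructed inventory: IDs and summaries are real NIST SP 800-171 requirements;
# the weights and statuses are illustrative, not the official DoD scoring table.
INVENTORY = [
    Control("3.1.1", "Limit system access to authorized users", 5, True),
    Control("3.5.3", "Multifactor authentication", 5, False),
    Control("3.13.11", "FIPS-validated cryptography for CUI", 5, False),
    Control("3.3.1", "Create and retain audit logs", 3, False),
    Control("3.4.1", "Baseline configurations", 3, True),
    Control("3.8.3", "Sanitize media before disposal", 3, False),
    Control("3.1.10", "Session lock", 1, False),
    Control("3.5.7", "Password complexity", 1, True),
]
```

On this inventory the score is 93 while only 37.5% of the listed controls are implemented, and closing the two 5-point items alone lifts it to 103.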
C3PAOs employ Certified CMMC Assessors (CCAs) who have passed the Cyber AB assessment examination. During an assessment, the C3PAO reviews your SSP, interviews key personnel, and tests the actual implementation of controls. They issue findings and, if you pass, a certification valid for three years.
A C3PAO assessment for a small to medium sized contractor typically costs between $35,000 and $75,000 or more, depending on the complexity of your environment, the number of systems in scope, and the C3PAO's pricing. Some assessments run higher.
You can find accredited C3PAOs on the Cyber AB Marketplace at marketplace.cyberab.org. Demand for C3PAOs has significantly exceeded supply since the CMMC rule took effect, which means scheduling lead times can be long. Contractors who wait until the last minute before a contract deadline may struggle to find availability.
Verdiex is a preparation tool, not an assessment organization. The product helps you build the SSP, understand your SPRS score, and document your compliance posture so that when you engage a C3PAO, you are ready. A contractor who arrives at a C3PAO assessment with a thorough, accurate SSP and an evidence vault in order is in a much stronger position than one who does not.
We use the phrase "prepare, not certify" throughout the site because this distinction matters legally and practically. We can help you get ready for the C3PAO. We cannot do the C3PAO's work.
CMMC 2.0 was finalized in November 2025. The rollout is phased, with requirements appearing in contracts progressively over time.
The DoD rule (32 CFR Part 170) took effect. CMMC requirements can now be included in new contracts. The clock for the supply chain is running.
New contracts and contract renewals begin including CMMC requirements. Phase 1 covers contracts that require Level 2 self attestation. Phase 2 covers contracts that require Level 2 C3PAO assessment.
CMMC requirements are expected to appear in the majority of new DoD contracts involving CUI. C3PAO demand will continue to rise as more contractors need formal assessments.
CMMC requirements are expected to be included in all applicable DoD contracts. Contractors without the required CMMC level will not be eligible for contract awards.
The window for preparation is now. There are an estimated 78,000 contractors who need Level 2 but are not yet compliant. C3PAO capacity is limited. Contractors who start the process today are ahead of those who wait for their contracting officer to ask for their CMMC status.
The cost of CMMC compliance varies widely depending on how compliant you are today, how complex your environment is, and how you choose to get there. Here is an honest breakdown.
| Path | Typical cost | Notes |
|---|---|---|
| MSP or consultant retainer | $800 to $1,500 per month, 12 to 18 months | The most common approach. Total cost often $15,000 to $25,000 before the C3PAO assessment begins. |
| Independent SSP project | $25,000 to $75,000 or more | Hiring a consultant to produce the SSP. Hourly rates run $250 to $400 per hour. |
| C3PAO assessment | $35,000 to $75,000 or more | The formal assessment by an accredited C3PAO. Required for most Level 2 contracts. Separate from preparation costs. |
| Technical remediation | Highly variable | Implementing unmet controls (MFA, encryption, log management, etc.). Can range from a few thousand dollars to six figures depending on current state. |
| Verdiex Professional | $799 per month | Covers the SSP generation, SPRS scoring, POA&M tracking, and evidence vault. Does not replace the C3PAO assessment or technical remediation. |
Verdiex eliminates the documentation and scoring work, which is typically what drives the large consulting engagements. You still need to actually implement the controls (Verdiex helps you understand which ones), and you still need to hire a C3PAO for Level 2 certification. But the $15,000 to $75,000 consulting engagement to produce the SSP and understand your score is replaced by a software subscription.
Technical remediation costs are separate and depend entirely on your current infrastructure. No tool or consultant can implement the controls for you; you have to actually change your systems and policies. Verdiex tells you exactly what to implement and in what priority order.
When a company attests CMMC compliance or submits a SPRS score to the DoD, it is making a certification to the federal government. If that certification is inaccurate, intentionally or through willful ignorance, it can trigger False Claims Act (FCA) liability.
The False Claims Act allows the government and whistleblowers (including your own employees) to sue contractors who submit false claims to the government. Penalties can include treble damages (three times the contract value) plus substantial fines for each false claim.
Two scenarios create direct FCA exposure: submitting a SPRS score that is significantly higher than your actual implementation level, and attesting compliance with CMMC Level 2 when you have not completed the required assessment or do not actually meet the requirements. These are not hypothetical risks: the Department of Justice has brought FCA cases against defense contractors for exactly this kind of misrepresentation.
An accurate SSP, an honest SPRS score, and a thorough POA&M that documents known gaps with credible remediation timelines are evidence of good faith. They demonstrate that your compliance program is real, that you know where your gaps are, and that you are working to close them. They do not eliminate liability for actual compliance failures, but they establish a documented, credible compliance posture.
Verdiex walks you through the questionnaire, generates your SSP, calculates your SPRS score, and tracks your POA&M. Get on the early access list and we will notify you when it opens.
Verdiex prepares you for assessment. A C3PAO performs the assessment and issues certification.