What is CMMC and does my business need it?

Everything you need to know about the Cybersecurity Maturity Model Certification — who needs it, the three levels, key requirements, costs, and how to prepare.

centrexIT Team 8 min read

Key Takeaways

  • CMMC is required for any company that contracts or subcontracts with the U.S. Department of Defense
  • The framework has three levels — Level 1 (basic hygiene), Level 2 (NIST SP 800-171 alignment), and Level 3 (advanced/expert)
  • Most small and mid-sized DoD contractors will need Level 1 or Level 2 certification
  • Phased enforcement began in 2025 — CMMC requirements are appearing in new DoD contracts now
  • Preparation typically takes 6-18 months depending on your current security posture and target level

If you do any work for the Department of Defense — even as a subcontractor three tiers down the supply chain — CMMC is something you need to understand. Here’s what it is, who it affects, and what you need to do about it.

What Is CMMC?

CMMC = Cybersecurity Maturity Model Certification

It’s a cybersecurity framework created by the U.S. Department of Defense (DoD) to protect sensitive information that flows through its defense supply chain. Before CMMC, defense contractors were expected to self-attest that they met cybersecurity requirements under DFARS (Defense Federal Acquisition Regulation Supplement). The problem? Many contractors claimed compliance without actually implementing the necessary controls.

CMMC changes that by requiring third-party verification for most contractors. You can no longer just check a box and say you’re compliant. An independent assessor needs to confirm it.

Why it matters

The DoD estimates that adversaries steal hundreds of billions of dollars in intellectual property annually, with a significant portion coming from weakly secured contractor networks. CMMC is the DoD’s response to that problem.

Does My Business Need CMMC?

Here’s the straightforward test:

Do you have a contract (or subcontract) with the Department of Defense?

If yes — or if you’re planning to bid on DoD contracts — CMMC applies to you.

You Need CMMC If You:

  • Hold a prime contract with any DoD agency
  • Are a subcontractor to a DoD prime contractor
  • Are a supplier in the defense industrial base (DIB)
  • Handle Federal Contract Information (FCI) in connection with DoD work
  • Handle Controlled Unclassified Information (CUI) for DoD
  • Plan to bid on future DoD contracts that include CMMC requirements

You Probably Don’t Need CMMC If You:

  • Only work with non-DoD federal agencies (though similar requirements may be coming)
  • Only sell commercial off-the-shelf (COTS) products to DoD with no access to FCI or CUI
  • Have no connection to the defense supply chain

Key point

CMMC flows down the supply chain. If your customer is a DoD contractor and they share CUI with you, you’ll need CMMC certification too — even if you never interact with the DoD directly.

Understanding FCI and CUI

Two terms you’ll hear constantly in CMMC discussions:

Federal Contract Information (FCI)

Information provided by or generated for the government under a contract that isn’t intended for public release. Think: contract terms, project specs, internal communications about government work.

Controlled Unclassified Information (CUI)

A broader category of sensitive-but-unclassified information that requires protection. Examples include:

  • Technical drawings and specifications
  • Engineering data
  • Test results
  • Proprietary manufacturing processes shared under contract
  • Personnel information
  • Export-controlled data
  • Law enforcement sensitive information

CUI is the bigger deal. If you handle CUI, you’ll need Level 2 certification at minimum, which is significantly more rigorous than Level 1.

How to tell if you handle CUI

Check your contracts. CUI should be identified and marked by the government or your prime contractor. Look for DFARS clause 252.204-7012 in your contracts — if it’s there, you almost certainly handle CUI.

The Three CMMC Levels

CMMC 2.0 simplified the framework from five levels down to three:

Level 1: Foundational

Who needs it: Contractors who handle FCI but not CUI

What it requires: 17 basic cybersecurity practices from FAR 52.204-21

Assessment type: Annual self-assessment

Think of it as: Basic cyber hygiene — the minimum any business should be doing anyway

Level 1 requirements include

  • Use antivirus software and keep it updated
  • Use passwords that meet complexity requirements
  • Limit system access to authorized users
  • Control who can access physical systems
  • Identify and authenticate users before granting access
  • Sanitize or destroy media containing FCI before disposal
  • Limit information system access to the types of transactions and functions that authorized users need
  • Verify and control connections to external systems
  • Control information posted on publicly accessible systems
  • Protect communications at system boundaries
  • Monitor, control, and protect organizational communications
  • Implement subnetworks for publicly accessible system components

These are the basics. If you’re running a business without most of these in place, you have bigger problems than CMMC.

Level 2: Advanced

Who needs it: Contractors who handle CUI

What it requires: 110 security controls aligned with NIST SP 800-171 Rev 2

Assessment type: Third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) for critical CUI, or self-assessment for select programs

Think of it as: Comprehensive cybersecurity — this is where it gets serious

Level 2 control families

Control Family                        | Number of Controls | What It Covers
--------------------------------------|--------------------|-------------------------------------------------
Access Control                        | 22                 | Who can access what, and under what conditions
Awareness and Training                | 3                  | Security training for personnel
Audit and Accountability              | 9                  | Logging, monitoring, and audit trails
Configuration Management              | 9                  | Controlling system configurations and changes
Identification and Authentication     | 11                 | User identity verification and MFA
Incident Response                     | 3                  | Detecting, reporting, and responding to incidents
Maintenance                           | 6                  | System maintenance procedures
Media Protection                      | 9                  | Protecting digital and physical media
Personnel Security                    | 2                  | Screening and managing personnel
Physical Protection                   | 6                  | Physical access controls
Risk Assessment                       | 3                  | Identifying and managing risk
Security Assessment                   | 4                  | Evaluating security effectiveness
System and Communications Protection  | 16                 | Protecting data in transit and at rest
System and Information Integrity      | 7                  | Detecting and correcting flaws

Level 2 is where most small and mid-sized DoD contractors will land. It’s a substantial commitment, and the 110 controls touch every part of your IT environment.

Level 3: Expert

Who needs it: Contractors working with the most sensitive CUI or critical DoD programs

What it requires: 110+ controls from NIST SP 800-171 plus additional controls from NIST SP 800-172

Assessment type: Government-led assessment (DIBCAC — Defense Industrial Base Cybersecurity Assessment Center)

Think of it as: Near-government-grade cybersecurity — advanced threat protection

Most small businesses will not need Level 3. This is reserved for contractors involved in the most sensitive defense programs.

The SPRS Score: Where You Stand Today

If you’re already a DoD contractor, you should have a Supplier Performance Risk System (SPRS) score. This is a numerical score (-203 to 110) based on your self-assessment against the 110 NIST SP 800-171 controls.

How SPRS Scoring Works

  • Start with 110 points (perfect score)
  • Each unmet control deducts points based on its weighted value
  • Common values range from 1 to 5 points per control
  • Your score must be uploaded to the SPRS portal
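The scoring rule above (start at 110, subtract the weight of every control that is not met, landing somewhere between -203 and 110) is easy to get wrong in a spreadsheet. The following is an added worked example, not code from the article or from the DoD assessment methodology: the control names and weights are constructed sample data chosen to mirror the "common gaps" this article lists, and the only facts taken from the text are the 110-point start, the per-control deduction, and the -203 floor (which implies the real weight table totals 313 points). The weight-total check is there so a partial or mistyped control list is caught before a score is reported.

```python
"""SPRS-style scoring over a constructed control set (added example)."""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203
# 110 - (-203): a complete weight table must account for exactly this many points.
TOTAL_WEIGHT = MAX_SCORE - MIN_SCORE


@dataclass(frozen=True)
class Control:
    control_id: str    # constructed label, not a NIST SP 800-171 identifier
    weight: int        # points deducted when the control is not met (constructed)
    implemented: bool  # result of the self-assessment for this control


# Constructed sample: a handful of controls, not the full 110-control set.
SAMPLE_CONTROLS = [
    Control("MFA-for-network-access", 5, False),
    Control("Audit-logging-enabled", 5, False),
    Control("Incident-response-plan-tested", 3, False),
    Control("Antivirus-kept-updated", 1, True),
    Control("Physical-access-controlled", 1, True),
    Control("Shared-accounts-eliminated", 3, True),
]


def validate_weights(controls):
    """Return (ok, total): ok is True only if the weights sum to 313.

    A list that fails this check is incomplete or mistyped, so any score
    computed from it would not be comparable to a real SPRS submission.
    """
    total = sum(c.weight for c in controls)
    return total == TOTAL_WEIGHT, total


def sprs_score(controls):
    """Start at 110 and subtract the weight of each unmet control."""
    deductions = sum(c.weight for c in controls if not c.implemented)
    score = MAX_SCORE - deductions
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside the -203..110 range; check weights")
    return score


def remediation_priority(controls):
    """Unmet controls ordered by weight (highest first, then by name).

    Closing the heaviest open items first recovers the most points per
    control and is a natural ordering for a POA&M.
    """
    open_items = [c for c in controls if not c.implemented]
    return sorted(open_items, key=lambda c: (-c.weight, c.control_id))


if __name__ == "__main__":
    ok, total = validate_weights(SAMPLE_CONTROLS)
    print(f"weights complete: {ok} (total {total} of {TOTAL_WEIGHT})")
    print(f"score: {sprs_score(SAMPLE_CONTROLS)}")
    for c in remediation_priority(SAMPLE_CONTROLS):
        print(f"  open: {c.control_id} (-{c.weight})")
```

On the constructed sample the score is 97 (three unmet controls worth 5, 5 and 3 points), and `validate_weights` reports the list as incomplete because only 18 of 313 points are represented; against a real, full assessment worksheet the same check would pass and the score would be the number to report.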

The Problem with Current Scores

Many contractors submitted inflated SPRS scores based on incomplete assessments. Under CMMC, these scores will be verified. If your reported score doesn’t match reality during a C3PAO assessment, you face:

  • Loss of contracts
  • Potential False Claims Act liability (which can include treble damages)
  • Suspension or debarment from government contracting

If your SPRS score isn’t accurate, fix it now. An honest low score is far better than a fraudulent high one.

CMMC Enforcement Timeline

CMMC has been in development since 2019, and the timeline has shifted multiple times. Here’s where things stand:

  • 2024: Final CMMC rule published (32 CFR Part 170)
  • 2025: Phased rollout begins — CMMC requirements start appearing in select new contracts
  • Phase 1: Level 1 self-assessments and select Level 2 self-assessments required in applicable contracts
  • Phase 2: Level 2 C3PAO assessments required in applicable contracts
  • Phase 3: Level 2 C3PAO assessments for all applicable contracts; Level 3 assessments begin
  • Phase 4: Full implementation across all applicable DoD contracts

Key point

Don’t wait for CMMC to show up in your contract to start preparing. The assessment process takes time, and C3PAO availability is limited. Contractors who wait until the last minute will face backlogs and may lose contract opportunities.

How to Prepare for CMMC

Step 1: Determine Your Required Level

Review your DoD contracts and subcontracts. If you handle only FCI, you’ll likely need Level 1. If you handle CUI, plan for Level 2. Your prime contractor or contracting officer can help clarify.

Step 2: Scope Your CUI Environment

Identify where CUI lives in your organization:

  • Which systems process, store, or transmit CUI?
  • Which employees access CUI?
  • Which networks carry CUI traffic?
  • Which physical locations house CUI?

The smaller your CUI environment, the easier (and cheaper) compliance will be. Consider creating an enclave — a segregated network and set of systems dedicated to CUI handling.

Step 3: Conduct a Gap Assessment

Compare your current security posture against the requirements for your target level. For Level 2, this means a control-by-control assessment against NIST SP 800-171.

Common gaps we see

  • No multi-factor authentication — still using passwords alone for system access
  • Flat networks — no segmentation between CUI systems and general business systems
  • Missing audit logging — systems don’t log access or changes, or logs aren’t reviewed
  • No incident response plan — or a plan that’s never been tested
  • Inadequate access controls — shared accounts, excessive permissions, no regular access reviews
  • Encryption gaps — CUI not encrypted at rest or in transit
  • Missing or outdated System Security Plan (SSP) — the foundational document for your security program
  • No Plan of Action and Milestones (POA&M) — untracked deficiencies

Step 4: Build Your Core Documentation

CMMC assessors will expect thorough documentation:

  • System Security Plan (SSP) — describes your system boundaries and how each of the 110 controls is implemented
  • Plan of Action and Milestones (POA&M) — documents known gaps with remediation timelines (must be closed within 180 days of conditional certification)
  • Network diagrams — current, accurate, and detailed
  • Data flow diagrams — how CUI moves through your systems
  • Policies and procedures — for every control family
  • Evidence of implementation — screenshots, configurations, logs, training records

Step 5: Implement Technical Controls

This is typically the most time-consuming and expensive step:

  • Deploy MFA across all systems handling CUI
  • Implement network segmentation (enclave your CUI environment)
  • Deploy SIEM or equivalent logging solution
  • Enable encryption at rest and in transit
  • Implement endpoint detection and response (EDR)
  • Configure system baselines and change management
  • Set up vulnerability scanning and remediation processes
  • Consider migrating to a GCC High cloud environment for CUI handling

Step 6: Implement Administrative Controls

  • Write and adopt security policies covering all 14 control families
  • Establish a security awareness training program
  • Create and test an incident response plan
  • Implement personnel screening procedures
  • Establish vendor and supply chain security requirements

Step 7: Schedule Your Assessment

For Level 1, complete your self-assessment and submit your score to SPRS.

For Level 2, engage a C3PAO through the Cyber AB (formerly the CMMC Accreditation Body). Assessment timelines vary, but expect 2-4 weeks for the actual assessment process. Book well in advance — demand is high and C3PAO availability is limited.

Cost Estimates

CMMC costs vary widely based on your starting point, company size, and target level:

Level 1 Costs

Item                            | Estimated Cost
--------------------------------|----------------------
Gap assessment                  | $2,000 - $10,000
Remediation (basic controls)    | $5,000 - $25,000
Documentation                   | $2,000 - $5,000
Annual self-assessment effort   | Internal staff time
Total first-year estimate       | $10,000 - $40,000

Level 2 Costs

Item                                          | Estimated Cost
----------------------------------------------|------------------------
Gap assessment                                | $10,000 - $30,000
SSP and policy development                    | $10,000 - $40,000
Technical remediation (110 controls)          | $50,000 - $300,000+
Security tools (SIEM, EDR, encryption, MFA)   | $15,000 - $60,000/year
GCC High cloud migration                      | $10,000 - $50,000
C3PAO assessment                              | $30,000 - $100,000+
Managed IT/security services                  | $1,000 - $5,000/month
Total first-year estimate                     | $100,000 - $500,000+

Why the range is so wide

A company that already has strong cybersecurity practices may need only modest changes. A company running on a flat network with no MFA, no logging, and no policies will need to build from the ground up. Most small DoD contractors fall somewhere in between.

The Business Case

Yes, CMMC is expensive. But consider:

  • The average DoD contract value far exceeds compliance costs — losing contract eligibility is far more expensive than getting compliant
  • Competitors who achieve CMMC first will have a bidding advantage while non-compliant contractors are locked out
  • The security improvements benefit your entire business, not just your DoD work
  • Cyber insurance carriers increasingly recognize CMMC-aligned security as favorable for premium calculations

Common Mistakes to Avoid

1. Waiting Too Long

The most common and most costly mistake. CMMC preparation takes 6-18 months for Level 2. C3PAO availability is limited. Start now.

2. Scoping Too Broadly

If your entire network handles CUI, your entire network is in scope. Establish a CUI enclave to reduce the systems, people, and processes that need to meet Level 2 requirements.

3. Treating It as an IT-Only Project

CMMC touches HR (personnel security, training), physical security, legal (contracts, data flow), management (risk assessment, governance), and IT. It’s an organizational effort.

4. Inflating Your SPRS Score

The DoD is actively pursuing False Claims Act cases against contractors who misrepresented their cybersecurity posture. An honest assessment protects you legally. Fix your score before an assessor does it for you.

5. Ignoring the Supply Chain

If you share CUI with subcontractors, they need CMMC certification too. Assess your supply chain early and help your subcontractors understand their obligations.

6. Underestimating Documentation

Many businesses have decent security practices but poor documentation. For CMMC, undocumented controls don’t count. If you can’t show evidence of a control, the assessor will mark it as not met.

CMMC and Your IT Provider

Your IT provider or managed service provider (MSP) plays a critical role in CMMC readiness. But there’s an important distinction.

What Your IT Provider Should Help With

  • Deploying and managing security tools (SIEM, EDR, MFA, encryption)
  • Network architecture and CUI enclave design
  • GCC High cloud environment setup and management
  • Configuration management and hardening
  • Patch management and vulnerability remediation
  • Logging and monitoring
  • Incident detection and response support
  • Technical documentation (network diagrams, configurations)

What Your IT Provider Cannot Do For You

  • Own your compliance — you are responsible for your own CMMC certification
  • Write all your policies — many policies involve business processes, not just technology
  • Handle personnel security and HR procedures
  • Manage your physical security
  • Guarantee assessment outcomes

Questions to Ask Your IT Provider

  1. Do you have experience supporting CMMC or NIST SP 800-171 compliance?
  2. Can you help design and implement a CUI enclave?
  3. Can you support a GCC High environment?
  4. Do you offer SIEM and security monitoring services?
  5. How do you handle incident response?
  6. Can you support the technical components of a C3PAO assessment?
  7. Are you CMMC-certified yourself (if they handle your CUI)?

Red flags

  • They’ve never heard of CMMC or NIST SP 800-171
  • They can’t explain what CUI is
  • They suggest commercial Microsoft 365 is sufficient for CUI (it’s not)
  • They don’t offer MFA, SIEM, or EDR services
  • They say you can “just self-certify” for Level 2

The Bottom Line

CMMC is not optional if you want to do business with the Department of Defense. The framework is real, enforcement is underway, and contractors who aren’t prepared will lose opportunities.

The good news: the requirements are clear, the path to compliance is well-defined, and the security improvements you’ll make along the way protect your entire business — not just your DoD contracts.

The key steps:

  1. Determine your required CMMC level
  2. Scope and minimize your CUI environment
  3. Assess your gaps against NIST SP 800-171
  4. Build your documentation (SSP, POA&M, policies)
  5. Implement technical and administrative controls
  6. Schedule your assessment early

Start now. The contractors who move first will have a significant competitive advantage.


Need help preparing for CMMC? centrexIT works with defense contractors to implement the technical controls, network architecture, and security monitoring required for CMMC Level 1 and Level 2. Contact us to discuss your compliance roadmap.