What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a unified cybersecurity standard mandated by the U.S. Department of Defense for all contractors and subcontractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

Quick Answer

What is CMMC, in one breath?

CMMC consolidates various cybersecurity standards into a single framework with three levels of certification. It introduces external verification requirements for many contracts, with level-specific assessment methods.

Who this applies to

US Defense Industrial Base contractors handling FCI or CUI

Timeline

Level 1: 3-6 months. Level 2: 6-12 months. Level 3: 12+ months

Investment

Planning ranges only; actual cost depends on scope and inherited controls

Audience

Who needs CMMC?

Organizations handling covered DoD information typically need the level specified in contract requirements. This can include:

  • Prime contractors working directly with DoD
  • Subcontractors at any tier in the supply chain
  • Suppliers providing products or services containing CUI
  • Software vendors and cloud service providers to DoD contractors

Levels

The three CMMC levels.

Level 1: Foundational

17 basic cybersecurity practices for protecting Federal Contract Information (FCI). Allows annual self-assessment. Required for contracts involving FCI only.

Level 2: Advanced

110 practices aligned with NIST SP 800-171 for protecting Controlled Unclassified Information (CUI). Requires third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization). Most common level for DoD contractors.

Level 3: Expert

Additional safeguards beyond Level 2 for higher-sensitivity DoD programs, as defined by applicable program requirements. Assessed by government personnel.

Requirements

Key requirements across levels.

  • Scope Definition: Clearly define your CMMC Assessment Scope boundary
  • Security Controls: Implement required practices for your level
  • Documentation: Maintain evidence of control implementation
  • Third-Party Assessment: Pass evaluation by a certified assessor (Levels 2 & 3)
  • Continuous Compliance: Maintain controls and pass re-assessment every 3 years

Planning ranges

Timeline and costs by level.

Planning ranges only. Actual results vary based on scope boundary, inherited controls, and assessor availability.

Level 1:

3-6 months | $15K-$50K total cost

Level 2:

6-12 months | $100K-$500K total cost

Level 3:

Typically 12-18+ months | $500K-$2M+ total cost

Next steps

Getting started.

The first step is conducting a gap assessment to understand your current security posture versus CMMC requirements. This identifies which controls you already have and what needs implementation.

Need Help with CMMC Compliance?

Pilotcore provides CMMC gap assessments, implementation guidance, and certification preparation support for defense contractors. Our CISSP-certified consultant helps teams assess readiness, prioritize controls, and prepare evidence for the assessment process.

Next step

Ready to get started?

Choose how you'd like to begin your engagement with Pilotcore.

Full engagement

Full consultation

Discuss your complete cloud and security strategy with the principal consultant. For comprehensive transformations and multi-quarter engagements.

Recommended start

Start with a pilot

Test the engagement with a focused 1-4 week scope. See real results, on a fixed timeline, before committing to anything larger.