What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a unified cybersecurity standard mandated by the U.S. Department of Defense for all contractors and subcontractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

Quick Answer

CMMC consolidates various cybersecurity standards into a single framework with three levels of certification. It introduces external verification requirements for many contracts, with level-specific assessment methods.

Who Needs CMMC?

Organizations handling covered DoD information typically need the level specified in contract requirements. This can include:

  • Prime contractors working directly with DoD
  • Subcontractors at any tier in the supply chain
  • Suppliers providing products or services containing CUI
  • Software vendors and cloud service providers to DoD contractors

The Three CMMC Levels

Level 1: Foundational

17 basic cybersecurity practices for protecting Federal Contract Information (FCI). Allows annual self-assessment. Required for contracts involving FCI only.

Level 2: Advanced

110 practices aligned with NIST SP 800-171 for protecting Controlled Unclassified Information (CUI). Requires third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization). Most common level for DoD contractors.

Level 3: Expert

Additional safeguards beyond Level 2 for higher-sensitivity DoD programs, as defined by applicable program requirements. Assessed by government personnel.

Key Requirements

  • Scope Definition: Clearly define your CMMC Assessment Scope boundary
  • Security Controls: Implement required practices for your level
  • Documentation: Maintain evidence of control implementation
  • Third-Party Assessment: Pass evaluation by certified assessor (Levels 2 & 3)
  • Continuous Compliance: Maintain controls and pass re-assessment every 3 years

Timeline & Costs

Planning ranges only. Actual results vary based on scope boundary, inherited controls, and assessor availability.

  • Level 1: 3-6 months | $15K-$50K total cost
  • Level 2: 6-12 months | $100K-$500K total cost
  • Level 3: Typically 12-18+ months | $500K-$2M+ total cost

Getting Started

The first step is conducting a gap assessment to understand your current security posture versus CMMC requirements. This identifies which controls you already have and what needs implementation.

Need Help with CMMC Compliance?

Pilotcore provides CMMC gap assessments, implementation guidance, and certification preparation support for defense contractors. Our CISSP-certified consultant helps teams assess readiness, prioritize controls, and prepare evidence for the assessment process.
