US defense · Last verified 2026-05-13

CMMC

Bottom line

CMMC is a certification mandated by the DoD for contractors handling FCI or CUI. Level 1 is self-assessed, Level 2 requires a C3PAO third-party assessment, and Level 3 requires a government-led DIBCAC assessment. Costs run $5K–$500K+ over 1–18 months.

Cost & timeline $5K–$500K+ / 1–18 months

One of 10 compliance framework explainers we maintain.

Key facts

Controls
Level 1: 17 practices (FAR 52.204-21). Level 2: 110 practices (NIST SP 800-171 Rev 2). Level 3: 110 plus 24 enhanced from NIST SP 800-172.
Recertification cycle
3-year certification (Level 2 C3PAO; Level 3 DIBCAC)
Ongoing oversight
Annual self-affirmation in the Supplier Performance Risk System (SPRS)
Common gap categories
Access control (AC); Configuration management (CM); System and communications protection (SC); Audit and accountability (AU); Incident response (IR); Media protection (MP)
Related standards
NIST SP 800-171; NIST SP 800-172; DFARS 252.204-7012; FedRAMP; FISMA

What is CMMC?

The Cybersecurity Maturity Model Certification 2.0 (US Department of Defense, codified in 32 CFR Part 170, final rule effective December 16, 2024) is a mandatory framework for DoD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), with three levels aligned to NIST SP 800-171 and SP 800-172.

Is CMMC a certification or an attestation?

CMMC issues a certification with a Certificate of CMMC Status. Level 1 is self-assessed (annual affirmation in SPRS). Level 2 requires a C3PAO-led third-party assessment (valid 3 years). Level 3 requires a government-led DIBCAC assessment on top of Level 2.

Who needs CMMC?

CMMC is mandatory for any company in the US Defense Industrial Base (DIB) bidding on DoD contracts that involve CUI. Phase 1 (self-assessments) began in early 2025; Phase 2 (C3PAO requirements written into contracts) begins November 2026.

What does CMMC cost and how long does it take?

Range

$5K–$500K+ / 1–18 months

Level 1 (self): $5K–$30K over 1–3 months. Level 2 (C3PAO): $100K–$500K total over 6–18 months (the assessment fee itself is $35K–$75K; the rest is remediation, tooling, documentation). Level 3 (DIBCAC): $200K+ / 18+ months.

Source: 32 CFR Part 170: CMMC final rule (Federal Register)

One thing to watch

Phase 2 contract requirements only hit solicitations from late 2026 onward. Buyer urgency messaging should reflect this timeline rather than imply CMMC is universally enforced today.