
US defense

CMMC

Bottom line

CMMC is a certification mandated by the DoD for contractors handling FCI or CUI. Level 1 is self-assessed; Level 2 requires a C3PAO third-party assessment; Level 3 requires a government-led DIBCAC assessment. Costs run $5K–$500K+ over 1–18 months.

Cost and timeline: $5K–$500K+ / 1–18 months

Key facts

Controls: Level 1: 17 practices (FAR 52.204-21). Level 2: 110 practices (NIST SP 800-171 Rev 2). Level 3: 110 plus 24 enhanced from NIST SP 800-172.
Recertification cycle: 3-year certification (Level 2 C3PAO; Level 3 DIBCAC)
Ongoing oversight: Annual self-affirmation in the Supplier Performance Risk System (SPRS)
Common gap categories: Access control (AC); Configuration management (CM); System and communications protection (SC); Audit and accountability (AU); Incident response (IR); Media protection (MP)
Related standards: NIST SP 800-171; NIST SP 800-172; DFARS 252.204-7012; FedRAMP; FISMA

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a mandatory US Department of Defense certification for contractors in the Defense Industrial Base that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It has three levels: Level 1 is self-assessed annually, Level 2 requires a third-party assessment by a DoD-authorized C3PAO firm, and Level 3 requires a government-led DIBCAC assessment. The final rule (32 CFR Part 170) took effect December 16, 2024.

Is CMMC a certification or an attestation?

CMMC issues a certification with a Certificate of CMMC Status. Level 1 is self-assessed (annual affirmation in SPRS). Level 2 requires a C3PAO-led third-party assessment (valid 3 years). Level 3 requires a government-led DIBCAC assessment on top of Level 2.

Who needs CMMC?

Mandatory for any company in the US Defense Industrial Base (DIB) bidding on DoD contracts that involve CUI. Phase 1 (self-assessments) began in early 2025; Phase 2 (C3PAO requirements written into contracts) begins November 2026.

What does CMMC cost and how long does it take?

Range: $5K–$500K+ / 1–18 months

Level 1 (self): $5K–$30K over 1–3 months. Level 2 (C3PAO): $100K–$500K total over 6–18 months (the assessment fee itself is $35K–$75K; the rest is remediation, tooling, documentation). Level 3 (DIBCAC): $200K+ / 18+ months.

One thing to watch

Phase 2 contract requirements only hit solicitations from late 2026 onward. Buyer urgency messaging should reflect this timeline rather than imply CMMC is universally enforced today.
