You’re a small business providing precision parts, advanced technologies, or other services to the Department of War (DoW — formerly Department of Defense). Maybe you’ve spent decades providing these goods and services, or perhaps you’ve just secured your first contract. Either way, the reason you’re reading this is likely because at one point you’ve encountered, whether via pressure from your customer or from language in your contract, requirements for cybersecurity. More specifically, you may have been told (or read) you must adhere to one or multiple cybersecurity-related DFARS clauses, and… may even be assessed against them? Something to do with a Cybersecurity Maturity Model Certification (CMMC)? And failing to do so would result in losing your contract? It’s likely this has resulted in a significant amount of confusion or stress, which is why in this post, we provide a start-to-finish guide of what small businesses should know in their journey towards CMMC compliance. We’ll provide some background on why CMMC exists, and we’ll keep it real with what you should expect along the journey, including costs, level of effort, where to find help, pitfalls to avoid, and how to ensure you succeed.
Pre-CMMC: A World of Self-Assessments
Did you know that defense contractors have had cybersecurity requirements in their contracts for over a decade?
That’s right. Anyone saying that cybersecurity requirements are a “new” thing for defense contractors is incorrect. Without getting too deep into the lore, requirements for cyber compliance were first introduced to defense contractors in the mid-2010s via Federal Acquisition Regulation (FAR) clause 52.204-21 and Defense FAR Supplement (DFARS) clause 252.204-7012; clauses that still exist today and may very well be in your contract right now.
The DFARS clause was created as the Department of Defense (DoD) recognized that its supply chain, which we refer to as the Defense Industrial Base (DIB), was becoming increasingly targeted via cyberattacks by adversaries of the United States. These cyberattacks were (and still are), largely, carried out with the intent to steal sensitive information, especially Controlled Unclassified Information (CUI), pertaining to defense programs, so as to give our adversaries access to intellectual property that the United States sunk billions of dollars into researching and developing.
Thus came DFARS 252.204-7012 as the DoD’s attempt to mitigate the risk of CUI handled by DIB contractors being stolen through cyberattacks. Eventually, this clause was updated to require implementation of NIST SP 800-171; another item which may or may not be familiar to you. NIST, the National Institute of Standards and Technology, is a federal laboratory that falls under the Department of Commerce and creates standards surrounding science and technology, including cybersecurity. NIST, upon being instructed to develop a standard which would ensure adequate cybersecurity protection of CUI handled by federal contractors (not just defense contractors), created NIST 800-171. NIST 800-171, derived from its significantly larger parent standard, NIST SP 800-53, contains 110 cybersecurity “controls” in its second revision, spanning 14 control families. While NIST 800-171 has been updated multiple times, most recently to a third revision, the second revision remains the DoD’s current standard at the time of this writing.
When DFARS 252.204-7012 was updated to require implementation of NIST 800-171, there was no mechanism by which the DoD could “peer” into the DIB to see how it was faring in implementing NIST 800-171. This led to the creation of two additional DFARS clauses, which also still exist today and may be in your current contract:
DFARS 252.204-7019 states that defense contractors will need to perform a self-assessment of their implementation of NIST 800-171, identifying which controls they have/have not implemented. DFARS 7019 also specifies that contractors need to use the DoD Assessment Methodology when doing a self-assessment. The DoD Assessment Methodology introduced a scoring system, with all 110 NIST 800-171 controls having a corresponding score. An example of NIST 800-171 controls and their corresponding scores is shown in the image below:
If a given NIST 800-171 control was not implemented at the time of self-assessment, the corresponding score value for that control would be subtracted from 110. Some controls are worth 5 points, some 3, and others only 1 point. As you may have inferred, with 110 controls and many having score values greater than one, it is possible to have a negative self-assessment score.
Once the self-assessment is completed (what is referred to as a “Basic” assessment) and a final score is generated, this score is to be reported to the DoD via the Supplier Performance Risk System (SPRS) portal. Reported scores cannot be older than three years. Under DFARS 252.204-7019, there is no minimum “passing” score, nor is there a penalty for reporting a score less than 110. Reporting a score of 110/110 would indicate the contractor has fully met all requirements.
At the same time the DoD implemented this self-assessment model for its supply chain, it also unveiled a new Government entity which would be tasked with performing verification assessments of defense contractors’ implementation of DFARS 252.204-7012/NIST 800-171: the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), part of the Defense Contract Management Agency (DCMA). DFARS 252.204-7020 states that defense contractors must be prepared for DIBCAC assessors to perform either of the following assessment types:
- Medium – DIBCAC does an off-site review of your System Security Plan (SSP) to verify your Basic assessment score
- High – DIBCAC conducts an in-depth off- or on-site assessment of your entire cybersecurity program, utilizing the assessment objectives published in NIST SP 800-171A
As DIBCAC is a federal entity with limited resources, it cannot assess all DIB members that have the DFARS 252.204-7012, 7019, and 7020 clauses in their contracts. So, DIBCAC has been selective in who it targets for its assessments. While it remains unclear how DIBCAC comes to choose a contractor for assessment, evidence suggests that DIBCAC primarily targets companies that have reported a perfect score of 110/110 in SPRS or that manufacture critical weapons technologies, such as hypersonics.
As one can predict, DIBCAC’s assessments yielded some interesting results. Per Jacob Horne in 2023, only 15-20% of contractors that underwent a DIBCAC High assessment scored 110/110. Yet, 25% of contractors that had self-assessed reported a perfect score of 110. This, combined with the DoD continuing to see its CUI stolen from the DIB via cyberattacks, was enough for the DoD to attempt to pivot away from purely a self-assessment cybersecurity accountability model.
Enter the Cybersecurity Maturity Model Certification, or “CMMC”.
CMMC: The Accountability Rod
CMMC is an accountability mechanism for ensuring defense contractors implement cybersecurity requirements that have been around for 10+ years. NIST SP 800-171 is not new. FAR 52.204-21, mentioned briefly above, which outlines 15 “basic” cybersecurity protections for Federal Contract Information (FCI) and applies to nearly all federal contractors, likewise is not new, as it has been in contracts since 2016.
CMMC exists because the DoD needed confidence that the DIB was implementing the required cybersecurity safeguards for protecting CUI and FCI. A first iteration of CMMC (“CMMC 1.0”) was released in early 2020 (and, to be fair, reflected more of a “maturity model” — true to CMMC’s name) but was ultimately overhauled. “CMMC 2.0” was introduced in late 2021, which simplified the process by linking the CMMC “level” a DIB contractor must target to the type of information (FCI or CUI) handled by that contractor:
As you can see in the model above, CMMC did not completely do away with self-assessments. So, what exactly did it change?
The answer is that CMMC introduced third-party assessment for select contracts where CUI is handled. Which contracts are “select” is determined by the Government Program Manager or the Prime Contractor entity responsible for “flowing” the requirements down the supply chain. Where required, companies handling CUI will need to, in addition to implementing NIST 800-171, hire a CMMC Third-Party Assessment Organization (C3PAO) from the CyberAB C3PAO marketplace to perform an assessment to verify their NIST 800-171 implementation adequately protects CUI. At the time of this writing, there are about 100 C3PAOs to choose from. With tens of thousands of defense contractors handling CUI, demand for these C3PAOs’ services is quite high. Some contractors handling CUI will be exempted from hiring a C3PAO but will still need to implement NIST 800-171 and perform a self-assessment of their implementation. So, CMMC Level 2 could require either a C3PAO assessment or a self-assessment.
Contractors handling more sensitive CUI, which the DoD deems to require additional protection, will need to target CMMC Level 3. This requires everything required by CMMC Level 2, plus implementation of another standard, NIST SP 800-172. A contractor targeting CMMC Level 3 will have its implementation of NIST 800-171 assessed by a C3PAO, then its implementation of NIST 800-172 assessed by DIBCAC. It’s not impossible that a small business be told to target CMMC Level 3; it just depends on how the DoD views the mission sensitivity and criticality of the CUI handled on the contract. In fact, the DoD anticipates over a thousand small businesses will need a CMMC Level 3 certification at some point.
Contractors not handling CUI only need to target CMMC Level 1 and implement the 15 requirements in FAR 52.204-21. No third-party assessment is needed. They will perform an assessment and post an affirmation in SPRS (binary; yes/no) of continued compliance on an annual basis.
The bottom line is that the level of CMMC your small business must target depends upon the type of Federal government information you are handling (or will handle) in performance of your contract. If only FCI, Level 1. If CUI, very likely Level 2, and for select contractors, Level 3.
Because CMMC introduced binding legal obligations, it needed to go through a federal rulemaking process before it could go into contracts. The rulemaking process took multiple years to complete but officially went into effect on November 10th, 2025, kicking off a multi-year “phase-in” of CMMC. This brought about two new DFARS clauses:
- DFARS 252.204-7021
- DFARS 252.204-7025
The latter, DFARS 252.204-7025, exists to put contractors on notice that the former, DFARS 252.204-7021, will be included in their contract, and specifies which CMMC level and assessment status is required for a given contract. DFARS 7021 reiterates that expected CMMC level and details the CMMC assessment and status reporting requirements for each level. See the following language directly from the 7021 clause, which provides a list of possible CMMC statuses that may result from a CMMC self- or third-party assessment:
“(1) Final Level 1 (Self).
(2) Conditional Level 2 (Self).
(3) Final Level 2 (Self).
(4) Conditional Level 2 (C3PAO).
(5) Final Level 2 (C3PAO).
(6) Conditional Level 3 (DIBCAC).
(7) Final Level 3 (DIBCAC).”
“Final” means the contractor has met all requirements and there were no deficiencies at the conclusion of the assessment. “Conditional” means the contractor has met enough requirements to pass their assessment but still had some allowable deficiencies to correct before receiving a Final certification.
There is no “Conditional” for CMMC Level 1; all FAR 52.204-21 controls must be implemented or the contractor “fails”.
For CMMC Level 2, contractors must score at least 80% (88/110), and cannot have any 3-point controls, 5-point controls, or any of the Level 1 controls deficient at the time of assessment.
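To make the scoring described above concrete (the DoD Assessment Methodology subtraction from 110, and the Level 2 “Conditional” rule of at least 88/110 with no 3-point, 5-point, or Level 1 controls deficient), here is a small Python example. It is added for this post and is not code from the DoD, NIST, or Totem Technologies. The control identifiers follow NIST SP 800-171 Rev 2 numbering, but the point values and the Level 1 flags in the catalogue are constructed stand-ins for illustration only; take the real values from the DoD Assessment Methodology and the CMMC Level 1/Level 2 guides.

```python
"""Worked example: DoD Assessment Methodology scoring and the CMMC Level 2
Final / Conditional / Fail outcome, using the rules stated in the post.

All point values and Level 1 flags below are CONSTRUCTED sample data, not the
official DoD Assessment Methodology weights."""

from dataclasses import dataclass

MAX_SCORE = 110          # score when all 110 NIST 800-171 controls are implemented
LEVEL2_MIN_SCORE = 88    # 80% of 110, the minimum for a Conditional Level 2 status


@dataclass(frozen=True)
class Control:
    ident: str     # NIST 800-171 Rev 2 control id, e.g. "3.1.1"
    points: int    # assessment weight (1, 3 or 5); constructed here
    level1: bool   # True if it is one of the FAR 52.204-21 / CMMC L1 controls; constructed here


# Constructed sample catalogue: a slice of nine controls, not the full 110.
CATALOGUE = {c.ident: c for c in [
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, True),
    Control("3.1.20", 1, True),
    Control("3.3.1", 3, False),
    Control("3.4.1", 5, False),
    Control("3.5.3", 5, False),
    Control("3.7.2", 1, False),
    Control("3.10.3", 1, True),
    Control("3.13.11", 5, False),
]}


def sprs_score(not_implemented, catalogue=CATALOGUE):
    """Basic (self) assessment score: start at 110 and subtract the weight of
    every control that is not implemented.  With the full 110-control
    catalogue the result can go below zero, as the post notes."""
    return MAX_SCORE - sum(catalogue[ident].points for ident in not_implemented)


def deficiency_report(not_implemented, catalogue=CATALOGUE):
    """Split deficiencies into those a Conditional status could carry on a
    POA&M (1-point, non-Level-1 controls) and those that block it
    (any 3-point or 5-point control, or any Level 1 control)."""
    allowable, blocking = [], []
    for ident in not_implemented:
        control = catalogue[ident]
        if control.points != 1 or control.level1:
            blocking.append(ident)
        else:
            allowable.append(ident)
    return allowable, blocking


def level2_outcome(not_implemented, catalogue=CATALOGUE):
    """Classify a CMMC Level 2 result per the post:
    Final       -> no deficiencies at all
    Conditional -> score >= 88 and every deficiency is an allowable one
    Fail        -> anything else"""
    if not not_implemented:
        return "Final"
    score = sprs_score(not_implemented, catalogue)
    _, blocking = deficiency_report(not_implemented, catalogue)
    if score >= LEVEL2_MIN_SCORE and not blocking:
        return "Conditional"
    return "Fail"


if __name__ == "__main__":
    # Constructed scenario: two gaps found during a self-assessment.
    gaps = ["3.7.2", "3.3.1"]
    print("SPRS score:", sprs_score(gaps))
    print("allowable / blocking:", deficiency_report(gaps))
    print("Level 2 outcome:", level2_outcome(gaps))
```

The two separate checks in `level2_outcome` matter: a contractor can sit well above 88 and still fail because a single 5-point or Level 1 control is deficient, and conversely a long list of 1-point gaps can drag the score under 88 even though each gap individually would be allowable.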
Within the portion of the contract that includes DFARS 252.204-7021/7025, there should be indication by the Contracting Officer of which CMMC level and type is required for the contract:
“(1)(i) Have and maintain for the duration of the contract a current CMMC status at the following CMMC level, or higher: ____________ [Contracting Officer insert:
CMMC Level 1 (Self);
CMMC Level 2 (Self);
CMMC Level 2 (C3PAO); or
CMMC Level 3 (DIBCAC) ]
for all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit FCI or CUI;”
Without a DFARS clause to inject into contracts, CMMC lacked a means of enforcement. Now that rulemaking has completed and this exists via 252.204-7021/7025, small businesses must understand what they are to do when (not if) they encounter CMMC.
How Small Businesses Can Achieve CMMC Compliance
Now that we’ve explored the why behind CMMC, it’s time to get into the how. This section draws from our experience supporting small businesses in the DIB through CMMC. We provide extensive training on these topics, so if you want to learn more, consider engaging with us!
We’ll preface this section by sharing that CMMC is not an IT problem. CMMC is a whole-of-business problem. In addition to technology requirements, there are many requirements that tie directly to business processes and senior official authorization. Additionally, CMMC is not something you can outsource entirely to another vendor. The best way to find CMMC success is to ensure that it is a team effort, starting from the top of the organization, and that the entire organization recognizes its responsibility in protecting FCI/CUI.
The first step towards CMMC compliance is not to go buy a shiny new firewall or the latest and greatest endpoint protection software. It’s actually rather simple: to understand your business. This includes answering the following questions:
What products/services are you providing to the DoD? Are these products sold in the same form commercially or are they built per the specifications of the DoD?
What percentage of revenue is DoD work for your company? How much DoD revenue is generated annually? (Note: small businesses that sell purely Commercial Off The Shelf (COTS) products to DoD, or whose contract value falls below the current micro-purchase threshold of $15,000, need not meet FAR 52.204-21 or DFARS 252.204-7012, per the CMMC Final Rule and the aforementioned clauses).
How is the organization looking to expand in the DoD space, if at all?
What progress, if any, has already been made towards compliance with DFARS 252.204-7012 or FAR 52.204-21?
Which cybersecurity requirements are currently present or expected to be added to your contract?
Has your customer given any indication which CMMC level and type will be required for your contract?
How much can the organization reasonably budget towards CMMC compliance on an annual basis?
The second step towards CMMC compliance is to “scope” your environment. Getting this step right will set your organization up for great CMMC success in the long-term and help keep costs as low as possible.
Scoping can be a somewhat confusing process for those new to DoD cybersecurity. Essentially, this process starts with the organization pinpointing exactly which DoD information types (FCI and CUI) are handled by the organization. Again, all defense contractors handle FCI, and many handle CUI. Identifying what is/is not CUI can also be challenging; refer to our CUI identification blog for help. Also refer to NARA’s CUI Registry, specifically the Defense grouping, for the “source of truth” examples of how CUI typically appears in DoD contractor environments. We recommend being proactive in communicating with your customer about how CUI is flowed down to you (if at all) and discussing which CMMC level and assessment type (C3PAO or Self) will be applicable to your contract.
Once you determine if you handle CUI, you’ll need to better wrap your head around how that FCI and/or CUI flows throughout your environment. This includes describing how that FCI/CUI is received/generated, stored, accessed, sent externally, and destroyed. The end result of this exercise should be a list of assets — people, hardware, software, network equipment, facilities, and external service providers — that handle (store, process, or transmit) FCI/CUI. Don’t forget to include any cloud services (e.g., M365 or Google Workspace) in this exercise.
After you’ve generated your list of assets that handle FCI/CUI, you should assign each asset an asset category per the CMMC Scoping Guides referenced below, as there is some nuance to how a CMMC assessor may assess one asset type from another (at least for CMMC Level 2 — purely Level 1 assets will not be assessed by a third party). Asset categories for FCI are found in the CMMC Level 1 Scoping Guide, while asset categories for CUI are in the CMMC Level 2 Scoping Guide. Refer to our Scoping blog for clarity on the asset categories and take note of the “OSA Requirements” and “CMMC Assessment Requirements” columns in the Level 2 guide.
At the end of this effort, the organization will need to ask itself if it can afford to maintain the current scope over time. Are there opportunities to limit the scope, e.g., reduce the number of users or the cloud services handling FCI/CUI? Does the organization want to permit FCI/CUI across the enterprise, or is it more operationally feasible to build out (or leverage) an enclave?
Once you’ve determined your scope, you can move on to an initial self-assessment to determine the cybersecurity gaps that need to be filled.
If you have the DFARS 252.204-7019 clause in your contract and have yet to perform a self-assessment of your NIST 800-171 implementation and report through SPRS, it’s time to do so. This will give you a “snapshot” of your current state before you get into implementation. Our CMMC Planning Tool provides you with an easy-to-use Questionnaire to generate a quick self-assessment, and you can kick off a free trial today.
Many have asked us why DFARS 252.204-7012, 7019 and 7020 are included in contracts where no CUI is handled, since NIST 800-171 is the standard for protecting CUI. The answer is that Contracting Officers were directed to include these clauses in all contracts and solicitations. We’ve had clients successfully request (in writing) that DFARS 252.204-7012 be removed from the contract as no CUI was present, but less success with removal of 7019 or 7020. Typically, this means even if you don’t handle CUI, you might still need to perform a self-assessment against NIST 800-171 and report through SPRS. It’s unclear right now when DoD will rescind the 7019 and 7020 clauses, which unfortunately will continue to result in a lot of confusion.
For those only handling FCI, if you’re going to self-assess against NIST 800-171 anyway, be sure to really focus on the 15 “basic” cybersecurity requirements in FAR 52.204-21. These are all included verbatim in NIST 800-171 (with one requirement being extrapolated out into three, for a total of 17 controls). Again, our CMMC Planning Tool clearly lays out these controls and makes the self-assessment process easy.
Note that it’s very common for contractors to perform their self-assessment and, realizing the level of effort to remediate their compliance gaps, go back to Step 2 and re-define their scope. So, progression of these steps isn’t always linear.
Now that you’ve settled on a scope and completed your self-assessment against either FAR 52.204-21 (for CMMC Level 1) or NIST 800-171 (for CMMC Level 2), it’s likely you found quite a few deficiencies along the way. This is very common for small businesses just beginning their compliance journey. It’s now time to move into the Implementation phase, where you put in place the policies, procedures, and technologies to meet the requirements, and you document how you’ve done so, keeping an eye towards CMMC.
It is vital to ensure that you are using the NIST 800-171A standard when you begin implementation. While NIST 800-171 lists the 110 controls required for protection of CUI, the 800-171A companion document outlines a total of 320 “assessment objectives” — the items that must be individually addressed and a CMMC assessor will expect to see rationale and evidence for. It is not sufficient to just implement NIST 800-171 without following 800-171A. For those targeting CMMC Level 1, because the FAR 52.204-21 requirements are found in NIST 800-171, they also each have their own assessment objectives that you should use.
There are myriad ways to approach implementing the requirements. It’s a lot, maybe even overwhelming for some businesses. You could try to do it all yourself, or you could bring on a third-party to help. The latter is much more common for small businesses, particularly for those targeting Level 2. As you may have already discovered, there are many vendors in the CMMC space pitching their wares. Be careful when you encounter vendors making guarantees of certain outcomes (e.g., “Use our services and you’ll pass in 30 days!”). We understand that CMMC brings tight deadlines and a lot of stress, and hearing these guarantees can feel like weight is lifted from your shoulders. But as we stated earlier, no vendor can “do CMMC for you”; it is your organization that attests to cybersecurity compliance subject to the False Claims Act (FCA), and therefore your organization alone bears ownership of its CMMC compliance program. Therefore, we recommend you tread carefully when evaluating vendors.
Shared responsibility is a crucial (and helpful) concept when it comes to evaluating external service providers (ESP) to help with CMMC. Because the CMMC requirements are clearly listed, before you talk to any vendors, you need to pinpoint which requirements you need help with. Then, when you reach out to vendors, ask them for their Shared Responsibility Matrix (SRM), which (should) detail which NIST 800-171A assessment objectives their product/service helps fully/partially satisfy. You can then have the ESP map their services to your needs in their proposal. Another word of caution: you should quickly rule out a vendor claiming to help with CMMC implementation that does not have an SRM (or that doesn’t know what one is). A lack of an SRM could yield unmet or unclear expectations and large roadblocks during your assessment. So, again, choose your service providers carefully. Totem Technologies can introduce you to a few trusted MSP/MSSP partners if you’d like.
While not required for compliance, it is really helpful to leverage a resource for building and organizing your CMMC System Security Plan (SSP), Plan of Action & Milestones (POA&M), and sources of evidence, and keeping it all in one place. CMMC assessors certainly appreciate less rummaging around for the answers to their questions. Our CMMC Planning Tool gives you this single repository.
Once you’ve implemented your cybersecurity program plans and have adequately secured your CUI, a C3PAO CMMC Level 2 assessment may be on your radar. For contractors pursuing CMMC Level 2, there are several items you’ll want to ensure you have in place before you reach out to schedule a C3PAO assessment. Refer to our CMMC Readiness blog and ensure you meet all the criteria therein before you undergo your assessment.
Now that you’ve met all CMMC Readiness criteria, assuming you are pursuing a CMMC Level 2 assessment with a C3PAO, it’s time to get this scheduled and completed. If you are only self-assessing at either Level 1 or Level 2, you’ll need to go into SPRS and report this.
The time and cost of a C3PAO assessment depend greatly upon the scope of your system, as they are assessing the scope you give them. Be sure to get quotes from multiple C3PAOs before making a decision. Totem Technologies can introduce you to a few C3PAOs if you’d like.
Cybersecurity, and in particular cybersecurity certification, is not “one-and-done”. You will need to continue to adequately protect the information, knowing that your system and the threat environment are inherently dynamic. You’ll also need to continue to gather evidence of program efficacy for your follow-on assessments.
Therefore, once you have your certification in hand, you move into the “continuous monitoring” phase, where you maintain the organization’s cybersecurity program that you’ve worked hard to build. In this phase you’ll periodically execute routine maintenance tasks and self-attest to continued compliance annually. Refer to our Continuous Monitoring blog for more information on what must happen after a successful assessment.
CMMC Costs and Level of Effort for Small Businesses
At last, we arrive at the most frequently asked question about CMMC: how much does all this cost?
Of course, since CMMC is simply the verification of requirements (FAR 52.204-21 and DFARS 252.204-7012) that have been around for many years, true CMMC costs would refer just to the cost of an assessment, or the time spent reporting results in SPRS, not the cost of implementation. However, for the sake of clarity, here we group the costs of implementation (e.g., implementing and documenting FAR 52.204-21, NIST 800-171, NIST 800-172) and the cost of assessment, all under the umbrella of “CMMC”.
The answer for how much CMMC costs is directly tied to:
- Which CMMC level you are targeting
- Whether you are self-assessing or hiring a C3PAO
- The scope of your environment
- How much you are outsourcing to ESPs
- Other paid tools in use to support the cybersecurity program
For CMMC Level 1 and protection of FCI, with 17 controls and 59 assessment objectives to implement and document, a typical small business can expect to pay somewhere between $10,000 and $20,000 per year and take around two months to complete starting from scratch.
For CMMC Level 2 and protection of CUI, with 110 controls and 320 assessment objectives to implement and document, a typical small business can expect to pay somewhere in the low $100,000s or more and take between 6 and 12 months to complete starting from scratch. These costs also include all the costs within CMMC Level 1 and hiring a C3PAO every three years (with the C3PAO cost amortized across the three years).
For CMMC Level 3 and protection of more sensitive CUI, a typical small business can expect to pay $500,000+ annually and take between 1-2 years to complete starting from scratch. These costs include all the costs within CMMC Level 1 and 2.
While these numbers may be daunting, the reality is that small businesses can greatly reduce both cost and time by reducing their system scope. Reducing the number of assets (people, hardware, software, facilities, ESPs) will in turn reduce your burden of securing those assets. This will trickle down and reduce assessment costs as well, as there will be fewer assets for a C3PAO to assess.
For small entities that can limit their scope down to a couple users, Totem Technologies offers a Single PC CUI Enclave, where we build the system for you, ship it to you, help you set it up, and provide a custom SSP & POA&M to support remaining gaps. Adopting such an approach can drastically reduce CMMC costs.
Wrapping Up
Whether you are new to the DIB and CMMC, or you’ve been preparing for CMMC for several years, if you’re a small business, you will face unique challenges. We created this blog to help ensure you know what the DoD expects of your organization for CMMC, and to ensure you are equipped with the right information and resources to succeed. Even on the small business budget, compliance is not impossible, but it will require careful planning.
If you’re a small business looking for help with CMMC, drop us a line, attend a hands-on CMMC Level 1 Workshop, or consider taking advantage of all the templates, training, and resources in our CMMC Planning Tool. Or, if you’re looking for more help, consider our Single PC CUI Enclave or engaging us for a gap assessment, where we’ll help you build a cybersecurity program in your unique environment.
Thanks for reading!
-Nathan