What Is CMMC Level 2 — and What Does It Actually Take to Get Certified?

CMMC Level 2 applies to every defense contractor handling Controlled Unclassified Information — and achieving certification requires meeting 110 specific security controls, verified by an independent third-party assessor. Here's what the process actually looks like, how long it takes, and what it costs.

Published by Three Fours


If you’re a defense contractor, you’ve probably been hearing about CMMC for years. Maybe you’ve attended a briefing, received a communication from a prime contractor, or seen it mentioned in a contract modification. You know it’s coming. You know it matters. But if you’re honest, you’re still not entirely sure what it actually requires — or what it’s going to take to get there.

You’re not alone. Most companies in the Defense Industrial Base are in exactly the same position.

This post is meant to answer the question plainly: what is CMMC Level 2, and what does it actually take to get certified?


What CMMC Is — and Why It Exists

CMMC stands for Cybersecurity Maturity Model Certification. It’s a framework developed by the U.S. Department of Defense to verify that defense contractors are protecting sensitive government information — specifically Controlled Unclassified Information, or CUI — with a defined set of cybersecurity controls.

The DoD created CMMC because self-attestation wasn’t working. For years, defense contractors were required to certify their own compliance with NIST SP 800-171, the underlying cybersecurity standard for CUI handling. The problem was that many companies were checking the box without actually implementing the controls. Adversaries — particularly nation-state actors — were exploiting those gaps.

CMMC changes the model from self-attestation to third-party verification. You can no longer simply declare that you’re compliant. A certified independent assessor has to verify it.


The Three Levels

CMMC has three certification levels, each building on the last:

Level 1 — Foundational. The 15 basic safeguarding requirements of FAR 52.204-21. Annual self-assessment with a senior-official affirmation. Applies to companies that handle Federal Contract Information (FCI) but not CUI.

Level 2 — Advanced. The 110 security requirements of NIST SP 800-171 (Revision 2, the version the CMMC program currently assesses against). For most contracts involving CUI, a third-party assessment every three years is required; a smaller set of contracts allow a Level 2 self-assessment instead. Applies to companies that handle CUI, and it is the level that affects the majority of the Defense Industrial Base.

Level 3 — Expert. The 110 Level 2 requirements plus 24 selected from NIST SP 800-172. Government-led assessment, performed after a Level 2 certification is already in hand. Applies to the most critical defense programs handling the most sensitive information.

For most defense subcontractors, Level 2 is the target — and the focus of this post.


What CUI Actually Is

Before going further, it’s worth clarifying what Controlled Unclassified Information means, because there’s significant confusion around it.

CUI is not classified information. It doesn’t require a security clearance to access. But it is sensitive — it’s information the government has determined requires safeguarding or dissemination controls under law, regulation, or government-wide policy.

In a defense contracting context, CUI typically includes things like:

  • Technical data related to defense systems or weapons
  • Export-controlled information (ITAR, EAR)
  • Procurement-sensitive information
  • Personally identifiable information (PII) in certain government contexts
  • Critical infrastructure information

If your contracts require you to receive, create, or handle any of this, you are in scope for CMMC Level 2. The CMMC and DFARS clauses in the contract, not the data type alone, determine which level a given award requires, so read the solicitation rather than assuming.


The 110 Controls

CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 domains (the standard itself calls them requirement families):

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Each domain contains multiple specific requirements. Some are straightforward. Others require significant technical infrastructure to implement. Taken together, they represent a comprehensive cybersecurity program — not a checklist you can complete in an afternoon.

Here’s something most people don’t realize: you don’t have to build all 110 controls yourself. Many of them can be met — or substantially supported — by your technology environment and your managed service provider. At Three Fours, our platform natively addresses 72 of the 110 controls. The remaining 38 require a combination of client-side practices, policy documentation, and third-party services to complete.

This is why selecting the right MSP is so consequential. Your MSP’s capabilities directly determine how many of those 110 controls you already have covered before you do anything else. One caveat: inheriting a control from a provider does not transfer responsibility for it. Your System Security Plan still has to state how each requirement is met, the assessor will still ask for evidence, and the certification is issued to you, not to the provider.


The Assessment Process

To achieve CMMC Level 2 certification, your organization must be assessed by a C3PAO — a CMMC Third-Party Assessment Organization. These are independent organizations that have been accredited by the CMMC Accreditation Body (Cyber AB) to conduct CMMC assessments.

The assessment is not a documentation review. It’s a technical evaluation. Assessors will verify that controls are actually implemented and functioning — not just that you have a policy that says they should be.

The process typically includes:

Documentation review — Your System Security Plan (SSP), policies, procedures, and evidence of control implementation are reviewed prior to the on-site assessment.

On-site or remote technical assessment — Assessors interview personnel, observe system configurations, and test controls to verify implementation.

Findings and POA&M — If any controls are not fully implemented, a Plan of Action and Milestones (POA&M) documents the gaps and the timeline for remediation. The CMMC rule limits this: a POA&M is only allowed if you still score at least 88 of 110 points, it generally cannot cover the highest-weighted requirements, and every open item must be closed and verified within 180 days. Until then you hold a conditional status, and if the items are not closed in time that status lapses rather than converting to a certification.

Certification decision — The C3PAO records the assessment results in the DoD’s CMMC eMASS system, and the resulting status (final, or conditional while a POA&M is open) is reflected in SPRS, the Supplier Performance Risk System that contracting officers check. The Cyber AB accredits the assessors; it does not itself issue the certificate.


How Long Does It Take?

This is the question everyone asks — and the honest answer is: longer than most people expect.

The industry average for achieving CMMC Level 2 certification from a standing start is 18 to 24 months. That timeline reflects the reality of building or remediating a compliant environment, developing the required documentation, implementing the technical controls, and preparing for a rigorous third-party assessment.

With an integrated platform and the right preparation approach, that timeline can be compressed significantly. Three Fours is built to deliver operational readiness in 6 to 9 months and a path to certification in 12 to 14 months, well ahead of the industry average.

The variables that most affect timeline are:

  • The current state of your IT environment
  • Whether your MSP or other external service provider is already assessed (a provider that handles CUI on your behalf needs its own Level 2 certification; one that only delivers security services without touching CUI is assessed as part of your scope)
  • How quickly policy documentation and evidence can be assembled
  • The availability of a C3PAO for assessment scheduling

What Does It Cost?

Cost varies significantly based on the size of the organization, the complexity of the environment, and the current gap between where you are and where you need to be.

Industry estimates for a company of 50 to 250 employees typically range from $250,000 to $500,000 for the full journey — including MSP costs, assessment fees, tooling, and internal labor. Ongoing annual maintenance costs typically run $100,000 to $200,000 or more depending on the scope of managed services.

These are real numbers. The companies that get into trouble are the ones who underestimate the investment and try to do it on the cheap — only to face a failed assessment or a rushed remediation effort under deadline pressure.

The companies that succeed treat CMMC certification as a capital investment in their ability to hold and grow defense contracts — which is exactly what it is.


The Timeline You Need to Know

CMMC requirements began phasing into defense contracts on November 10, 2025, when the acquisition rule took effect and Phase 1 started. The phases roll out one year apart: Level 2 C3PAO assessments become a requirement in applicable solicitations with Phase 2 on November 10, 2026, and full implementation across all applicable DoD contracts arrives with Phase 4 on November 10, 2028.

Those dates are real. Once an applicable solicitation is issued under Phase 2 or later, the required CMMC status is a condition of award. Companies that aren’t certified won’t be eligible — regardless of their past performance, their relationships, or their technical capabilities.

Given the 12 to 14 month timeline for certification, companies that haven’t started the process yet are already approaching the point where the margin for error is thin.


Where to Start

If you’re just beginning to think about CMMC Level 2, the right first step is a gap assessment — an honest evaluation of where your current environment stands against the 110 required controls.

A gap assessment will tell you:

  • Which controls you already meet
  • Which controls require remediation
  • Which controls require new infrastructure or tooling
  • What your realistic timeline and cost look like

Done well, a gap assessment becomes the foundation of your System Security Plan and your POA&M — two documents that will be central to your C3PAO assessment.

The important thing is to do it with partners who are truly qualified. Your C3PAO must be independent of whoever helped you prepare; the same organization cannot consult on your environment and then assess it. If your MSP handles CUI on your behalf, it needs its own Level 2 certification; if it only provides security services, it is assessed inside your scope, so it still has to be ready. Your vCISO or advisor should have deep CMMC experience. When those roles are clearly separated and properly staffed, the journey becomes navigable.


A Final Word

CMMC Level 2 is not a bureaucratic hurdle. It’s a meaningful cybersecurity standard designed to protect sensitive information that adversaries are actively trying to steal. The companies that approach it that way — as a genuine improvement to their security posture, not just a compliance checkbox — tend to move through the process more smoothly and come out the other side with a stronger organization.

The compliance journey is complex. But it’s a mapped path. And with the right team, it’s entirely achievable.


Three Fours is built specifically to support defense contractors on the journey to CMMC Level 2. Our platform natively addresses 72 of the 110 required controls — among the highest coverage available through a single integrated environment.
