HD Tech - SecurITy Delivered

What Is CMMC Compliance? A Complete Guide for Defense Contractors (2026)

By Tom Hermstad · HD Tech

What is CMMC compliance and who needs it?

CMMC — Cybersecurity Maturity Model Certification — is a U.S. Department of Defense framework that requires defense contractors to verify their cybersecurity practices before bidding on or retaining DoD contracts. Any company in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet CMMC requirements. That includes approximately 300,000 companies across the supply chain — primes, subcontractors, and suppliers alike. The CMMC 2.0 program rule was published October 15, 2024 and took effect December 16, 2024, and the companion acquisition rule (48 CFR / DFARS) took effect November 10, 2025 — the date DoD began inserting CMMC clauses into new solicitations.

What are the three CMMC 2.0 levels?

CMMC 2.0 has three levels. Level 1 (Foundational) requires 17 basic security practices and allows annual self-assessment — it applies to companies handling only FCI. Level 2 (Advanced) requires all 110 controls from NIST SP 800-171 and applies to most defense contractors handling CUI — critical programs require a third-party C3PAO assessment. Level 3 (Expert) adds 24 controls from NIST SP 800-172 on top of the 110 from NIST SP 800-171 — 134 practices in total — and involves a government-led assessment by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center, which operates under DCMA) for the highest-priority programs.

What happens if a defense contractor is not CMMC compliant?

Non-compliance means you cannot be awarded or retain DoD contracts — full stop. Contracts now include CMMC requirements as a go/no-go condition, not a factor weighed against price or past performance. Additionally, contractors must post a self-assessment score in the Supplier Performance Risk System (SPRS). A missing or inaccurate score raises flags with contracting officers today, before formal certification is required. Misrepresenting compliance status can also trigger False Claims Act liability.

CMMC 2.0: The Three Levels Side by Side

Understanding which level applies to your business is the first step. The level is determined by the type of information you handle — not your company size.

Level 1 — Foundational (17 practices)

Applies to companies handling FCI only — basic contract data that is not publicly releasable but is not sensitive CUI. Self-assessment with annual senior official affirmation. Examples: basic administrative contractors, COTS-adjacent suppliers who handle contract paperwork.

Level 2 — Advanced (110 practices)

Applies to the vast majority of defense contractors — anyone handling CUI. This covers technical specifications, engineering drawings, export-controlled data, and program-sensitive information. For critical programs: triennial C3PAO third-party assessment required. For non-critical programs: annual self-assessment with affirmation accepted.

Level 3 — Expert (110 + 24 = 134 practices)

Applies to the highest-risk DoD programs — advanced weapons systems, classified-adjacent work. Requires a government-led assessment by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center, under DCMA) — not DCSA. Affects a small subset of the overall DIB. If you are on a Level 3 program, you already know it.

The 110 NIST SP 800-171 Controls: Key Practice Domains

Level 2 requires implementing all 110 practices across 14 domains. The six that generate the most gaps in assessments:

Access Control (22 practices). Who can access what, and under what conditions. Includes user permissions, remote access, and separation of duties. This is the most common gap domain — especially for companies that have never done a formal permissions audit.

Identification and Authentication (11 practices). Multi-factor authentication, password management, identity verification. MFA alone eliminates a massive category of breach risk. Non-negotiable.

Configuration Management (9 practices). Baseline configurations for all systems, change tracking, software installation restrictions. If users can install anything on their machines, this domain will be a problem.

System and Communications Protection (16 practices). Encryption in transit and at rest, network segmentation, boundary protection. This is where Microsoft GCC High requirements for CUI in cloud environments become critical.

Audit and Accountability (9 practices). Activity logging, log protection, and review schedule. Assessors want to see that logs are actually capturing events and someone is actively reviewing them.

Incident Response (3 practices). Documented, tested response plan for security incidents. Fewer practices, but assessors want evidence of real drills — not a plan that lives in a drawer.

CMMC 2.0 Timeline and What Is Required Now

The CMMC 2.0 program rule (32 CFR Part 170) was published October 15, 2024 and took effect December 16, 2024. The companion acquisition rule (48 CFR amendment to the DFARS) was published September 10, 2025 and took effect November 10, 2025 — the date DoD began inserting CMMC clauses into new solicitations. DoD is phasing enforcement in over three years across four phases:

Phase 1 — began November 10, 2025. CMMC Level 1 self-assessments and Level 2 (Self) self-assessments are a condition of contract award in applicable new DoD solicitations. SPRS scores are required and actively reviewed by contracting officers.

Phase 2 — begins approximately one year after Phase 1 (late 2026). Third-party C3PAO certification assessments required for Level 2 (certification) contracts at scale. C3PAO slots are limited — contractors without an assessment already scheduled risk losing bids.

Phase 3 — begins approximately two years after Phase 1 (late 2027). Level 3 DIBCAC assessments required for the highest-risk programs.

Phase 4 — begins approximately three years after Phase 1 (late 2028). Full enforcement — CMMC requirements included in all applicable DoD solicitations and contracts, including option periods on existing contracts.

If you are waiting until a contract forces CMMC compliance to start preparing, you are already behind. C3PAO assessment slots are limited, remediation takes months, and gaps found during assessment can delay or kill contract awards.

How Much Does CMMC Compliance Cost?

Costs vary by company size, starting posture, and certification level required. Realistic ranges for Southern California defense contractors:

Level 1 (self-assessment): $5,000–$20,000. Gap assessment, control documentation, self-attestation support.

Level 2 (self-assessment path): $15,000–$60,000. Full 110-control gap assessment, remediation, System Security Plan development, and annual affirmation support.

Level 2 (C3PAO assessment required): $50,000–$150,000+. Add C3PAO assessment fees ($20,000–$50,000+ depending on scope) plus remediation of any findings and retesting costs.

Ongoing compliance: $10,000–$30,000/year in managed services and monitoring to maintain certification status.

One cost that surprises contractors: Microsoft GCC High. If your team uses Microsoft 365 to collaborate on anything CUI-related, commercial M365 is not authorized. DoD requires GCC High — a separate government-certified cloud — for CUI. Migration adds cost but it is a compliance requirement, not optional.

Frame it this way: a $5M/year defense contractor who loses their contracts because they cannot certify has lost $5M in annual revenue. A $50,000–$100,000 compliance investment is straightforward ROI protection.

Why HD Tech for CMMC Compliance

HD Tech has supported defense contractors in Orange County and across Southern California for over 30 years. We have built a clear five-step process to get clients from gap assessment to certification-ready without disrupting operations.

Our process: gap assessment against all 110 NIST 800-171 controls → prioritized remediation roadmap → technical implementation (MFA, EDR, encryption, GCC High migration) → SSP and POA&M documentation → pre-assessment audit and C3PAO support. We stay engaged after certification to maintain your controls and prepare for re-assessments on schedule.

Frequently Asked Questions

Do subcontractors need to meet CMMC requirements too?

Yes, if they handle CUI or FCI. CMMC requirements flow down through the supply chain. If a prime contractor passes CUI to a subcontractor, that subcontractor must meet the same CMMC level required by the prime's contract. This is one of the most common compliance gaps — subcontractors assuming the prime's certification covers them. It does not.

What is a C3PAO?

A C3PAO — Certified Third-Party Assessment Organization — is authorized by the CMMC Accreditation Body (Cyber AB) to conduct formal Level 2 assessments. Only C3PAOs can issue the certification required for critical Level 2 programs. Find authorized C3PAOs at the Cyber AB Marketplace (cyberab.org). HD Tech partners with authorized C3PAOs to support clients through the assessment process.

Can we use commercial Microsoft 365 for CUI?

No. Standard commercial Microsoft 365 does not meet the data sovereignty and access control requirements for CUI. The DoD requires that CUI stored or processed in Microsoft cloud environments reside in GCC High — a separate cloud instance with U.S.-citizen-only staffing and physical separation from commercial infrastructure. Using commercial M365 for CUI is a compliance violation that will surface in any CMMC assessment.

What is SPRS and why does it matter now?

SPRS — Supplier Performance Risk System — is where defense contractors must post their NIST SP 800-171 self-assessment scores today, before formal CMMC certification is required. Contracting officers already review SPRS scores when evaluating bids. A missing score or a very low score (scores range from -203 to +110) raises immediate flags. Getting an accurate, documented SPRS score posted is a priority action right now, regardless of where you are in the formal CMMC certification timeline.

How long does CMMC compliance take?

Level 1 self-assessment with decent existing controls: 4–8 weeks. Level 2 with a C3PAO assessment: 6–18 months from initial gap assessment through certification, depending on how much remediation is needed. Companies migrating to GCC High add time. C3PAO slots also have lead times — scheduling early matters. The sooner you start, the more flexibility you have before a contract deadline forces your hand.

Start Your CMMC Compliance Journey

The CMMC final rule is in effect. DoD contracts are including certification requirements now. If you are a defense contractor in Southern California and have not started your CMMC preparation, the right time is today. Call HD Tech at 877-540-1684 or schedule a free CMMC readiness review to find out where you stand.

Areas Served

HD Tech is headquartered in Seal Beach, Orange County, California, supporting defense contractors across Anaheim, Irvine, Long Beach, Torrance, El Segundo, and throughout the greater Los Angeles and Orange County region, with CMMC compliance services available to defense contractors nationwide.

Tags: CMMC compliance, CMMC 2.0, defense contractor cybersecurity, NIST 800-171, CUI, C3PAO

Tom Hermstad

President & CMO, HD Tech

Tom Hermstad has led HD Tech since 1995, building one of Southern California's most trusted managed IT and cybersecurity firms. He specializes in helping Orange County businesses eliminate IT headaches and stay ahead of evolving cyber threats — in plain English.
