N2CON TECHNOLOGY

CMMC: A Practical Guide

CMMC (Cybersecurity Maturity Model Certification) impacts how defense contractors protect CUI. The fastest way to get traction is to treat it as governance + scope + implementation + evidence—then work the plan.

Note: This is general information and not legal advice.

Last reviewed: February 2026
Executive Summary

What it is
A DoD cybersecurity requirement framework tied closely to NIST 800-171 controls for protecting Controlled Unclassified Information (CUI).
Why it matters
  • It can determine contract eligibility.
  • It drives operational requirements (access, devices, logging, retention, evidence).
  • It impacts vendors and subcontractors, not just primes.
When you need it
  • You handle CUI or work in the Defense Industrial Base (DIB).
  • A prime, contracting officer, or customer is asking for 800-171 alignment, evidence, or an SPRS score.
What good looks like
  • Scope is defined (where CUI lives, who touches it).
  • Controls are implemented in a supportable way (not checkbox theater).
  • Evidence is organized and stays current as systems change.
How N2CON helps
  • We build a roadmap and help implement controls aligned to your environment.
  • We help connect operations (MSP/MSSP) to compliance evidence needs.

Timeline and urgency: CMMC 2.0 is now in force

The CMMC 2.0 final rule was published in October 2024 and took effect in December 2024. The procurement rule (48 CFR) becomes effective November 10, 2025. This means CMMC requirements will appear in new DoD contracts starting in late 2025, with a phased rollout through 2028.

What this means practically: If you handle CUI on DoD contracts, you need a readiness plan now. Organizations that wait until contract clauses appear often discover gaps that take 12-18 months to close.

Cost reality: budget accordingly or risk failure

Research from defense compliance consultants shows 78% of organizations spend between $138,000–$285,000 for their first CMMC assessment cycle. Assessment fees alone range from $35,000–$55,000 depending on scope and assessor.

Yet 70% of contractors budget less than $100,000. This gap explains why so many organizations fail initial assessments or need multiple rounds. The cost breakdown typically includes:

  • Assessment: $35K–$55K (C3PAO fees)
  • Consulting/Gap remediation: $60K–$150K
  • Technology/infrastructure: $25K–$80K (varies widely by starting state)

Small businesses with simple environments may land at the lower end. Organizations with complex infrastructure, multiple locations, or heavy CUI volume should plan for the upper range.

The readiness crisis: only 1% are audit-ready

A 2025 readiness study found that only 1% of defense contractors are fully prepared for CMMC audits. More striking: 62% lack critical governance controls entirely.

This is not a capability problem—it is a preparation problem. Organizations that start early, treat compliance as operations, and build evidence incrementally have dramatically higher success rates.

The competitive angle: If you are ready when CMMC clauses appear in your contracts, you have an advantage over the 99% who are scrambling. If you are not ready, you may face contract delays or eligibility questions.

Top failed controls: what auditors flag most

DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) data from 2023 assessments shows clear patterns in what organizations fail. The most commonly failed controls are:

  1. 3.13.11 FIPS-validated cryptography — Using non-compliant encryption or failing to document validation
  2. 3.1.1 Access control enforcement — Policies exist but are not technically enforced
  3. 3.5.2 Authenticator management — Weak password policies, no MFA, or shared credentials
  4. 3.3.2 Audit record review — Logs collected but not reviewed
  5. 3.4.2 Separation of duties — Same person can approve and execute critical changes

Notice the pattern: these are not exotic technical requirements. They are foundational security practices that require consistent execution and documentation. See our Assessment Guide for the full list and remediation guidance.

Where to start without overcomplicating it

  1. Govern: assign an owner and a review cadence (roadmap, exceptions, evidence).
  2. Scope the data: confirm where CUI exists, how it flows, and who touches it. See our CUI Guide for categorization help.
  3. Choose an operating model: enclave vs broader rollout based on how much of the business touches CUI. See Enclave Guide for decision criteria.
  4. Gap assess: compare current state to NIST 800-171 requirements and prioritize fixes.
  5. Implement controls + evidence: build proof as you deploy changes (not at the end).
  6. Run remediation visibly: track open gaps with a POA&M so progress is defensible.

Scope first: CUI boundaries decide the size of the problem

Most CMMC pain comes from unclear scope. If you do not know where CUI lives, you either over-scope (expensive, disruptive) or under-scope (assessment surprises).

  • Data: which documents, systems, and workflows contain CUI?
  • People: which roles need access (and which do not)?
  • Systems: what endpoints, file shares, SaaS tools, and integrations are in the access path?

See our CUI Categories Guide for what counts as CUI and how to scope it. Related: Defense & Aerospace brief.

Enclave vs enterprise rollout: pick deliberately

If only part of the organization touches CUI, an enclave can reduce scope. If CUI is everywhere, forcing an enclave can create operational friction.

  • Enclave: smaller compliance footprint, higher operational complexity. See our Enclave Implementation Guide for details.
  • Broader rollout: simpler workflows, broader control implementation and evidence burden.

Identity and access controls are the fastest leverage

  • Start with identity foundations so access is consistent and revocable.
  • Enforce MFA on CUI access paths and admin roles.
  • Reduce privilege sprawl with RBAC and periodic access reviews.
  • Use conditional access and device posture for sensitive apps.

Evidence that matters: run the program like operations

Assessment prep is not just policies. It is being able to show that controls are implemented and operated.

  • SSP: keep a System Security Plan that matches reality.
  • POA&M: track open gaps and milestones (see our POA&M guide).
  • Logging: retain authentication and admin activity evidence (SIEM).
  • Recovery: prove restores (Backup & DR testing).

Common pitfalls

  • Over-scoping: applying the heaviest controls to the whole company when only a subset touches CUI.
  • Under-scoping: missing SaaS tools, personal email, unmanaged devices, or vendor access paths.
  • Evidence drift: controls exist, but proof is stale or scattered.
  • Vendor blind spots: subcontractors and third parties touch CUI without clear boundaries.

Related: vendor risk management.

Common Questions

What is the difference between CMMC and NIST SP 800-171?

NIST SP 800-171 defines the security requirements for protecting CUI. CMMC is the program and assessment framework that verifies implementation for applicable DoD contracts. In practice, you implement 800-171 controls and use CMMC to structure assessment readiness and evidence.

What is the difference between Level 1 and Level 2?

Level requirements depend on what your contracts require and what data you handle. Level 1 is commonly associated with basic safeguarding for Federal Contract Information (FCI). Level 2 is commonly associated with protecting Controlled Unclassified Information (CUI) and aligns closely to NIST SP 800-171.

Do we need CMMC if we only handle FCI (not CUI)?

If you only handle FCI (not CUI), your requirements may be different than organizations handling CUI. The practical starting point is to scope the data you touch and confirm which clauses apply in your contracts.

What is an enclave and when should we use one?

An enclave is a segmented environment where CUI is isolated from general business systems. It can reduce compliance scope when only a subset of your workflows touch CUI. The tradeoff is operational complexity: you must run and support two modes of work. See our CMMC Enclave Guide for implementation details.

What evidence do assessors actually ask for?

Evidence typically includes: a current System Security Plan (SSP), policies and procedures that match how you operate, configuration proof (exports/screenshots), logging and retention proof, access review records, and restore testing evidence where recovery controls apply.

What is SPRS and why does the score matter?

SPRS is a DoD system used to capture supplier risk information, including some self-assessment scoring for NIST 800-171. Your score may be visible to contracting stakeholders and can influence confidence and eligibility depending on the procurement.

Can I use cloud services and still meet CMMC expectations?

Often yes, but it requires clear architecture and evidence: how identity is controlled, where CUI lives, how logging/retention is handled, and how shared responsibility is addressed. Treat cloud as an operating model you document, not a shortcut.

What is a POA&M and when is it relevant?

A Plan of Action and Milestones (POA&M) is a structured remediation tracker for known gaps: what you will fix, owners, milestones, and evidence. It is often part of compliance workflows and should be run like an operational plan, not a paperwork artifact.

How do we handle subcontractors and vendors?

Start by identifying which vendors and subs touch CUI or have privileged access. Treat that as a vendor risk and access boundary problem: scope access, prefer Single Sign-On (SSO)/Multi-Factor Authentication (MFA), review privileges, and keep a small evidence pack you can reuse.

How long does CMMC readiness usually take?

It depends on scope, current controls, and how quickly you can implement changes without disrupting operations. Most organizations need 12-18 months for full readiness. The safest approach is to start with CUI scoping and an enclave strategy (if relevant), then build an evidence cadence while you close gaps. See our CMMC Assessment Guide for a detailed timeline.

Need a CMMC roadmap?

We can help scope, plan, and implement controls with a focus on practicality and evidence.

Contact N2CON