The CMMC Survival Guide
for Small Contractors

A Plain-English Roadmap to Certification
Without Losing Your Mind (or Your Shirt)

Version 1.0 | February 2026

A Note Before We Begin

If you're reading this, you probably just found out you need "CMMC Level 2" to keep bidding on DoD contracts, and you have no idea where to start. Maybe a prime contractor sent you a flowdown clause that made your eyes glaze over. Maybe you Googled "CMMC cost" and nearly had a heart attack.

Take a breath. You're not alone.

We've helped dozens of small contractors (5-50 people) navigate this process. Some panicked. Some overspent. Some did it smart. This guide contains everything we wish someone had told them—and us—at the start.

No sales pitch. No jargon soup. Just the truth about what CMMC is, what it costs, and how to get through it without bankrupting your company or losing your sanity.

Let's get into it.

Table of Contents

  1. What CMMC Actually Is (Plain English)
  2. The Timeline That Actually Matters
  3. What This Really Costs
  4. The 110 Controls: Organized by Priority
  5. Your First 10 Actions (Do These NOW)
  6. Mistakes That Will Burn You
  7. Choosing Tools and Consultants
  8. Self-Assessment vs. C3PAO: What's the Difference?
  9. Resources and Next Steps

Chapter 1: What CMMC Actually Is

The 30-Second Version

CMMC stands for Cybersecurity Maturity Model Certification. It's the DoD's way of making sure companies that handle sensitive defense information actually protect it—instead of just saying they protect it.

Before CMMC, contractors self-attested: "Yeah, we're secure." The DoD trusted them. Breaches happened. A lot of them. Sensitive data ended up in the wrong hands.

CMMC changes the game: now you have to prove you're secure, often through a third-party audit.

The Three Levels (You Probably Need Level 2)

Level | What It Means | Who Needs It | How You Prove It
Level 1 | Basic cyber hygiene | FCI only (Federal Contract Information) | Self-assessment
Level 2 | 110 security controls (NIST 800-171) | CUI handlers (most contractors) | Self or C3PAO audit
Level 3 | Advanced (110+ controls) | High-value programs | Government audit

Key Point: If you touch CUI (Controlled Unclassified Information)—technical drawings, specs, contract details—you almost certainly need Level 2. That's 110 specific security requirements you must implement and document.

Chapter 2: The Timeline That Actually Matters

CMMC 2.0 Rollout Schedule

Phase | Date | What Happens
Phase 1 | Now | Self-assessments begin appearing in contracts
Phase 2 | Late 2026 | C3PAO assessments required for certain contracts
Phase 3 | 2027 | Full implementation across DoD contracts

Reality Check: If you're starting from scratch, plan for 12-18 months to get compliant. The companies that wait until Phase 2 hits will be scrambling—and paying premium prices for help.

Chapter 3: What This Really Costs

The Honest Numbers

Company Size | DIY (Tools + Time) | With Consultant | C3PAO Assessment
1-10 employees | $15K-30K | $40K-80K | $15K-25K
11-50 employees | $30K-60K | $80K-150K | $25K-50K
50-200 employees | $50K-100K | $150K-300K | $50K-100K

Where the Money Actually Goes

Chapter 4: The 110 Controls, Prioritized

Start Here: The Critical 20

Not all controls are equal. These are the ones assessors look at first and where most companies fail:

  1. AC.L2-3.1.1 — Limit system access to authorized users
  2. AC.L2-3.1.2 — Limit system access to authorized functions
  3. IA.L2-3.5.1 — Identify system users and processes
  4. IA.L2-3.5.2 — Authenticate users and processes
  5. SC.L2-3.13.1 — Monitor communications at boundaries
  6. SC.L2-3.13.2 — Employ architectural designs to protect CUI
  7. AU.L2-3.3.1 — Create and retain system audit logs
  8. AU.L2-3.3.2 — Ensure actions can be traced to users
  9. CM.L2-3.4.1 — Establish and maintain configuration baselines
  10. CM.L2-3.4.2 — Track and control configuration changes

Pro Tip: If you can demonstrate solid implementation of these 20 controls with evidence, you're already ahead of 80% of contractors attempting CMMC.

Chapter 5: Your First 10 Actions

Do these this week. Seriously.

  1. Identify your CUI — Where does it live? Who touches it? Map it.
  2. Enable MFA everywhere — Email, VPN, critical systems. No exceptions.
  3. Encrypt laptops — BitLocker (Windows) or FileVault (Mac). Today.
  4. Review who has admin rights — Cut the list by 50%. Minimum.
  5. Turn on audit logging — You can't prove compliance without logs.
  6. Document your network — Diagram showing where CUI flows.
  7. Check your backups — Test a restore. When did you last do that?
  8. Update everything — OS, applications, firmware. Patch now.
  9. Run a vulnerability scan — Nessus, Qualys, or even free OpenVAS.
  10. Start your SSP — System Security Plan. The master document.
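Actions 3, 4, 5 and 8 only count if you can hand the assessor evidence. The script below is an added example (not from this guide or from Attestio) that gathers that evidence from one Windows endpoint and writes it to a JSON file you can attach to your SSP. It assumes a placeholder evidence folder, the built-in BitLocker and LocalAccounts cmdlets, and auditpol, so run it from an elevated PowerShell prompt on Windows 10/11.

```powershell
# Added example, not from the guide: gather SSP evidence for actions 3, 4, 5 and 8
# on one Windows 10/11 endpoint. Run from an elevated PowerShell prompt.
# $EvidenceDir is an assumed placeholder; point it at your SSP evidence folder.
$EvidenceDir = 'C:\CMMC-Evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$ComputerName = $env:COMPUTERNAME
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Action 3: every fixed volume should be FullyEncrypted with protection On.
$bitlocker = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Type       = $_.VolumeType
        Status     = $_.VolumeStatus
        Protection = $_.ProtectionStatus
        Compliant  = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
    }
}

# Action 4: who actually holds admin rights here (nested domain groups included).
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Action 5: audit policy. 'No Auditing' on logon or object-access subcategories
# leaves AU.L2-3.3.1 / 3.3.2 with nothing to point at. auditpol /r emits CSV.
$audit = auditpol /get /category:* /r | ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting'
$unaudited = @($audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })

# Action 8: date of the most recently installed update.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

$report = [pscustomobject]@{
    Host                 = $ComputerName
    CollectedAt          = $Stamp
    BitLocker            = $bitlocker
    LocalAdmins          = $admins
    AdminCount           = @($admins).Count
    UnauditedSubcategory = $unaudited.Subcategory
    LastPatchInstalled   = $lastPatch
}
$out = Join-Path $EvidenceDir "$ComputerName-$Stamp.json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8

# Console summary of findings to fix before the assessor asks.
$bitlocker | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "$($_.Volume) not fully encrypted/protected (action 3)" }
if ($unaudited.Count -gt 0) { Write-Warning "$($unaudited.Count) audit subcategories set to 'No Auditing' (action 5)" }
Write-Host "Evidence for $ComputerName written to $out"
```

Run it on each CUI-handling machine and keep the dated JSON files; a rerun after remediation gives you the before/after pair assessors like to see.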

Chapter 6: Mistakes That Will Burn You

The Expensive Ones

The Biggest Mistake: Treating this as a checkbox exercise. Assessors can tell when you're faking it. Build real security, document it well, and the certification follows.

Chapter 7: Choosing Tools and Consultants

What You Actually Need (Minimum Viable Stack)

Need | Budget Option | Premium Option
Endpoint Protection | Microsoft Defender | CrowdStrike, SentinelOne
Email Security | Microsoft 365 built-in | Proofpoint, Mimecast
SIEM/Logging | Microsoft Sentinel, Wazuh | Splunk, LogRhythm
Vulnerability Scanning | OpenVAS, Nessus Essentials | Tenable.io, Qualys
Documentation | Word/SharePoint + discipline | GRC platform (Archer, ServiceNow)

Red Flags When Hiring a Consultant

Chapter 8: Self-Assessment vs. C3PAO

When Self-Assessment Works

When You Need C3PAO

The Smart Play: Do a thorough self-assessment first. Fix everything you find. Then bring in the C3PAO. You'll pass faster and cheaper.

Chapter 9: Resources and Next Steps

Official Sources

Your Next Steps

  1. This week: Complete the First 10 Actions from Chapter 5
  2. This month: Conduct a gap assessment against all 110 controls
  3. Next 90 days: Build your SSP and start remediation
  4. 6 months: Internal audit — are you actually compliant?
  5. 12 months: Ready for C3PAO assessment

Need Help? Attestio builds AI-powered tools to guide small contractors through CMMC compliance—without the $100K consultant price tag. Visit attestio.ai to learn more.