On November 10, 2026, third-party certification becomes mandatory for most small defense contractors that handle Controlled Unclassified Information. That date, the start of Phase 2 of the CMMC rollout, is the one to circle in red.
The framework itself has been binding since the 32 CFR program rule took effect on December 16, 2024, and certification clauses began appearing in new contracts on November 10, 2025. Roughly 73 percent of the Defense Industrial Base (DIB) is made up of small businesses, and a 20-person machine shop now faces the same control set as a prime with a dedicated security team. This guide breaks down what the CMMC requirements for small business actually demand: the levels, the controls, the documentation, the real cost, and the route to certification.
What Is CMMC and Who Needs to Comply?
The Cybersecurity Maturity Model Certification is the Department of Defense’s program for verifying that contractors protect sensitive federal information on their own systems. For years, contractors simply self-attested compliance with NIST Special Publication 800-171. CMMC ends the honor system. It keeps self-assessment for lower-risk work and adds independent audits for everything else.
Two regulations run the program.
- 32 CFR Part 170 defines the structure, the three levels, and the assessment rules.
- 48 CFR amends the Defense Federal Acquisition Regulation Supplement and embeds CMMC into contracts through clause DFARS 252.204-7021.
The first sets the standard, the second makes it a condition of the award.
Compliance is not optional based on company size. If you process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a DoD contract or subcontract, CMMC applies. The requirement flows down from prime contractors to subcontractors and suppliers at every tier. The main carve-out is for companies that supply only commercially available off-the-shelf (COTS) products.
The distinction between the two data types drives everything. FCI is information not meant for public release that is provided by or generated for the government under a contract. CUI is more sensitive: technical drawings, specifications, and procurement data the government requires you to safeguard. Which one you handle sets your level. The fastest way to check is your contract itself. Clauses such as DFARS 252.204-7012, 7019, and 7020 are strong signals that CUI is in scope.
CMMC Levels Explained for Small Businesses
CMMC has three levels. Most small contractors land at Level 1 or Level 2. Level 3 is reserved for a tiny fraction of the supply chain handling the most sensitive programs.
Level 1 covers basic safeguarding of FCI. It maps to the 15 requirements in FAR 52.204-21, things most businesses already do, like using passwords and limiting who can access systems. Self-assessment is permitted and the cost is modest.
Level 2 is where the majority of CUI-handling contractors sit. It requires all 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 control families. Some non-prioritized contracts allow an annual self-assessment, but DoD estimates that around 95 percent of Level 2 contractors handle CUI critical enough to require a C3PAO assessment.
Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 on top of the full 110, for high-value programs targeted by advanced persistent threats. Assessments are conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a contractor must already hold Level 2 certification before a Level 3 assessment can begin. Fewer than 1 percent of contractors will need it.
To determine your level, read the solicitation and ask your prime directly. If any data you touch is CUI, plan for Level 2 and assume a third-party assessment until a contract tells you otherwise.
Prepare Your Business for CMMC Compliance
Get ready for the November 2026 CMMC deadline with expert guidance.
Core CMMC Requirements Small Businesses Must Meet
Level 2 requirements break into 14 control families covering 110 individual requirements and 320 assessment objectives. Access Control and System and Communications Protection are the two heaviest domains.
In practice, these families fall into two buckets.
- The technical controls govern how your systems behave: limiting access to authorized users, requiring multi-factor authentication, logging system activity, hardening configurations, encrypting data, and detecting and responding to incidents.
- The administrative controls govern how your organization behaves: training staff, screening personnel, controlling physical spaces, assessing risk, and documenting everything.
A small business cannot skip a family because it is inconvenient. There is no partial credit and no small-business exemption from the 110.
Documentation Requirements for Small Business Compliance
Assessors evaluate evidence, not intentions.
Two documents anchor the entire effort.
- The System Security Plan (SSP) describes your environment, your CUI boundary, and how you implement each of the 110 controls. It is a living document and the first thing any assessor reads.
- The Plan of Action and Milestones (POA&M) records gaps, owners, and timelines for fixing them.
CMMC scores Level 2 on a 110-point scale weighted by control importance. A score of at least 88 (80 percent) can earn conditional status, but only if certain high-value controls are fully met.
Conditional status gives you 180 days to close every remaining item on your POA&M and pass a closeout assessment. Some critical controls cannot be deferred to a POA&M at all. Beyond the SSP and POA&M, you need written policies and procedures for each domain, plus concrete evidence that controls operate as documented: configuration screenshots, training logs, access reviews, and audit records.
Pro Tip: Build your SSP
Build your SSP before you spend a dollar on tools. Mapping your current state against all 110 requirements first tells you exactly where the gaps are, so you remediate the right things in the right order instead of buying software you may not need.
Technical Requirements and Controls
A handful of technical controls account for most assessment failures, and they deserve direct attention. The most effective cost and risk lever is scoping: isolating CUI into a dedicated enclave, a defined set of systems and networks, so the 110 controls apply only there rather than across your entire IT estate. Segregating CUI and segmenting the network this way shrinks both your remediation bill and your assessment fee.
Multi-factor authentication is required for network and privileged access and is among the most-cited gaps. Encryption must use FIPS 140-2 or 140-3 validated modules, not merely strong encryption, a distinction assessors check closely. You need endpoint protection and monitoring that can detect and log suspicious activity. If you use a cloud service to store or process CUI, that service must meet FedRAMP Moderate authorization or demonstrable equivalency. Where a contractor relies on a FedRAMP Moderate or higher authorized provider, the contractor is not responsible for the provider’s own compliance, which is one reason platforms like Microsoft GCC High are common in the DIB.
Physical and Administrative Requirements
CMMC is not only a technical standard. The Physical Protection family requires you to limit physical access to systems that handle CUI, escort and log visitors, and secure your facilities, which is achievable even for a single small office. On the administrative side, every employee who touches CUI needs security awareness training appropriate to their role, and the Personnel Security family requires screening individuals before granting access to covered systems. For a small team, these controls are often more about consistent documentation than expensive infrastructure.
Self-Assessment vs. Third-Party Assessment Requirements
The assessment path depends entirely on the contract.
- Level 1 is always a self-assessment, performed annually, with results entered into the Supplier Performance Risk System (SPRS).
- Level 2 splits in two. Some non-prioritized contracts permit a Level 2 self-assessment, but most CUI-handling contracts require certification by an accredited C3PAO every three years.
- Level 3 is always a government-led assessment by DIBCAC.
Regardless of the path, a senior company official must submit an annual affirmation in SPRS confirming continued compliance. That affirmation is a legal statement, and it is where False Claims Act risk enters the picture.
Insider Note: There are only around 85 authorized C3PAOs in the country and thousands of contractors needing assessment before Phase 2. Assessor availability, not your own readiness, may become the bottleneck. Booking early is now a competitive move, not just good planning.
Cost Considerations for Meeting CMMC Requirements
Cost is the question that keeps small contractors up at night, and the honest answer is that it varies widely with your starting posture. The DoD’s own published estimates give a baseline, and market data from the 2026 assessment cycle fills in the rest.
The headline number most people fixate on, the C3PAO fee, is usually only 20 to 40 percent of the total. The higher costs sit in gap remediation and technology: rolling out MFA, upgrading endpoint protection, standing up a CUI enclave, and writing documentation. The DoD estimates that a small contractor will spend over $100,000 to reach Level 2 through a C3PAO assessment, with the assessment itself near $76,700 and preparation and reporting making up the balance. Ongoing maintenance typically runs 20 to 30 percent of that first-year figure each year, and recertification recurs every three years.
Several programs exist to cut that bill. The DoD-funded APEX Accelerators network offers free advisory support and referrals across roughly 90 centers nationwide. Project Spectrum provides free cyber-hygiene tools and a SPRS readiness check. The NIST Manufacturing Extension Partnership funds state-level assistance for small manufacturers, and several states run their own subsidized programs. Crucially, CMMC compliance costs are allowable costs under DoD contracts, meaning they can be built into your pricing and recovered over the life of a contract. A proposed federal tax credit of up to $50,000 for firms with 50 or fewer employees has been floated in Congress but was not enacted as of early 2026, so treat it as a possibility, not a plan. For tailored budgeting and remediation support, Axipro’s CMMC compliance services can help right-size the scope before you spend.
Timeline to Meet CMMC Requirements
Most small businesses need 6 to 12 months to implement NIST SP 800-171, validate compliance, and pass an assessment, with 9 to 12 months being typical for those starting from a low baseline. That clock starts from wherever your security posture sits today, not from the day you decide to act.
The rollout follows four phases, each beginning one year after the last. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in applicable contracts, with DoD discretion to require C3PAO assessments on priority work. Phase 2 begins November 10, 2026, making third-party Level 2 certification mandatory for most CUI contracts. Phase 3 (November 10, 2027) introduces Level 3, and Phase 4 (November 10, 2028) reaches full implementation across all applicable contracts and option periods. The phased schedule does not permit waiting. Because the gap between a solicitation dropping and an award is usually far shorter than the time needed to get ready, primes are already demanding certification ahead of the formal dates.
Consequences of Not Meeting CMMC Requirements
The most immediate consequence is simple: no certification, no contract. Since late 2025, CMMC status has functioned as a go or no-go criterion. A contracting officer must check SPRS and cannot award to an offeror without the required CMMC status posted. For a small business that depends on DoD revenue, losing eligibility is an existential threat, not a line item.
The second consequence is legal. Because compliance now rests on annual affirmations submitted by a senior official, knowingly misrepresenting your security posture can trigger False Claims Act liability. The Department of Justice’s Civil Cyber-Fraud Initiative has already pursued contractors for false cybersecurity attestations, and settlements have reached into the millions. The third consequence is competitive: as more of the supply chain certifies, uncertified subcontractors quietly drop off prime contractors’ approved vendor lists and lose work they never even see bid out.
Worth Knowing: False Claims Act
False Claims Act cases can be initiated by whistleblowers, often current or former employees, who are entitled to a share of any recovery. That means your compliance attestations are not just reviewed by the government, they are visible to your own staff.
Practical Steps for Small Businesses to Achieve Compliance
Start with a gap analysis scored against all 110 requirements, marking each control as implemented, partially implemented, or not implemented. This produces your SSP baseline and your initial POA&M in one pass. Next, scope your CUI environment aggressively. Identify every system, application, and data flow that touches CUI, then consolidate it into the smallest defensible enclave. Every system you pull out of scope is money saved.
Then decide how to execute. An in-house approach is cheapest if you already have IT depth, but most small contractors lack a CMMC specialist. A managed service provider that functions as a security protection asset can cover monitoring and tooling, and falls inside your assessment boundary without needing its own certification. A consultant or Registered Practitioner is useful for documentation and readiness. Many small businesses combine all three. Finally, run an internal assessment using the NIST 800-171A methodology before you engage a C3PAO, then book the assessment early given the assessor shortage. A readiness review, sometimes available through Axipro’s gap analysis support, reduces the risk of a costly failed audit.
Prepare Your Business for CMMC Compliance
Get ready for the November 2026 CMMC deadline with expert guidance.
Conclusion
CMMC is no longer a future initiative. The rule is in effect, clauses are in contracts, and the Phase 2 deadline of November 10, 2026 makes third-party Level 2 certification the price of staying in the defense market for most small contractors handling CUI. The requirements are demanding but finite: 15 safeguards at Level 1, the full 110 NIST 800-171 controls at Level 2, solid documentation, and an honest assessment. The businesses that scope tightly, start early, and use the free support available will absorb the cost far better than those who wait for a solicitation to force their hand.
Frequently Asked Questions
What is the minimum CMMC level for most small business DoD subcontractors?
It depends on the data. Subcontractors that handle only FCI need Level 1. Those that receive CUI through flow-down need Level 2, and most of them will require a C3PAO assessment rather than a self-assessment.
Can a small business achieve CMMC compliance without a consultant?
Yes, especially at Level 1, which is a self-assessment. Level 2 is achievable in-house if you have genuine IT and security expertise, but most small businesses use a mix of internal effort, a managed service provider, and a consultant or Registered Practitioner to manage documentation and readiness.
How long does it take to become CMMC certified?
Plan on 6 to 12 months for Level 2, with 9 to 12 months typical for organizations starting from a weak baseline. The timeline depends heavily on how mature your current controls are and, for certification, on C3PAO availability.
Do small businesses without CUI still need certification?
If you handle FCI under a DoD contract, yes, at Level 1 via annual self-assessment. If you handle neither FCI nor CUI, or you supply only COTS products, CMMC generally does not apply.
How often must small businesses recertify?
An internal audit is conducted by or for the organization itself to check and improve its own EMS. An external audit is conducted by an outside party — either a certification body awarding or maintaining the certificate, or a second party such as a customer assessing a supplier.
Can cloud services like Microsoft GCC High satisfy CMMC requirements?
Yes, a free template is a reasonable starting point, but treat it as a skeleton. Any generic template must be adapted to your significant environmental aspects, your compliance obligations, and your operations — and as of 2026 it must be updated for the new and revised clauses. An unedited template will leave gaps that produce findings.
What happens if a small business fails a CMMC assessment?
You analyze the cause, define corrections and corrective actions, and implement them. Certification bodies typically require this within a set window after the audit and then verify it. Major nonconformities must be closed before a certificate is granted or maintained. Minor nonconformities are usually verified at the next surveillance visit.