CMMC Quick Reference Guide 2026

→ Does your contract involve Controlled Unclassified Information (CUI)?

→ Yes → You need CMMC Level 2 (110 controls, third-party assessment)

→ No, just Federal Contract Information (FCI) → You need CMMC Level 1 (15 controls, self-assessment)

→ Not sure? → Check your contract for DFARS 252.204-7012. If it's there, assume Level 2.

CMMC LEVEL 1

CMMC LEVEL 2

Key Dates

Nov 2025

Phase 1 (Active Now): CMMC Level 1 and Level 2 self-assessments required in applicable contracts

Nov 2026

Phase 2: Level 2 C3PAO assessments required in all applicable new solicitations

Nov 2027

Phase 3: CMMC Level 2 for all option periods on existing contracts

Nov 2028

Phase 4 (Full): CMMC required across all applicable DoD contracts

Level 1 (self-assessment): Minimal direct cost — primarily internal time to verify 15 controls and submit SPRS score
Level 2 consulting (readiness): $55,000–$95,000 for boutique firms, $120,000–$285,000+ for Big Four firms
Level 2 C3PAO assessment: $30,000–$100,000+ depending on scope (separate from consulting)
Technology upgrades: Varies — GCC High migration, MFA, SIEM, encryption ($5,000–$50,000+)
Cost of non-compliance: Lost contracts, lost revenue, potential False Claims Act liability

SPRS Score — Your numerical compliance score submitted to the DoD. Without it, you cannot win contracts requiring CMMC. Check your readiness →
System Security Plan (SSP) — Documents how you implement each of the 110 NIST 800-171 controls. This is the single most critical artifact in a C3PAO assessment.
Plan of Action & Milestones (POA&M) — Your roadmap for addressing identified gaps. Must demonstrate credible, time-bound remediation plans. (Level 2 only)