Fortinetics

CMMC Level 1, 2, and 3 certification — by a team that helped draft the standard.

CMMC Phase 2 begins November 10, 2026. From that date, Level 2 certification is required at contract award for every defense subcontractor handling Controlled Unclassified Information. A member of our team contributed to CMMC itself at the Department of Defense in 2019. Our track record: perfect 110/110 C3PAO scores, typically in six to nine months.

  • 110/110: perfect C3PAO scores
  • 6–9 mo: typical engagement
  • 2019: team helped draft CMMC

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's cybersecurity certification program for the Defense Industrial Base. Under CMMC 2.0, contractors are assessed at one of three levels:

  • Level 1 — basic cyber hygiene (17 controls), self-assessed annually.
  • Level 2 — protection of Controlled Unclassified Information (110 NIST SP 800-171 Rev 2 controls), assessed every three years by a C3PAO.
  • Level 3 — protection against advanced persistent threats (Level 2 + a subset of NIST SP 800-172 controls), assessed by DIBCAC.

The assessment framework and contractual enforcement arrived in 32 CFR Part 170 — the CMMC Program rule, published October 15, 2024 and effective December 16, 2024. CMMC Phase 2 — the point at which Level 2 certification is required at contract award for all covered contracts — begins November 10, 2026.

Who needs CMMC Level 2?

Any organization holding or subject to a DoD contract that involves Controlled Unclassified Information — which, in practice, is the majority of the Defense Industrial Base's roughly 70,000 contractors. If the DFARS 252.204-7012 clause is in your contract, Level 2 is likely in your near future.

Typical Level 2 targets include defense subcontractors, prime contractors with CUI-handling subcontracts to flow down, cloud service providers supporting DoD work, and any vendor whose product or service touches CUI at any stage of the federal supply chain.

Level 1 applies when the contract involves only Federal Contract Information, not CUI. Level 3 applies to a narrow set of programs where the adversary threat model justifies the enhanced control set.

What a realistic CMMC Level 2 engagement looks like

Six to nine months is the realistic window from kickoff to certificate for a prepared organization with consistent executive support. The engagement breaks roughly into four parallel workstreams:

  • Technical — CUI enclave design, identity + MFA, endpoint + EDR, centralized logging, boundary protection.
  • Policy — drafting and aligning the policy library to CMMC practice statements.
  • Evidence — designing the evidence pipeline so artifacts are produced as a byproduct of operations (not reconstructed at assessment time).
  • Assessor — C3PAO selection, scheduling, dry-run rehearsal, and the assessment itself.

The single most common cause of schedule slips is treating evidence as an end-of-engagement sprint rather than a continuous byproduct. The team that wins 110/110 scores consistently is the team whose operations produce audit-grade artifacts by default.

Why Fortinetics for CMMC

Authorship-level knowledge. A member of our team contributed to the CMMC standard itself at the U.S. Department of Defense in 2019. The framework is not abstract to us; we helped shape what assessors now test against.

Perfect track record. Multiple CMMC Level 2 engagements have closed with a perfect 110/110 assessor score, typically in six to nine months from first engagement to certification. The pattern is repeatable because we design the program around evidence-as-byproduct, not assessment-time reconstruction.

Architecture, not audit. We design, implement, document, and sit with you through the actual assessment. Not a gap-analysis-and-leave firm. The client owns the outcome; we are present for every step that shapes it.

Pragmatic commercial model. Firm fixed-price engagements with milestone-based payments, or time-and-materials for more ambiguous scopes. No retainers, no surprise change orders, no reselling of tools.

Recent regulatory changes

What changed in CMMC recently.

  • April 2026
    Phase 2 cliff is November 10, 2026 — ~8% of required contractors ready

    DoD estimates 76,000+ organizations need Level 2 certification by Phase 2 activation; fewer than 1,100 had completed it as of February 2026. C3PAO assessor capacity is the binding constraint. Subcontractors kicking off engagements after July 2026 face compressed timelines.

  • February 2026
    DFARS 7019 deleted, 7020 renumbered to 7997 (Revolutionary FAR Overhaul)

    The February 1, 2026 DFARS restructuring consolidates assessment obligations into DFARS 252.204-7021 (CMMC), eliminating the parallel self-assessment track. DFARS 252.204-7012 and 7021 themselves remain unchanged.

  • December 2025
    First subcontractor-level DOJ FCA settlement — $421K

    An Illinois precision machining subcontractor settled with DOJ in December 2025, the first enforcement action against a sub rather than a prime. Cybersecurity-related FCA cases rose 156% year-over-year in 2025. False Claims Act liability attaches to the SPRS certification itself — no breach required.

  • May 2025
    DoD published NIST 800-171 Rev 3 Organization-Defined Parameters

    DoD staged the Rev 3 transition by publishing ODPs before formal rulemaking. CMMC Level 2 is still assessed against Rev 2, but Tier-1 primes are starting to ask subs about Rev 3 readiness in pre-award evaluations.

Frequently asked

Questions we get about CMMC.

What score do I need to pass a CMMC Level 2 assessment?
Perfect 110/110 on the NIST SP 800-171 Rev 2 controls. Any 'Other than Satisfied' finding fails the assessment unless it can be converted to a POA&M item under narrow DoD eligibility rules. Most contractors plan to the 110/110 bar rather than rely on POA&M flexibility.

When does CMMC Level 2 actually become mandatory?
CMMC Phase 2 — the point at which Level 2 certification is required at contract award — begins November 10, 2026. Self-assessment has been required since the Phase 1 rollout for DoD solicitations that invoke the DFARS 7021 clause. Phase 3 (Level 3 for specific programs) and Phase 4 (full program rollout) follow in subsequent years.

What's the difference between self-assessment and C3PAO assessment?
Level 1 and a narrow subset of Level 2 contracts accept self-assessment. Most Level 2 contracts under Phase 2 require third-party assessment by a C3PAO — an organization accredited by the Cyber AB. The technical work is identical; the difference is who signs the certificate and whether that signature is trusted by the contracting officer.

How much does CMMC Level 2 certification cost?
Assessment fees alone run $50k–$150k depending on C3PAO choice and scope. Preparation — the work before the assessment — ranges from $150k–$500k+ depending on starting posture, scope, and whether IT buildout is required. We quote every engagement after a scoping call; pricing is scope-dependent and not published.

Can we use a compliance platform like Vanta or Drata instead of hiring Fortinetics?
The platforms handle evidence collection and auditor workflow well; they do not handle control design, architecture decisions, or gap remediation. For a simple SaaS with a clean architecture, the platform is often enough. For CMMC — which involves CUI enclave design, the DFARS 7012 incident reporting path, and assessor-grade evidence — most contractors use a firm for the judgment work and a platform (or our evidence pipeline) for the automation.

Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific CMMC target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.
