CMMC Compliance for Small Defense Contractors: What You Need to Know

CMMC Is Now a Real Requirement for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) program has moved from proposal to enforcement reality. Small businesses that contract with the Department of Defense — including subcontractors and suppliers throughout the defense industrial base (DIB) — are required to meet specific cybersecurity standards as a condition of contract award. For many small contractors, this represents the most significant compliance requirement they have ever faced.

This guide explains what CMMC requires, which level applies to your business, what the practical compliance steps look like, and what happens if you are not compliant when a contract requires it.

CMMC 2.0: The Current Framework

CMMC 2.0, finalized in late 2024, streamlined the original five-level model into three levels tied to the sensitivity of the information your contracts involve:

CMMC Level 1 — Foundational

Level 1 applies to contractors who handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract that is not intended for public release. Level 1 requires compliance with 17 basic cybersecurity practices drawn from FAR 52.204-21, the existing basic safeguarding requirement that has been in contracts for years.

Level 1 allows annual self-assessment — you evaluate your own compliance and affirm it in a Supplier Performance Risk System (SPRS) score. This is the entry-level requirement for most small government contractors without classified or sensitive defense information.

CMMC Level 2 — Advanced

Level 2 applies to contractors who handle Controlled Unclassified Information (CUI) — sensitive but unclassified government information that requires protection under law, regulation, or policy. CUI includes export-controlled technical data, privacy information, law enforcement sensitive information, and many other categories that appear routinely in defense contracts.

Level 2 requires compliance with all 110 practices in NIST SP 800-171 — the full standard for protecting CUI. Most contracts involving CUI will require third-party assessment by a CMMC Third Party Assessor Organization (C3PAO) rather than self-assessment. This is the level that creates the most significant compliance burden for small contractors.

CMMC Level 3 — Expert

Level 3 applies to contractors working on the most sensitive DoD programs — those involving advanced persistent threat (APT) concerns. Level 3 builds on the 110 NIST 800-171 practices and adds requirements from NIST SP 800-172. Government-led assessments are required. Level 3 affects a small subset of specialized contractors.

How to Determine Your Required CMMC Level

Your required CMMC level is determined by the sensitivity of the information in your contracts:

  1. Review your current and anticipated contracts for references to CUI, Federal Contract Information, or specific CMMC level requirements.
  2. Check the DD Form 254 (Department of Defense Contract Security Classification Specification) if applicable — it specifies information handling requirements.
  3. If you are a subcontractor, your prime contractor is required to flow down CMMC requirements to you if the prime is handling CUI relevant to your work.
  4. If uncertain, contact your contracting officer or prime contractor directly to ask what CMMC level the contract requires.

NIST SP 800-171: The Core of Level 2 Compliance

NIST Special Publication 800-171 contains 110 security requirements organized into 14 control families. Understanding the families helps prioritize your compliance work:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (7 requirements)

Practical Compliance Steps for Small Contractors

Step 1: Conduct a Gap Assessment

Before spending money on tools or consultants, understand where you stand. The DoD provides a free self-assessment tool — the CMMC Assessment Scope guidance — and NIST provides the SP 800-171A assessment procedures. Walk through each of the 110 requirements and document your current compliance status: Met, Partially Met, or Not Met. This gap assessment becomes the foundation of your System Security Plan (SSP).

Step 2: Document Your System Security Plan

A System Security Plan (SSP) is a required artifact that describes your information systems, the security requirements that apply, and how each requirement is implemented. Every CMMC Level 2 contractor must have an SSP. It does not need to be a lengthy document — it needs to accurately describe your environment and controls.

Step 3: Create a Plan of Action and Milestones (POA&M)

For requirements you cannot meet immediately, document them in a Plan of Action and Milestones — a roadmap showing what corrective actions you will take, who is responsible, and by when. The POA&M demonstrates to assessors that you have identified gaps and are actively remediating them.

Step 4: Implement Priority Controls

Not all 110 requirements carry equal weight or complexity. High-priority, high-impact controls to address first:

  • Multi-factor authentication on all user accounts and remote access (3.5.3)
  • Encryption of CUI at rest and in transit (3.13.10, 3.13.8)
  • Endpoint protection on all systems handling CUI (3.14.2)
  • System and security event logging (3.3.1, 3.3.2)
  • Regular vulnerability scanning and patch management (3.11.2, 3.14.1)
  • Incident response capability and documented procedures (3.6.1, 3.6.2)

Step 5: Submit Your SPRS Score

Your self-assessment score is submitted to the Supplier Performance Risk System (SPRS) at sprs.navy.mil. The score is calculated from the point value of each unmet requirement, starting from a maximum of 110 points with a deduction for each unmet control. A positive score indicates full compliance; negative scores indicate gaps, and the score reflects the severity of those gaps. Contracting officers can view your SPRS score.
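As an added example (not part of the original article, and not an official DoD or NIST tool), the Python below ties together the gap assessment of Step 1, the POA&M of Step 3 and the SPRS-style score of Step 5: each requirement is recorded as Met, Partially Met or Not Met, the score starts at 110 and deducts the point value of every requirement that is not fully met, a POA&M line is produced for each gap, and the gaps are ordered for remediation by point value so the highest-impact controls come first. The requirement identifiers are the ones the article lists under Step 4; the point values, statuses, owner and due date are constructed placeholders (the official point values come from the DoD Assessment Methodology and are not reproduced here), and any requirement not in the sample is assumed Met.

```python
"""
Gap-assessment tracker for a NIST SP 800-171 self-assessment.

Added illustration, not an official tool. Requirement identifiers are the
ones named in the article; the point values, statuses, owner and due date
are CONSTRUCTED placeholders and must be replaced with the official values
from the DoD Assessment Methodology before any real use.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum

MAX_SCORE = 110  # one point per requirement, 110 requirements in SP 800-171


class Status(Enum):
    MET = "Met"
    PARTIAL = "Partially Met"
    NOT_MET = "Not Met"


@dataclass
class Requirement:
    req_id: str   # e.g. "3.5.3"
    family: str   # SP 800-171 control family
    title: str
    points: int   # placeholder weight deducted when the requirement is not Met
    status: Status = Status.NOT_MET


@dataclass
class PoamEntry:
    req_id: str
    weakness: str
    owner: str
    milestone_due: date


def gaps(reqs):
    """Every requirement that is not fully Met (Partially Met counts as a gap)."""
    return [r for r in reqs if r.status is not Status.MET]


def sprs_score(reqs):
    """110 minus the point value of each requirement not fully Met.

    Requirements absent from `reqs` are treated as Met. With enough
    high-value gaps the result drops below zero, which is why negative
    SPRS scores exist."""
    return MAX_SCORE - sum(r.points for r in gaps(reqs))


def build_poam(reqs, owner, due):
    """One POA&M line per gap: what is wrong, who fixes it, and by when."""
    return [
        PoamEntry(r.req_id, f"{r.req_id} {r.title}: {r.status.value}", owner, due)
        for r in gaps(reqs)
    ]


def remediation_order(reqs):
    """Gaps sorted by point value, highest deduction first (stable sort keeps
    the assessment's own order among equal weights)."""
    return sorted(gaps(reqs), key=lambda r: r.points, reverse=True)


def gaps_by_family(reqs):
    """Count of open gaps per control family, for prioritising work."""
    counts = {}
    for r in gaps(reqs):
        counts[r.family] = counts.get(r.family, 0) + 1
    return counts


# Constructed sample assessment covering the priority controls from Step 4.
SAMPLE = [
    Requirement("3.5.3", "Identification and Authentication",
                "Multi-factor authentication", 5, Status.PARTIAL),
    Requirement("3.13.8", "System and Communications Protection",
                "Encryption of CUI in transit", 3, Status.MET),
    Requirement("3.13.10", "System and Communications Protection",
                "Encryption of CUI at rest", 1, Status.MET),
    Requirement("3.14.2", "System and Information Integrity",
                "Endpoint protection", 5, Status.MET),
    Requirement("3.3.1", "Audit and Accountability",
                "System event logging", 5, Status.NOT_MET),
    Requirement("3.3.2", "Audit and Accountability",
                "Security event logging", 3, Status.NOT_MET),
    Requirement("3.11.2", "Risk Assessment",
                "Vulnerability scanning", 5, Status.PARTIAL),
    Requirement("3.14.1", "System and Information Integrity",
                "Patch management", 5, Status.MET),
    Requirement("3.6.1", "Incident Response",
                "Incident response capability", 5, Status.NOT_MET),
    Requirement("3.6.2", "Incident Response",
                "Documented incident procedures", 3, Status.MET),
]

if __name__ == "__main__":
    print("SPRS-style score:", sprs_score(SAMPLE))  # → 87 with the sample
    for entry in build_poam(SAMPLE, owner="IT lead (placeholder)", due=date(2025, 6, 30)):
        print(f"POA&M {entry.req_id}: {entry.weakness} | {entry.owner} | {entry.milestone_due}")
    print("Remediate first:", [r.req_id for r in remediation_order(SAMPLE)])
    print("Open gaps by family:", gaps_by_family(SAMPLE))
```

With the sample statuses, five of the ten listed controls are gaps and the score lands at 87; marking the MFA and logging controls Met would recover 13 of those 23 points, which is the kind of arithmetic that makes Step 4's prioritisation concrete. Swap the placeholder weights for the official ones and extend the list to all 110 requirements before relying on the number.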

CMMC Third-Party Assessment: What to Expect

For Level 2 contracts requiring third-party assessment, a C3PAO conducts a formal assessment of your implementation against all 110 NIST 800-171 requirements. The assessment involves document review, interviews, and technical testing. Assessments typically take two to four days on-site for small businesses plus a documentation review phase. Certification, once awarded, is valid for three years.

Finding a C3PAO: the CMMC Accreditation Body maintains a marketplace of authorized assessment organizations at cyberaccreditation.us/marketplace.

Bottom Line

CMMC compliance is no longer optional for DoD contractors handling CUI — it is a contract requirement with real enforcement. Level 1 self-assessment is achievable for most small contractors already implementing basic security practices. Level 2 requires a systematic program built on NIST 800-171. Start with a gap assessment to understand your current posture, document an SSP and POA&M, prioritize high-impact controls, and engage a C3PAO for third-party assessment if your contracts require it. The businesses that begin this process now rather than waiting for contract award pressure will have a significant competitive advantage in the defense marketplace.
