
Small Business Cybersecurity for DoD: CMMC Essentials

Updated May 2026 · 6 min read

The Cybersecurity Maturity Model Certification (CMMC) program has reshaped what DoD small business contractors must do to protect federal contract information and controlled unclassified information. Understanding the requirements, which level applies to your work, and the path to compliance is essential for any small business that handles DoD contracts or wants to pursue them.

What CMMC Is and Why It Changed

CMMC began as a response to documented failures in the defense industrial base (DIB) cybersecurity posture — multiple government reports identified widespread non-compliance with the existing DFARS 252.204-7012 cybersecurity requirements, which relied on self-attestation without verification. Adversaries exploited this gap through sustained attacks on defense contractors, targeting design data, intellectual property, and program-sensitive information.

CMMC 2.0, the current version, collapses the original five-level model into three levels and maps Level 2 to NIST SP 800-171 and Level 3 to NIST SP 800-172. The program rule (32 CFR Part 170) took effect in December 2024, and the acquisition rule that puts the CMMC clause (DFARS 252.204-7021) into solicitations began a phased rollout in November 2025. The key change from the DFARS 252.204-7012 model is verification: when DoD designates a Level 2 acquisition for certification, a CMMC Third-Party Assessment Organization (C3PAO) performs the assessment, and Level 3 is assessed by the government. Self-assessment remains only for Level 1 (FCI only) and for Level 2 contracts that DoD designates for self-assessment, and in every case a senior company official must affirm continued compliance annually in SPRS.

CMMC 2.0 Levels: Which Applies to You?

CMMC Level 1 (Foundational):
  - Applies to: contractors handling only Federal Contract Information (FCI), that is, contract performance information that is not designated CUI
  - Requirements: the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in earlier CMMC documents)
  - Assessment: annual self-assessment, with a senior company official affirming the result in SPRS; no POA&M is permitted at Level 1, so every requirement must be fully met
  - Who this is: manufacturers, suppliers, and service providers whose work involves contract data but not sensitive defense program data

CMMC Level 2 (Advanced):
  - Applies to: contractors handling Controlled Unclassified Information (CUI)
  - Requirements: the 110 security requirements of NIST SP 800-171 Rev 2
  - Assessment: triennial, either a C3PAO certification assessment or a self-assessment, as the solicitation specifies (DoD originally described the split as prioritized versus non-prioritized acquisitions); annual affirmation in SPRS in both cases
  - Who this is: most defense primes and subcontractors involved in design, development, testing, or production of defense systems and components

CMMC Level 3 (Expert):
  - Applies to: contractors handling the most sensitive CUI, typically on critical programs
  - Requirements: all of Level 2 plus 24 selected requirements from NIST SP 800-172
  - Assessment: triennial government-led assessment by DIBCAC, which presupposes a current Level 2 C3PAO certification for the same scope
  - Who this is: a small set of contractors on the highest-priority programs

Most small businesses pursuing DoD contracts will be either Level 1 (if handling only FCI) or Level 2 (if handling CUI from technical data, design documents, test reports, or program-sensitive information).

NIST SP 800-171 Requirements for Level 2 — The Key Domains

NIST SP 800-171 Rev 2 organizes its 110 security requirements into 14 families (CMMC calls them domains). For small businesses, the most challenging are often:

Access Control (22 requirements): controlling who can reach CUI, enforcing least privilege, managing remote access, and separating duties. The multi-factor authentication requirement that assessors weight most heavily actually sits in the neighbouring Identification and Authentication family (3.5.3): MFA for local and network access to privileged accounts, and for network access to every non-privileged account.

Audit and Accountability (9 requirements): Creating, protecting, and retaining audit logs sufficient to detect and investigate security events. Requires automated log collection and log review processes.

Configuration Management (9 requirements): Maintaining baseline configurations for all systems, controlling changes, managing vulnerabilities, and preventing use of unauthorized software.

Incident Response (3 requirements): establishing an incident response capability, testing it, and tracking and reporting incidents. For DoD contractors the reporting path is fixed by DFARS 252.204-7012: cyber incidents affecting covered defense information must be reported to DoD through DIBNet within 72 hours of discovery, which requires a DoD-approved medium assurance certificate obtained in advance, not during the incident.

Media Protection (9 requirements): Controlling and protecting media containing CUI — encryption of mobile media, secure disposal, and media sanitization procedures.

System and Communications Protection (16 requirements): encrypting CUI in transit and at rest, segmenting the network, and monitoring traffic at boundaries. The caveat that catches many small businesses: any cryptography used to protect CUI must be FIPS-validated (3.13.11), so a product that merely advertises "AES-256" does not satisfy the requirement unless its cryptographic module appears on the NIST CMVP list and is running in its validated configuration.

For many small businesses, the most impactful first steps are: enable MFA everywhere, turn on full-disk encryption on every device that can hold CUI (using a FIPS-validated module, not just any encryption), implement centralized log collection, and write a policy for each of the 14 families.

The Assessment Process for Level 2

When DoD requires CMMC Level 2 certification for a contract:

  1. Prepare a System Security Plan (SSP): document the CUI environment, which systems store, process, or transmit CUI, how each requirement is implemented, and a Plan of Action and Milestones (POA&M) for remaining gaps. Without an SSP an assessment cannot start.
  2. Conduct a self-assessment: score all 110 NIST SP 800-171 requirements using the DoD Assessment Methodology that 32 CFR 170.24 adopts for CMMC. Each requirement is worth 1, 3, or 5 points, subtracted from 110 when not met; a score of at least 88 with only 1-point gaps on the POA&M is the floor for conditional Level 2 status. Post the score in SPRS.
  3. Engage a C3PAO: the C3PAO conducts the formal assessment, typically 1–3 days on-site plus documentation review, examining evidence and interviewing staff for each requirement.
  4. Remediate findings: close any gaps the C3PAO identifies. If the result is conditional, every POA&M item must be closed and verified within 180 days or the certification lapses.
  5. Certification issued: the C3PAO records the result in CMMC eMASS, from which it flows to SPRS, and the company's affirming official submits an affirmation in SPRS at that time and annually afterwards.

Timeframe: Small businesses that begin preparation 6–12 months before contract award are in the best position. Rushing preparation creates gaps that C3PAO assessments will find.

Cost: C3PAO assessments for small businesses typically cost $30,000–$80,000 depending on the complexity of your CUI environment. Implementation costs to achieve Level 2 compliance vary widely — $20,000–$200,000+ depending on current state.

Practical Steps for Small Business CMMC Preparation

  1. Identify your CUI scope: What systems, networks, and people touch CUI? Minimizing the CUI scope minimizes the assessment burden.
  2. Consider a CUI enclave: isolate CUI processing in a separate, controlled environment instead of spreading it across the whole organization. Cloud-based enclaves (Microsoft 365 GCC High, AWS GovCloud) can simplify compliance considerably, but DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline or equivalent, so verify the provider's authorization before moving data.
  3. Microsoft 365 GCC High: for small businesses already on Microsoft 365, GCC High is assessed at the FedRAMP High baseline and covers a significant subset of 800-171 controls for email, collaboration, and file storage. The provider's authorization covers only its side of the shared-responsibility line; tenant configuration (MFA enforcement, conditional access, DLP rules, log retention) remains the contractor's responsibility and is what an assessor will examine.
  4. Fill the policy gap: Most small businesses have adequate technology but inadequate documented policies. Create written policies for each CMMC domain — even simple, clear policies demonstrate intent and process.

Rutagon provides CMMC advisory and implementation support for small defense contractors. Contact us to discuss your CMMC preparation.

Frequently Asked Questions

Does every DoD contractor need CMMC?

CMMC requirements apply to contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on DoD contracts. Contractors that do not, such as sellers of commercially available off-the-shelf (COTS) items and some research contractors, may not be required to obtain CMMC certification. The solicitation identifies the required CMMC level and assessment type. If you are unsure whether your work involves CUI, ask the contracting officer.

What is CUI and how do I know if I have it?

CUI (Controlled Unclassified Information) is a category of government information that requires safeguarding but is not classified. It includes technical data from defense programs, export-controlled technical information (EAR/ITAR), personally identifiable information, law enforcement sensitive information, and many other categories. The CUI Registry at archives.gov/cui lists all CUI categories. If DoD contracts involve technical drawings, specifications, test data, or program-sensitive information, it almost certainly involves CUI.

How long is CMMC certification valid?

CMMC Level 2 C3PAO certification is valid for three years (triennial certification). Annual affirmations are required to maintain the certification between triennial assessments. If significant changes occur to the CUI environment, a new assessment may be required before the three-year cycle completes.

Can a small business self-certify for CMMC Level 2?

Some Level 2 contracts allow self-assessment rather than C3PAO assessment — specifically "non-prioritized acquisitions" identified by DoD as lower risk. However, DoD has indicated that most contracts involving CUI will require C3PAO assessment. Self-assessments still require scoring, SSP documentation, and SPRS reporting — the difference is the absence of third-party verification. Check the specific contract solicitation language for the CMMC level and assessment type required.