CMMC Compliance Guide for Business Owners: Scope, Cost, Timeline, and What Auditors Actually Check

Get ready for your CMMC Level 2 audit. Compliance guide for business owners: scope, requirements, audit evidence, timeline, and cost. Includes FAQs & readiness checklist
Cybersecurity · CMMC · DoD Contractors · General · February 18, 2026

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on non-federal systems. For most suppliers that handle CUI, the core focus is CMMC Level 2, because CMMC Level 2 requirements align to the 110 security requirements in NIST SP 800-171 Rev. 2.

This guide explains what CMMC is, the key developments so far, what changes in Phase 2, and how to prepare for a Level 2 assessment without over-scoping your business.

What this article covers:

  • CMMC history and what changed recently
  • CMMC Phase timeline and what Phase 2 means
  • CMMC Level 2 requirements
  • What auditors look for, and what evidence you need
  • Timeline and cost drivers, plus a practical readiness checklist

Quick history of CMMC and the biggest developments so far

CMMC was created to standardize cybersecurity requirements across the defense supply chain. It evolved into CMMC 2.0 and then into formal rules and a phased contracting rollout through Federal Register publications.

Here is the timeline that matters most for business owners:

History

  • 2020: CMMC was introduced as a model to standardize cybersecurity expectations across the Defense Industrial Base.
  • 2021: DoD announced CMMC 2.0, simplifying the model and aligning more directly with existing standards like NIST SP 800-171.

Key Milestones

  • The CMMC Program Rule (32 CFR Part 170) was published on October 15, 2024, establishing the program framework and oversight structure. It became effective December 16, 2024.
  • The final DFARS rule that brings CMMC into DoD contracting was published on September 10, 2025 and became effective November 10, 2025.

CMMC phases and what is coming next

According to DoD guidance, the rollout is structured in four phases.

  • Phase 1 (Nov 10, 2025 to Nov 9, 2026): Early contract use, often involving Level 1 and Level 2 self-assessments where allowed.
  • Phase 2 (starts Nov 10, 2026): Expanded use of CMMC Level 2 certification through a C3PAO for applicable awards.
  • Phase 3 (starts Nov 10, 2027): Broader use, and Level 3 begins appearing for select programs.
  • Phase 4 (starts Nov 10, 2028): Full implementation across applicable solicitations and option periods.

Business impact: Phase 2 is when many suppliers feel the pressure most, because you may need third-party certification completed to win certain awards.

What CMMC means for your business

Most business owners do not struggle with the idea of CMMC. They struggle with the practical questions:

  • Are we in scope?
  • What level do we need?
  • What will the audit require?
  • How long will readiness take?
  • What should we budget now, and what costs recur?

Let’s break it down in business terms.

Prefer video? Right Click co-CEO Baiju recorded a 3-part CMMC playlist that breaks down scope, audit requirements, timing, and cost. Start with Part 1 and watch the full series below.

What determines whether you are in scope for CMMC?

The single biggest lever you control is scope, meaning which people, devices, networks, and cloud services are considered part of the environment that handles CUI.

A common mistake is assuming “CMMC applies to our whole company.” For many suppliers, the better approach is to minimize where CUI lives and who touches it. That typically comes down to controlling three things:

  • Where CUI is received
  • Where CUI is stored
  • Where CUI is sent

If you can design workflows so CUI stays inside a defined enclave, you reduce how many endpoints, users, and systems must be audited.

Cloud configuration matters as much as the platform:

Using Microsoft 365 does not automatically mean you are compliant. For CUI, many organizations use government cloud options and tighten configurations so that identity, access, logging, device controls, and data protections meet the required standard. The platform choice does matter, but the build and the evidence matter more.

Which CMMC level applies to your business?

CMMC levels map to the sensitivity of the data and the contract requirement:

  • Level 1 is generally for FCI and aligns to basic safeguarding expectations.
  • Level 2 is for CUI and aligns to NIST SP 800-171 (the “110 requirements” most contractors hear about).
  • Level 3 is reserved for the highest priority programs and adds advanced requirements beyond Level 2.

For most defense suppliers who handle CUI, Level 2 is the level that drives readiness work.

Where we are now, and what changes in Phase 2

Phase 1 began November 10, 2025 and runs through November 9, 2026. DoD guidance notes Phase 1 focuses primarily on Level 1 and Level 2 self-assessments in applicable contracts, along with required affirmations in DoD systems.

What Phase 2 changes (starting November 10, 2026)

Phase 2 is important because it expands the use of Level 2 third-party assessments (performed by a C3PAO) as a condition for award in applicable solicitations and contracts.

What that means in practice:

  • More suppliers will need Level 2 certification completed (not just preparation in progress) to be eligible for certain awards.
  • Scheduling, evidence quality, and audit readiness become more time-sensitive because third-party assessment capacity is finite.
  • Primes tend to push suppliers earlier, since supplier status can impact proposal competitiveness and award timelines.

What the audit is really like

CMMC audits are evidence driven. Assessors validate that you not only have controls in place, but also operate them consistently.

Expect three kinds of proof:

  1. Policies and procedures that define what you do
  2. System evidence (configurations, settings, access controls, logs)
  3. Operational evidence showing it is happening over time (tickets, reports, reviews, training completion, approvals)

This is why many organizations feel “close” but still fail readiness checks. They have the tools, but not the documentation and evidence trail that proves consistent execution.

Documentation is where most teams get stuck

CMMC Level 2 maps to 110 controls, but in an assessment those 110 controls break down into 320 assessment objectives. That means your team must be ready to show evidence for each objective in a structured, repeatable way.

A common gap appears in basic operational areas:

  • user provisioning and deprovisioning
  • access approvals
  • periodic access reviews
  • vulnerability management and remediation timelines
  • training records and acknowledgements

If your process is informal, you may still be doing the right things. The issue is that auditors evaluate what you can prove.

How long it takes to get audit ready

For many small to mid-sized organizations, a realistic planning range is 3 to 6 months depending on:

  • how much CUI you handle and where it lives
  • how many endpoints are in scope
  • whether you have a clean enclave or mixed-use systems
  • how mature your documentation and ticketing discipline is today

The technical build can move quickly when scope is small. Evidence gathering, policy alignment, and mock audit preparation often take longer than expected.

What does CMMC Level 2 cost?

Costs vary widely by scope, current maturity, and architecture, but business owners typically budget for:

  • Readiness work: gap assessment, remediation, building the environment, policies, procedures, and evidence organization
  • Assessment costs: the third-party assessment itself, plus internal time and preparation
  • Ongoing costs: secure cloud licensing, endpoint management, security monitoring, and ongoing compliance effort

The fastest path to cost control is almost always the same: reduce scope and build a clean enclave so you have fewer systems to harden and fewer moving parts to prove.

Cost Map

Cost area            | What it covers                                          | Typical range                 | What drives it
C3PAO assessment     | Formal Level 2 assessment (sometimes includes mock)     | $40k–$50k                     | Scope size, sites, travel
Readiness prep       | Scope, controls, documentation, evidence packaging      | $40k–$50k                     | Current maturity, scope, workflow complexity
Compliant licensing  | Secure environment and compliant collaboration stack    | $3k–$10k per month            | Number of in-scope users, architecture
Security tooling     | Monitoring and endpoint protection                      | $30–$50 per device per month  | Device count, log retention, EDR needs
Internal time        | Ongoing governance and evidence discipline              | 5–10 hours per week           | Cadence and process ownership

After certification: sustaining compliance

CMMC is not a one-time project. Once you are certified, you still need to sustain the program:

  • keep evidence current
  • monitor and respond to alerts
  • document reviews and recurring activities
  • manage changes carefully (new tools, new users, new workflows)

A steady weekly rhythm is usually more effective than scrambling quarterly.

How Right Click can help with CMMC audit preparation

Right Click helps businesses prepare for CMMC by scoping and reducing your CUI footprint, designing a compliant environment, implementing required technical controls, building the documentation and evidence your assessor will expect, and running a mock assessment so your real audit has no surprises.

If you want a clear plan for Phase 2 readiness and a timeline that matches your contract opportunities, schedule a call with our team and we will walk through your scope and next steps.

Want to see exactly how we support CMMC Level 2 readiness? Explore our CMMC compliance services.

FAQs

  1. How do I know if I need CMMC Level 2?
    If you process, store, or transmit CUI in your environment, you are typically looking at CMMC Level 2 for applicable DoD work. The level you need is ultimately determined by what appears in the solicitation and contract requirements.
  2. How often do we have to renew or reassess for CMMC Level 2?
    For Level 2 (Self), the rule requires performing a Level 2 self-assessment every three years and submitting results, along with annual affirmation to maintain compliance. For Level 2 (C3PAO), certification assessments are also on a three-year cycle, with ongoing affirmations.
  3. Can Google Workspace be used for CMMC Level 2?
    It can be, but it typically requires more extensive configuration and controls (including ensuring only US persons support the environment), and it can be operationally heavier than other approaches.
  4. Do we need a SIEM for CMMC Level 2 requirements?
    CMMC Level 2 requires audit logging, accountability, and the ability to detect and respond to events. Many organizations use a SIEM to centralize logs and demonstrate monitoring, but the key is being able to produce audit-ready evidence and response records.
  5. What if we print CUI or move files via USB or thumb drives?
    Printed documents and removable media can complicate scope and controls because you now need strong physical protections, handling procedures, and evidence that the process is managed consistently.
  6. Are subcontractors and suppliers “in scope” for our CMMC Level 2 effort?
    If you exchange CUI with subs or suppliers, they are often effectively in scope, and it becomes your responsibility to ensure those partners are compliant for that CUI handling.
  7. How far back does evidence need to go for CMMC Level 2?
    There is no single number that fits every control. A practical approach is to show enough history to demonstrate the control is operating on its intended cadence (for example, recurring reviews, scanning, patching, training, and access checks).
  8. What documents should we have ready for a Level 2 assessment?
    Most organizations prepare an SSP, policies and procedures aligned to the 14 control families, network and data flow documentation for CUI scope, and an organized evidence repository mapped to requirements. The Level 2 Assessment Guide is a useful reference for what assessors look for.
  9. Can we “pass” CMMC Level 2 with a POA&M?
    Yes, but only in limited circumstances. The rules allow a Conditional Level 2 (C3PAO) status if the POA&M meets the program’s requirements, and the POA&M must be closed out within 180 days with a closeout assessment.
  10. What happens if we do not close POA&M items in time?
    If the POA&M is not successfully closed out within 180 days, the Conditional Level 2 status expires.
  11. What is the most common reason companies fail CMMC Level 2 readiness checks?
    Not having enough proof. Teams often have tools in place, but cannot produce consistent, audit-ready evidence that processes are actually happening over time (access reviews, patch timelines, incident handling, training records, and change control).
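The "documentation is where most teams get stuck" section and FAQ 7 both come down to the same question: does your evidence log show each recurring activity happening on its intended cadence, with no holes an assessor would notice first? The script below is an added example written for this guide (it is not code from the article or from Right Click) that runs that check over an evidence log. The control labels, cadences, artifact references and dates are constructed for the example; the cadences you would actually enforce are the ones your own policies and SSP commit to.

```python
"""Evidence-cadence gap finder (added example; constructed data throughout)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    control: str     # label for the recurring activity (assumed naming scheme)
    performed: date  # date the artifact shows the activity happened
    artifact: str    # where the proof lives (ticket id, report path, LMS export)


# Expected interval per control, in days. These are assumptions for the example;
# use the cadence your policies and SSP actually commit to.
CADENCE_DAYS = {
    "access-review": 90,       # quarterly access review
    "vuln-scan": 30,           # monthly vulnerability scan
    "patch-report": 30,        # monthly patch status report
    "security-training": 365,  # annual awareness training
}

# Constructed evidence log: one quarter of access reviews is missing, and no
# patch reports were ever recorded.
SAMPLE_EVIDENCE = [
    Evidence("access-review", date(2025, 1, 15), "TICKET-101"),
    Evidence("access-review", date(2025, 4, 10), "TICKET-158"),
    Evidence("access-review", date(2025, 10, 20), "TICKET-301"),
    Evidence("vuln-scan", date(2025, 9, 3), "scans/2025-09.pdf"),
    Evidence("vuln-scan", date(2025, 10, 1), "scans/2025-10.pdf"),
    Evidence("vuln-scan", date(2025, 11, 4), "scans/2025-11.pdf"),
    Evidence("security-training", date(2025, 3, 1), "lms-export-2025.csv"),
]
AS_OF = date(2025, 12, 1)  # constructed assessment date


def find_gaps(evidence, cadence_days, as_of, grace_days=7):
    """Return one finding dict per cadence problem.

    A finding is raised when a control has no artifacts at all, when two
    consecutive artifacts are more than cadence + grace days apart ("gap"),
    or when the newest artifact is older than cadence + grace days relative
    to as_of ("stale"). Findings come back in the order of cadence_days.
    """
    by_control = {}
    for item in evidence:
        by_control.setdefault(item.control, []).append(item.performed)

    findings = []
    for control, period in cadence_days.items():
        limit = timedelta(days=period + grace_days)
        dates = sorted(by_control.get(control, []))
        if not dates:
            findings.append({"control": control, "issue": "no evidence",
                             "start": None, "end": as_of, "days": None})
            continue
        for prev, cur in zip(dates, dates[1:]):
            if cur - prev > limit:
                findings.append({"control": control, "issue": "gap",
                                 "start": prev, "end": cur,
                                 "days": (cur - prev).days})
        if as_of - dates[-1] > limit:
            findings.append({"control": control, "issue": "stale",
                             "start": dates[-1], "end": as_of,
                             "days": (as_of - dates[-1]).days})
    return findings


def ready_controls(evidence, cadence_days, as_of, grace_days=7):
    """Controls whose evidence history shows the intended cadence with no holes."""
    flagged = {f["control"] for f in find_gaps(evidence, cadence_days, as_of, grace_days)}
    return sorted(c for c in cadence_days if c not in flagged)


if __name__ == "__main__":
    for f in find_gaps(SAMPLE_EVIDENCE, CADENCE_DAYS, AS_OF):
        print(f"{f['control']:<18} {f['issue']:<12} {f['start']} -> {f['end']} ({f['days']} days)")
    print("on cadence:", ", ".join(ready_controls(SAMPLE_EVIDENCE, CADENCE_DAYS, AS_OF)))
```

Running it against the constructed log flags a 193-day hole between the April and October access reviews and the complete absence of patch reports, while the monthly scans and annual training come back as on cadence. Pointing the same check at an export of your own ticketing system, scan reports and training records is a cheap way to find the gaps a mock assessment would otherwise surface late.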
