New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →

Framework Guide · CMMC

CMMC 2.0 (Cybersecurity Maturity Model Certification)

The DoD's cybersecurity gate. Miss the deadline, lose the contract.

Who needs it: Any organization in the DoD supply chain — prime contractors and every subcontractor handling FCI or CUI.

Overview

CMMC 2.0 has three levels. Most defense subcontractors handling Controlled Unclassified Information (CUI) need Level 2, which maps to NIST SP 800-171's 110 controls and requires third-party assessment.

Timeline

6–12 months to Level 2 assessment readiness for most SMBs.

Typical cost

$40k–$150k depending on scope, existing maturity, and enclave decisions.

What it covers

Access ControlAwareness & TrainingAudit & AccountabilityConfiguration ManagementIdentification & AuthenticationIncident ResponseSystem & Communications Protection

How Scarlet Risk helps

  • Gap analysis

    Automated scoring against all 110 NIST 800-171 controls.

  • POA&M tracking

    Manage remediation with SPRS-ready evidence.

  • CMMC readiness reports

    Board-Ready and Policy Gap reports mapped to DoD language.

Frequently asked

Do I need CMMC Level 2?

If you touch CUI (Controlled Unclassified Information), yes. Level 1 covers FCI only. If your contracts reference DFARS 252.204-7012, you're almost certainly Level 2.

When does CMMC take effect?

The final rule is phased in through late 2026. New DoD contracts progressively require CMMC certification, and primes are already flowing it down.

What's an SPRS score?

The Supplier Performance Risk System score is a self-assessment against NIST 800-171 (max 110). DoD contracts require you to post one; a low or missing score is a real risk.

Can I self-attest?

Level 1 and a subset of Level 2 allow self-attestation. Most Level 2 contracts require assessment by a Certified Third-Party Assessor Organization (C3PAO).

Ready to shortcut CMMC?

Scarlet Comply and our on-demand reports collapse months of prep into hours.

Other frameworks