Matter Labs
Compliance

CMMC

Cybersecurity Maturity Model Certification

A Department of Defense framework that requires defense contractors to meet specific cybersecurity standards to protect Controlled Unclassified Information (CUI) in their systems.

What is CMMC?

CMMC was created because self-attestation to cybersecurity standards (NIST SP 800-171) was not working — audits found widespread non-compliance among defense contractors. CMMC adds third-party assessment requirements to verify that companies actually implement the security controls they claim.

CMMC 2.0 has three levels. Level 1 requires 15 basic cyber hygiene practices and allows self-assessment. Level 2 aligns with NIST SP 800-171 (110 controls) and requires third-party assessment for contracts involving CUI. Level 3 adds additional controls from NIST SP 800-172 for the most sensitive programs.

For startups, CMMC compliance is increasingly a gate to defense contracts. Even subcontractors who handle CUI must meet Level 2 requirements. The cost of compliance can be significant — expect $50K-$200K+ for a small company to implement controls, document policies, and undergo assessment.

The phased rollout means CMMC requirements are appearing in new contracts progressively. Companies that achieve compliance early gain a competitive advantage, because competitors that cannot meet the cybersecurity requirements will be excluded from bidding on those contracts.

Have questions about CMMC?

Matter Labs has hands-on experience navigating government contracting. Let's talk about how we can help.
