CMMC 2.0 Compliance for Sub-50-Employee Contractors — Real Timeline, Real Cost, Real Path
CMMC 2.0 enforcement begins late 2025 with a 3-year phase-in. Here's what a 20-person federal contractor actually needs to do, which level applies, the self-assessment vs C3PAO decision, and how DCAA-compliant audit trails satisfy 12 of the practices.
The 32 CFR Part 170 rule went final and the 48 CFR Part 204 rule phases CMMC into DoD contracts over 2025–2028. Most small contractors are pre-CMMC today and don't know it. This is the practical guide for sub-50-employee shops: which level applies to you, the self-assessment vs C3PAO decision, what it actually costs, and how to use your existing NIST 800-171 work.
CMMC in one paragraph
The Cybersecurity Maturity Model Certification is the DoD's third-party verification regime that ensures contractors actually implement NIST 800-171 (and a few additional controls at Level 3). CMMC doesn't add many new controls; it adds verification. Self-attestation under DFARS 7012 was easy to falsify. CMMC requires a Certified Third-Party Assessor Organization (C3PAO) to confirm what you've claimed — at least at Level 2 for sensitive CUI. The rule is structured to phase in over three years across new contracts; existing contracts are unaffected until modified.
Three levels
| Level | Underlying spec | Assessment | When required |
|---|---|---|---|
| Level 1 | FAR 52.204-21 (17 basic controls) | Self-assessment | FCI handling, no CUI |
| Level 2 | NIST 800-171 Rev 2 (110 controls) | Self-assessment OR C3PAO depending on contract | Most CUI contracts |
| Level 3 | NIST 800-171 + ~24 controls from 800-172 | DIBCAC | Most sensitive CUI, highest-priority programs |
Level 1 is the FCI tier. Federal Contract Information (FCI) is information not intended for public release that has not been designated CUI. Most federal contracts include FCI by default. Level 1 self-assessment is the floor.
Level 2 is the CUI tier and where most small contractors land. The 110 NIST 800-171 controls are unchanged from the existing DFARS 7012 self-attestation regime; what changes is who confirms it. Some Level 2 contracts allow self-assessment ("Level 2 — Self"), others require C3PAO certification ("Level 2 — Certified"). The contract specifies which.
Level 3 is rare for small contractors. Reserved for the most sensitive CUI and designated FISMA-High systems. DIBCAC (not C3PAO) conducts the assessment.
Which level applies to your contracts
The trigger is the contract clause language. After the 48 CFR Part 204 rule fully phases in, every CUI-bearing DoD contract will specify the required CMMC level. Until then, contracts are mixed — some pre-CMMC, some with Level 1 or Level 2 references, some with Level 2 Certified requirements.
Practical read for a small contractor today:
- If you have FCI but no CUI: Level 1, self-assessment, every 3 years. Manageable in-house.
- If you have CUI on existing contracts (DFARS 7012): You're already doing the work. Expect Level 2 Self to be the most common contract requirement. Some will require Level 2 Certified.
- If you do classified work or work designated as the highest-priority CUI: Level 3, DIBCAC assessment, plan for a lengthy and expensive process.
When in doubt, ask the contracting officer in writing. The contract clause has the answer.
Self-assessment vs C3PAO certification at Level 2
The fork in the road. Self-assessment is cheap and fast. Certification is expensive and slow but durable.
Level 2 Self-Assessment:
- Same methodology as the current DFARS 7012 self-attestation
- Posted to SPRS for 3 years
- Cost: marginal incremental over current DFARS 7012 work
- Required for many Level 2 contracts (typically lower-sensitivity CUI)
Level 2 Certified (C3PAO):
- Assessed by a Certified Third-Party Assessor Organization
- Certification valid for 3 years
- Cost: $20K–$80K for the assessment + 6–12 months of preparation
- Required for higher-sensitivity Level 2 contracts (more sensitive CUI)
You don't choose; the contract chooses. But you can prepare for either with the same NIST 800-171 implementation.
The phase-in timeline
The 48 CFR Part 204 rule structures the phase-in over three years from the rule's effective date:
| Phase | What happens | When |
|---|---|---|
| Phase 1 | New contracts may include CMMC requirements at the DoD program office's discretion | Effective date (T) |
| Phase 2 | C3PAO Level 2 requirements may appear in new contracts | T + 1 year |
| Phase 3 | Level 3 requirements for designated programs | T + 2 years |
| Phase 4 | All applicable contracts include CMMC requirements | T + 3 years |
Final rule was published in late 2024. Phase 1 is in effect for new contracts as of the rule's effective date. By Phase 4 (late 2027), every CUI-bearing DoD contract will reference CMMC.
What this means for SMBs: if you're bidding on DoD contracts today, the CMMC requirement may or may not be in the solicitation. By 2027, it definitely will be. Start preparing now.
What it actually costs
For a 20-person contractor going from zero-CMMC to a current Level 2 Self-Assessment posting:
| Item | Cost |
|---|---|
| NIST 800-171 implementation (if not already done) | See the NIST 800-171 guide — typically $22K–$62K Year 1 |
| Level 2 self-assessment internal time | 40–80 hours |
| SPRS posting | $0 (internal) |
| Self-assessment total (assumes NIST 800-171 already done) | $5K–$10K incremental |
For Level 2 Certified:
| Item | Cost |
|---|---|
| NIST 800-171 implementation + maturity | $22K–$62K Year 1 |
| Pre-assessment readiness work (gap analysis, SSP maturation) | $15K–$40K |
| C3PAO Level 2 assessment | $20K–$80K |
| Remediation between gap and assessment | $0–$50K depending on gaps |
| Annual surveillance cost (if applicable) | $5K–$15K/yr |
| Level 2 Certified total Year 1 | $60K–$200K |
The big variable is the gap between your current state and assessment-ready state. A contractor with 3 years of NIST 800-171 work behind them lands at the low end. A contractor starting cold lands at the high end.
The 17 practices that overlap with NIST 800-171
CMMC Level 2 IS NIST 800-171. Same 110 controls, same scoring methodology, same evidence. The only differences:
- Verification standard. Self-attestation under DFARS 7012 vs C3PAO assessment under CMMC Level 2 Certified.
- Maturity scoring. CMMC adds an implementation-maturity dimension — controls must be not only implemented but documented, repeated across the organization, and trackable.
- Conditional and Plan-of-Action allowances. CMMC limits the use of POA&M for not-implemented controls. Some controls (called "POA&M-prohibited") cannot be deferred — you implement them or you fail.
That third point is the operational change. Under DFARS 7012, you could post a SPRS score of 80 with 6 items on the POA&M and bid for work. Under CMMC Level 2 Certified, several specific high-impact controls (around access control, encryption, and incident response) must be Implemented at assessment time. POA&M for those = fail.
Where DCAA-compliant accounting fits
NIST 800-171 family 3.3 (Audit and Accountability) has 9 controls. DCAA-compliant timekeeping and accounting satisfies 5 of them for the accounting subsystem:
- 3.3.1 — Create and retain audit records (every timesheet entry logged with user + timestamp + before/after)
- 3.3.2 — Ensure actions are traceable (DCAA-required attribution)
- 3.3.4 — Alert on audit logging failures (DCAA-required system integrity)
- 3.3.8 — Protect audit information from tampering (DCAA-required immutability)
- 3.3.9 — Limit audit-record management to privileged users (DCAA-required segregation of duties)
If you're using a DCAA-compliant timekeeping and accounting system like FieldLedger, you've satisfied 5 of the 9 controls in family 3.3 for accounting data. The remaining 4 controls (around retention periods, log review cadence, and audit log content) need to be extended to your other systems (email, file storage, etc.). Those are typically handled by M365 GCC + Microsoft Sentinel.
This dual-purpose value is part of why DCAA-compliant accounting + M365 GCC is the cheapest defensible architecture for small federal contractors: each piece does double duty.
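The five 3.3 controls listed above describe concrete properties an audit trail must have: every change attributed to a user with a timestamp and before/after values, a tamper-evident record store, an alert when logging itself fails, and management of the records restricted to privileged users. The following Python sketch is an added example of an audit trail with those properties, written for this page; it is not FieldLedger code and not taken from the article. The in-memory store, the `auditor` role name, the record fields and the sample timesheet events are all constructed assumptions.

```python
"""Tamper-evident, attributable audit trail (added example; not FieldLedger code).
NIST 800-171 family 3.3 mapping: 3.3.1/3.3.2 user + timestamp + before/after on
every record; 3.3.4 a failed write raises an alert instead of being swallowed;
3.3.8 records are hash-chained so an edit or deletion is detectable; 3.3.9 only
the assumed "auditor" role may read back the raw chain. Store, role model and
record fields are illustrative assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Optional

GENESIS = "0" * 64  # predecessor hash of the first record (constructed sentinel)


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    user: str
    timestamp: str
    action: str
    before: Any
    after: Any
    prev_hash: str
    record_hash: str = ""

    @staticmethod
    def digest(fields: dict) -> str:
        # Canonical JSON so the hash does not depend on key order.
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"), default=str)
        return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLogFailure(RuntimeError):
    """Raised when a record could not be persisted (the 3.3.4 alert path)."""


class AuditTrail:
    def __init__(self, sink: Callable[[dict], None], alert: Callable[[str], None]):
        self._sink = sink      # persistence: file, database, SIEM forwarder
        self._alert = alert    # where logging failures are reported
        self._records: list[AuditRecord] = []

    def append(self, user: str, action: str, before: Any, after: Any) -> AuditRecord:
        prev = self._records[-1].record_hash if self._records else GENESIS
        body = {"seq": len(self._records), "user": user,
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "action": action, "before": before, "after": after, "prev_hash": prev}
        rec = AuditRecord(**body, record_hash=AuditRecord.digest(body))
        try:
            self._sink(asdict(rec))
        except Exception as exc:
            # 3.3.4: never let the business action continue silently without a record.
            self._alert(f"AUDIT LOG WRITE FAILED seq={rec.seq} user={user}: {exc}")
            raise AuditLogFailure(str(exc)) from exc
        self._records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the seq of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = asdict(rec)
            stored = body.pop("record_hash")
            if rec.seq != i or rec.prev_hash != prev or AuditRecord.digest(body) != stored:
                return i
            prev = stored
        return None

    def export(self, requesting_role: str) -> list[dict]:
        # 3.3.9: audit-record management is a privileged function.
        if requesting_role != "auditor":
            raise PermissionError("audit-record management is restricted to auditors")
        return [asdict(r) for r in self._records]


def demo() -> dict:
    """Constructed scenario: two timesheet events, an in-place edit, a failed write."""
    written: list[dict] = []
    alerts: list[str] = []
    trail = AuditTrail(sink=written.append, alert=alerts.append)
    trail.append("jdoe", "timesheet.hours.update", {"2025-03-03": 8.0}, {"2025-03-03": 10.0})
    trail.append("asmith", "timesheet.approve", {"status": "submitted"}, {"status": "approved"})
    intact_before = trail.verify()                  # None: chain checks out
    # Someone edits stored history directly, bypassing append() (3.3.8 check).
    trail._records[0].after["2025-03-03"] = 8.0
    first_bad = trail.verify()                      # 0: record 0 no longer hashes
    try:
        trail.export(requesting_role="timekeeper")  # 3.3.9: not an auditor
        export_denied = False
    except PermissionError:
        export_denied = True

    def broken_sink(_: dict) -> None:
        raise OSError("disk full")
    failing = AuditTrail(sink=broken_sink, alert=alerts.append)
    try:
        failing.append("jdoe", "timesheet.hours.update", {}, {})  # 3.3.4 check
        write_failed = False
    except AuditLogFailure:
        write_failed = True
    return {"intact_before": intact_before, "first_bad": first_bad,
            "export_denied": export_denied, "write_failed": write_failed,
            "alerts": alerts, "persisted": len(written)}
```

A hash chain only proves tampering to someone who holds a trustworthy copy of the chain head: an actor who can rewrite the whole store can recompute every hash. In practice the sink forwards each record (or at least the latest `record_hash`) to a separate log platform the timekeeping administrators cannot write to, which is the same reason the page routes the remaining 3.3 controls for other systems through M365 GCC and Sentinel.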
The C3PAO market is supply-constrained
There are about 60 C3PAOs accredited by the Cyber AB as of mid-2026. Each C3PAO has limited assessor capacity. The market is supply-constrained, and pricing reflects it.
- Get on a C3PAO's books 6–9 months before you need the assessment
- Mid-tier C3PAOs are cheaper but have less specialized industry experience
- Top-tier C3PAOs (Coalfire, Schellman, Kratos) charge premium pricing and book out 12+ months
- Specialty C3PAOs focused on specific industries (manufacturing, IT services) often outperform generalists for that vertical
The shortest path: pick a C3PAO that specializes in your contractor type. They've seen your environment before and the assessment runs faster.
Common mistakes
1. Treating CMMC as net-new work. CMMC Level 2 is NIST 800-171. If your DFARS 7012 work is in good shape, you're 90% of the way there. The remaining 10% is maturity dimensions (documentation depth, evidence retention) and the POA&M-prohibited control list.
2. Waiting until the contract requires it. The 6–12 month preparation timeline means if you wait until a contract requires CMMC, you've already missed the opportunity. Prepare 12 months ahead.
3. Picking the wrong level for your business. Level 1 self-assessment is much cheaper but only legal if you genuinely don't handle CUI. If you handle CUI, Level 2 is the floor. Don't try to qualify as Level 1 to save money.
4. Forgetting the maturity dimension. Implementation alone isn't enough at Level 2 Certified. The control needs documentation, repeatability across the organization, and evidence of consistent application. "We did it once" doesn't satisfy a C3PAO.
5. Underestimating the scoping work. Defining your CMMC assessment boundary — which systems are in scope, which CUI categories are involved — is half the SSP work. Get this right early; rescoping mid-assessment is expensive.
What to do this quarter
1. Confirm your current DFARS 7012 / NIST 800-171 posture. Pull your SPRS score. If it's older than 3 years or below 60, that's your starting point.
2. Inventory your CUI scope. Which contracts? Which systems? Which categories?
3. Identify your likely CMMC level. Talk to contracting officers about anticipated CMMC requirements for renewals and new bids.
4. Decide self-assessment vs C3PAO path. If any of your contracts will require Level 2 Certified, start the C3PAO selection now.
5. Tighten the maturity dimension. Document your implementations. Show consistent application across the organization. Make the C3PAO's job easy.
Related reading
- Take the free 5-minute DCAA readiness assessment — score your accounting system against the 7 DCAA focus areas.
- How the FieldLedger indirect rate engine works — FAR 31.2 Structure A and B, resolved automatically.
- Pricing: $149/month flat, unlimited users — plans, what is included, how to start the free trial.