If you are a small defense contractor, the short answer is this: CMMC is no longer a future problem. DoD says Phase 1 began on November 10, 2025, and Level 2 now shows up in solicitations. Your real work is scoping CUI correctly, closing the ugly 800-171 gaps, and producing evidence that survives assessment.
Sources: DoD CMMC program, DoD CIO CMMC overview, SPRS NIST SP 800-171 page
What changed as of 2026
The two dates that matter are not vague.
DoD says the final DFARS rule was published on September 10, 2025, took effect on November 10, 2025, and started a three-year rollout of CMMC requirements into contracts. Under DoD's phased schedule, Phase 1 runs roughly one year from November 10, 2025 and focuses primarily on Level 1 and Level 2 self-assessments, while still allowing some Level 2 C3PAO requirements earlier in specific procurements.
That means many small contractors are now in the awkward middle period: the assessment requirement is real, but the exact assessment type still depends on the solicitation.
What Level 2 means for a small contractor
DoD's current Level 2 model is still tied to the 110 security requirements in NIST SP 800-171 Revision 2. The DoD CIO CMMC page is explicit about that. It also says Level 2 requires either:
- a self-assessment every three years for select programs, or
- a C3PAO assessment every three years when the solicitation requires certification
In both cases, annual affirmation is still required.
That detail matters because owners often hear "CMMC" and assume every small contractor needs to buy a third-party assessment immediately. That is not the current rule. Some do. Some do not. The contract decides.
If your immediate problem is the SPRS score behind that assessment, a NIST 800-171 self-assessment and SPRS scoring guide is the more tactical next read.
The four cost buckets that actually matter
Small contractors usually ask the wrong cost question first.
The expensive part is not just "what does the assessment cost?" The more useful question is "what will it take to make our environment assessable?"
For most small firms, cost shows up in four buckets:
1. Scoping and architecture cleanup
If you have never drawn a hard line around where CUI lives, the first cost is time. Bad scoping creates fake savings early and very expensive remediation later. The smaller you can credibly keep the CUI boundary, the less you have to harden, monitor, document, and defend.
2. Control remediation
This is where the money usually goes. Common gap areas are MFA coverage, privileged access, endpoint coverage on every in-scope asset, log review, secure configuration, backup testing, and vendor access control. If your current environment already meets the operational bar discussed in what controls cyber insurers require in 2026, your CMMC remediation list is usually shorter, not because the frameworks are the same, but because the hygiene is real.
3. Documentation and evidence
A small contractor can have decent controls and still fail the "show me" part. The system security plan, policies, diagrams, account-management evidence, training records, restore-test evidence, and POA&M discipline all take labor. This is where many MSP-only environments start to wobble.
4. Assessment and closeout
Once you are actually ready, then the assessment cost matters. If the solicitation requires a self-assessment, your direct external spend can be lower. If it requires a C3PAO assessment, budget pressure goes up and weak preparation becomes expensive.
The timeline small contractors should plan around
A realistic timeline is usually shorter than people fear if the environment is already disciplined, and much longer than they expect if access sprawl and undocumented exceptions have piled up for years.
Use this working model:
Weeks 1-2: decide scope
Identify which systems actually process, store, or transmit CUI and which systems protect them. If you cannot answer that cleanly, stop there first. Everything else depends on scope.
Weeks 2-6: score current state honestly
Run the self-assessment against the current DoD methodology, not against the version of your environment you wish you had. Build the SSP and POA&M from what is true now. Remember that SPRS stores the result; it does not perform the assessment for you.
Weeks 6-12: close the hard gaps
Fix the control failures that change the outcome of an assessment: identity, admin access, endpoint visibility, logging, configuration management, backups, and documented response. For many firms, this is where managed detection and response and managed ITDR stop being tool purchases and start being evidence-producing controls.
Final prep: evidence review and affirmation
Before you affirm anything, make sure the evidence matches the answer. Underwriters, assessors, and contracting officers all punish the same weakness: saying Yes to a control that only exists on paper.
Can you use a POA&M at Level 2?
Yes, but not as a parking lot for unfinished basics.
The DoD CIO page says POA&Ms are permitted for Level 2 under the rule in 32 CFR Part 170, must meet the rule's limits, and must be closed through a closeout assessment within 180 days of the conditional status date. It also points out that some critical requirements cannot be placed on a POA&M.
That means a POA&M is a narrow remediation bridge, not a strategy for entering assessments half-built.
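As an added worked example (not the page's own material, and not a DoD or SPRS tool), the following Python script does the arithmetic behind two steps above: "score current state honestly" and the Level 2 POA&M limits in this section. It computes an SPRS-style score from a requirement-status list using the 1/3/5-point weights and the partial-credit rule for MFA (3.5.3) and FIPS cryptography (3.13.11), refuses to score without an SSP or with any requirement left unrecorded, then checks whether the open misses can sit on a POA&M and when the 180-day closeout falls. The weight subset, the sample status data and the conditional-status date are constructed; the weights and the POA&M limits (88-point floor, one-point ceiling with the 3.13.11 exception, five never-deferrable requirements) are stated as I read the DoD Assessment Methodology Annex A and 32 CFR 170.21 and should be verified against the current text before use.

```python
from datetime import date, timedelta

# Point weights from the DoD NIST SP 800-171 Assessment Methodology, Annex A.
# Constructed subset for illustration, not the full 110-requirement table;
# weights are as I read the methodology and must be verified against it.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.5": 3,    # least privilege
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.3.1": 5,    # create and retain system audit logs
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect CUI at backup storage locations
    "3.10.3": 1,   # escort and monitor visitors
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}
TOTAL_REQUIREMENTS = 110   # score starts at 110 and falls by the weight of each miss
# Assumption (methodology): MFA and FIPS crypto deduct 3, not 5, when partially implemented.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Assumption (32 CFR 170.21(a)(2), as I read it): a Level 2 POA&M needs a score of at
# least 80% (88), may hold only 1-point items (3.13.11 at 3 points is the one exception),
# and may never hold these five requirements. Closeout is due within 180 days.
POAM_MIN_RATIO = 0.8
POAM_NEVER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
POAM_CLOSEOUT_DAYS = 180


def deduction(req_id, status):
    """Points lost for one requirement. status: met | n/a | partial | not_met."""
    if status in ("met", "n/a"):          # N/A needs a written justification but loses no points
        return 0
    if status == "partial":               # partial credit exists only for MFA and FIPS crypto
        return PARTIAL_CREDIT_DEDUCTION.get(req_id, WEIGHTS[req_id])
    if status == "not_met":
        return WEIGHTS[req_id]
    raise ValueError(f"unknown status {status!r} for {req_id}")


def sprs_score(statuses, has_ssp=True):
    """Return (score, misses); misses is a list of (req_id, points_lost)."""
    if not has_ssp:
        # Assumption: with no system security plan (3.12.4) there is nothing to score.
        raise ValueError("no SSP on file: the environment cannot be assessed")
    unscored = sorted(set(WEIGHTS) - set(statuses))
    if unscored:                          # refuse to guess: an unrecorded requirement is not "met"
        raise ValueError(f"no status recorded for {unscored}")
    misses = []
    for req_id in WEIGHTS:
        lost = deduction(req_id, statuses[req_id])
        if lost:
            misses.append((req_id, lost))
    return TOTAL_REQUIREMENTS - sum(lost for _, lost in misses), misses


def poam_check(score, misses, statuses, conditional_date):
    """Can the open misses sit on a Level 2 POA&M, and when is closeout due?"""
    reasons = []
    if score < POAM_MIN_RATIO * TOTAL_REQUIREMENTS:
        reasons.append(f"score {score} is below {int(POAM_MIN_RATIO * TOTAL_REQUIREMENTS)}")
    for req_id, lost in misses:
        if req_id in POAM_NEVER:
            reasons.append(f"{req_id} may never be placed on a POA&M")
        elif req_id == "3.13.11" and statuses[req_id] == "partial":
            continue                      # encryption present but not FIPS-validated: allowed
        elif lost > 1:
            reasons.append(f"{req_id} ({lost} points) must be fixed before the assessment")
    return {
        "eligible": not reasons,
        "reasons": reasons,
        "closeout_deadline": conditional_date + timedelta(days=POAM_CLOSEOUT_DAYS),
    }


# Constructed sample: a small firm's honest current state, and a constructed
# conditional-status date for the deadline arithmetic.
SAMPLE = {
    "3.1.1": "met", "3.1.5": "met", "3.1.12": "met", "3.3.1": "met",
    "3.3.3": "not_met",    # logs exist, nobody reviews them
    "3.5.3": "partial",    # MFA on remote access, not on local admin logon
    "3.8.9": "not_met",    # backups exist but are not access-controlled
    "3.10.3": "met",
    "3.13.11": "partial",  # TLS everywhere, but not FIPS-validated modules
    "3.14.2": "met",
}
SAMPLE_CONDITIONAL_DATE = date(2026, 3, 2)

if __name__ == "__main__":
    score, misses = sprs_score(SAMPLE)
    print("score:", score, "misses:", misses)
    print(poam_check(score, misses, SAMPLE, SAMPLE_CONDITIONAL_DATE))
```

Run as-is, the sample scores 102 but is not POA&M-eligible, because the MFA gap is a 3-point item; mark 3.5.3 as met and the same environment becomes eligible at 105 with the two 1-point misses and the FIPS exception left to close out. That is the distinction the section is making: the score can clear 88 and the POA&M can still be refused on a single weighted item.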
The practical Level 2 checklist
If you want the plain-English order of operations, use this:
- Confirm whether the solicitation points you to Level 2 self-assessment or Level 2 C3PAO certification.
- Draw the CUI boundary and remove systems that do not belong in scope.
- Build or update the SSP around the actual environment, not planned future state.
- Score the environment using the current DoD assessment methodology and identify the weighted misses (each unmet requirement costs 1, 3, or 5 points off the 110 maximum).
- Fix identity, privileged access, endpoint, logging, backup, and configuration gaps first.
- Clean up vendors, remote access paths, local admin sprawl, and training records.
- Re-check evidence before affirmation or assessment.
- Enter and maintain the required information in SPRS where applicable.
Where small contractors lose time
Three mistakes cause most schedule slips:
- treating CMMC as a policy project instead of an operations project
- leaving shared admin habits in place because "everyone is trusted here"
- assuming the SSP can be written after remediation instead of during it
That last one is costly. The SSP is not a brochure. It is the map of what you are claiming exists.
Where Obsidian Ridge fits
The practical help most small contractors need is not a giant compliance binder. It is tightening the operating environment so the compliance story becomes defensible: endpoint coverage, identity monitoring, access discipline, restore evidence, and plain-English documentation.
That is why the useful adjacent pages here are managed detection and response, managed ITDR, and cyber insurance readiness. Different frameworks, same reality: if the evidence is weak, the answer is weak.
FAQ
Is CMMC already in contracts now?
Yes. DoD says Phase 1 began on November 10, 2025 and contracting officers now include CMMC requirements in new solicitations and contracts during the rollout.
Does every small defense contractor need a C3PAO right away?
No. The DoD CIO guidance says Level 2 may be a self-assessment or a C3PAO assessment depending on what the solicitation requires.
How long is a Level 2 result valid?
DoD says Level 2 status is valid for three years from the status date, with annual affirmation required in between.
Can we do the assessment inside SPRS?
No. SPRS stores NIST SP 800-171 assessment results. The SPRS site says the Basic Assessment itself is not performed in SPRS.
What is the first thing to fix if we are behind?
Start with scope and identity. If you do not know where CUI lives or who has admin-level access into that environment, every later answer gets weaker.