CMMC

Certification · $25K–$200K+ · 6–18 months

Controls: Based on NIST 800-171 (Level 2) and 800-172 (Level 3)
Recertification: Three-year certification cycle
Oversight: Cyber AB; C3PAOs
Common gaps: CUI scoping, SSP, POA&M, access control
Related: FedRAMP, NIST CSF
Public registry: Cyber AB

What is CMMC?

CMMC is the US Department of Defense's certification program for contractors that handle controlled unclassified information (CUI). It builds on NIST 800-171.

Is CMMC a certification or an attestation?

It is a certification, assessed by an authorized C3PAO at the required level, on a three-year cycle.

Who needs CMMC?

Defense contractors and subcontractors in the DoD supply chain.

What does it cost and how long does it take?

Cost depends heavily on level and CUI scope; Level 2 third-party certification is a significant, multi-month effort.
