
CMMC 2.0 Compliance Checklist for Small Businesses (2026)

Step-by-step CMMC Level 1 and Level 2 compliance checklist. Implementation costs, timeline, common pitfalls, and why small DoD vendors must prioritize this.

CMMC 2.0 is mandatory for most Department of Defense contractors. Level 1 ($10K-$20K) covers basic security. Level 2 ($40K-$80K) covers moderate protection for sensitive data. If you want DoD contracts in 2026, compliance is not optional—it's the cost of entry.

Do You Need CMMC?

You need CMMC if: (1) you have a DoD contract, (2) you store, transmit, or process CUI (controlled unclassified information) for DoD, or (3) you're a subcontractor to a DoD prime. Most defense tech needs CMMC. Cloud-only SaaS is sometimes exempt. Check with your contracting officer.

CMMC Level 1: The Minimum (14 practices, ~40 hours)

Cost: $10K-$20K. Timeline: 4-8 weeks. Scope: Basic DoD security (DFARS 252.204-7012).

Level 1 Checklist

  • System/Info Integrity: Antivirus on all endpoints. Automatic patching. System hardening. Hardware/software inventory.
  • Access Control: MFA for all users. Passwords 12+ chars, complexity, 90-day rotation (or passwordless).
  • Awareness/Training: Annual security training. Document attendance.
  • Audit/Accountability: Audit logging on systems. Retain logs 1+ year. Monthly review.
  • ID/Authentication: User accounts for current employees. Disable within 1 day of departure. Lockout after 5 failed attempts.
  • Security Planning: Written security policy. Incident response plan. Annual risk assessment.

Implementation Path

  • Week 1-2: Inventory devices, software, cloud services. Document current state.
  • Week 2-4: Deploy missing controls (MFA, Windows Update, endpoint protection).
  • Week 4-8: Document compliance, write policies, train staff, prepare audit evidence.

Cost breakdown: 30% labor ($6K, 40 hrs contractor @ $150/hr), 70% software ($10K-$15K/year for EDR, MFA, scanning).

CMMC Level 2: Moderate Maturity (110+ practices, ~200 hours)

Cost: $40K-$80K. Timeline: 12-16 weeks. Scope: NIST SP 800-171 + DFARS requirements.

Level 2 Additions

  • Cryptography: Encrypt at rest & in transit. FIPS-validated algorithms. Key management.
  • System/Comms Protection: Network segmentation. Intrusion detection. Firewall rules. VPN for remote.
  • Dev & Maintenance: Code review pre-deployment. Vuln scanning in CI/CD. Secure coding.
  • Incident Response: Documented IR plan. Annual test. 72-hour DoD reporting.
  • Continuous Monitoring: Weekly vuln scans. Critical patches 15 days, others 30 days. System monitoring/alerting.
  • Supply Chain: Vendor assessment. Third-party security requirements. Supplier risk eval.
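
The continuous-monitoring item above sets concrete patch windows (critical within 15 days, everything else within 30). The following is an added example, not part of the original checklist, of how a small vendor can turn weekly scan output into the overdue list an assessor will ask for; it assumes scanner results have already been normalised into host, finding id, severity and dates, and the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Patch windows from the checklist: critical 15 days, all other severities 30 days.
SLA_DAYS = {"critical": 15}
DEFAULT_SLA_DAYS = 30


@dataclass
class Finding:
    host: str
    finding_id: str            # constructed scanner identifier, not a real CVE
    severity: str              # critical / high / medium / low as reported by the scanner
    found: date                # date the weekly scan first reported it
    patched: Optional[date] = None   # None while the finding is still open


def deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the 15/30-day policy."""
    return f.found + timedelta(days=SLA_DAYS.get(f.severity.lower(), DEFAULT_SLA_DAYS))


def sla_status(f: Finding, today: date) -> str:
    """'met' or 'late' for closed findings; 'open' or 'overdue' for findings still unpatched."""
    due = deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= due else "late"
    return "overdue" if today > due else "open"


def sla_report(findings: List[Finding], today: date) -> Dict[str, List[Finding]]:
    """Group findings by SLA status; the 'overdue' bucket is the audit finding waiting to happen."""
    report: Dict[str, List[Finding]] = {"met": [], "late": [], "overdue": [], "open": []}
    for f in findings:
        report[sla_status(f, today)].append(f)
    return report


# Constructed sample scan results for illustration only.
TODAY = date(2026, 2, 20)
SAMPLE = [
    Finding("fileserver01", "scan-finding-0001", "critical", date(2026, 1, 5), date(2026, 1, 14)),
    Finding("fileserver01", "scan-finding-0002", "critical", date(2026, 1, 5), date(2026, 1, 28)),
    Finding("laptop-17", "scan-finding-0003", "high", date(2026, 1, 12)),
    Finding("vpn-gw", "scan-finding-0004", "medium", date(2026, 2, 1)),
]

if __name__ == "__main__":
    for status, items in sla_report(SAMPLE, TODAY).items():
        for f in items:
            print(f"{status:8} {f.host:14} {f.finding_id} sev={f.severity} due={deadline(f)}")
```

Keeping the weekly output of this report alongside the scan files is the kind of evidence trail the documentation pitfall below is about.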

Implementation Path

  • Phase 1 (Week 1-3): Document posture, gap analysis, remediation plan.
  • Phase 2 (Week 4-8): Deploy network segmentation, EDR, SIEM, firewall, VPN.
  • Phase 3 (Week 8-12): Write policies, train staff, change mgmt, security committee.
  • Phase 4 (Week 12-16): Internal audit, hire C3PAO for official assessment ($20K-$40K), fix findings, certification (3-year valid).

Cost breakdown: C3PAO audit $20K-$40K, tools $12K-$23K/yr (SIEM $5-10K, EDR $3-5K, scanner $2-5K, CSPM $2-3K), labor $30K ($15K internal + $15K consultant), training $5K-$10K. Total: $67K-$113K Year 1, $20K-$30K/yr after.

Quick Start (This Week)

  • List DoD contracts/opportunities. Which need Level 1 vs Level 2?
  • Assess readiness: MFA? Antivirus? Written policies? Honest inventory.
  • Decide: DIY with consultant, or hire MSP (3x cost but less burden).

Common Pitfalls

  • Treating CMMC as IT-only. It's business-wide (HR, finance, dev, ops). CEO must own.
  • Documentation delays. Hardest part isn't controls—it's proving you did them. Start Month 1, not Month 15.
  • Skipping vendor assessment. SaaS provider must be CMMC-compliant too.
  • Patching mistakes. Test patches on non-prod first, but don't skip. 15-30 day SLA realistic.
  • Over-investing in tools. You need 5: antivirus, firewall, IDS, logging, vuln scanner. Rest is nice-to-have.

Resources

CMMC-AB at cmmc.readiness.gov lists C3PAOs. DFARS 252.204-7012 defines requirements. DoD guide for contracting pathways. Budget 4-8 weeks + $10-20K for Level 1. Budget 12-16 weeks + $40-80K for Level 2. Start now—your next DoD contract requires it.
