CMMC Certification: What It Costs, Why Companies Fail, and How to Pass

The complete guide to Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-171, and eliminating the engineering tax from your compliance process.

CMMC Basics

Understanding the Cybersecurity Maturity Model Certification

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's cybersecurity compliance framework. It requires defense contractors to prove they meet specific security standards before winning or keeping DoD contracts.

Think of it as a security certification for doing business with the military. Just like you need a driver's license to drive, you need CMMC certification to handle DoD data.

Key Point: CMMC is mandatory. Starting in 2025, contractors without certification will be ineligible for many DoD contracts.

CMMC 2.0 has three levels, each with increasing security requirements:

Level     Controls                      Assessment            Who Needs It
Level 1   17 practices                  Self-assessment       Contractors handling FCI (Federal Contract Information) only
Level 2   110 controls (NIST 800-171)   Third-party (C3PAO)   Contractors handling CUI (Controlled Unclassified Information)
Level 3   110+ controls                 Government-led        Critical programs, highest sensitivity data

Most contractors need Level 2, which requires passing a third-party assessment against all 110 NIST 800-171 controls.

You need CMMC certification if you:

  • Are a prime contractor or subcontractor to the Department of Defense
  • Handle Controlled Unclassified Information (CUI) in your work
  • Want to bid on DoD contracts that require CMMC
  • Are part of the Defense Industrial Base (DIB) supply chain

This includes approximately 80,000+ companies ranging from small machine shops to major aerospace manufacturers.

Important: Even if you're a small subcontractor, if CUI flows through your systems, you need certification. There's no exemption based on company size.

CUI is sensitive information that requires protection but isn't classified. Examples include:

  • Technical drawings and specifications
  • Export-controlled data (ITAR, EAR)
  • Personally identifiable information (PII)
  • Proprietary business information
  • Contract performance data
  • Critical infrastructure information

If your DoD contract includes a DFARS 252.204-7012 clause, you're handling CUI and need CMMC Level 2.

CMMC is being phased in from 2025 through 2028:

  • 2025: CMMC requirements start appearing in select contracts
  • 2026: Broader rollout across DoD contracts
  • 2027-2028: Full implementation, most contracts require CMMC

However, don't wait. Assessment backlogs are already forming, and getting certified takes 6-12 months from start to finish. Companies starting now will have a competitive advantage.

The Assessment Process

What to expect when getting CMMC certified

C3PAO stands for CMMC Third Party Assessment Organization. These are companies authorized by the Cyber AB (the CMMC accreditation body) to conduct official CMMC assessments.

Think of C3PAOs like certified auditors. You can't self-certify for Level 2; you must hire an authorized C3PAO to assess your security controls and issue your certification.

As of late 2024, there are approximately 50+ authorized C3PAOs, with more being certified.

CMMC Level 2 assessment costs typically range from $30,000 to $100,000+ depending on:

  • Company size: More employees and systems = more to assess
  • Scope complexity: Number of locations, cloud environments, networks
  • Assessment duration: Typically 3-5 days on-site
  • C3PAO rates: Vary by assessor and demand

The Real Cost: A failed assessment means paying again. If you fail your first assessment, expect to pay the full cost again after remediation. That's why pre-assessment verification is critical.

A typical CMMC Level 2 assessment follows this process:

  1. Pre-assessment (1-2 weeks before): Submit your SSP, policies, and evidence package. The C3PAO reviews documentation.
  2. On-site assessment (3-5 days): Assessors interview staff, review systems, examine evidence for each of the 110 controls.
  3. Evidence gathering: For each control, you must provide proof of implementation. This includes policies, configurations, logs, screenshots, and attestations.
  4. Findings review: Assessors identify any gaps or deficiencies.
  5. Final report: You receive a PASS, CONDITIONAL PASS (with POA&M), or FAIL.

The entire process from scheduling to certification typically takes 2-4 months.

The System Security Plan (SSP) is the master document describing how your organization implements each NIST 800-171 control. It's the primary evidence package assessors review.

A typical SSP includes:

  • System boundaries: What systems, networks, and data are in scope
  • Control implementations: How you satisfy each of the 110 controls
  • Responsible parties: Who owns each control
  • Evidence references: Links to supporting documentation

SSPs are typically 100-300+ pages and take months to create properly.

POA&M (Plan of Action and Milestones) documents known security gaps and your plan to fix them.

If you have minor deficiencies during assessment, you may receive a Conditional Certification with a POA&M listing what must be fixed within a specified timeframe (typically 180 days).

However, you cannot POA&M your way to certification. Critical controls must be fully implemented before assessment.

CMMC certification is valid for 3 years.

During this period, you must:

  • Maintain all implemented controls
  • Submit annual affirmations that controls remain in place
  • Address any new vulnerabilities or threats
  • Keep documentation updated

At the end of 3 years, you must undergo a full reassessment to maintain certification.

NIST 800-171 Controls

Understanding the 110 security controls

NIST SP 800-171 is a publication from the National Institute of Standards and Technology that specifies security requirements for protecting CUI in non-federal systems.

CMMC Level 2 is essentially NIST 800-171 with mandatory third-party verification. The 110 controls in CMMC Level 2 come directly from NIST 800-171.

If you've been complying with DFARS 7012 requirements, you've already been working toward NIST 800-171. CMMC just adds the verification requirement.

NIST 800-171 organizes its 110 controls into 14 families:

Family                            ID   Controls   Focus Area
Access Control                    AC   22         Who can access what
Awareness & Training              AT   3          Security training
Audit & Accountability            AU   9          Logging & monitoring
Configuration Management          CM   9          System hardening
Identification & Authentication   IA   11         User verification
Incident Response                 IR   3          Breach handling
Maintenance                       MA   6          System upkeep
Media Protection                  MP   9          Data storage
Personnel Security                PS   2          Employee screening
Physical Protection               PE   6          Facility security
Risk Assessment                   RA   3          Threat analysis
Security Assessment               CA   4          Testing controls
System & Communications           SC   16         Network security
System & Information Integrity    SI   7          Malware & patching

Approximately 40-50% of NIST 800-171 controls can be directly evidenced through infrastructure-as-code configurations. Key examples:

  • SC-28 (Encryption at Rest): S3 bucket encryption, RDS encryption, EBS encryption settings in Terraform
  • SC-8 (Encryption in Transit): TLS configurations, HTTPS-only settings, SSL policies
  • AC-6 (Least Privilege): IAM policies, RBAC configurations, service account permissions
  • AU-2 (Audit Events): CloudTrail configurations, logging settings, audit policies
  • SC-7 (Boundary Protection): VPC configurations, security groups, network ACLs
  • CM-6 (Configuration Settings): Baseline configurations, hardening settings

The remaining controls require policies, procedures, or manual evidence (training records, physical security, personnel screening).

Why Companies Fail CMMC Assessments

Common pitfalls and how to avoid them

Based on NIST 800-171 self-assessments (the predecessor to CMMC), only 10-15% of companies that believed they were compliant actually passed rigorous review.

The most common reasons for this gap:

  • Overconfidence in existing controls
  • Documentation that doesn't match implementation
  • Incomplete evidence for controls
  • Scope creep (systems not included in SSP)

The 85% Failure Problem: Most companies fail because their documentation says one thing, but their infrastructure does another. Assessors verify both.

The most common CMMC assessment failures:

  1. Documentation/Implementation Mismatch (35%): SSP says encryption is enabled, but S3 buckets aren't actually encrypted. Policies claim MFA, but it's not enforced.
  2. Incomplete Evidence (25%): Control is implemented but you can't prove it. No logs, no screenshots, no configuration exports.
  3. Scope Definition Issues (20%): Systems handling CUI weren't included in assessment scope. Shadow IT discovered during assessment.
  4. Missing Controls (15%): Controls never implemented, or implemented incorrectly.
  5. Personnel/Process Gaps (5%): Technical controls in place, but staff can't demonstrate procedures. Training not completed.

If you fail a CMMC assessment:

  • No certification issued: You cannot claim CMMC compliance
  • Remediation period: Typically 90-180 days to fix issues
  • Reassessment required: Pay for another full assessment
  • Contract impact: May lose ability to bid on CMMC-required contracts
  • Total cost: $60K-200K+ (double assessment fees plus remediation)

This is why pre-assessment verification is critical. Finding gaps before the official assessment saves significant time and money.

Infrastructure-as-Code as Evidence

Why IaC is the strongest form of compliance evidence

Not all evidence is equal. Assessors weight evidence by verifiability:

Evidence Type            Weight    Why
IaC Configurations       Highest   Machine-readable, version-controlled, auditable
Cloud API State          High      Reflects current reality
Automated Test Results   High      Repeatable verification
Exported Logs            Medium    Point-in-time, can be selective
Screenshots              Low       Easily fabricated, no context
Self-Attestation         Lowest    Unverified claim

IaC configurations are the gold standard because they're machine-verifiable, version-controlled, and represent your actual implementation.

Infraproof parses all major infrastructure-as-code formats:

  • Terraform: .tf, .tfvars files
  • AWS CDK: TypeScript and Python projects, via their synthesized templates
  • CloudFormation: YAML and JSON templates
  • Azure ARM/Bicep: ARM templates and Bicep files
  • GCP Deployment Manager: YAML configurations
  • Pulumi: Multi-language infrastructure definitions

We extract security-relevant configurations from each resource and map them to specific NIST 800-171 controls.

Here's an example of how Terraform configuration maps to NIST controls:

Your Terraform:

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}

Mapped to Controls:

  • SC-28: Protection of Information at Rest ✓
  • SC-28(1): Cryptographic Protection ✓
  • MP-4: Media Storage ✓

The evidence report includes the exact configuration, resource ARN, and encryption algorithm used.
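As an added illustration (not Infraproof's own parser or report format), the following Python script performs the same kind of mapping for one control: it extracts S3 bucket and server-side-encryption resources from Terraform HCL with a simplified brace-counting parser and reports which buckets have SC-28 evidence and which have none, the documentation/implementation mismatch described under "Why Companies Fail". The sample HCL, bucket names and function names are constructed for this example.

```python
import re
# Constructed sample (not from any real deployment): two buckets, but only
# cui_store has an aws_s3_bucket_server_side_encryption_configuration.
SAMPLE_TF = '''
resource "aws_s3_bucket" "cui_store" {
  bucket = "example-cui-store"
}
resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "cui_store" {
  bucket = aws_s3_bucket.cui_store.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}
'''

# Resource block header; the body is found by brace counting, a
# simplification of real HCL parsing that is adequate for this illustration.
HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')

def resource_blocks(hcl):
    """Yield (type, name, body) for each top-level resource block."""
    for m in HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def sc28_evidence(hcl):
    """Map each aws_s3_bucket name to its SSE algorithm (None = no evidence)."""
    buckets, sse = {}, {}
    for rtype, name, body in resource_blocks(hcl):
        if rtype == "aws_s3_bucket":
            buckets[name] = None
        elif rtype == "aws_s3_bucket_server_side_encryption_configuration":
            ref = re.search(r'bucket\s*=\s*aws_s3_bucket\.(\w+)\.', body)
            alg = re.search(r'sse_algorithm\s*=\s*"([^"]+)"', body)
            if ref and alg:
                sse[ref.group(1)] = alg.group(1)
    return {b: sse.get(b) for b in buckets}

def sc28_gaps(hcl):
    # Buckets an SSP might claim are encrypted but the code does not show it.
    return sorted(b for b, alg in sc28_evidence(hcl).items() if alg is None)
```

Running sc28_gaps on the sample flags the scratch bucket, which is exactly the kind of finding you want to surface before the C3PAO does.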

How Infraproof Helps

What we do and how it helps you pass

Infraproof is a pre-assessment verification platform that:

  1. Parses your IaC: Upload Terraform, CDK, CloudFormation, etc. We extract all security-relevant configurations.
  2. Maps to NIST controls: Each resource is automatically mapped to the NIST 800-171 controls it satisfies.
  3. Generates evidence: Create audit-ready evidence reports with code snippets, resource ARNs, and configuration details.
  4. Identifies gaps: See which controls have strong evidence, weak evidence, or no evidence at all.
  5. Cross-references SSP: Upload your SSP and we verify your documentation claims match your actual infrastructure.

The result: You know exactly where you stand before paying for a C3PAO assessment.

Infraproof does not issue certifications. It is a pre-assessment tool, not a certification body.

You still need an authorized C3PAO to conduct your official CMMC assessment and issue certification. Infraproof helps you:

  • Prepare stronger evidence before the assessment
  • Identify gaps before the assessor does
  • Generate documentation that matches your implementation
  • Increase your probability of passing on the first try

Think of us as your pre-flight checklist before the FAA inspector arrives.

Traditional GRC (Governance, Risk, Compliance) platforms focus on documentation management. They help you organize policies, track tasks, and store evidence.

Infraproof focuses on evidence verification:

GRC Platforms                         Infraproof
Store your claims about compliance    Verify your infrastructure actually implements claims
Manual evidence upload                Automatic evidence extraction from IaC
Trust documentation                   Trust code (machine-verifiable)
Point-in-time snapshots               Version-controlled, auditable history

We complement GRC platforms by providing higher-quality evidence that matches your actual infrastructure.

Getting Started

How to begin your CMMC journey with Infraproof

  1. Upload a sample IaC file: Start with a single Terraform or CloudFormation file to see the mapping in action.
  2. Review the evidence report: See which controls your IaC satisfies and which have gaps.
  3. Connect your repository: Link GitHub, GitLab, or Bitbucket for comprehensive scanning.
  4. Upload your SSP: We'll cross-reference your documentation against your infrastructure.
  5. Generate your evidence package: Get audit-ready reports for your C3PAO.

Request a free evidence report to see how it works with your actual infrastructure.

Your data is protected. We handle CUI-adjacent data and take security seriously:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access control: Role-based access, MFA enforced
  • Data residency: US-only infrastructure (AWS us-east-1)
  • Audit logging: Full audit trail of all access
  • No data retention: Delete your data anytime

We're also pursuing our own CMMC certification because we believe in eating our own cooking.

Infraproof pricing is designed to be a fraction of assessment costs:

  • Starter: $499/scan - Single repository, NIST 800-171 mapping, PDF evidence report
  • Professional: $1,999/month - Unlimited scans, multi-cloud, Git integration, SSP cross-reference
  • Enterprise: Custom pricing - Multi-tenant, API access, CI/CD integration, dedicated support

Compare this to $30-100K for an assessment and $60-200K for a failed assessment + remediation + reassessment.


A free evidence report is available. Request one and we'll analyze a sample of your IaC.

You'll see:

  • Which controls your infrastructure satisfies
  • Gaps where evidence is missing or weak
  • Sample evidence report format

No credit card required. No commitment.

Ready to See Your Compliance Gaps?

Upload a sample Terraform file and get a real evidence report showing which NIST controls you satisfy.
