CMMC without the guesswork

Get assessment-ready for CMMC without rebuilding your security program

episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring defense contractors adequately protect sensitive information. Originally announced in 2020, the program was streamlined into CMMC 2.0 with three levels instead of the original five.

The CMMC 2.0 final rule was published in the Federal Register on October 15, 2024, and took effect on December 16, 2024. The companion DFARS rule — which embeds CMMC requirements into actual defense contracts — took effect on November 10, 2025, marking the start of real enforcement.

The three CMMC levels

  • Level 1 — Foundational covers basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn from FAR 52.204-21 and is verified through annual self-assessment.
  • Level 2 — Advanced protects Controlled Unclassified Information (CUI). It requires all 110 security requirements from NIST SP 800-171 Rev 2 and can be verified through self-assessment or third-party C3PAO assessment depending on the contract.
  • Level 3 — Expert defends against advanced persistent threats on the most sensitive programs. It adds 24 enhanced requirements from NIST SP 800-172 on top of Level 2 and requires government-led assessment by DIBCAC.

Phased implementation timeline

CMMC enforcement follows a four-phase rollout:

  1. Phase 1 (November 2025 – November 2026) — Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts may require Level 2 C3PAO assessments.
  2. Phase 2 (November 2026 – November 2027) — Level 2 C3PAO certification requirements expand to more contracts. Level 3 requirements begin appearing in select solicitations.
  3. Phase 3 (November 2027 – November 2028) — Level 2 and Level 3 requirements appear broadly across applicable contracts.
  4. Phase 4 (November 2028 onward) — All DoD contracts requiring FCI or CUI handling must include the appropriate CMMC level as a condition of award.

Who needs CMMC?

Every organization in the defense industrial base that handles FCI or CUI needs a CMMC certification at the level specified in its contract. This includes prime contractors, subcontractors at every tier, and cloud service providers hosting DoD data. Flow-down requirements mean that even small suppliers several tiers removed from the prime may need certification.

Common challenges

  • Scoping complexity — determining which systems, people, and processes are in scope for CUI handling is often the hardest first step.
  • NIST 800-171 gaps — many contractors self-attested compliance for years but never closed all 110 requirements. CMMC makes third-party verification real.
  • POA&M management — Plan of Action and Milestones items must be closed within 180 days of assessment. Tracking remediation across teams is difficult without tooling.
  • Subcontractor flow-down — primes must verify that their subcontractors also hold the required CMMC level, adding supply chain management overhead.

A structured approach that maps controls to NIST 800-171, tracks evidence continuously, and monitors POA&M progress removes most of these friction points.

CMMC topics

Deep-dive into specific CMMC compliance topics.

  • CMMC Assessment Process: how CMMC assessments work — self-assessments, C3PAO third-party assessments, and DIBCAC government-led assessments, including scoring, POA&Ms, and conditional certification.
  • CMMC Implementation Timeline: the four-phase CMMC rollout from November 2025 through November 2028, including what each phase requires for Level 1, Level 2, and Level 3 contractors.
  • CMMC Levels Explained: a complete guide to the three CMMC 2.0 maturity levels — Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert) — with practice counts, assessment types, and scoping guidance.
  • NIST SP 800-171 Mapping: how CMMC Level 2 maps to NIST SP 800-171 Rev 2's 14 control families and 110 security requirements, plus overlap with NIST CSF and ISO 27001.
  • Who Needs CMMC: which organizations need CMMC certification — prime contractors, subcontractors, cloud service providers, and anyone handling FCI or CUI for the Department of Defense.

CMMC outcomes with episki

Quantify the impact security and compliance bring to your business.

  • 3 maturity levels: pre-mapped practices for Level 1, Level 2, and Level 3, with assessment-type guidance for each.
  • 110 practices: the full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.
  • Phase 1 live now: DFARS enforcement began November 2025, and Level 1 and Level 2 self-assessments are already required in select solicitations.

Why teams choose episki for CMMC

Framework-specific automation, collaboration, and reporting in one workspace.
NIST 800-171 control mapping
Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.
  • 14 control families mapped to 110 security requirements
  • AI-drafted implementation narratives and testing procedures
  • Gap analysis highlights missing controls before your assessment
Assessment preparation workspace
Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.
  • POA&M tracking with 180-day close-out reminders
  • Scoring methodology aligned to DoD assessment guide
  • Assessor portal with scoped read-only access
Cross-framework reuse
Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.
  • Unified control graph eliminates duplicate documentation
  • Evidence collected once, reused across every framework
  • Framework coverage dashboard shows gaps at a glance

CMMC readiness checklist inside episki

Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.

Plug episki into your stack and work directly from this checklist during the free trial.

  • NIST SP 800-171 control library with mapped CMMC practices
  • Level 1, 2, and 3 scoping guidance and practice sets
  • POA&M register with risk-ranked remediation priorities
  • System Security Plan (SSP) template with AI drafting
  • Evidence library organized by control family

CMMC acceleration resources

Give leadership and contracting officers visibility into your cybersecurity posture at every stage.

  • Executive scorecard: translate control work into CMMC readiness percentages and contract eligibility status.
  • Assessment readiness kit: pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.
  • Subcontractor flow-down tracker: monitor which subcontractors need their own CMMC certification and track their progress.

Launch your CMMC workspace today

Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.