How long does CMMC certification take?

For Level 2, expect 6–18 months depending on your starting maturity. C3PAO assessment scheduling alone runs 2–6 months given current demand. Phase 2 enforcement begins November 2026 — companies starting now are already cutting it close.

How much does CMMC certification cost?

Level 1 self-assessment typically runs $5,000–$20,000/year. Level 2 certification typically runs $30,000–$300,000+ depending on company size and scope. See our full cost breakdown for details by company size.

Does CMMC apply to subcontractors?

Almost certainly yes. If your prime contractor flows down DFARS clauses to your subcontract, CMMC requirements apply to you. Many primes are already requiring CMMC certification from their subs ahead of the formal mandate.

What we do

Three services.
One goal: your certification.

Q: How do I know if I need CMMC Level 1 or Level 2?

It depends on whether you handle Controlled Unclassified Information (CUI). If your DoD contracts involve CUI — technical specs, engineering data, export-controlled information — you need Level 2. If you only handle Federal Contract Information (FCI), basic contract data, you need Level 1. Our free assessment identifies your level in 3 minutes.

Q: What happens if we don't get CMMC certified?

Starting November 2026, contracts with CMMC requirements will not be awarded to non-certified contractors. Existing contracts may not renew. Self-attesting compliance you don't actually have carries False Claims Act risk — one contractor recently paid $4.6M in penalties.

Q: How does Meridian Compass make money?

We're compensated by the assessment partners we connect you with — similar to how an insurance broker works. Our service is free to you. We don't mark up their fees, and we don't favor one partner over another based on who pays us more.

We don't sell software or run assessments. We guide you through the CMMC landscape and connect you with the right certified partner.

Start here — free

Not sure where you stand? Start with the free tools.

Most contractors don't need a call first — they need 10 minutes with the right tool. Our free toolbox can tell you whether CMMC applies, which level you need, what it'll cost, and how ready you are. No email. No obligation. When you're ready to move, that's when we talk.

Does CMMC Apply? → Check Readiness → Estimate Cost → View all 6 tools →

Service 01

CMMC Readiness Assessment

Already used the free readiness tool? This call goes deeper — into your specific contracts, CUI environment, and timeline.

Before you can get certified, you need to know exactly what you're dealing with. Most defense contractors don't know which CMMC level applies to them, whether they handle CUI, or how long the process will take.

In a single 15-minute call, we determine your CMMC level, scope your contract requirements, and give you a realistic assessment of your timeline and cost range. No forms. No obligation. You walk away knowing exactly where you stand.

Schedule a readiness call

What we cover

— Which CMMC level applies to your contracts
— Whether you handle Controlled Unclassified Information (CUI)
— What systems and networks fall in scope
— Realistic timeline from kickoff to certification
— Cost range for your specific situation

15 minutes. No obligation.

You'll know your CMMC level, scope, and timeline.

Service 02

Partner Matching

Not every assessment organization is right for every company. A CMMC Third-Party Assessment Organization (C3PAO) that specializes in large aerospace firms will struggle with a 25-person precision machining shop. A firm booked out 18 months can't help you with a contract deadline in six.

We work with a vetted group of CMMC-certified C3PAOs and Registered Practitioner Organizations (RPOs) — advisory firms that help you prepare. We know their current capacity, their specializations, and which one fits your size and situation. You don't have to vet them — we already did.

Get matched with a partner

How we select partners

Certification status

Verified authorized through the Cyber AB Marketplace

Current capacity

We know their scheduling and can target available windows

Industry fit

Manufacturing, engineering, IT — different assessors for different sectors

Size experience

Track record with companies in your employee and revenue band

Service 03

Compliance Navigation

We stay involved through the transition from introduction to engagement start. Your matched partner receives a full briefing on your situation — your scope, your current posture, your timeline. You start the engagement already understood.

We don't run the assessment. We don't manage remediation. But we make sure nothing falls through the cracks in the handoff — and we're available if questions come up along the way.

Start the journey

What we're not

Not a C3PAO

We don't perform assessments. Only authorized C3PAOs can certify you.

Not an RPO

We don't sell remediation services or compliance software.

Not a consultant

We don't bill by the hour or manage ongoing engagements.

Not a vendor

We have no products to sell, no software to license, no interest in keeping you in a retainer.

Full journey

From intake to certification.

Intake Call

15-min scoping call. Determine CMMC level, scope, and timeline.

Assessment

We review your current posture and identify what needs to happen before a formal C3PAO assessment.

Remediation

Your matched RPO or MSP addresses gaps. Typically 3–12 months.

Certification

C3PAO formal assessment. Pass and receive your CMMC certificate.

Common questions

FAQ.

How do I know if I need CMMC Level 1 or Level 2?

How long does certification take?

What does it cost?

What if I already have an IT vendor or MSP?

What if I'm not sure we even handle CUI?

How does Meridian Compass make money?

What happens if we don't get CMMC certified?

We're a subcontractor — does CMMC apply to us?

Ready to start?

One call. Total clarity.

We'll tell you exactly what applies to your contracts and what your next step should be. 15 minutes. No software to sell you.

Check Your Readiness

Or talk to a navigator →

Available to US-based defense contractors.

Three services.One goal: your certification.