Download our CMMC Assessment Checklist
If you think you are ready for a CMMC assessment, use this resource to test where you actually are before contacting a professional.
Achieving Cybersecurity Maturity Model Certification (CMMC) is no longer optional for defense contractors. The Department of Defense (DoD) requires all organizations handling Controlled Unclassified Information (CUI) to demonstrate compliance at CMMC Level 2, assessed by a CMMC Third-Party Assessment Organization (C3PAO) authorized by The Cyber AB. Backed by deep expertise in NIST SP 800-171 and the CMMC framework, our certified assessors deliver a professional, thorough, and transparent assessment process tailored to your organization's specific environment and scope.

Smithers believes there is a very basic foundational value when offering third-party assessments. Many C3PAOs complete an assessment and move on. We take a different approach. Our assessors are focused on relationships — working with your organization across multiple processes and over a multi-year compliance life-cycle means you benefit from continuity, familiarity, and an assessor team that genuinely understands your environment. We consistently strive to deliver this by:
Start Your CMMC Certification with Confidence
Your path to CMMC Level 2 certification starts with selecting the right C3PAO. Smithers brings the authorized credentials, certified expertise, and relationship-first approach that defense contractors need from a long-term compliance partner.
A CMMC Level 2 assessment is an official third-party evaluation conducted by a C3PAO authorized by The Cyber AB. It verifies that a defense contractor has implemented all 110 security requirements defined in NIST SP 800-171 Revision 2 across its systems and processes. The assessment is required by the DoD for contractors that handle Controlled Unclassified Information (CUI) and wish to remain eligible for applicable defense contracts.
Any DoD contractor or subcontractor whose scope includes the processing, storage, or transmission of Controlled Unclassified Information (CUI) is required to achieve CMMC Level 2 certification. Contractors handling only Federal Contract Information (FCI) may be eligible for CMMC Level 1, which allows for self-assessment.
No. Under CMMC 2.0, Level 2 certification for most CUI-handling contractors requires a formal third-party assessment conducted by an authorized C3PAO. Self-assessment is not a permissible path to Level 2 certification for the majority of applicable organizations.
Assessment costs vary based on several factors, including the size of your organization, the complexity of your assessment boundary, your existing cybersecurity posture, and the scope of CUI within your environment. Smithers provides transparent, itemized quotes to ensure you understand exactly what is included. Contact us to request a quote.
The duration depends on your organization's size, scope, and readiness at the time of assessment. Preparation and planning can take several months; the formal assessment itself may span days to weeks. Organizations that have invested in readiness preparation prior to engaging a C3PAO typically move through the process more efficiently. Smithers can help you determine a realistic timeline during the pre-assessment planning phase.
If your organization does not meet all requirements, you will be required to develop a Plan of Action and Milestones (POA&M) identifying deficiencies and remediation timelines for select requirements scored as not met. Once those items are addressed, Smithers can conduct a close-out assessment to verify remediation and finalize your certification status.
CMMC Level 2 certification is valid for three years from the date of issuance. Organizations must undergo reassessment at the end of each certification period and maintain continuous compliance throughout to remain eligible for applicable DoD contracts.
CMMC compliance is a multi-year commitment. Partner with a C3PAO that will be there with you every step of the way — from initial scoping through triennial reassessment — with consistent pricing, consistent personnel, and an assessment approach built around your organization's success.