Find out exactly what CMMC level your shop needs.
Shop CMMC Check is a free, no-signup self-assessment for small machine shops and metal fabricators doing U.S. Department of Defense (DoD) work. In about 3 minutes it estimates which CMMC 2.0 level you need — Level 1 or Level 2 — and how ready you are today.
The check is built around NIST SP 800-171 Rev 2 (the basis for CMMC Level 2; Rev 3 is on the way) and the kind of SPRS self-assessment score your prime contractors ask about in their flow-down letters.
What you get
- A plain-English readiness score for your shop.
- Your likely required CMMC 2.0 level.
- A clear next step toward your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
CMMC, in plain English
My prime sent me a letter about CMMC. What is it?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's way of verifying that everyone in its supply chain — including small shops machining parts three tiers down from the prime — actually protects sensitive government information. As of November 10, 2025, it is written into new DoD contracts and flows down from primes to their subcontractors. If you cannot show the required CMMC status, you become ineligible for that work.
Which level do I need?
Level 1 applies if you handle Federal Contract Information (FCI): 15 basic safeguards, self-assessed annually, no outside auditor. Level 2 applies if you handle Controlled Unclassified Information (CUI) such as technical drawings and specs for defense parts: all 110 NIST SP 800-171 controls, with most shops needing a C3PAO assessment every three years. If you machine parts from drawings the government or your prime provided, assume CUI is in play until you confirm otherwise.
What if I only sell standard catalog parts?
Contracts exclusively for commercial off-the-shelf (COTS) items are exempt from CMMC. But selling standard parts and machining to customer drawings are very different situations. If any of your DoD work involves their drawings or specs, the exemption likely does not apply to that work.
When do I actually have to do this?
CMMC requirements started appearing in new contracts and option years on November 10, 2025, with a phased rollout over three years until full implementation around late 2028. There is no grace period on a contract that includes the clause — you must have the required status at award. The deadline is whenever your next contract or PO renewal shows up with the clause in it.
What is an SSP and a POA&M?
A System Security Plan (SSP) is the master document describing how your shop meets each of the 110 NIST 800-171 controls. A POA&M (Plan of Action and Milestones) is your documented to-do list for controls you do not fully meet yet: what the gap is, how you will fix it, by when, and what it will cost.
What is a SPRS score?
The Supplier Performance Risk System is the DoD database where your assessment score lives. NIST 800-171 scoring starts at 110 (perfect) and subtracts weighted points for each unmet control, down to as low as negative 203. Under the new rules, contract award depends on having a current score on file.
How much does CMMC compliance cost a small shop?
There are two cost buckets that people blur together. Implementation (multifactor authentication, access controls, possibly a secure enclave like PreVeil or GCC High) commonly lands in the low thousands to low five figures. Documentation (the SSP, POA&M, and policies) is the part consultants routinely quote $20,000 to $30,000 for, and the part this tool generates for a fraction of that. Implementing your controls is still real work that is on you.
Is this official? Will this certify me?
No. We are an independent software tool, not a C3PAO, and not affiliated with the DoD or the Cyber AB. The Check gives directional guidance based on the CMMC 2.0 Final Rule; the Builder produces draft documents mapped to NIST SP 800-171 that you review and approve. Certification, where required, comes from an assessment of what your shop actually does.
What happens to my answers?
The free Check runs entirely in your browser. There is no signup, and your answers are never sent to or stored on our servers.
I have a question you did not answer.
Email jh@jodyharrisinc.com before you start. You will get a plain answer from the person who built this.
Built in Stillwater, Oklahoma by Jody Harris, with 20 years in federal program compliance and audit. Shop CMMC Check is an independent software tool. We are not a C3PAO and we do not certify or guarantee CMMC compliance. This is directional guidance, not legal advice. Confirm your requirements with your prime contractor or contracting officer.