Managing Cybersecurity Maturity Model Certification (CMMC) across multiple Commercial and Government Entity (CAGE) codes can be costly and complex. Because CMMC compliance is assessed at the individual CAGE code level, companies with several codes face multiplied obligations—each code may need its own controls, documentation, and assessment. This guide translates that reality into a clear, repeatable playbook you can apply right now. You’ll learn why CAGE codes matter, how multi‑code structures affect CMMC scope and cost, and how to consolidate work where it’s truly possible—so you protect revenue and avoid redundant effort.
CMMC Per CAGE Code: Scope, Consolidation and What to Do Now
CMMC is enforced per CAGE code. Each code represents a distinct entity that must meet cybersecurity requirements based on the information it handles (for example, Federal Contract Information—FCI, or Controlled Unclassified Information—CUI). If you operate multiple CAGE codes, expect multiple, parallel compliance tracks—unless you can legitimately consolidate under one System Security Plan (SSP) where shared controls, infrastructure, and oversight exist. Focus on:
(1) an accurate CAGE inventory and hierarchy, (2) identifying control inheritance opportunities, (3) SSP consolidation only when roughly 90% control commonality exists, (4) clear assessment scoping with your C3PAO, and (5) prioritizing the CAGE codes that materially drive DoD revenue.
Why CAGE Codes Matter (and How They Drive CMMC Scope)
CAGE codes are five‑character identifiers assigned by the Defense Logistics Agency to businesses working with the U.S. government. In the CMMC context, each CAGE code acts as the discrete unit for compliance: the DoD identifies and contracts with entities by CAGE code, and each entity must independently meet applicable requirements based on whether it handles FCI or CUI. CAGE codes expire on a 5‑year cycle and require renewal through active SAM registration.
For companies with multiple codes (e.g., separate business units, subsidiaries, or locations), this structure magnifies scope. Every code that processes CUI typically drives you toward CMMC Level 2 certification via a third‑party assessment; codes that only touch FCI align to Level 1 self‑assessment. The more codes, the more parallel work—unless you can legitimately consolidate.
The Multi-CAGE Reality: Challenges You’ll Face
- Individual Compliance Tracks — Each CAGE code that handles covered data must demonstrate compliance on its own. Without planning, documentation and assessment effort multiply linearly with the number of codes.
- Vertical IT Integration Gaps — M&A activity and federated IT models often leave different codes on different stacks. Inconsistent controls make consolidation risky or impossible.
- CUI/FCI Segregation — Few legacy environments were designed to cleanly segregate CUI and FCI across business units, creating blind spots in scope and evidence.
- Documentation Burden — Each CAGE code (or legitimate grouping of codes) requires an SSP with mapped controls, artifacts, and ownership. Redundant authoring wastes budget.
- Financial Exposure — Assessment fees, tooling, remediation, and staffing multiply across codes. Without triage, you risk spending heavily where revenue impact is low.
What the Market Data Says
The current landscape underscores the urgency:
- Only 4% of defense contractors believe they are ready for CMMC certification.
- 87% of DoD contractors are failing to meet basic cybersecurity requirements.
- The average Supplier Performance Risk System (SPRS) score is −12 (out of a maximum possible score of 110).
- Only 41% of contractors have completed the self‑assessment requirement.
These datapoints reinforce the value of early scoping, consolidation where legitimate, and staged execution to protect contract eligibility.
Cost Overview (Assessment + Implementation)
Assessment costs (3‑year cycle) vary by level and size. Representative DoD estimates include:
- Level 1 Self‑Assessment — Small: $6,000; Other: $4,000
- Level 2 Self‑Assessment — Small: $37,000; Other: $49,000
- Level 2 Third‑Party Assessment — Small: $105,000; Other: $118,000
- Level 3 Assessment (on top of the Level 2 certification it requires as a prerequisite) — Small: $12,000; Other: $45,000
Implementation budgets go far beyond assessment. Typical ranges:
- Small: $30,000–$150,000
- Mid‑size: $100,000–$500,000
- Large: $500,000–$2,000,000+
If you operate multiple CAGE codes, these costs can multiply without strategic grouping, inheritance, and careful scope management.
Strategic Approaches that Actually Work
A) Strategic SSP Consolidation
Consolidate multiple CAGE codes into a single SSP only when you can prove substantial commonality:
• Similar functions and entity‑level controls (e.g., HR, security policies)
• Shared network infrastructure
• Common technical controls and procedures
• Unified IT management and oversight
Target ~90% control commonality. Be cautious with physical security deltas or local exceptions that could jeopardize certification for the entire group.
B) Control Inheritance
Where a parent or central IT provides email, cloud platforms, endpoint protection, logging, and monitoring, document inheritance into child SSPs. This reduces duplicate implementation effort while keeping accountability clear.
C) COTS Exceptions
The CMMC clause does not apply to contracts solely for Commercial Off‑the‑Shelf (COTS) items. Check whether any entity's DoD work is genuinely COTS‑only under the FAR 2.101 definition: a commercial product sold in substantial quantities in the commercial marketplace and offered to the Government without modification, in the same form in which it is sold commercially. The exclusion is per contract, so an entity that also handles FCI or CUI on other work stays in scope for that work.
D) CAGE Code Inventory & Business Triage
Build a complete CAGE inventory: function, location, data handled (FCI vs. CUI), and associated DoD revenue. Consider de‑scoping low‑revenue codes from near‑term certification if the cost/benefit is unfavorable.
E) Proper Hierarchy Management
Maintain accurate CAGE hierarchy in SAM so SPRS recognizes relationships. Track 5‑year expirations and renew via active SAM maintenance.
F) Assessment Scope Design with Your C3PAO
A single CMMC assessment can cover more than one entity if scope is clearly defined and validated by the C3PAO. Document grouping logic and scope boundaries comprehensively.
Designing Your Assessment Scope ( Groupings that Hold Up)
- Scope Definition — Capture the boundaries (systems, sites, assets, users) to be assessed together. Align scope to where controls are truly uniform and centrally governed.
- Grouping Logic — Base grouping on shared characteristics and vertical IT integration. Document the rationale so assessors see a coherent, defensible approach.
- Certificate & CAGE Coverage — A Level 2 certificate is issued to the discrete information system identified in the SSP. The certificate lists all affiliated CAGE codes covered by that assessment.
- Evidence Integrity — Centralize artifacts with clear naming and timestamps. Avoid cross‑contamination from sites that don’t meet the same control maturity.
12-Step Plan: Multi-CAGE CMMC Readiness
1) Build a Complete CAGE Inventory: List every code, its function, location, associated DoD revenue, and whether it handles FCI or CUI.
2) Map Data & System Boundaries per Code/Group: Document where FCI/CUI lives and flows; define enclaves to minimize scope.
3) Choose the Initial Assessment Scope: Prioritize codes that drive revenue and where consolidation is feasible. Create a staged roadmap for the rest.
4) Baseline Against NIST SP 800‑171 Rev 2: Run a gap assessment per scope against the 110 requirements; log owners, milestones, and POA&Ms.
5) Decide Consolidation vs. Separate SSPs: Use the ~90% rule of shared controls; avoid grouping where physical or process differences create risk.
6) Document Control Inheritance: Capture centrally provided services (email, cloud, AV/EDR, logging) and how child entities inherit them.
7) Harden Policies, Procedures, and Technical Controls: Normalize versions, align names with control IDs, and implement high‑impact fixes first (access, logging, incident response).
8) Build the Evidence Package: Screenshots, configs, tickets, training records, and monitoring logs—organized by control and scope.
9) Train Control Owners: Deliver role‑based training for admins and process owners; practice how to answer assessor questions.
10) Schedule with a C3PAO: Share scope documents and the evidence index early; confirm sampling and timelines.
11) Execute the Assessment: Maintain a single source of truth; respond quickly to requests; record decisions.
12) Close Findings & Stabilize: Remediate issues, update artifacts, and establish a cadence for continuous compliance and renewals.
Evidence Checklist (Multi‑CAGE Starter)
• CAGE Inventory & Hierarchy — Codes, functions, locations, revenue mapping, SAM hierarchy documentation.
• Scope/Borders — Network diagrams, asset inventories, site lists, enclave definitions, data flows for FCI/CUI.
• Identity & Access — MFA configs, RBAC matrices, privilege logs, joiner/mover/leaver evidence.
• Config & Hardening — Baseline standards, change tickets, secure configs per platform/site.
• Vulnerability & Patch — Scans, remediation tickets, schedules, exceptions.
• Logging & Monitoring — SIEM rules, dashboards, retention policies, exemplar event trails.
• Incident Response — Plan, tabletop records, incidents/after‑action reports.
• Training & Awareness — Curricula, rosters, completion records.
• Governance — Policies, procedures, risk register, POA&Ms, management reviews.
• Supply Chain — Supplier security questionnaires, flow‑down clauses, subcontractor evidence.
• Physical Security — Facility access logs, visitor records, site photos/diagrams where applicable.
Frequently Asked Questions (FAQ)
Q1: Can one assessment cover multiple CAGE codes?
A: Yes—if the scope is clearly defined and validated by a C3PAO. Group codes only when controls, infrastructure, and oversight are truly shared.
Q2: Do all CAGE codes need Level 2?
A: Only codes that process CUI typically require a Level 2 third‑party assessment. Codes that handle only FCI align to Level 1 self‑assessment.
Q3: How do costs scale with multiple codes?
A: Assessment and implementation costs can multiply with each code. Strategic grouping, inheritance, and revenue‑based triage can significantly reduce total cost.
Q4: What about COTS exceptions?
A: Some entities may qualify for COTS exceptions, removing certain obligations—verify that products meet the strict criteria before relying on this path.
Q5: What documentation trips teams up?
A: Incomplete SSPs, inconsistent versions across sites, and scattered evidence. Use a single artifacts index and standardized templates.
How Does Elevate Help?
Managing CMMC across multiple CAGE codes is one of the toughest challenges in the Defense Industrial Base. We help you inventory codes, triage by revenue and risk, design defensible assessment scopes, consolidate where legitimate, and operationalize control inheritance. The outcome: fewer surprises, less redundancy, and a clearer path to certification across the codes that matter most.
Executive Summary
- CAGE codes uniquely identify business entities in DoD contracting. CMMC compliance is evaluated at the CAGE code level, which can multiply costs and effort when you have many codes.
- Multi‑CAGE organizations (often due to mergers and acquisitions or distributed operations) face added complexity: vertical IT misalignment, fragmented evidence, and difficulty segregating CUI/FCI across units.
- Smart consolidation can help: where codes share infrastructure, security controls, and management, you may consolidate into fewer SSPs—but only when control commonality is high and physical/security variations won’t jeopardize certification across the group.
- Costs add up: implementation can range from tens of thousands to seven figures, depending on size and scope; DoD’s own estimates for assessments vary by level and organization size.
- A practical approach: inventory all CAGE codes, map information flows, evaluate revenue impact per code, group where legitimate, inherit controls where shared, and set a 12‑step readiness plan per assessment scope.