CMMC Compliance

Keep Your Government Contracts and Your Reputation Safe

If your small or mid-sized business (SMB) works with the U.S. Department of Defense (DoD) or its contractors, handling Controlled Unclassified Information (CUI) securely isn’t optional — it’s mandatory.

That’s where the Cybersecurity Maturity Model Certification (CMMC) comes in. It’s the DoD’s standard to ensure contractors — big or small — have the right cybersecurity practices to protect sensitive data.


Why It Matters for SMBs

  • No certification = no contract — As CMMC is phased into DoD solicitations, new contracts specify the CMMC level you must hold to be eligible for award.
  • Level playing field — Even as an SMB, you must meet the same security standards as prime contractors.
  • Business protection — Compliance reduces your risk of data breaches and lost revenue.


How It Works

CMMC 2.0 has three levels, built on NIST SP 800-171 (Level 3 adds requirements from NIST SP 800-172). Level 1 is an annual self-assessment; most contractors that handle CUI need Level 2, which in most cases means passing an assessment by a CMMC Third-Party Assessment Organization (C3PAO) to get certified.


How We Help SMBs Win

We guide SMBs through every step — from readiness assessments to audit preparation — so you can stay compliant, avoid costly delays, and keep winning DoD work. Our approach is straightforward, affordable, and designed to take the stress out of compliance.

Pro Tip: Get a pre-assessment before the official audit — it’s the fastest way to uncover and fix gaps before they cost you contracts.

Looking to Become PCI Compliant

Updated requirements for protecting payment card data are in force under PCI DSS v4.0.1, published in June 2024 as a limited revision of v4.0; the future-dated requirements introduced in v4.0 became mandatory on March 31, 2025. Most v4.0.1 changes clarify wording and intent, giving merchants and payment processors more guidance on what assessors expect, but small businesses will want to pay particular attention to a handful of the revised requirements.


Looking to Become HIPAA Compliant

Rules for the security of protected health information (PHI) are set out in the HIPAA Privacy and Security Rules, with proposed updates to the Security Rule published by HHS in 2025. These rules set general safeguards and mandates for all covered entities, and they extend to business associates: any vendor that may access PHI, physically or electronically, must sign a Business Associate Agreement with the covered entity and is itself accountable for meeting the Security Rule.


Your Fast Track to CMMC Compliance

CMMC compliance applies to every Defense Industrial Base (DIB) contractor and subcontractor — no matter your size. For SMBs, figuring it out alone can eat up time, resources, and opportunities.

Farmhouse Networking makes it simple. We:

  • Assess your business — Identify exactly what your operations need to meet CMMC requirements.
  • Create your compliance plan — Clear policies, security documentation, and breach response procedures tailored to your business.
  • Map your network — Inventory all assets, define the boundary of the systems that store, process, or transmit CUI, uncover vulnerabilities, and prioritize fixes.
  • Close the gaps — Implement precise cybersecurity controls so you’re ready to pass your CMMC assessment.

No guesswork. No wasted time. Just a clear path to certification, contract eligibility, and stronger security.

Don’t wait until your company is denied a contract.

Schedule your CMMC Pre-Assessment today.

Frequently Asked Questions (FAQ)

What is CMMC, and why does it exist?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s framework for ensuring that contractors and subcontractors in the Defense Industrial Base protect sensitive government information from cyber threats. It was developed in response to a significant increase in cyberattacks targeting the defense supply chain, including smaller contractors that handle sensitive data but lack enterprise-level security programs. CMMC establishes specific, verifiable cybersecurity requirements that must be met before a contractor can bid on or perform DoD work.

Does CMMC apply to my business?

If your business holds, transmits, or handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a DoD contract or subcontract, or if you are pursuing contracts that involve them, CMMC applies to you. FCI alone puts you at Level 1; CUI puts you at Level 2 or above. This includes prime contractors, subcontractors, and suppliers at every tier of the defense supply chain. It does not matter how small your business is or how limited your role in a contract. If FCI or CUI flows through your environment, you have compliance obligations.

What is CUI, and how do I know if my business handles it?

Controlled Unclassified Information is information the government creates or possesses, or that a contractor creates or handles on its behalf, that requires safeguarding or dissemination controls but is not classified. Examples include technical specifications, engineering drawings, contract data, export-controlled research, and certain personnel and legal information. If your DoD contract includes DFARS 252.204-7012 (Safeguarding Covered Defense Information), you are obligated to protect CUI under NIST SP 800-171, and CUI markings on the documents you receive, the contract language, or your contracting officer tell you which information is in scope. If you are unsure whether your contract involves CUI, we help you make that determination as part of our pre-assessment process.

What are the CMMC levels, and which one applies to me?

CMMC 2.0 has three levels. Level 1, Foundational, covers basic cyber hygiene and applies to contractors that handle Federal Contract Information but not CUI. It requires an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21. Level 2, Advanced, applies to contractors that handle CUI and aligns with the 110 security requirements of NIST SP 800-171. Most contractors handling CUI will require a third-party assessment at this level. Level 3, Expert, applies to contractors working on the most sensitive DoD programs and involves government-led assessments based on NIST SP 800-172 on top of Level 2. We serve clients at Levels 1 and 2, which covers the overwhelming majority of DIB SMBs.

Does CMMC apply to subcontractors?

Yes. CMMC obligations flow down through the supply chain. If a prime contractor handles CUI and passes any of that work, or access to that information, to a subcontractor, the subcontractor inherits the same compliance obligations. Many smaller businesses are surprised to discover they are in scope even though they have no direct relationship with the DoD. We have experience helping subcontractors determine exactly what their obligations are based on the nature of the information they handle and the contract language governing their engagement.

How is CMMC different from NIST SP 800-171?

NIST SP 800-171 is the security standard that CMMC Level 2 is built on. It defines 110 security requirements across 14 families (CMMC calls them domains) that contractors handling CUI must meet. CMMC is the certification framework that verifies compliance with those requirements. Prior to CMMC, contractors self-attested to NIST 800-171 compliance with limited independent verification. CMMC adds a mandatory third-party assessment for most Level 2 contractors, making compliance verifiable rather than self-reported. If your organization has already done NIST 800-171 work, that foundation is directly applicable to CMMC Level 2 readiness.

Can I self-certify for CMMC, or do I need a third-party assessment?

It depends on your level. Level 1 allows annual self-assessment – you evaluate your own compliance against the 15 foundational requirements and submit an affirmation through the Supplier Performance Risk System. Level 2 requires a third-party assessment conducted by an authorized C3PAO for most contractors handling CUI, though a subset of Level 2 contractors may be permitted to self-assess based on the sensitivity of the programs they support; the solicitation states which path applies. Level 3 requires a government-led assessment. We help you determine which path applies to your situation.

What is an SPRS score, and do I need one?

Your Supplier Performance Risk System (SPRS) score is a numerical rating based on a self-assessment of your compliance with the 110 requirements of NIST SP 800-171 using the DoD Assessment Methodology. You start at 110 and subtract 1, 3, or 5 points for each requirement not fully implemented, depending on its weight, so scores range from -203 to 110, with higher scores reflecting stronger security postures. A current score in SPRS is required for any contractor subject to DFARS 252.204-7019 and 7020 and is increasingly referenced by prime contractors when evaluating subcontractors. We help you complete and submit your SPRS self-assessment accurately as part of our readiness work.

What is a System Security Plan, and do I need one?

A System Security Plan is a documented description of your organization’s security environment – what systems are in scope, how they are protected, which NIST 800-171 requirements you meet, and how. It is a foundational requirement for CMMC Level 2 and a critical document during any formal assessment; without one, an assessment cannot proceed. Alongside the SSP, contractors are expected to maintain a Plan of Action and Milestones (POA&M) that documents any requirements not yet fully met and the timeline for addressing them. Note that CMMC 2.0 limits the POA&M at assessment time: you must score at least 88 of 110, only certain lower-weighted requirements may remain open, and open items must be closed within 180 days or the conditional certification lapses. We produce your SSP and POA&M as part of our compliance engagement.

What does the CMMC pre-assessment include, and what will we receive?

Our pre-assessment follows the same structured approach as our other compliance engagements. It includes one to two days onsite, a network asset inventory, a gap analysis against the applicable CMMC level requirements, and a full written report with findings. You also receive draft compliance documents including your SSP and POA&M as starting points. Deliverables are provided within seven days of the onsite visit. The pre-assessment gives you a clear, documented picture of where you stand before any formal C3PAO assessment takes place — and identifies what needs to be resolved to avoid failing that assessment.

How long does it take to become CMMC compliant?

It depends on the level and the complexity of your environment. For Level 1, a self-assessment can typically be completed in approximately one month once readiness work is underway. Level 2 full certification involving a third-party C3PAO assessment takes six months or more for most SMBs – longer for organizations with more departments, more people handling CUI, or more significant gaps to remediate. If you have a contract bid deadline, the most important step is starting early. Waiting until a contract requires certification before beginning the process is the most common and costly mistake we see.

Do you work with C3PAOs and Registered Practitioners?

We work with a trusted compliance partner that maintains established relationships with specific C3PAOs and employs Registered Practitioners with formal CMMC credentials. Our role is to prepare your environment and documentation so you are ready to pass the formal assessment. Our partner manages the C3PAO relationship and coordinates the assessment process. This means you have a single point of accountability from pre-assessment through certification rather than having to source and coordinate multiple vendors independently.

What happens if I miss a CMMC requirement on a contract?

The consequences are direct. CMMC certification is a contract eligibility requirement – without the required level, you cannot be awarded the contract. For existing contracts, failure to maintain compliance or meet new requirements as they are phased in can result in contract termination, suspension of DoD work, and in cases of knowing misrepresentation of compliance status, potential False Claims Act liability. Getting ahead of requirements before a bid deadline is significantly less expensive than losing a contract or facing enforcement action after the fact.

What does ongoing CMMC compliance maintenance involve?

CMMC Level 2 requires a triennial third-party reassessment and an annual affirmation of continued compliance submitted through SPRS. Between assessments, your security posture must be actively maintained – controls cannot lapse, documentation must stay current, and changes to your environment must be reflected in your SSP. We offer ongoing CMMC compliance maintenance as a separate service delivered in conjunction with our compliance partner. This is distinct from standard managed IT services but can be coordinated alongside your monthly IT contract.

How do I get started?

Schedule your CMMC pre-assessment using the form on this page. We will conduct an onsite evaluation, assess your environment against the applicable level requirements, and deliver a written gap analysis, SSP draft, POA&M draft, and remediation roadmap within seven days. If you have a contract deadline in view, contact us as early as possible — the timeline to full Level 2 certification means that starting promptly is the single most important thing you can do.

Evaluation Signup


And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10