CMMC 2.0 for defense contractors.

NIST 800-171 implementation, CUI enclave architecture, DFARS 252.204-7012 compliance, SSP authoring, and C3PAO assessment readiness.

CMMC 2.0 in context

The DoD has spent a decade trying to reduce the leakage of Controlled Unclassified Information from the defense industrial base. CMMC 2.0 is the current answer. The final rule under 32 CFR Part 170 took effect December 16, 2024, and the DFARS implementation rule under 48 CFR (252.204-7021) became effective in 2025, beginning a phased rollout of certification requirements in DoD solicitations. Contractors handling CUI must achieve the certification level required by the contract or become ineligible for that contract.

CMMC 2.0 has three levels:

  • Level 1 Foundational — 17 basic safeguarding practices from FAR 52.204-21. Annual self-assessment. Applies to contractors handling Federal Contract Information (FCI).
  • Level 2 Advanced — 110 practices drawn from NIST SP 800-171 rev 2 (transitioning to rev 3 per the DoD roadmap). Third-party assessment every three years by a Certified Third-Party Assessor Organization (C3PAO). Applies to contractors handling CUI.
  • Level 3 Expert — Level 2 plus selected controls from NIST SP 800-172. Government assessment by DIBCAC. Applies to contractors handling CUI of critical national importance.

Who needs which level

The CMMC level required appears in the solicitation and flows down to every subcontractor that touches CUI for that contract. Most small defense contractors will need Level 2. Firms handling only FCI (no CUI) can operate at Level 1. Firms on high-priority programs (HBSS, specific weapon systems) may face Level 3.

The 14 control families of NIST 800-171

Level 2 assessment covers 110 practices organized into 14 families:

  • Access Control (AC) — 22 practices. Account management, least privilege, separation of duties.
  • Awareness and Training (AT) — 3 practices. Security training, insider threat awareness.
  • Audit and Accountability (AU) — 9 practices. Logging, log review, time synchronization, protection of logs.
  • Configuration Management (CM) — 9 practices. Baseline configurations, change control, least functionality.
  • Identification and Authentication (IA) — 11 practices. MFA, identifier management, password requirements.
  • Incident Response (IR) — 3 practices. Capability, reporting, testing.
  • Maintenance (MA) — 6 practices. Maintenance tools, remote maintenance, personnel.
  • Media Protection (MP) — 9 practices. Marking, storage, transport, sanitization of CUI media.
  • Personnel Security (PS) — 2 practices. Screening, personnel actions on termination or transfer.
  • Physical Protection (PE) — 6 practices. Facility access, visitor control, monitoring.
  • Risk Assessment (RA) — 3 practices. Periodic risk assessment, vulnerability scanning.
  • Security Assessment (CA) — 4 practices. Plan of Action, system security plan, control assessment.
  • System and Communications Protection (SC) — 16 practices. Network boundary protection, encryption, DNSSEC.
  • System and Information Integrity (SI) — 7 practices. Flaw remediation, malware protection, monitoring.

Enclave strategy: minimize scope

The single highest-leverage CMMC decision is where to draw the CUI boundary. Most defense contractors do not need every employee, every laptop, every SaaS tool in scope. A dedicated CUI enclave — a discrete environment where CUI lives and only CUI lives — can shrink the assessed footprint from an entire enterprise down to 20-50 users and one technology stack.

Enclave patterns we implement:

  • Microsoft 365 GCC High enclave. Dedicated tenant with GCC High licensing (Azure Government + Microsoft 365 US Government Defense). Teams, SharePoint, OneDrive, Exchange all inside the CUI boundary. Endpoints via Intune with hardened profiles.
  • AWS GovCloud enclave. VPC-isolated environment with WorkSpaces or AppStream 2.0 for user access, S3 for storage, encryption via AWS KMS, CloudTrail logging to a segregated log archive.
  • On-premise SCIF-adjacent enclave. Dedicated physical network for CUI work, managed endpoints, no commingling with general enterprise.

The enclave reduces cost (fewer licenses at GCC High rates), reduces assessment complexity (smaller perimeter), and reduces breach blast radius.
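The AWS GovCloud pattern above names S3 storage with KMS encryption; the encryption requirement can be enforced at the bucket rather than merely enabled as a default. This is an added example, not the firm's own configuration: an S3 bucket policy for the aws-us-gov partition that rejects non-TLS requests, uploads without SSE-KMS, and uploads that specify any key other than the enclave's. The bucket name, account id and key id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTLSAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-us-gov:s3:::cui-enclave-bucket-PLACEHOLDER",
        "arn:aws-us-gov:s3:::cui-enclave-bucket-PLACEHOLDER/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::cui-enclave-bucket-PLACEHOLDER/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithNonEnclaveKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::cui-enclave-bucket-PLACEHOLDER/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/KEY-ID-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because StringNotEquals also matches requests that omit the encryption headers entirely, clients must send them explicitly; default bucket encryption alone does not satisfy this policy. Pair it with S3 Block Public Access and a KMS key policy that grants use of the key only to enclave roles, so that the CloudTrail archive shows every CUI write under a single known key.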

SSP and POA&M for CMMC

Level 2 requires a written System Security Plan and a Plan of Action and Milestones. The SSP describes how each of the 110 practices is implemented. The POA&M tracks open gaps. CMMC 2.0 permits conditional certification when certain POA&M items remain open, but the assessor score must still exceed 88 of 110. We author SSPs and POA&Ms that match reality and are organized for C3PAO review.

DFARS 252.204-7012 and incident reporting

The underlying regulatory requirement is DFARS 252.204-7012. Two obligations matter:

  • Safeguarding. Implement NIST 800-171. CMMC verifies this.
  • Incident reporting. Report cyber incidents within 72 hours to the DoD Cyber Crime Center (DC3) via the DIBNet portal. Preserve media, provide images on request, facilitate damage assessment.

The incident response capability must exist before CMMC assessment. We implement the IR practices end-to-end: detection, triage, reporting workflow, DC3 submission template, tabletop exercises, post-incident review.

C3PAO assessment readiness

We run CMMC mock assessments using the official Assessment Guide scoring methodology. Typical findings we remediate before real assessment: incomplete SSP narratives, missing parameter values, undocumented shared responsibility on cloud inheritances, gaps in monthly vulnerability scanning cadence, missing time synchronization evidence, and incomplete audit log retention configuration.

CMMC 2.0, answered.
What is CMMC 2.0?

CMMC 2.0 is the DoD's Cybersecurity Maturity Model Certification framework requiring defense contractors handling CUI to meet NIST 800-171 with independent assessment. Three levels: Foundational, Advanced (110 practices, C3PAO), Expert.

Who needs CMMC certification?

Any contractor or subcontractor that processes, stores, or transmits CUI on DoD contracts. Level required is specified in the solicitation and flows down.

What is DFARS 252.204-7012?

The DFARS clause that requires defense contractors to implement NIST 800-171, report cyber incidents within 72 hours to DC3, and meet cloud requirements equivalent to FedRAMP Moderate.

How do you architect a CUI enclave?

Segment CUI into a discrete environment: GCC High or dedicated AWS GovCloud tenant, hardened endpoints, restricted egress, encrypted storage, minimized user population.

What is a C3PAO?

A Certified Third-Party Assessor Organization accredited by the Cyber AB to perform CMMC Level 2 assessments. Required every three years for Level 2 certification.

Is Precision Federal a SAM.gov-registered small business?

Yes. Precision Delivery Federal LLC, SAM.gov active, UEI Y2JVCZXT9HP5, CAGE 1AYQ0, NAICS 541512. Ames, Iowa.

Pass CMMC Level 2.

NIST 800-171 implementation, CUI enclave design, C3PAO-ready SSPs.
