The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now being enforced across Department of Defense contracts. If your business works with the DoD — directly or as a subcontractor — this affects you. Here's a plain-English breakdown of what you need to know.
CMMC is the DoD's framework for ensuring that defense contractors adequately protect sensitive government information, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Version 2.0 simplified the original five-level model into three levels.
17 basic cybersecurity practices aligned with FAR 52.204-21. Self-assessment is allowed. Covers basic cyber hygiene like antivirus, password policies, and access controls. Required for companies handling FCI.
110 practices aligned with NIST SP 800-171. Third-party assessment required for most contracts involving CUI. This is where most defense contractors fall — and where the most work is required.
Based on NIST SP 800-172 with additional practices. Government-led assessments. Required for the most critical DoD programs.
💡 Important: CMMC compliance cannot be faked or rushed. Starting early gives you time to fix gaps properly. Companies found misrepresenting their compliance status face False Claims Act liability.
We provide CMMC readiness assessments, gap analysis, SSP development, and technical implementation of the required controls. Our founder's academic background in cybersecurity combined with practical MSP experience makes us uniquely positioned to guide small defense contractors through this process.
Get a free, no-obligation IT and security assessment from our team. We'll identify your risks and show you exactly how to fix them.
Get My Free Assessment →