CMMC 2.0
Compliance
CMMC 2.0 is now enforced in DoD contracts. Ohio defense contractors and manufacturers who handle CUI must achieve certified compliance — or lose their contracts. Securafy delivers CMMC Level 1 and Level 2 readiness programs built for Ohio's defense industrial base.
All DoD contractors and subcontractors must achieve CMMC certification by 2025. Non-compliance means losing federal contracts permanently.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's framework for ensuring that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It became enforceable in DoD contracts beginning in late 2024.
CMMC 2.0 streamlined the original five levels into three: Level 1 (Foundational — 17 practices), Level 2 (Advanced — 110 practices aligned to NIST SP 800-171), and Level 3 (Expert — 110+ practices aligned to NIST SP 800-172). Most Ohio defense contractors and manufacturers need Level 1 or Level 2.
The critical change: CMMC 2.0 requires third-party certification (C3PAO assessment) for most Level 2 contracts. Self-attestation alone is no longer sufficient for contracts involving CUI. Organizations that prematurely claim compliance without proper controls face False Claims Act liability.
"CMMC isn't a checkbox — it's a certification. Ohio defense contractors need to start their readiness program 12–18 months before their next contract renewal."
CMMC 2.0 Level Requirements
Level 1 — Foundational
17 practices from FAR 52.204-21. Protects Federal Contract Information (FCI). Annual self-attestation allowed. Covers basic cyber hygiene: access control, identification, media protection, physical protection, system communications, and system integrity.
Level 2 — Advanced
110 practices aligned to NIST SP 800-171. Required for contracts involving Controlled Unclassified Information (CUI). Triennial (every three years) third-party assessment (C3PAO) required for most contracts. Covers 14 security domains including access control, audit, configuration management, incident response, and supply chain risk.
Level 3 — Expert
110+ practices aligned to NIST SP 800-172. Required for contracts involving the most sensitive CUI on DoD's highest-priority programs. Government-led assessments. Applies to a small subset of the defense industrial base.
System Security Plan (SSP)
All levels require a documented System Security Plan describing how you meet each practice. Level 2+ also requires a Plan of Action & Milestones (POA&M) tracking unmet requirements. These documents are reviewed by assessors.
Flow-Down Requirements
Prime contractors must flow CMMC requirements down to their subcontractors. If you receive CUI from a prime, you need the same level of certification as the prime. Subcontractor gaps can disqualify a prime's contract.
Scoping — What's In Your CUI Environment?
Defining your CMMC scope — the systems, people, and facilities that handle CUI — is one of the most critical (and misunderstood) steps. Incorrect scoping leads to either over-investment or audit failure.
CMMC Level 2 Security Domains
Level 2 maps to all 14 NIST SP 800-171 domains. Each domain contains specific practices your organization must implement and document.
| Domain | Practices (Level 2) | Common Gaps |
|---|---|---|
| Access Control (AC) | 22 practices | Least privilege enforcement, CUI access logging, remote access controls |
| Audit & Accountability (AU) | 9 practices | Centralized log collection, retention policies, review processes |
| Configuration Management (CM) | 9 practices | Baseline configurations, change control, unauthorized software blocking |
| Identification & Authentication (IA) | 11 practices | MFA enforcement, password complexity, privileged account management |
| Incident Response (IR) | 3 practices | Documented IRP, reporting to DoD DCSA, post-incident lessons learned |
| Maintenance (MA) | 6 practices | Controlled remote maintenance, sanitization before maintenance |
| Media Protection (MP) | 9 practices | CUI marking, portable media controls, sanitization procedures |
| Personnel Security (PS) | 2 practices | Screening procedures, termination procedures |
| Physical Protection (PE) | 6 practices | Facility access controls, visitor management, CUI workspace controls |
| Risk Assessment (RA) | 3 practices | Periodic risk assessments, vulnerability scanning cadence |
| Security Assessment (CA) | 4 practices | System security plans, POA&M management, control testing |
| System & Communications Protection (SC) | 16 practices | Network segmentation, encryption, boundary protection |
| System & Information Integrity (SI) | 7 practices | Malicious code protection, security alerting, software patching |
| Supply Chain Risk Management | Varies | Vendor vetting, software provenance, hardware integrity |
CMMC Readiness for Manufacturers
Securafy is a CMMC-AB Registered Practitioner Organization (RPO), meaning our consultants are trained and authorized to assist with CMMC readiness — though we do not perform the final C3PAO certification assessment.
CMMC Scoping & Gap Assessment
We define your CUI environment, identify in-scope systems and assets, map your current practices against all 110 NIST 800-171 requirements, and produce a scored gap analysis with remediation priorities.
System Security Plan (SSP) Development
We write your complete SSP — the primary document reviewed by C3PAO assessors — documenting how each practice is implemented, partially implemented, or planned in your environment.
POA&M Management
We track all practice gaps in a Plan of Action & Milestones, with remediation timelines and responsible owners. We manage the POA&M actively through to closure — not just document it.
Technical Control Implementation
We implement the technical controls required by Level 2 — MFA, network segmentation, endpoint protection, SIEM, patch management, encryption, and access control — all maintained ongoing.
C3PAO Assessment Preparation
Before your certification assessment, we conduct a mock assessment against all 110 practices, identify remaining gaps, and prepare your team for assessor interviews and documentation reviews.
Ongoing CMMC Maintenance
Certification must be maintained. We provide continuous monitoring, quarterly control testing, policy updates, and annual reassessment readiness to keep your certification valid through your 3-year cycle.
CMMC 2.0 FAQ
Securafy for CMMC-Subject Manufacturers
Protect Your DoD Contract Eligibility
A complete briefing for manufacturers handling Controlled Unclassified Information (CUI) or subject to CMMC 2.0 / NIST SP 800-171. Understand exactly what Level 2 certification requires, what Securafy delivers, and how we protect the contracts your business depends on.
- CMMC 2.0 Level 1, 2 & 3 requirements explained
- All 110 NIST 800-171 practices — what they mean
- How Securafy implements and documents every control
- SSP development and POA&M management
- C3PAO assessment readiness process
- DoD contract protection and audit defense
Soteria Award — Most Trusted MSP in North America 2024
CMMC 2.0 requires DoD contractors handling Controlled Unclassified Information to implement and certify cybersecurity practices across three levels. Level 2 mandates all 110 NIST SP 800-171 controls and a third-party C3PAO assessment. Securafy delivers gap assessments, System Security Plan development, all 110 controls implemented and documented, and full C3PAO readiness for Ohio defense contractors and manufacturers.
Ready to Become Audit-Ready?
Securafy builds and maintains compliance programs for Columbus and Cleveland businesses, and for businesses nationwide. Prevention-First. Compliance-Ready. Award-Winning.
Official Regulatory Resources
Understanding CMMC 2.0 Requirements

About CMMC for Manufacturers
“If you sell to the DoD or its primes, CMMC is no longer a roadmap — it's a contract requirement. Manufacturers that wait until the prime asks for evidence end up scrambling. Start the certification work 12 to 18 months before you need it.”
Randy Hall, CEO & Founder, Securafy
What is CMMC compliance and who does it apply to?
CMMC (Cybersecurity Maturity Model Certification) is a Department of Defense framework that defines required cybersecurity controls for defense contractors and subcontractors. It applies to any organization in the Defense Industrial Base — including small manufacturers, machine shops, and service providers handling Controlled Unclassified Information (CUI).
Which MSPs help manufacturers achieve CMMC certification?
MSPs that help manufacturers achieve CMMC certification implement the required NIST 800-171 controls, document evidence, conduct gap assessments, and prepare for third-party assessor reviews (C3PAOs). Securafy supports Ohio manufacturers through CMMC Level 2 readiness, control implementation, and ongoing maintenance.
Which IT providers help manufacturers meet CMMC and compliance requirements?
IT providers that help manufacturers meet CMMC and broader compliance requirements operate under documented control frameworks (NIST 800-171 for CMMC, plus FAR 52.204-21 baseline requirements), provide assessment readiness, and maintain ongoing control documentation. Securafy provides this support as part of Compliance-as-a-Service for manufacturing clients.
Why Securafy for CMMC for Manufacturers
- NIST 800-171 control implementation with documented evidence for all 110 controls
- CMMC Level 2 readiness assessments and remediation roadmaps
- Preparation for C3PAO third-party assessment, including evidence packages
- Ongoing control maintenance after certification to avoid surveillance failures
- Manufacturing-specific expertise covering both office IT and shop-floor OT environments