Defense Contractor Compliance: CMMC 2.0

CMMC 2.0 requirements are being written into DoD contracts. Ohio defense contractors and manufacturers that handle CUI must achieve the certification level their contracts specify or become ineligible for those contracts. Securafy delivers CMMC Level 1 and Level 2 readiness programs built for Ohio's defense industrial base.

DoD Contract Requirement

CMMC requirements are being phased into DoD solicitations over a three-year rollout under DFARS 252.204-7021. A contractor without the certification level the solicitation names is ineligible for award, and a prime cannot pass CUI to a subcontractor that lacks the required level.


What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's framework for verifying that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The program rule (32 CFR Part 170) took effect in December 2024, and the requirement is being phased into DoD solicitations through the DFARS clause 252.204-7021.

CMMC 2.0 streamlined the original five levels into three: Level 1 (Foundational: the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (Advanced: the 110 requirements of NIST SP 800-171 Rev. 2), and Level 3 (Expert: the 110 Level 2 requirements plus 24 selected from NIST SP 800-172). Most Ohio defense contractors and manufacturers need Level 1 or Level 2.

The critical change: Level 2 contracts are designated either Level 2 (Self) or Level 2 (C3PAO), and DoD expects the C3PAO designation for most contracts involving CUI. A self-assessment is no longer accepted where the contract calls for third-party certification, and an organization that affirms compliance it does not actually have faces False Claims Act liability.

"CMMC isn't a checkbox — it's a certification. Ohio defense contractors need to start their readiness program 12–18 months before their next contract renewal."

110: NIST 800-171 practices required for Level 2
$14B: Annual DoD prime contract value at risk for non-compliance
Level 2: Required for most CUI-handling defense contractors
18 months: Typical time to achieve Level 2 readiness from scratch
CMMC 2.0 Level Requirements

Level 1 — Foundational

15 basic safeguarding requirements from FAR 52.204-21. Protects Federal Contract Information (FCI). Annual self-assessment, with the result and a senior official's affirmation entered in SPRS. Covers basic cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

Level 2 — Advanced

110 requirements aligned to NIST SP 800-171 Rev. 2. Required for contracts involving Controlled Unclassified Information (CUI). For most such contracts a third-party C3PAO assessment is required every three years, with an annual affirmation in SPRS in between; a minority of contracts specify Level 2 self-assessment instead. Covers all 14 NIST SP 800-171 families, including access control, audit and accountability, configuration management, incident response, and system and communications protection.

Level 3 — Expert

The 110 Level 2 requirements plus 24 selected from NIST SP 800-172. Required for contracts involving the most sensitive CUI on DoD's highest-priority programs. Assessed by the government (DCMA DIBCAC) on top of a current Level 2 C3PAO certification. Applies to a small subset of the defense industrial base.

System Security Plan (SSP)

All levels require a documented System Security Plan describing how you meet each practice. At Level 2, unmet items may be carried in a Plan of Action & Milestones (POA&M) only within the limits the rule sets: the assessment score must still be at least 88 of 110, only the low-weight items the rule allows may be deferred, and everything on the POA&M must be closed within 180 days or the conditional certification lapses. Assessors review both documents.
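A worked example of the arithmetic behind a conditional Level 2 certificate, added here as an illustration; it is not code from this page or from any Securafy tooling, and not an official DoD calculator. It scores a set of open findings the way the NIST SP 800-171 DoD Assessment Methodology does (110 minus a 1-, 3- or 5-point deduction per unmet requirement, a 3-point partial credit only for MFA 3.5.3 and CUI encryption 3.13.11, and a floor of -203), then applies the 32 CFR 170.21 tests for a conditional certificate: a score of at least 88, and no POA&M item worth more than 1 point except 3.13.11 at its 3-point partial value. The findings list is constructed for the demo and the per-requirement weights in it are assumed for illustration; take real weights from Annex A of the methodology. The rule also bars a short list of specific requirements from any POA&M, which this example does not encode.

```python
"""SPRS-style scoring and CMMC Level 2 conditional-certification check.

Added illustration only; not Securafy tooling and not an official DoD calculator.
Weights in SAMPLE_FINDINGS are assumptions for the demo: verify them against the
NIST SP 800-171 DoD Assessment Methodology, Annex A, before relying on them.
"""
from dataclasses import dataclass

MAX_SCORE = 110           # one point per NIST SP 800-171 requirement
MIN_SCORE = -203          # floor defined by the assessment methodology
MIN_CONDITIONAL = 88      # 80% of 110, the 32 CFR 170.21 threshold
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # MFA and CUI encryption: 3-point partial
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Finding:
    """An unmet or partially met requirement from a gap assessment."""
    rid: str      # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 per Annex A of the methodology
    status: str   # "not_met" or "partial"

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.rid}: weight must be 1, 3 or 5")
        if self.status not in ("not_met", "partial"):
            raise ValueError(f"{self.rid}: status must be not_met or partial")
        if self.status == "partial" and self.rid not in PARTIAL_CREDIT:
            # Every other requirement is all-or-nothing under the methodology.
            raise ValueError(f"{self.rid}: partial credit only for {sorted(PARTIAL_CREDIT)}")


def deduction(f: Finding) -> int:
    """Points removed from 110 for this finding."""
    return 3 if f.status == "partial" else f.weight


def sprs_score(findings: list[Finding]) -> int:
    """110 minus all deductions, never below the -203 floor."""
    ids = [f.rid for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("a requirement appears twice in the findings list")
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(f) for f in findings))


def poam_allowed(f: Finding) -> bool:
    """May this open item sit on a POA&M at certification time?

    32 CFR 170.21: only 1-point items, plus 3.13.11 at its 3-point partial value.
    (The rule also names specific requirements that can never be deferred;
    that list is not reproduced here.)
    """
    d = deduction(f)
    return d == 1 or (f.rid == "3.13.11" and d == 3)


def conditional_level2(findings: list[Finding]) -> dict:
    """Score the findings and decide whether a conditional certificate is possible."""
    score = sprs_score(findings)
    blockers = sorted(f.rid for f in findings if not poam_allowed(f))
    return {
        "score": score,
        "poam": sorted(f.rid for f in findings if poam_allowed(f)),
        "blockers": blockers,          # must be fixed before the assessment
        "conditional_ok": score >= MIN_CONDITIONAL and not blockers,
    }


# Constructed sample gap-assessment output (weights assumed for the demo).
SAMPLE_FINDINGS = [
    Finding("3.5.3", 5, "partial"),    # MFA on privileged accounts only
    Finding("3.13.11", 5, "partial"),  # CUI encrypted, but not with FIPS-validated modules
    Finding("3.3.1", 5, "not_met"),    # no centralized audit logging
    Finding("3.1.7", 1, "not_met"),    # non-privileged users can run privileged functions
    Finding("3.8.9", 1, "not_met"),    # backups of CUI not protected
]

if __name__ == "__main__":
    result = conditional_level2(SAMPLE_FINDINGS)
    print(result)
    # Closing the two blockers leaves only POA&M-eligible items.
    remaining = [f for f in SAMPLE_FINDINGS if f.rid not in result["blockers"]]
    print(conditional_level2(remaining))
```

On the sample, the score is 97 (above the 88 line) but the missing audit logging and the half-implemented MFA are worth more than 1 point each, so they block a conditional certificate and must be closed before the assessment; the remaining three findings could ride on a POA&M and would leave a score of 105.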

Flow-Down Requirements

Prime contractors must flow CMMC requirements down to their subcontractors. The level a subcontractor needs follows the information it receives, not the prime's own level: Level 2 if CUI flows down, Level 1 if only FCI does. A prime cannot release CUI to a subcontractor that lacks the required level, so subcontractor gaps can cost a prime the work.

Scoping — What's In Your CUI Environment?

Defining your CMMC scope, the systems, people and facilities that store, process or transmit CUI, is one of the most critical and most misunderstood steps. DoD's Level 2 scoping guide sorts assets into five categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets such as shop-floor OT, and out-of-scope assets), and the category determines whether and how an asset is assessed. Scoping too wide means paying to harden systems that never touch CUI; scoping too narrow means an assessor finds CUI on a system you never documented.

The 14 Practice Domains

Level 2 maps to all 14 NIST SP 800-171 Rev. 2 requirement families; the practice counts below sum to 110. Each family contains specific practices your organization must implement and document.

| Domain | Practices (Level 2) | Common gaps |
|---|---|---|
| Access Control (AC) | 22 | Least-privilege enforcement, CUI access logging, remote access controls |
| Awareness & Training (AT) | 3 | Role-based security training, insider-threat awareness, training records |
| Audit & Accountability (AU) | 9 | Centralized log collection, retention policies, review processes |
| Configuration Management (CM) | 9 | Baseline configurations, change control, unauthorized software blocking |
| Identification & Authentication (IA) | 11 | MFA enforcement, password complexity, privileged account management |
| Incident Response (IR) | 3 | Documented IRP, 72-hour cyber incident reporting to DoD via DIBNet (DFARS 252.204-7012), post-incident lessons learned |
| Maintenance (MA) | 6 | Controlled remote maintenance, sanitization before off-site maintenance |
| Media Protection (MP) | 9 | CUI marking, portable media controls, sanitization procedures |
| Personnel Security (PS) | 2 | Screening procedures, termination procedures |
| Physical Protection (PE) | 6 | Facility access controls, visitor management, CUI workspace controls |
| Risk Assessment (RA) | 3 | Periodic risk assessments, vulnerability scanning cadence |
| Security Assessment (CA) | 4 | System security plans, POA&M management, control testing |
| System & Communications Protection (SC) | 16 | Network segmentation, FIPS-validated encryption of CUI, boundary protection |
| System & Information Integrity (SI) | 7 | Malicious code protection, security alerting, software patching |

Supply chain risk (vendor vetting, software provenance, hardware integrity) is not a separately scored family under the Rev. 2 baseline that Level 2 is assessed against; it becomes one (SR) only in NIST SP 800-171 Rev. 3.
How Securafy Helps: CMMC Readiness for Manufacturers

Securafy is a Registered Practitioner Organization (RPO) with the Cyber AB (formerly the CMMC-AB), meaning our consultants are trained to assist with CMMC readiness. An RPO cannot perform the certification assessment itself; that is done by an independent C3PAO, and conflict-of-interest rules bar a C3PAO from assessing an organization it helped prepare.

CMMC Scoping & Gap Assessment

We define your CUI environment, identify in-scope systems and assets, map your current practices against all 110 NIST 800-171 requirements, and produce a scored gap analysis with remediation priorities.

System Security Plan (SSP) Development

We write your complete SSP — the primary document reviewed by C3PAO assessors — documenting how each practice is implemented, partially implemented, or planned in your environment.

POA&M Management

We track all practice gaps in a Plan of Action & Milestones, with remediation timelines and responsible owners. We manage the POA&M actively through to closure — not just document it.

Technical Control Implementation

We implement the technical controls required by Level 2 — MFA, network segmentation, endpoint protection, SIEM, patch management, encryption, and access control — all maintained ongoing.

C3PAO Assessment Preparation

Before your certification assessment, we conduct a mock assessment against all 110 practices, identify remaining gaps, and prepare your team for assessor interviews and documentation reviews.

Ongoing CMMC Maintenance

Certification must be maintained. A Level 2 certificate is valid for three years, but a senior official must affirm continued compliance in SPRS every year, and any POA&M items must be closed within 180 days. We provide continuous monitoring, quarterly control testing, policy updates, and evidence refresh so that each annual affirmation and the next triennial assessment rest on current facts.

CMMC 2.0 FAQ

When does CMMC 2.0 become mandatory?
The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the DFARS acquisition rule phases the requirement into new solicitations over three years rather than all at once. DFARS 252.204-7021 is the clause that triggers CMMC requirements; if a contract you hold or bid on carries it, you must have the specified level at award. Independently of CMMC, DFARS 252.204-7012 has required NIST SP 800-171 implementation for CUI since 2017, so the underlying controls are not new obligations.
Can I self-attest for CMMC Level 2?
Only when the contract designates Level 2 (Self) rather than Level 2 (C3PAO), and DoD expects the C3PAO designation for most contracts involving CUI. A self-assessment is entered in SPRS with a senior official's affirmation, and a knowingly false affirmation exposes the organization to civil False Claims Act liability (treble damages plus per-claim penalties) and the affirming executive to personal liability.
What happens if my subcontractors aren't CMMC certified?
As a prime contractor, you are responsible for ensuring that any subcontractor who receives or generates CUI has the appropriate CMMC level. If a subcontractor isn't certified, you cannot flow CUI to them — which may disqualify certain contract work. This is why CMMC supply chain risk is a critical planning consideration.
How much does CMMC Level 2 certification cost?
C3PAO assessment fees typically range from $30,000–$100,000+ depending on organizational size and scope. But the larger cost is remediation — getting to 110/110 practices before the assessment. Most Ohio SMB manufacturers spend $150K–$400K total on readiness + assessment. The cost of losing DoD contracts is typically far greater.
Watch the Full CMMC Briefing

Securafy for CMMC-Subject Manufacturers
Protect Your DoD Contract Eligibility

A complete briefing for manufacturers handling Controlled Unclassified Information (CUI) or subject to CMMC 2.0 / NIST SP 800-171. Understand exactly what Level 2 certification requires, what Securafy delivers, and how we protect the contracts your business depends on.

What This Briefing Covers
  • CMMC 2.0 Level 1, 2 & 3 requirements explained
  • All 110 NIST 800-171 practices — what they mean
  • How Securafy implements and documents every control
  • SSP development and POA&M management
  • C3PAO assessment readiness process
  • DoD contract protection and audit defense
Who Needs This
  • DoD prime contractors & subcontractors
  • Manufacturers handling CUI data
  • Defense supply chain participants
  • Firms facing DFARS clause requirements

Soteria Award — Most Trusted MSP in North America 2024

CMMC 2.0 requires DoD contractors handling Controlled Unclassified Information to implement and certify cybersecurity practices across three levels. Level 2 mandates all 110 NIST SP 800-171 controls and a third-party C3PAO assessment. Securafy delivers gap assessments, System Security Plan development, all 110 controls implemented and documented, and full C3PAO readiness for Ohio defense contractors and manufacturers.

Related Resources
  • Knowledge Base: CMMC Level 2 Requirements
  • Guide: Cybersecurity for Manufacturers
  • Service: Comply-CARE Program
  • Industry: Manufacturing IT Services

Ready to Become Audit-ready?

Securafy builds and maintains compliance programs for Columbus and Cleveland, Ohio, and for businesses nationwide. Prevention-First. Compliance-Ready. Award-Winning.

Understanding CMMC 2.0 Requirements: About CMMC for Manufacturers

“If you sell to the DoD or its primes, CMMC is no longer a roadmap — it's a contract requirement. Manufacturers that wait until the prime asks for evidence end up scrambling. Start the certification work 12 to 18 months before you need it.”

Randy Hall CEO & Founder, Securafy

What is CMMC compliance and who does it apply to?

CMMC (Cybersecurity Maturity Model Certification) is a Department of Defense framework that defines required cybersecurity controls for defense contractors and subcontractors. It applies to any organization in the Defense Industrial Base — including small manufacturers, machine shops, and service providers handling Controlled Unclassified Information (CUI).

Which MSPs help manufacturers achieve CMMC certification?

MSPs that help manufacturers achieve CMMC certification implement the required NIST 800-171 controls, document evidence, conduct gap assessments, and prepare for third-party assessor reviews (C3PAOs). Securafy supports Ohio manufacturers through CMMC Level 2 readiness, control implementation, and ongoing maintenance.

Which IT providers help manufacturers meet CMMC and compliance requirements?

IT providers that help manufacturers meet CMMC and broader compliance requirements operate under documented control frameworks (NIST 800-171 for CMMC, plus FAR 52.204-21 baseline requirements), provide assessment readiness, and maintain ongoing control documentation. Securafy provides this support as part of Compliance-as-a-Service for manufacturing clients.

CMMC Level 1 vs Level 2 vs Level 3 Requirements

| CMMC aspect | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Required for | Federal Contract Information (FCI) only | Controlled Unclassified Information (CUI) | CUI in high-priority programs |
| Control set | 15 basic safeguards (FAR 52.204-21) | 110 controls (NIST SP 800-171 Rev. 2) | 110 + 24 selected NIST SP 800-172 enhancements |
| Assessment | Annual self-assessment with SPRS affirmation | C3PAO assessment every 3 years plus annual affirmation (self-assessment only where the contract permits) | Government-led (DCMA DIBCAC) assessment on top of a current Level 2 C3PAO certificate |
| Typical organizations | Subcontractors handling only FCI | Most Defense Industrial Base contractors | Top-tier primes and critical CUI handlers |
| Securafy support | Self-assessment templates + control implementation | Full readiness + C3PAO prep | Custom engagement |

Why Securafy for CMMC for Manufacturers

  • NIST 800-171 control implementation with documented evidence for all 110 controls
  • CMMC Level 2 readiness assessments and remediation roadmaps
  • Preparation for C3PAO third-party assessment, including evidence packages
  • Ongoing control maintenance after certification, so each annual SPRS affirmation is truthful and the next triennial assessment does not start from a gap
  • Manufacturing-specific expertise covering both office IT and shop-floor OT environments
Additional CMMC Questions

What is CMMC 2.0 and who needs it?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is a U.S. Department of Defense framework required of contractors and subcontractors that handle Federal Contract Information or Controlled Unclassified Information (CUI). Under the program rule, Level 2 is the level tied to CUI, and it is being phased into DoD contracts over a multi-year rollout that affects thousands of defense contractors and their supply chains.
What are the CMMC 2.0 levels?
CMMC 2.0 has three levels: Level 1 (Foundational) covers the 15 basic safeguarding requirements of FAR 52.204-21 and requires an annual self-assessment. Level 2 (Advanced) covers all 110 NIST SP 800-171 requirements and requires a third-party C3PAO assessment for most contracts. Level 3 (Expert) adds 24 requirements from NIST SP 800-172 on top of Level 2 and requires a government-led assessment.
What is the difference between CMMC and NIST 800-171?
NIST SP 800-171 is the underlying standard that defines 110 security requirements for protecting CUI. CMMC 2.0 Level 2 is the certification framework that verifies implementation of those 110 practices. CMMC adds formal assessment and certification requirements — you must prove compliance to a C3PAO assessor, not just self-attest.
How long does CMMC Level 2 certification take?
CMMC Level 2 certification typically takes 6–18 months from gap assessment to final certification, depending on your current security posture. The process involves gap assessment, remediation of findings, System Security Plan (SSP) development, POA&M management, and a formal assessment by a C3PAO. Securafy guides clients through every phase.
What is a System Security Plan (SSP) for CMMC?
A System Security Plan (SSP) is a mandatory CMMC document that describes your IT environment, identifies all systems that process CUI, and documents how each of the 110 NIST 800-171 practices is implemented or planned. Securafy develops and maintains SSPs as part of Comply-CARE for defense contractors.
What is a POA&M and why does CMMC require it?
A Plan of Action & Milestones (POA&M) documents every open security finding, assigns a remediation owner, sets a target completion date, and tracks progress. Developing and implementing POA&Ms is itself a NIST SP 800-171 requirement (3.12.2), so it is part of DFARS 252.204-7012 compliance. Under CMMC, a limited POA&M is what makes a conditional Level 2 certification possible: the assessment score must be at least 88 of 110, only the low-weight items the rule allows may be deferred, and everything on the POA&M must be closed within 180 days or the conditional certification lapses.