
CMMC 2.0, level by level.

The Cybersecurity Maturity Model Certification gates participation in the DoD supply chain. Every contractor handling federal contract information (FCI) or controlled unclassified information (CUI) has to reach the level its contracts require as CMMC clauses are phased into solicitations.

What CMMC 2.0 actually requires.

CMMC 2.0 replaced the original five-level model with three levels tied directly to the kind of information you handle. The control set comes almost entirely from NIST: Level 1 is a 17-practice subset, Level 2 is the full 110 requirements of NIST SP 800-171, and Level 3 adds 24 selected NIST SP 800-172 requirements.

Compliance is required to bid on defense contracts that flow down FCI or CUI handling. The rollout is phased, but expect CMMC clauses to appear in more contract vehicles with each phase over the next two years.

Level 1: Foundational

17 practices from FAR 52.204-21. For FCI only. Annual self-assessment.

Level 2: Advanced

110 requirements from NIST SP 800-171. For CUI. Triennial C3PAO assessment for most CUI programs (a subset is allowed a triennial self-assessment), with an annual affirmation in SPRS between assessments.

Level 3: Expert

Level 2 plus 24 selected NIST SP 800-172 requirements. Highest-priority programs. Government-led (DIBCAC) assessment.

Who has to comply.

Every defense contractor and subcontractor in the DoD supply chain that handles federal contract information or CUI. The level depends on what you handle, not how big you are: FCI only puts you at Level 1, any CUI puts you at Level 2, and CUI on the highest-priority programs puts you at Level 3.

What we implement.

Most of the work is engineering and documentation. The technical controls map almost one-to-one to NIST 800-171's 110 requirements at Level 2. We close the gaps and assemble the assessment package.

CUI handling environment

Segmented network, controlled-access systems, marked and tracked data. Often a separate enclave depending on existing infrastructure.

Access control

MFA for all CUI access, least privilege, joiner/mover/leaver process. Privileged account isolation.

Configuration management

Baselined configurations, change tickets, periodic configuration audits.

Logging and IR

Centralized log collection from CUI systems, alerting, IR plan tested annually, and cyber incident reporting to DoD within the 72-hour window DFARS 252.204-7012 requires.

SSP and POA&M

Drafted, maintained, kept current. SPRS score reflects reality. Plan of Action & Milestones tracks gaps with realistic dates.

Supply chain

Vendor inventory mapped to CUI exposure, plus the assessment tracking that proves flow-down.

Who owns what.

On us

  • Technical implementation of all 110 NIST 800-171 controls
  • SSP and POA&M drafting and maintenance
  • SPRS score calculation and submission support
  • Continuous monitoring of CUI systems
  • Coordination with the C3PAO assessor during the engagement
  • Evidence collection between assessments

On you

  • Contract review and CUI flow-down identification
  • Executive sponsor and program management
  • Workforce CUI awareness training (we provide content)
  • Final SSP approval and SPRS submission signature
  • C3PAO engagement letter (Level 2+)
  • Incident reporting to DoD per DFARS

Common pitfalls we see.

Assuming Level 1 is fine when CUI is actually present.

FCI is the broad category of non-public contract data; CUI is the narrower subset that law, regulation or policy requires you to safeguard. The distinction matters. If a single CUI-marked technical drawing or schedule lands in your inbox, you are in Level 2 territory. We help map every data flow before scoping.

Inflated SPRS scores that won't survive an assessment.

Self-attesting to a 110 when the SSP shows open gaps is a false representation to the government, not an optimistic estimate. Honest scores plus a credible POA&M win more contracts than inflated ones that collapse on assessment.
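To make the "SSP and POA&M" item and this pitfall concrete, here is an added example, not this firm's tooling or any DoD tool, that scores a sample SSP the way the NIST SP 800-171 DoD Assessment Methodology does (110 minus 1, 3 or 5 points per unmet requirement, with partial credit only for 3.5.3 and 3.13.11) and then applies the Level 2 conditional-status test as I understand it from 32 CFR 170.21. The per-requirement point values and the SSP excerpt are constructed sample data, not the full 110-item table, and the rule thresholds and the list of requirements barred from a POA&M are assumptions to verify against the current text.

```python
"""SPRS score arithmetic under the NIST SP 800-171 DoD Assessment Methodology,
plus the Level 2 POA&M eligibility test from the CMMC rule.

Added example, not this firm's tooling. Point values, thresholds and the
barred-from-POA&M list are as I understand the methodology and 32 CFR 170.21;
verify each against the current text before relying on it.
"""
from dataclasses import dataclass

MAX_SCORE = 110               # one point per requirement before deductions
TOTAL_REQUIREMENTS = 110
CONDITIONAL_MIN_RATIO = 0.8   # score / 110 must be >= 0.8, i.e. at least 88

# Requirements the rule does not allow on a Level 2 POA&M at all
# (assumption: list as I read 32 CFR 170.21(a)(2)(iii); verify).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Requirement:
    rid: str            # NIST SP 800-171 requirement id, e.g. "3.5.3"
    points: int         # 1, 3 or 5 per the DoD Assessment Methodology
    implemented: bool
    partial: str = ""   # partial-credit condition, see deduction()


def deduction(req: Requirement) -> int:
    """Points subtracted for one requirement.

    The methodology gives partial credit in exactly two places:
      3.5.3   MFA in place for remote and privileged users only -> 3, not 5
      3.13.11 encryption in use but not FIPS-validated          -> 3, not 5
    Everything else is all-or-nothing.
    """
    if req.implemented:
        return 0
    if req.rid == "3.5.3" and req.partial == "mfa_remote_privileged_only":
        return 3
    if req.rid == "3.13.11" and req.partial == "crypto_not_fips_validated":
        return 3
    return req.points


def sprs_score(reqs) -> int:
    """110 minus every deduction; the floor is -203 when all 110 are unmet."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def conditional_level2_blockers(reqs) -> list:
    """Reasons an assessment could not close as conditional Level 2 status.

    An empty list means every open item may sit on a POA&M (180 days to
    close). Rule as I understand it: score ratio >= 0.8, no POA&M item worth
    more than 1 point except 3.13.11 at the partial 3, and nothing in
    NEVER_ON_POAM left open.
    """
    blockers = []
    score = sprs_score(reqs)
    if score / TOTAL_REQUIREMENTS < CONDITIONAL_MIN_RATIO:
        minimum = int(CONDITIONAL_MIN_RATIO * TOTAL_REQUIREMENTS)
        blockers.append(f"score {score} is below the {minimum} minimum")
    for r in reqs:
        d = deduction(r)
        if d == 0:
            continue
        if r.rid in NEVER_ON_POAM:
            blockers.append(f"{r.rid} may not be placed on a POA&M")
        elif d > 1 and not (r.rid == "3.13.11" and d == 3):
            blockers.append(f"{r.rid} is worth {d} points; only 1-point items may go on a POA&M")
    return blockers


# Constructed sample SSP excerpt; every requirement not listed is taken as met.
# Point values are sample values for these ids; look each up before reuse.
SAMPLE_SSP = [
    Requirement("3.1.1", 5, implemented=True),
    Requirement("3.1.5", 3, implemented=True),
    Requirement("3.1.20", 1, implemented=False),   # external connections uncontrolled
    Requirement("3.3.3", 1, implemented=False),    # audit logs not reviewed
    Requirement("3.5.3", 5, implemented=False, partial="mfa_remote_privileged_only"),
    Requirement("3.13.11", 5, implemented=True),
]

# Same SSP after closing the two items that block conditional status.
AFTER_REMEDIATION = [
    Requirement("3.1.20", 1, implemented=True) if r.rid == "3.1.20"
    else Requirement("3.5.3", 5, implemented=True) if r.rid == "3.5.3"
    else r
    for r in SAMPLE_SSP
]

if __name__ == "__main__":
    for label, ssp in (("as assessed", SAMPLE_SSP), ("after remediation", AFTER_REMEDIATION)):
        print(label, "SPRS score:", sprs_score(ssp))
        for b in conditional_level2_blockers(ssp) or ["eligible for conditional Level 2"]:
            print("  ", b)
```

Run it and the sample scores 105, not the 110 a careless attestation would claim, and two items keep it out of conditional status: 3.1.20 is barred from a POA&M outright, and partial MFA still costs 3 points, which is more than a POA&M item may carry. Fix those two and the remaining 1-point item can ride on the POA&M at 109.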

CUI scattered across general business systems.

If your main Microsoft 365 tenant holds CUI alongside marketing files, the whole tenant is in scope. We help establish a separate enclave or correctly scope GCC High when appropriate.

Forgetting the supply chain flow-down.

If you accept CUI from a prime, you have to flow the requirements down to your subcontractors. We map which vendors are in scope and keep the assessment tracking that proves it; the flow-down contract language itself is your counsel's to write.

Schedule a call

Let's talk for 30 minutes.
No slides.

Bring a recent contract, your DFARS clauses, or your last SPRS score. We'll come back with a written gap analysis and what it would cost to reach Level 2.

  • 30-min discovery, no slide deck
  • Free written assessment, yours to keep
  • A clear proposal, no pressure

Or call us directly: 904-639-0003
