CMMC Compliance By RPO #1449

CMMC stands for Cybersecurity Maturity Model Certification, the Department of Defense framework that controls how its supply chain protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It was finalized as a rule in October 2024 (32 CFR Part 170) and the contracting clause that mandates compliance (DFARS 252.204-7021) is rolling out in phases through 2025 to 2028. By the end of the rollout, every contract that touches CUI will require a CMMC certification at the appropriate level before the prime can flow work down.

That means the question for most defense subcontractors is no longer "if" but "which level and how fast." The flow-down clause in your prime contract drives the answer, not your company size or your IT budget. Read the clause first, identify the data class, then match it to a level.

Level 1 is the on-ramp, not the destination

If your contract flows down DFARS 252.204-7012 but you only handle Federal Contract Information without a CUI marking, you may qualify for Level 1. Seventeen basic safeguarding practices, drawn straight from FAR 52.204-21, self-assessed annually, attested by a senior official, score posted to the Supplier Performance Risk System (SPRS). No C3PAO. No assessment fee. No third party in your environment.

The trap is assuming Level 1 is "compliance theater." It is not. The 17 controls cover access control, authentication, media protection, physical access, system integrity, and the audit basics. If you cannot honestly attest to them, you cannot honestly bid on the work, and the federal False Claims Act exposure of attesting falsely is real. We walk through every control in our CMMC Level 1 self-assessment guide so you can answer the attestation questions with evidence, not optimism.

Level 2 is where most DoD subcontractors land

If your contract references CUI or your prime has identified you as a CUI-handling subcontractor, you need Level 2. That means an assessment by a Certified Third Party Assessment Organization (C3PAO) against all 110 NIST SP 800-171 controls, every three years, with a numeric SPRS score posted to the DoD before contract award.

A typical Level 2 engagement opens with a CMMC gap assessment against all 110 controls. We map the CUI boundary (data, systems, people), score the current state on the SPRS scale (+110 maximum, -203 minimum), and produce a prioritized remediation roadmap with cost bands. From there we close the technical gaps that almost always block Level 2:

• Multifactor authentication on every required path - local console, network access, privileged accounts, remote access - per control 3.5.3.
• Session lock and termination at 15 minutes of inactivity, with cryptographic disconnect of remote sessions, per 3.1.10 and 3.1.11.
• FIPS 140-2 or 140-3 validated cryptography for CUI in transit and at rest, with documented module certificates, per 3.13.8, 3.13.11, and 3.13.16.
• Audit log creation, correlation, and protection across the 3.3 family - logs that actually answer the assessor's "who did what when" questions, not just a SIEM that ingests bytes.
• Configuration management baselines for every CUI-handling system, with documented change-control under 3.4.3.
• Risk assessment cadence per 3.11.1, with vulnerability scans, prioritized remediation, and a tracked POA&M for items that cannot be closed immediately.

We author the System Security Plan, build the Plan of Action & Milestones, organize the evidence library, then run a mock C3PAO assessment against the same Conformity Assessment Procedures (CAP) the real assessor will use. The deliverable at the end of Stage 02 is an SSP, a POA&M, an evidence repository, and a written go or no-go on assessment readiness.

Level 3 stacks 800-172 enhanced controls on top

Level 3 applies to the smallest, most sensitive slice of the defense industrial base - contractors handling CUI on programs where an advanced persistent threat actor is part of the threat model. Level 2 baseline plus a selected subset of the 35 NIST SP 800-172 enhanced controls (the exact subset is contract-specific), assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO. The control set is layered and includes dual-authorization for sensitive operations, threat-hunt obligations, and supply-chain provenance requirements that go well beyond NIST 800-171. Level 3 environments also require a credentialed digital forensics capability for chain-of-custody evidence handling when a CUI breach is suspected.

We consult at Level 3 when the contract requires it. Most Level 3 work is an extension of an existing Level 2 build, with the 800-172 controls layered on after the 800-171 baseline is solid. We will tell you honestly when a Level 3 engagement is premature and when it is the right scope.

Scope reduction: enclave architecture beats whole-tenant certification

One of the highest-leverage decisions in a CMMC engagement is the boundary itself. Most defense subcontractors do not need to certify their whole IT environment. They need to certify the slice that handles CUI. An enclave architecture - a dedicated CUI environment with controlled connections to the rest of the business - typically reduces the assessment boundary by 60 to 80 percent, which means fewer controls to remediate, fewer policies to author, and a shorter time-to-assessment.

We model enclave-versus-whole-tenant tradeoffs honestly. Sometimes the enclave is the right answer. Sometimes the whole tenant is already simple enough that scoping in an enclave adds complexity for no gain. Sometimes a managed-tenant offering from another vendor is cheaper than building either. We walk through the tradeoffs in CMMC alternatives before we write the engagement letter.

How C3PAO selection works (and how it goes wrong)

Once your environment is ready, you select a Certified Third Party Assessment Organization from the Cyber AB authorized list. C3PAO selection matters more than most contractors expect. Assessment scope, timeline, fees, scheduling lead time, sector experience, and assessor team depth all vary widely. Our C3PAO selection guide for DoD contractors is vendor-neutral by design. It includes the scoping question bank, the assessor-team verification checklist, and the timeline-and-fee transparency standard that separates good C3PAOs from the rest.

Petronella Technology Group does not certify and does not assess. RPO-listed firms are explicitly forbidden by Cyber AB rules from performing the assessment they helped prepare. That separation is by design and we keep it clean.

SPRS scoring: an honest baseline beats a hopeful one

The Supplier Performance Risk System (SPRS) is where DoD checks your CMMC posture before contract award. The score runs from +110 (full compliance against all 110 NIST 800-171 controls) to -203 (no controls implemented). Posting an inflated score is a federal False Claims Act exposure - the audit trail is permanent and the DoD does compare posted scores against assessor findings.

We score honestly. Our gap assessment produces the SPRS number you should post today, the POA&M items that lift it over the next 90 to 180 days, and the documented evidence chain that supports both. Our companion SPRS calculator lets you self-score before scoping work - no login, no email gate.

Common Level 2 failure modes (and how we avoid them)

After 23 years in regulated IT and several years of CMMC engagements, the failure modes are predictable:

• "Compliant on paper, not in practice." Policies are written but the technical controls are not deployed. Audit logs exist but do not correlate. MFA is enforced for IT staff but not for the finance team that opens CUI-marked spreadsheets. The assessor finds the gap on day one. We test the technical reality during Stage 02 remediation, not the assumption.
• Scope creep mid-assessment. The CUI boundary as drawn during gap assessment expands when the assessor finds CUI on a workstation outside the enclave. We walk every endpoint with the CUI flow-mapping before the SSP is finalized, so surprise CUI does not surface during the audit.
• Evidence repository chaos. The C3PAO requests evidence for control 3.5.3.b sub-element 2, and the document trail is a SharePoint folder named "MFA stuff." We organize the evidence library by control family and CAP procedure, with named owners and review dates, so each assessor request is a 60-second response, not a 6-hour scavenger hunt.
• Wrong C3PAO selection. A C3PAO with no sector experience asks questions that miss the threat model and over-questions areas that are not in the boundary. We help match assessor depth to your environment before you sign the engagement.

How CMMC connects to the rest of your security stack

CMMC is the framework, but it sits inside a wider compliance landscape. Defense contractors often carry overlapping obligations: HIPAA for defense health contractors handling protected health information, multi-framework compliance across NIST 800-53, CCPA, GLBA. The cybersecurity operations that support CMMC (24/7 SOC, EDR, threat hunt) also support HIPAA security rule, PCI-DSS, and state breach-notification laws. We design the engagement so CMMC certification produces compliance leverage across these adjacent frames, not duplicate spending.

If you are an engineering firm, a defense contractor, or a manufacturer handling CUI for the DoD, the CMMC engagement integrates with your industry-specific controls. We meet you where the regulation actually intersects with the work you ship.

CUI marking, identification, and the human layer

Half of every CMMC engagement is technology. The other half is the human-and-process work of correctly identifying, marking, and handling Controlled Unclassified Information in the first place. The DoD CUI program (DoDI 5200.48) defines the dissemination control markings, the limited-distribution categories, and the lifecycle obligations from receipt through destruction. We see contractors who have rolled out FIPS-validated encryption and MFA across the entire tenant but cannot answer a basic question: which folder, which email thread, which workstation actually has CUI in it today? The C3PAO assessor asks that question on day one.

Our engagement model includes a CUI identification workshop with your contracts officer, your program managers, and the people who actually open the files. We walk the inbound flow (how does CUI arrive: email, GovCloud upload, contractor portal, secure file transfer), the storage flow (where does it land, who can read it, how is it marked), the transmit flow (how is it shared with subs, with the prime, with internal reviewers), and the destruction flow (when the contract ends, what gets purged, what gets retained). The deliverable is a CUI flow diagram and a marking-and-handling SOP that your team can actually follow. Without this layer, even the best technical control set fails the audit, because the assessor finds CUI on an unprotected share within hours.

The role of training and security awareness in CMMC

Two control families - 3.2 Awareness & Training and 3.9 Personnel Security - require annual role-based security training, insider-threat awareness, and documented training records for every individual with CUI access. Many contractors think a generic phishing awareness module satisfies these requirements. It does not. The assessor will ask for the training curriculum, the attendance log per individual per year, the role-based content for privileged users versus general users, and the insider-threat module specifically. Generic SaaS training products rarely have the role-based mapping required for evidence.

We provide a 2026 security awareness training course mapped directly to NIST 800-171 control 3.2.1 with the attendance, completion-quiz, and role-mapping reporting an assessor wants to see. We also build the role-based modules for privileged-user training (control 3.2.2) and insider-threat awareness (control 3.2.3). Training is one of the lower-cost, higher-impact remediation steps in a CMMC engagement and we recommend it early in Stage 02.

Reassessment, continuous monitoring, and the 3-year cycle

CMMC Level 2 certification lasts three years. That is not a license to set the SSP on a shelf and ignore it. The continuous monitoring control (3.12.3) requires ongoing assessment of security controls, and the annual affirmation requires a senior official to attest that the certified posture is still accurate. Drift between annual affirmations is the most common path to a False Claims Act exposure - the SSP says one thing, the actual environment has drifted to another, the affirmation contradicts reality, and the audit trail is permanent.

Our post-certification engagement keeps the POA&M cadence running monthly, refreshes the SPRS score quarterly with documented evidence, and runs an internal mock assessment annually so the three-year reassessment is not a fire drill. Most contractors who let the SSP go stale spend 60 to 80 percent of the original engagement cost on the reassessment. Continuous sustainment costs a small fraction of that.

Supply chain and flow-down obligations

If you have your own subcontractors who touch CUI, DFARS 252.204-7012 requires that you flow the clause down to them. Your CMMC posture is only as strong as the weakest CUI-handling sub in your supply chain, and the audit trail of flow-down enforcement is itself an assessor question. We help model the supply-chain map, draft the flow-down clauses for your subcontracts, and build the supplier-attestation tracker that proves you are managing the obligation rather than ignoring it. For supply chains with significant external dependency, the supply chain security module of an engagement matters as much as the internal control set.