San Diego is one of the nation’s largest defense and military hubs. With Naval Base San Diego, Marine Corps Air Station Miramar, and dozens of major defense contractors and subcontractors, the region’s defense industrial base handles enormous volumes of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) every day.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now being enforced through contract requirements. San Diego defense contractors who cannot demonstrate compliance risk losing existing contracts and being excluded from future opportunities. This guide covers everything you need to know about meeting defense cybersecurity requirements.
CMMC 2.0: The Framework You Must Know
CMMC 2.0 streamlined the original five-level model into three levels. Contractors that handle only FCI need Level 1; most San Diego defense contractors handling CUI will need Level 2; Level 3 applies to a small set of programs that DoD designates as highest priority.
Level 1 (Foundational)
Basic cyber hygiene for protection of Federal Contract Information (FCI), based on the safeguarding requirements of FAR 52.204-21. Annual self-assessment, affirmed by a senior company official.
- Limit system access to authorized users
- Authenticate user identities
- Protect FCI at organizational boundaries
- Monitor and control communications at system boundaries
- Identify and report security incidents
Level 2 (Advanced)
Protection of Controlled Unclassified Information (CUI). Requires a third-party assessment for prioritized acquisitions.
- Full implementation of the 110 security requirements in NIST SP 800-171 Rev 2
- System Security Plan (SSP) documenting how each of the 110 requirements is met
- Plan of Action and Milestones (POA&M) for remaining gaps (an open POA&M item still scores as not implemented)
- Third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for prioritized acquisitions
- Self-assessment for non-prioritized acquisitions, with an annual affirmation of continued compliance
Level 3 (Expert)
Protection against advanced persistent threats (APTs). Government-led assessment required.
- A C3PAO Level 2 certification as a prerequisite, plus a selected set of enhanced requirements from NIST SP 800-172
- Advanced threat detection and response capabilities
- Incident response with forensic capabilities
- Assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
- Required only for the most critical programs DoD designates; classified information is governed separately under the NISPOM and is outside CMMC, which covers CUI and FCI on unclassified contractor systems
NIST SP 800-171: The 110 Controls
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2, organized into 14 control families. (Rev 3 reorganizes the requirements into 17 families, but CMMC 2.0 assesses against Rev 2.) San Diego contractors must implement all 110 requirements, each of which is assessed against the objectives in NIST SP 800-171A, to achieve full compliance.
Access Control
Limit system access to authorized users, processes, and devices
Awareness and Training
Ensure personnel are aware of security risks and trained in policies
Audit and Accountability
Create, protect, and retain audit records for monitoring
Configuration Management
Establish and enforce security configuration settings
Identification and Authentication
Identify and authenticate users and devices
Incident Response
Establish incident handling capability
Maintenance
Perform timely maintenance on organizational systems
Media Protection
Protect system media containing CUI
Personnel Security
Screen individuals before authorizing access
Physical Protection
Limit physical access to systems and equipment
Risk Assessment
Assess risk to organizational operations and assets
Security Assessment
Assess effectiveness of security controls
System and Communications Protection
Monitor and protect communications boundaries
System and Information Integrity
Identify and correct system flaws in a timely manner
ITAR Compliance: Beyond CMMC
Many San Diego defense contractors also handle data controlled under the International Traffic in Arms Regulations (ITAR). ITAR imposes strict controls on technical data related to defense articles and services listed on the United States Munitions List (USML).
Key ITAR Cybersecurity Requirements
- ITAR-controlled technical data may not be disclosed to foreign persons, including foreign nationals employed by the company or working on site in the United States, without a license or exemption from the Directorate of Defense Trade Controls
- Cloud services must either keep the data within the United States and accessible only by US persons, or meet the ITAR encryption carve-out (22 CFR 120.54): end-to-end encryption using FIPS 140-2 validated or equivalent cryptography, with neither the provider nor any foreign person able to access the plaintext or the keys, and no storage in a country listed in 22 CFR 126.1
- Encryption meeting those standards must protect ITAR data in transit and at rest
- Access controls must prevent unauthorized access by foreign subsidiaries, partners, and foreign persons inside the company
- Physical security controls must protect areas where ITAR data is processed
- Criminal violations carry fines of up to $1 million per violation and up to 20 years' imprisonment; civil penalties are assessed per violation and adjusted annually for inflation
Common Challenges for San Diego Contractors
Based on our work with San Diego defense contractors, these are the most common compliance challenges organizations face.
SPRS Score Calculation
Under DFARS 252.204-7019 and 252.204-7020, defense contractors must have a current NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) before award. The score starts at 110 and loses 1, 3, or 5 points for every requirement that is not fully implemented, so it ranges from 110 down to -203, and a requirement sitting on a POA&M still counts as unimplemented. Many San Diego contractors discover their score is far lower than they self-reported once each requirement is tested against its NIST SP 800-171A assessment objectives.
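The scoring arithmetic above is small enough to show in full. The following is an added example, not code from the original page: it applies the DoD Assessment Methodology rules (110 starting points, weighted deductions, partial credit only for 3.5.3 and 3.13.11, POA&M items scored as unimplemented) to a constructed, illustrative subset of the weight table. The weights shown are assumptions for demonstration; verify every weight against Annex A of the methodology before relying on it, and the 88-point POA&M threshold is the one the CMMC rule sets for Level 2 conditional status.

```python
"""Compute a NIST SP 800-171 DoD Assessment score as reported to SPRS.

Added example, not from the original page. Rules follow the DoD Assessment
Methodology: every contractor starts at 110 and loses the weight (5, 3 or 1
point) of each requirement that is not fully implemented, so the full
110-requirement table ranges from 110 down to -203. "Partially implemented"
and open POA&M items score as NOT implemented, except for two requirements
that get partial credit: 3.5.3 (MFA) loses only 3 points when MFA covers
remote and privileged access but not all general users, and 3.13.11
(FIPS-validated crypto) loses only 3 points when encryption is in place but
not FIPS validated. The weight table here is a constructed subset.
"""

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points carried by all 110 requirements

# Constructed, illustrative subset of requirement weights (id -> points).
# Assumed values for demonstration; confirm against Annex A before use.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to authorized transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Reduced deduction when the methodology's partial-credit condition is met.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}

# Constructed assessment: most requirements done, typical gaps remaining.
SAMPLE_ASSESSMENT = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",  # no CUI flow control: -1
    "3.1.5": "partial",          # no partial credit for least privilege: -3
    "3.3.1": "implemented",
    "3.5.3": "partial",          # MFA for admins and VPN only: -3, not -5
    "3.13.11": "partial",        # TLS everywhere, but not FIPS validated: -3
    "3.14.1": "implemented",
}


def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """Return (score, deductions) for the given requirement statuses.

    `statuses` maps requirement id -> one of VALID_STATUSES. A requirement
    missing from `statuses` is scored as not implemented: unknown is not
    evidence. Unknown requirement ids or status strings raise, because a
    typo that silently inflates the score is exactly the failure to avoid.
    """
    unknown = set(statuses) - set(weights)
    if unknown:
        raise ValueError(f"requirement ids not in weight table: {sorted(unknown)}")
    score = MAX_SCORE
    deductions = []
    for req, weight in weights.items():
        status = statuses.get(req, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: invalid status {status!r}")
        if status == "implemented":
            continue
        # Partial credit exists only for 3.5.3 and 3.13.11; every other
        # partial implementation (and every open POA&M item) loses full weight.
        deduct = PARTIAL_CREDIT.get(req, weight) if status == "partial" else weight
        score -= deduct
        deductions.append((req, deduct))
    return score, deductions


def meets_poam_threshold(score):
    """True if the score is at least 88 (80% of 110), the minimum at which
    the CMMC rule allows Level 2 conditional status with open POA&M items.
    The rule also restricts WHICH requirements may stay open; that part is
    not modelled here."""
    return score >= 88


if __name__ == "__main__":
    score, deductions = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}; deductions: {deductions}")
    print("POA&M threshold met:", meets_poam_threshold(score))
```

Run against the constructed assessment the score is 100: four open items cost 10 points even though only one of them is a full 5-point requirement. Score the same environment with nothing recorded and it drops to 76, which is the "far lower than expected" effect: a requirement you have not evidenced is a requirement you do not get credit for.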
Scoping CUI Boundaries
Identifying all systems that store, process, or transmit CUI is critical. Over-scoping increases costs; under-scoping creates compliance gaps and audit failures.
Cloud Service Provider Requirements
Under DFARS 252.204-7012, any external cloud service that stores, processes, or transmits covered defense information must meet the FedRAMP Moderate baseline or equivalent, and the provider must support the clause's incident reporting and media preservation obligations. Many commercial cloud services used by San Diego contractors do not meet this requirement, and a FedRAMP-authorized platform only counts when the specific service tier and tenant configuration used for CUI sit inside the authorization boundary.
Subcontractor Flow-Down
CMMC requirements flow down to subcontractors handling CUI. San Diego prime contractors must verify that their supply chain meets the same compliance standards.
Managed Service Provider Compliance
MSPs and IT service providers with access to CUI or to the systems that protect it fall inside the assessment scope as External Service Providers, and the contractor remains responsible for showing that the MSP's services meet the requirements. Many general IT providers serving San Diego contractors are not CMMC-ready.
Your CMMC Compliance Roadmap
Achieving CMMC compliance is a structured process that typically takes 6-18 months depending on your current security posture and the level of compliance required.
1. Gap Assessment
Evaluate your current security controls against the 110 NIST SP 800-171 requirements, using the assessment objectives in NIST SP 800-171A as the yardstick. Calculate your SPRS score and record every gap.
2. Scope Your CUI Environment
Map every system that stores, processes, or transmits CUI, the systems that provide security functions for them, and anything that can reach them without crossing an enforced boundary. Segmenting CUI systems into their own enclave shrinks that boundary and the cost of every step that follows.
3. Develop Your SSP and POA&M
Create a System Security Plan documenting how each requirement is implemented and a Plan of Action and Milestones with an owner and date for each gap. Keep both current: assessors test what the SSP claims.
4. Implement Technical Controls
Deploy the required security technologies: MFA, FIPS-validated encryption for CUI, EDR, centralized logging and SIEM, backup solutions, and access management tools.
5. Establish Policies and Procedures
Document security policies covering all 14 NIST SP 800-171 control families. Train staff on their responsibilities.
6. Conduct Internal Assessment
Perform a thorough self-assessment to validate that all controls are implemented and operating effectively, then update your SPRS score.
7. Engage a C3PAO
For Level 2 prioritized acquisitions, schedule your third-party assessment with an authorized C3PAO.
8. Continuous Monitoring
Establish ongoing monitoring, regular assessments, annual affirmations, and POA&M reviews to maintain compliance.
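Step 2 of the roadmap, and the "Scoping CUI Boundaries" challenge above, come down to one rule: scope follows connectivity unless an enforced boundary stops it. The following is an added example, not code from the original page, that applies that rule to a constructed asset inventory and shows how a single firewall between two VLANs changes what an assessor will look at. The asset names, the link list, and the two-flag asset model are assumptions made for the demonstration; Security Protection Assets are the CMMC scoping category for systems such as a SIEM or identity provider that protect in-scope systems and therefore stay in scope even across a boundary.

```python
"""Derive which systems fall inside a CMMC assessment scope.

Added example, not from the original page. Rule applied: every system that
stores, processes or transmits CUI is in scope, and so is every system that
can reach one of them over a connection that is not an enforced, documented
boundary (deny-by-default firewall rule, VLAN ACL, separate identity
domain). Systems that provide security functions for in-scope systems
(SIEM, identity provider, EDR console) are Security Protection Assets and
remain in scope even when a boundary separates them. The inventory and
links below are constructed for illustration.
"""
from collections import deque

# Constructed inventory: name -> (handles CUI, provides security functions).
ASSETS = {
    "eng-fileserver": (True, False),   # stores CUI drawings and specs
    "eng-ws-01": (False, False),       # engineer workstation
    "eng-vlan": (False, False),        # engineering network segment
    "corp-vlan": (False, False),       # general corporate segment
    "mkt-ws-01": (False, False),       # marketing workstation
    "print-server": (False, False),
    "siem": (False, True),             # collects logs from CUI systems
    "idp": (False, True),              # authenticates users to CUI systems
}

# Constructed links: (a, b, enforced_boundary). enforced_boundary=True means
# a documented, deny-by-default control separates a and b, so scope does
# not flow across the link.
LINKS_FLAT = [
    ("eng-fileserver", "eng-vlan", False),
    ("eng-ws-01", "eng-vlan", False),
    ("mkt-ws-01", "corp-vlan", False),
    ("print-server", "corp-vlan", False),
    ("siem", "corp-vlan", False),
    ("idp", "corp-vlan", False),
    ("eng-vlan", "corp-vlan", False),  # VLANs routed any-to-any: no boundary
]

# The same environment after a firewall is placed between the two VLANs.
LINKS_SEGMENTED = [
    ("eng-vlan", "corp-vlan", True) if link[:2] == ("eng-vlan", "corp-vlan") else link
    for link in LINKS_FLAT
]


def derive_scope(assets, links):
    """Return cui_assets, security_protection_assets, in_scope and
    out_of_scope as sets, derived from the inventory and link list."""
    cui = {name for name, (has_cui, _) in assets.items() if has_cui}
    spa = {name for name, (_, security) in assets.items() if security}
    adjacency = {name: set() for name in assets}
    for a, b, boundary in links:
        if a not in assets or b not in assets:
            raise ValueError(f"link references asset not in inventory: {a!r}, {b!r}")
        if not boundary:  # scope flows both ways over an uncontrolled link
            adjacency[a].add(b)
            adjacency[b].add(a)
    # Breadth-first flood outward from the CUI assets over uncontrolled links.
    reachable = set(cui)
    queue = deque(cui)
    while queue:
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in reachable:
                reachable.add(neighbour)
                queue.append(neighbour)
    in_scope = reachable | spa
    return {
        "cui_assets": cui,
        "security_protection_assets": spa,
        "in_scope": in_scope,
        "out_of_scope": set(assets) - in_scope,
    }


if __name__ == "__main__":
    for label, links in (("flat network", LINKS_FLAT), ("segmented", LINKS_SEGMENTED)):
        scope = derive_scope(ASSETS, links)
        print(f"{label}: {len(scope['in_scope'])} of {len(ASSETS)} assets in scope;"
              f" out of scope: {sorted(scope['out_of_scope'])}")
```

On the flat network every one of the eight assets is in scope, including the marketing workstation and the print server, because nothing stops a path from them to the CUI file server. With the inter-VLAN firewall in place only five remain: the three engineering assets plus the SIEM and identity provider, which stay in scope as Security Protection Assets even though the firewall now separates them. The boundary only counts if it is documented and enforced; a VLAN with any-to-any routing, as in the first link list, is not a boundary.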
San Diego’s Defense Ecosystem
San Diego is home to one of the largest concentrations of military installations and defense contractors in the United States. The region’s defense ecosystem includes major prime contractors, hundreds of subcontractors, and specialized technology companies supporting naval, aerospace, and intelligence operations.
This concentration makes San Diego a high-priority target for nation-state cyber actors. Chinese, Russian, and other foreign intelligence services actively target the San Diego defense supply chain to steal technical data, weapons system specifications, and operational intelligence.
The Department of Defense has made it clear that cybersecurity is now a non-negotiable requirement for participation in the defense industrial base. San Diego contractors who invest in compliance now will maintain their competitive position and contract eligibility for the long term.
Conclusion
For San Diego defense contractors, cybersecurity compliance is not just a regulatory requirement -- it is a contract requirement and a business imperative. CMMC 2.0 assessments are now required in select contracts, and the requirement is being phased in over three years until it covers all DoD contracts that involve CUI.
The organizations that begin their compliance journey now will be best positioned to win and retain defense contracts. Waiting until a contract requires certification puts your timeline at risk and your existing contracts in jeopardy.