SD Cyber Security
Cybersecurity Glossary

CMMC

Cybersecurity Maturity Model Certification: the Department of Defense framework requiring defense contractors and subcontractors to demonstrate cybersecurity practices at specified maturity levels to protect Controlled Unclassified Information (CUI).

Understanding CMMC

CMMC was created by the DoD to verify that defense contractors have implemented adequate cybersecurity controls before they can bid on or perform contracts involving Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). CMMC 2.0 defines three levels: Level 1 (basic cyber hygiene with 15 controls for FCI), Level 2 (110 controls aligned with NIST SP 800-171 for CUI), and Level 3 (advanced controls based on NIST SP 800-172 for critical programs).

The key change from previous self-attestation requirements (DFARS 252.204-7012) is third-party assessment. Level 2 contractors handling CUI must be assessed by an authorized CMMC Third-Party Assessment Organization (C3PAO). This eliminates the gap between claimed and actual compliance that has plagued the defense industrial base. Contractors must achieve certification before contract award, making early preparation essential.

CMMC Implementation

Achieving CMMC Level 2 requires implementing all 110 controls from NIST SP 800-171 across 14 control families, including access control, audit and accountability, configuration management, identification and authentication, incident response, and system and communications protection. Organizations must document a System Security Plan (SSP), maintain a Plan of Action and Milestones (POA&M) for any gaps, and implement continuous monitoring. The timeline from gap assessment to assessment-readiness is typically 6-18 months.

CMMC in San Diego

San Diego is home to one of the largest concentrations of defense contractors in the country, from major primes to hundreds of small and mid-size subcontractors. Every organization in the defense supply chain handling CUI must achieve CMMC Level 2 certification. Our team helps San Diego defense contractors navigate the CMMC journey from initial gap assessment through remediation to successful C3PAO assessment, with deep expertise in the specific challenges facing the region’s defense industrial base.

Prepare for CMMC Certification

Get a free CMMC readiness assessment for your San Diego defense company.