Industry Compliance Guide

Defense Contractor Compliance (CMMC)

CMMC 2.0 and NIST SP 800-171 compliance for DoD primes, subcontractors, and CUI/FCI suppliers.

What’s at stake: CMMC is in effect. The DoD final acquisition rule took effect November 10, 2025. Without the right certification level, you lose the ability to bid on DoD work — and false claims liability is real.

Regulations That Apply

Regulation | What It Covers
CMMC 2.0 | Cybersecurity Maturity Model Certification — Levels 1, 2, 3 (effective Nov 10, 2025)
NIST SP 800-171 Rev 2 | 110 controls across 14 families for CUI protection
DFARS 252.204-7012 | Safeguarding CUI, 72-hour incident reporting via DIBNet
DFARS 252.204-7019/-7020 | NIST SP 800-171 self-assessment score submission in SPRS
NIST SP 800-172 | Enhanced requirements for CMMC Level 3
ITAR (22 CFR 120-130) | International Traffic in Arms Regulations — restricts foreign access to defense data

What You Need In Place

  • System Security Plan (SSP) covering all 110 controls
  • Plan of Action & Milestones (POA&M)
  • Documented CUI enclave or network segmentation
  • FIPS-validated encryption
  • FedRAMP Moderate (or equivalent) cloud services
  • 72-hour incident reporting capability via DIBNet
  • Multi-factor authentication on all CUI access
  • Annual self-assessment with SPRS score submission

Common Threats In This Sector

Defense contractors face a different threat model than typical SMBs. Nation-state actors with patient, well-funded operations target CUI and use subcontractors as a path into primes' supply chains. Speed of incident response matters: DFARS requires reporting within 72 hours.

  • Advanced persistent threat (APT) activity targeting CUI repositories
  • Supply-chain compromise — attackers reaching primes through smaller subcontractors
  • Credential theft for VPN and remote-access systems
  • Ransomware blocking deliverables, with secondary exfiltration of CUI before encryption
  • Insider risk involving access to ITAR/EAR-controlled technical data
  • Compromise of collaboration tools (M365 GCC, Teams, SharePoint) where CUI is shared

Documentation You’ll Be Asked For

CMMC 2.0 codifies what DFARS 252.204-7012 already required: documented implementation of NIST SP 800-171 controls. A Level 2 self-assessment and a C3PAO assessment both require the same artifact set — the difference is who reviews it.

  • System Security Plan (SSP) covering each NIST SP 800-171 control family
  • Plan of Action and Milestones (POA&M) for any controls not fully implemented
  • Current SPRS (Supplier Performance Risk System) self-assessment score
  • CUI marking, handling, and disposal procedures
  • Incident response plan with DoD reporting workflow (72-hour DFARS rule)
  • Subcontractor flow-down documentation showing how 7012/7019/7020/7021 clauses are passed through
  • FIPS 140-validated cryptography evidence for systems that protect CUI at rest and in transit

Where Most Small Subcontractors Fall Short

The CMMC ecosystem has consistent failure points in smaller suppliers. Most are documentation gaps rather than control gaps — the technology may be in place, but the written evidence is not.

  • SSP not actually maintained — or never written
  • SPRS score that is stale, optimistic, or unsupported by the SSP
  • MFA not enforced on every system that touches CUI
  • No FIPS-validated cryptography for CUI at rest in certain storage locations
  • No documented incident response process — especially the DoD reporting steps
  • Subcontractor security not reviewed before sharing CUI down the chain

How CGetty Helps

NIST SP 800-171 gap assessments, SSP and POA&M development, and remediation roadmaps for small and mid-sized DIB suppliers.

Not Sure Where Your Business Stands?

We help small businesses understand what applies to them and build a practical plan to get there. Let’s talk.