Cyberuptive

CMMC 2.0 · NIST 800-171 · DFARS 252.204-7012

CMMC compliance for the U.S. defense contractors who can’t afford to lose the contract.

Final rule December 16, 2024. Phase 1 enforcement began November 10, 2025. Full Level 2 requirements phase in through November 10, 2026. We get U.S. defense contractors and government subcontractors — from coast to coast — from current-state to assessment-ready, then run the long-term controls afterward.

  • Level 1 and Level 2 scoping, gap, and remediation
  • SSP authoring + POA&M tracking + evidence library
  • GCC High migration + Sentinel + Defender XDR
  • 24/7 SOC for continuous monitoring controls

CMMC 2.0 timeline

Three dates to know.

DoW has been clear about the phased rollout. The dates are not moving. If you carry FCI or CUI on a current contract — or want to bid on the next one — the timeline below is non-negotiable.

  1. Dec 16, 2024: CMMC final rule published

     32 CFR Part 170 published in the Federal Register. Rule officially in force.

  2. Nov 10, 2025: Phase 1 enforcement begins

     Self-assessment requirements (Level 1 and self-Level 2) appear in new DoW solicitations.

  3. Nov 10, 2026: Full compliance phases in

     Level 2 third-party (C3PAO) assessment requirements phase in across all applicable DoW contracts.

CMMC services in Honolulu & the Pacific Defense Industrial Base

A Honolulu-headquartered CMMC partner for Pacific defense contractors.

Cyberuptive is headquartered in Honolulu at 401 Kamakee St, serving Pacific defense subcontractors and INDOPACOM supply-chain firms across all CMMC 2.0 levels. The Pacific Defense Industrial Base — the manufacturers, shipyards, MRO providers, integrators, software shops, and professional-services firms supporting Pacific Air Forces (PACAF), Pacific Fleet (PACFLT), Marine Forces Pacific (MARFORPAC), and U.S. Army Pacific (USARPAC) — faces the same CMMC requirements as Atlantic-coast primes, but with shorter assessor pipelines and tighter time-zone overlap with HQ-side compliance teams.

Our CMMC Level 1 services and CMMC Level 2 services in Honolulu cover the same nationwide scope — scoping the CUI boundary, NIST SP 800-171 gap assessment, SSP authoring, POA&M tracking, SPRS scoring support, GCC High migration, and 24/7 continuous monitoring — with the addition of HST-based scoping calls, Pacific-time SOC operations, and personal relationships with the C3PAO assessors covering Region IX. If your CMMC assessment services need to map to a Honolulu-headquartered prime or a JBPHH-, Schofield-, or Wheeler-adjacent subcontractor footprint, the work is already familiar to us.

CMMC 2.0 services we deliver to Pacific contractors

  • CMMC Level 1 services in Honolulu — the 17 basic safeguarding requirements for contractors handling Federal Contract Information (FCI). Annual self-assessment, SPRS posting, and the controls baseline to support it.
  • CMMC Level 2 services in Honolulu — all 110 NIST SP 800-171 controls for contractors handling Controlled Unclassified Information (CUI). C3PAO-ready evidence packs, SSP, POA&M, and the long-term operational controls (SOC, SIEM, vulnerability management, incident response) that the assessment requires you to keep running afterward.
  • CMMC 2.0 services in Honolulu — SPRS & DFARS support — calculating, posting, and defending the SPRS score; mapping NIST 800-171 control implementations to DFARS 252.204-7012 expectations; and producing the rapid 72-hour incident reporting evidence trail.
  • CMMC assessment services in Honolulu — mock C3PAO assessment with assessor-style questioning, evidence-pack QA, and the remediation lift between mock and live assessment.

Why a Honolulu-based CMMC partner matters

CUI handling under DFARS 252.204-7012 requires that the people accessing the data are U.S. persons working from U.S. soil. Many Pacific defense subcontractors operate small IT teams without 24/7 SOC capability, and the natural fallback — outsourcing to a continental U.S. MSSP — can introduce time-zone friction (a 0200 HST incident hits the East Coast MSSP at 0700, queued behind their overnight backlog) and occasionally CUI-handling complications when the MSSP's analyst rotation includes non-U.S. persons. A Honolulu-headquartered partner with U.S.-citizen analysts and HST primary coverage removes both problems.

Engagement model

From scoping to assessment-ready, with the long-term controls already running.

  1. Scope

     Define the CUI boundary. Inventory in-scope assets, users, data flows. Confirm Level 1 vs Level 2.

  2. Gap

     Score current-state against all 17 (L1) or 110 (L2) controls. Output: scored gap report + remediation roadmap.

  3. Remediate

     Close gaps. GCC High migration, Defender + Sentinel deployment, SOC + VM stand-up, IR retainer.

  4. Document

     SSP authored, POA&M live, evidence library populated, mock assessment with C3PAO-style questioning.

Built for U.S. defense contractors

Your contracts are on the line. We’re the guide that gets you assessment-ready.

CMMC 2.0 reaches every primes-and-subs corner of the Defense Industrial Base — manufacturers, integrators, software shops, professional services, and engineering firms across all 50 states. If your contracts touch Federal Contract Information or Controlled Unclassified Information, the compliance bar is the same whether you’re in Huntsville, Hartford, or San Diego.

We operate as your CMMC readiness partner: scoping the CUI boundary, scoring against NIST SP 800-171, authoring the SSP, running the POA&M, posting your SPRS score, and standing up the long-term controls — SIEM, SOC, vulnerability management, and incident response — that DFARS 252.204-7012 expects you to keep running after the C3PAO leaves.

  • Nationwide engagements for DoW primes and subcontractors
  • NIST 800-171, DFARS 252.204-7012, and SPRS scoring expertise
  • Evidence library, SSP, and POA&M built to C3PAO standards
  • U.S.-based analysts handling CUI under DFARS-aligned controls

Control families we operate long-term

Pass the assessment. Stay passed.

The hardest-to-sustain control families are continuous monitoring, audit logging, and incident response. We run those as managed services so you do not have to staff them.

AC · Access Control

Conditional Access, Entra ID PIM, role review, session controls.

AU · Audit & Accountability

Sentinel SIEM with 1-year retention, alert review, integrity protection.

CM · Configuration Management

Baselines, change control, deviation tracking, periodic review.

IR · Incident Response

24/7 SOC triage, IR retainer, tabletop exercises, post-incident review.

RA · Risk Assessment

Continuous vulnerability scanning, KEV/EPSS prioritization.

SI · System & Information Integrity

Defender XDR, threat hunting, flaw remediation tracking.

FAQ

Frequently asked

Don't see your question? Talk to a real person — we're at 833-92-CYBER.

  • When does CMMC 2.0 actually start affecting my contracts?

    The CMMC final rule was published December 16, 2024. Phase 1 enforcement began November 10, 2025, with self-assessment requirements appearing in new DoW solicitations. Full compliance — including Level 2 third-party assessment requirements — phases in through November 10, 2026. If you bid on DoW work touching CUI, the runway is shorter than most prime contractors realize.

  • What level do I need?

    If you handle Federal Contract Information (FCI) only — Level 1 (17 controls, annual self-assessment). If you handle Controlled Unclassified Information (CUI) — Level 2 (110 controls from NIST 800-171, third-party C3PAO assessment for most). Level 3 is for the highest-priority programs and is rare for subcontractors. We do a 1-hour scoping call to confirm.

  • What does a CMMC engagement actually look like?

    Four phases: (1) Scoping — define the CUI boundary, identify in-scope assets, classify data flows. (2) Gap assessment — current-state against all 110 controls, scored. (3) Remediation — close gaps, deploy GCC High where required, harden M365, build SOC + VM + IR programs. (4) Documentation & assessment prep — SSP, POA&M, evidence library, mock assessment. Typical duration: 6–12 months depending on starting maturity.

  • What does a CMMC readiness partner actually do?

    A CMMC readiness partner does the work most defense contractors can’t staff in-house: scoping the CUI boundary, running the gap assessment against NIST SP 800-171, authoring the System Security Plan, maintaining the POA&M, posting and defending the SPRS score, and operating the long-term controls — SIEM, 24/7 SOC, vulnerability management, and incident response — that DFARS 252.204-7012 expects you to keep running. We do this for U.S. defense contractors and government subcontractors nationwide, with U.S.-based analysts handling CUI.

  • Do you produce the SSP and POA&M, or just review what we have?

    Both. Most engagements include authoring the System Security Plan from scratch (or a substantial rewrite) and standing up a working POA&M with quarterly review. We produce evidence-ready documentation that matches what your C3PAO will request — not generic templated language.

  • Can you operate the long-term controls (SOC, VM, IR)?

    Yes — that is the most cost-effective model. Continuous monitoring (SI.L2-3.14.6), audit logging (AU family), and incident response (IR family) are the controls medium and large contractors most often lack. Our managed SOC, vulnerability management, and IR retainer satisfy all three through one provider that is U.S.-based and assessment-mapped. See SOC as a Service.

  • What about GCC High?

    If you handle CUI in Microsoft 365, you almost certainly need GCC High — commercial M365 will not satisfy DFARS 252.204-7012 by itself. We scope, license, migrate, and document the tenant. See Microsoft 365 services.

  • How much does this cost?

    Honest answer: it depends on size and starting maturity. A 25-person defense subcontractor starting from minimal NIST 800-171 maturity typically invests $80K–$180K across 9–12 months for full Level 2 readiness, plus ongoing managed services. We scope to the environment — not a fixed package. Lost contract revenue from non-compliance is a much bigger number.

Talk with a CMMC advisor

Need a real CMMC plan, not a spreadsheet?

A 30-minute scoping call tells us your level, your boundary, and your runway. From there we build a fixed-scope roadmap — not a sales pitch.