Cyberuptive

CMMC 2.0 · NIST 800-171 · DFARS 252.204-7012

CMMC compliance for the U.S. defense contractors who can’t afford to lose the contract.

Final rule (32 CFR Part 170) effective December 16, 2024. Phase 1 enforcement began November 10, 2025. Level 2 C3PAO assessment requirements start phasing in on November 10, 2026. We take U.S. defense contractors and government subcontractors nationwide from current state to assessment-ready, then run the long-term controls afterward.

  • Level 1 and Level 2 scoping, gap, and remediation
  • SSP authoring + POA&M tracking + evidence library
  • GCC High migration + Sentinel + Defender XDR
  • 24/7 SOC for continuous monitoring controls

CMMC 2.0 timeline

Three dates to know.

DoW has published a phased rollout, and the dates are fixed in regulation. If you carry FCI or CUI on a current contract, or want to bid on the next one, the timeline below applies to you.

  1. Dec 16, 2024: CMMC final rule takes effect

     32 CFR Part 170, published in the Federal Register on October 15, 2024, becomes effective. The CMMC Program rule is officially in force.

  2. Nov 10, 2025: Phase 1 enforcement begins

     The DFARS acquisition rule (clause 252.204-7021) takes effect. Level 1 and Level 2 self-assessment requirements, with annual affirmations in SPRS, appear in new DoW solicitations.

  3. Nov 10, 2026: Phase 2 begins

     Level 2 third-party (C3PAO) certification assessment requirements begin appearing in applicable DoW solicitations and contracts.

Engagement model

From scoping to assessment-ready, with the long-term controls already running.

  1. Scope

     Define the CUI boundary. Inventory in-scope assets, users, and data flows. Confirm Level 1 vs Level 2.

  2. Gap

     Score current state against all 15 (L1) or 110 (L2) requirements. Output: scored gap report and remediation roadmap.

  3. Remediate

     Close gaps: GCC High migration, Defender and Sentinel deployment, SOC and vulnerability-management stand-up, IR retainer.

  4. Document

     SSP authored, POA&M live, evidence library populated, mock assessment with C3PAO-style questioning.


Built for U.S. defense contractors

Your contracts are on the line. We’re the guide that gets you assessment-ready.

CMMC 2.0 reaches primes and subcontractors across the Defense Industrial Base: manufacturers, integrators, software shops, professional services, and engineering firms in all 50 states. If your contracts touch Federal Contract Information or Controlled Unclassified Information, the compliance bar is the same whether you are in Huntsville, Hartford, or San Diego.

We operate as your CMMC readiness partner: scoping the CUI boundary, scoring against NIST SP 800-171, authoring the SSP, running the POA&M, posting your SPRS score, and standing up the long-term controls (SIEM, SOC, vulnerability management, and incident response) that DFARS 252.204-7012 expects you to keep running after the C3PAO leaves.

  • Nationwide engagements for DoW primes and subcontractors
  • NIST 800-171, DFARS 252.204-7012, and SPRS scoring expertise
  • Evidence library, SSP, and POA&M built to C3PAO standards
  • U.S.-based analysts handling CUI under DFARS-aligned controls
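The SPRS score mentioned above is not a pass/fail grade; it is the DoD Assessment Methodology score, which starts at 110 and subtracts a weight of 1, 3 or 5 points for every NIST SP 800-171 requirement that is still open on the POA&M. The following is an added example, not Cyberuptive's tooling or the methodology's own text, showing how that arithmetic works and how it drives remediation order. The weight table, the `Finding` class and the sample POA&M are assumptions constructed for the example; the full 110-entry weight table must be taken from the methodology itself.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative subset of NIST SP 800-171 Rev 2 requirement weights from the DoD
# Assessment Methodology, in which each requirement is worth 1, 3 or 5 points.
# These entries are assumptions for this example; take the full 110-entry table
# from the methodology itself before scoring a real environment.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.22": 1, "3.3.1": 5, "3.5.3": 5,
    "3.8.3": 3, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5, "3.14.6": 5,
}
# The methodology allows partial credit for exactly two requirements: MFA (3.5.3)
# in place for remote and privileged access but not general users, and encryption
# (3.13.11) in use but not FIPS-validated. Each then costs 3 points instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points carried by all weighted requirements


@dataclass(frozen=True)
class Finding:
    req: str                # NIST SP 800-171 requirement id, e.g. "3.5.3"
    due: date               # POA&M target completion date
    partial: bool = False   # partially implemented under the methodology rules


def deduction(finding, weights=WEIGHTS):
    """Points the methodology subtracts for one unmet requirement."""
    if finding.partial and finding.req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.req]
    return weights[finding.req]


def sprs_score(poam, weights=WEIGHTS):
    """Score an environment from its open POA&M items (fully met items are absent)."""
    if any(f.req == "3.12.4" for f in poam):
        # Without a System Security Plan the methodology yields no score at all.
        raise ValueError("3.12.4 open: no SSP, environment cannot be scored")
    unique = {f.req: f for f in poam}.values()   # one deduction per requirement
    return max(MAX_SCORE - sum(deduction(f, weights) for f in unique), MIN_SCORE)


def remediation_order(poam, weights=WEIGHTS):
    """Close the biggest deductions first; ties broken by the earlier due date."""
    return sorted(poam, key=lambda f: (-deduction(f, weights), f.due))


# Constructed POA&M for a small contractor; these findings are invented.
SAMPLE_POAM = [
    Finding("3.5.3", date(2026, 3, 31)),                  # no MFA anywhere yet
    Finding("3.13.11", date(2026, 2, 28), partial=True),  # TLS on, not FIPS-validated
    Finding("3.14.6", date(2026, 1, 31)),                 # no continuous monitoring
    Finding("3.1.22", date(2026, 4, 30)),                 # public web content unreviewed
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_POAM))   # 110 - (5 + 3 + 5 + 1) = 96
    for f in remediation_order(SAMPLE_POAM):
        print(f"  {f.req:8} -{deduction(f)}  due {f.due}")
```

Two details matter in practice: a single unmet 5-point requirement such as MFA or continuous monitoring costs as much as five 1-point items, so the remediation roadmap should be ordered by weight rather than by how easy an item looks, and a missing SSP (3.12.4) does not reduce the score, it makes the environment unassessable.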

Control families we operate long-term

Pass the assessment. Stay passed.

The hardest-to-sustain control families are continuous monitoring, audit logging, and incident response. We run those as managed services so you do not have to staff them.

AC · Access Control

Conditional Access, Entra ID PIM, role review, session controls.

AU · Audit & Accountability

Sentinel SIEM with 1-year retention, alert review, integrity protection.

CM · Configuration Management

Baselines, change control, deviation tracking, periodic review.

IR · Incident Response

24/7 SOC triage, IR retainer, tabletop exercises, post-incident review.

RA · Risk Assessment

Continuous vulnerability scanning, KEV/EPSS prioritization.

SI · System & Information Integrity

Defender XDR, threat hunting, flaw remediation tracking.
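The RA entry above names KEV/EPSS prioritization without saying how the two feeds combine. Here is an added example, not Cyberuptive's code, of the triage rule a vulnerability-management team typically applies: CISA KEV membership (known exploitation in the wild) outranks everything, EPSS probability outranks CVSS severity, and assets inside the CUI boundary get tighter deadlines, which is what a C3PAO will ask to see evidence of under SI.L2-3.14.1 flaw remediation. The scanner export, the KEV set, the EPSS values, the tier names and the SLA windows are all constructed for the example; the CVE ids are placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    asset: str
    cvss: float            # base score from the scanner
    in_cui_boundary: bool  # asset sits inside the assessed CUI enclave


# Constructed sample data standing in for a scanner export, the CISA KEV catalog
# and an EPSS feed. The CVE ids, assets and scores are placeholders, not findings.
SCAN = [
    Vuln("CVE-0000-0001", "file-srv-01", 9.8, True),
    Vuln("CVE-0000-0002", "wiki-01", 7.5, False),
    Vuln("CVE-0000-0003", "cad-ws-07", 6.1, True),
    Vuln("CVE-0000-0004", "lab-vm-02", 9.1, False),
    Vuln("CVE-0000-0005", "hr-app-01", 5.3, True),
]
KEV = {"CVE-0000-0003"}
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.15,
        "CVE-0000-0004": 0.004, "CVE-0000-0005": 0.001}

EPSS_HIGH = 0.10                                    # assumed threshold
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30, "P4": 90}  # assumed remediation windows
TIERS = ["P1", "P2", "P3", "P4"]


def tier(v, kev=KEV, epss=EPSS):
    """Rank one finding: exploited-in-the-wild first, then likelihood, then severity."""
    p = epss.get(v.cve, 0.0)            # no EPSS entry is treated as negligible
    if v.cve in kev:
        t = "P1"                        # KEV: known exploitation, fix first
    elif p >= EPSS_HIGH and v.cvss >= 7.0:
        t = "P2"                        # likely to be exploited and serious
    elif v.cvss >= 9.0 or p >= EPSS_HIGH:
        t = "P3"
    else:
        t = "P4"
    # Anything inside the CUI boundary moves up one tier from P3/P4.
    if v.in_cui_boundary and t in ("P3", "P4"):
        t = TIERS[TIERS.index(t) - 1]
    return t


def prioritize(scan=SCAN, kev=KEV, epss=EPSS):
    """Return (tier, sla_days, cve, asset) in the order the work should happen."""
    ranked = []
    for v in scan:
        t = tier(v, kev, epss)
        ranked.append((t, SLA_DAYS[t], v.cve, v.asset, epss.get(v.cve, 0.0), v.cvss))
    # Within a tier, higher exploitation probability first, then higher CVSS.
    ranked.sort(key=lambda r: (TIERS.index(r[0]), -r[4], -r[5]))
    return [(t, sla, cve, asset) for t, sla, cve, asset, _, _ in ranked]


if __name__ == "__main__":
    for t, sla, cve, asset in prioritize():
        print(f"{t}  {sla:>2}d  {cve}  {asset}")
```

Note that the CVSS 6.1 finding on the CAD workstation lands at the top because it is in KEV, while the CVSS 9.8 file-server finding with a 2% EPSS ranks below the 7.5 wiki finding that EPSS rates at 71%. Ranking by CVSS alone would invert that order, and the POA&M evidence should show the KEV/EPSS rationale rather than a severity sort.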

FAQ

Frequently asked

Don't see your question? Talk to a real person — we're 833-92-CYBER.

  • When does CMMC 2.0 actually start affecting my contracts?

    The CMMC final rule (32 CFR Part 170) took effect December 16, 2024. Phase 1 enforcement began November 10, 2025, with Level 1 and Level 2 self-assessment requirements appearing in new DoW solicitations. Phase 2 begins November 10, 2026, when Level 2 third-party (C3PAO) assessment requirements start appearing in applicable solicitations. If you bid on DoW work touching CUI, the runway is shorter than most prime contractors realize.

  • What level do I need?

    If you handle Federal Contract Information (FCI) only: Level 1 (15 requirements from FAR 52.204-21, annual self-assessment and affirmation). If you handle Controlled Unclassified Information (CUI): Level 2 (110 requirements from NIST SP 800-171 Rev 2; a C3PAO assessment every three years with annual affirmation for most contractors, self-assessment for a small set of programs). Level 3 adds NIST SP 800-172 requirements for the highest-priority programs and is rare for subcontractors. We do a 1-hour scoping call to confirm.

  • What does a CMMC engagement actually look like?

    Four phases: (1) Scoping: define the CUI boundary, identify in-scope assets, classify data flows. (2) Gap assessment: score current state against every applicable requirement (15 for Level 1, 110 for Level 2). (3) Remediation: close gaps, deploy GCC High where required, harden M365, build SOC, vulnerability-management and IR programs. (4) Documentation and assessment prep: SSP, POA&M, evidence library, mock assessment. Typical duration: 6 to 12 months depending on starting maturity.

  • What does a CMMC readiness partner actually do?

    A CMMC readiness partner does the work most defense contractors cannot staff in-house: scoping the CUI boundary, running the gap assessment against NIST SP 800-171, authoring the System Security Plan, maintaining the POA&M, posting and defending the SPRS score, and operating the long-term controls (SIEM, 24/7 SOC, vulnerability management, and incident response) that DFARS 252.204-7012 expects you to keep running. We do this for U.S. defense contractors and government subcontractors nationwide, with U.S.-based analysts handling CUI.

  • Do you produce the SSP and POA&M, or just review what we have?

    Both. Most engagements include authoring the System Security Plan from scratch (or a substantial rewrite) and standing up a working POA&M with quarterly review. We produce evidence-ready documentation that matches what your C3PAO will request — not generic templated language.

  • Can you operate the long-term controls (SOC, VM, IR)?

    Yes, and that is the most cost-effective model. System monitoring (SI.L2-3.14.6), audit logging (the AU family), and incident response (the IR family) are the requirements contractors most often cannot sustain with their own staff. Our managed SOC, vulnerability management, and IR retainer cover all three with one U.S.-based provider, with each service mapped to the requirements it satisfies so the evidence is ready for the assessor. See SOC as a Service.

  • What about GCC High?

    If you handle CUI in Microsoft 365, you almost certainly need GCC High. Commercial M365 does not carry the DFARS 252.204-7012 paragraph (c) through (g) flow-down commitments (incident reporting, media preservation, forensic access), and export-controlled CUI (ITAR/EAR) needs the U.S.-sovereign, U.S.-person-supported environment GCC High provides. We scope, license, migrate, and document the tenant. See Microsoft 365 services.

  • How much does this cost?

    Honest answer: it depends on size and starting maturity. A 25-person defense subcontractor starting from minimal NIST 800-171 maturity typically invests $80K to $180K across 9 to 12 months for full Level 2 readiness, plus ongoing managed services. We scope to the environment, not a fixed package. Lost contract revenue from non-compliance is a much bigger number.

Talk with a CMMC advisor

Need a real CMMC plan, not a spreadsheet?

A 30-minute scoping call tells us your level, your boundary, and your runway. From there we build a fixed-scope roadmap, not a sales pitch.