CMMC L2 Readiness/Brief 04-A/Vol. I · MMXXVI

Lock in CMMC Level 2 before it costs you a contract.

DBIT Defense is the readiness partner for South Florida defense contractors — gap assessments, SSP & POA&M development, remediation, and assessment support. Calmly, on schedule, in plain language contracts officers and engineers can both work from.

Controls in scope: 110 / NIST 800-171 R2
Families tracked: 14 / AC → SI
Compliance window: 26W to deadline
Engagement length: 12–36wk
Status: Readiness Window Active · Deadline 10 · NOV · 2026
SP 800-171 Rev. 2 active · CMMC Level 2 self-assessment & C3PAO window
Region: Palm Beach · Broward · Miami-Dade
Engagements: intake open
Control families: AC · AT · AU · CM · IA · IR · MA · MP · PS · PE · RA · CA · SC · SI
No. 01 — The Stakes

CMMC readiness is becoming a contract requirement, not an IT side project.

Updated · Q2 2026
Eligibility: DoD · Prime & Sub

Contract eligibility depends on demonstrable readiness.

DoD prime and subcontracting opportunities increasingly require contractors to show that CMMC Level 2 controls are implemented and documented, not just planned.

Documentation: SSP · POA&M

Documentation must match the controls you actually operate.

An SSP that does not reflect your real boundaries, systems, and procedures will not survive an assessment, and may not satisfy a flow-down requirement from your prime.

Remediation: Time & Cost

Remediation takes time when gaps surface late.

Closing technical and procedural gaps under contract deadlines is more expensive, more disruptive, and more likely to delay award.

Field · Department of Defense

The contracts you bid on protect the missions in these frames.

Photographs courtesy of the U.S. Department of Defense — public domain works of the federal government. Used here to ground the work in the operational reality it supports.

A US Air Force F-35A Lightning II in flight
U.S. Air Force · F-35A

The supply chain behind every aircraft, sensor, and component flows through hundreds of small DoD subcontractors — each of whom must demonstrate CMMC Level 2 readiness.

U.S. Air Force photo · Public domain via Wikimedia Commons
Carrier flight deck operations at night aboard USS Theodore Roosevelt
U.S. Navy · CVN-71

Sustainment, maintenance, and logistics contractors handle Controlled Unclassified Information every day. NIST SP 800-171 is the standard that protects it.

U.S. Navy photo, PH3 Todd Frantom · Public domain
Combined Force Space Component Command operations floor
U.S. Space Force · CFSCC

From command centers to component shops, CMMC Level 2 is the same baseline. The work is making sure your environment can prove it.

U.S. Space Force photo · Public domain
On the level of

The primes our clients show up for.

DBIT clients build for, supply, and subcontract under the largest defense contractors in the country — each of which now expects its supply chain to meet CMMC Level 2 readiness. Get on their level before the requirement shows up in your next contract.

LOCKHEED MARTIN
RAYTHEON
NORTHROP GRUMMAN
BOEING
GENERAL DYNAMICS
L3HARRIS
BAE SYSTEMS
HONEYWELL
LEIDOS
BOOZ ALLEN HAMILTON
Top 10 by 2025 DoD contract obligations · public sources
DBIT is independent. Inclusion in this list reflects industry stature, not endorsement.
No. 03 — How it Works

A clear path from gap assessment to assessment-ready.

Five phases · 12–36 weeks to certify, ongoing thereafter
Step 01

Gap Assessment

We review your current environment, scope, and documentation against CMMC Level 2 expectations.

Output: Gap findings and readiness score
Step 02

SSP & POA&M

We draft or refine your System Security Plan and structure your Plan of Action & Milestones.

Output: Draft or refined SSP and POA&M
Step 03

Remediation

We prioritize the gaps that matter and guide closure of the technical and procedural items.

Output: Prioritized remediation backlog
Step 04

Assessment Support

We prepare evidence, walkthroughs, and stakeholders for the formal assessment process.

Output: Evidence package & rehearsals
Step 05

Operate

After certification, Managed Compliance keeps the SSP, POA&M, evidence, and training cadence current between cycles.

Output: Quarterly review & annual affirmation
No. 04 — Why DBIT

A readiness partner that meets contracts, leadership, and IT where they are.

South Florida · IT & Compliance
i.

South Florida local, and responsive.

On the ground in Palm Beach, Broward, and Miami-Dade. Site visits and stakeholder workshops when they matter, not just calendar invites.

ii.

IT operations and compliance, under one roof.

Readiness rarely fails on paperwork alone. We bring practitioners who understand both how the documentation should read and how the controls actually run.

iii.

Practical remediation, not a binder of findings.

A gap report is the easy part. We translate findings into a prioritized backlog your team can actually work, with clear owners and sequencing.

iv.

One language for leadership, contracts, and IT.

Executives, contracts officers, and engineers each need a different view of the same readiness picture. We produce all three from a single source of truth.

No. 06 — Framework

Built around the documents assessors and contractors actually rely on.

NIST SP 800-171 Rev. 2

Scope & Boundary

Define systems, users, CUI flows, and assessment scope before assumptions become findings.

System Security Plan

Document implemented controls in language that matches operations, not a generic template.

Plan of Action & Milestones

Track gaps, owners, priorities, and remediation dates in a format assessors expect to see.

Sample CMMC Level 2 control IDs
AC.L2-3.1.1 · IA.L2-3.5.3 · SC.L2-3.13.8 · AU.L2-3.3.1 · CM.L2-3.4.2 · SI.L2-3.14.1 · MP.L2-3.8.3
Compliance Window · Status: Active

CMMC 2.0 enforcement is already underway.

The DoD has staged CMMC rollout in phases. The industry-cited 10 November 2026 readiness window is approaching. The clock below reflects that target. Each milestone links to the authoritative source or to the engagement that handles it.

Target: 10 · NOV · 2026
Window: L2 Self-Assessment / C3PAO
Sources: 32 CFR Part 170 (CMMC Program), DoD Office of the CIO public guidance. Dates reflect publicly-stated industry timelines; specific contract requirements vary by program office and prime contractor flow-down.
The Defense Wire · Edition Vol. I · MMXXVI

CMMC, NIST & cyber intelligence — filtered for the defense base.

Editorially curated from DoD CIO, NIST CSRC, Cyber-AB, CISA, and the Acquisition.gov DFARS catalog. Click any item to read the primary source.

CMMC / CRITICAL / DoD CIO · 2026-11-10

CMMC Phase 2: Level 2 C3PAO certification requirements take effect

Phase 2 of the CMMC 2.0 rollout introduces mandatory Level 2 certification assessments by accredited C3PAOs in applicable DoD solicitations and contracts handling CUI, one year after Phase 1 self-assessments began.

Feature · top wire
high · CMMC · 2025-11-10

DFARS 252.204-7021 in effect — CMMC certification required prior to award

The DFARS contract clause requiring contractors to hold the required CMMC certification level before award (and primes to flow down the requirement to subcontractors handling CUI/FCI) became enforceable on 10 November 2025.

SRC · Acquisition.gov
high · POLICY · 2026-02-01

Revolutionary FAR Overhaul — DFARS Part 240 reorganization takes effect

Class deviations issued under the FAR Overhaul renumber DFARS 252.204-7020 to DFARS 252.240-7997 and eliminate 252.204-7019. Foundational clauses 252.204-7012 and 252.204-7021 remain in full force.

SRC · DoD
medium · NIST · 2024-05-14

NIST SP 800-171 Rev. 3 published — Rev. 2 remains current CMMC basis

NIST published the final SP 800-171 Rev. 3 and the assessment guide SP 800-171A Rev. 3 on 14 May 2024. DoD continues to anchor CMMC Level 2 assessments to Rev. 2; Rev. 3 implementation is expected to be addressed in future rulemaking.

SRC · NIST
critical · THREAT · 2026-05-21

CISA adds Langflow and Trend Micro Apex One vulnerabilities to KEV catalog

CISA added CVE-2025-34291 (Langflow origin validation) and CVE-2026-34926 (Trend Micro Apex One directory traversal) to the Known Exploited Vulnerabilities catalog with binding remediation deadlines for federal agencies.

SRC · CISA
high · THREAT · 2026-05-20

Microsoft Defender vulnerabilities added to KEV — exploited in the wild

CISA added seven vulnerabilities to the KEV catalog including CVE-2026-41091 (Microsoft Defender elevation of privilege) and CVE-2026-45498 (Microsoft Defender denial of service). Federal civilian agencies have set remediation deadlines.

SRC · CISA
medium · POLICY · 2025-12-01

CISA releases Cybersecurity Performance Goals 2.0 for critical infrastructure

CPG 2.0 updates CISA’s recommended practices to reflect the NIST Cybersecurity Framework 2.0. The goals apply to defense-relevant critical infrastructure and align well with CMMC Level 2 controls.

SRC · CISA
medium · C3PAO · 2026-05-01

C3PAO marketplace — accredited assessor count remains in the dozens

The Cyber AB’s C3PAO marketplace lists currently-authorized third-party assessor organizations. Limited assessor supply versus demand makes scheduling Level 2 certification slots a planning consideration.

SRC · Cyber-AB
Disclaimer: The Defense Wire aggregates publicly-available developments. Summaries reflect the editors' reading and are not legal or contractual advice. Always verify specific requirements with your contracting officer or prime.
Sources tracked: DoD CIO, NIST CSRC, Cyber-AB, CISA, FBI/IC3, GAO, Acquisition.gov DFARS, Federal Register
Defense Wire · Live
§ CMMC Phase 2 Level 2 C3PAO certification — 10 Nov 2026
§ DFARS 252.204-7021 in effect — certification required prior to award
§ NIST SP 800-171 Rev. 2 remains the current CMMC Level 2 basis
§ CISA KEV catalog — Langflow + Trend Micro Apex One added (May 2026)
§ Microsoft Defender vulnerabilities exploited in the wild — patch ASAP
§ Cyber-AB C3PAO marketplace — limited assessor capacity
§ DFARS Part 240 reorganization effective 1 Feb 2026
§ 110 controls · 14 families · NIST SP 800-171 Rev. 2
No. 07 — Pricing

Plain ranges, not quotes-on-request.

Industry estimates · Q2 2026

Most CMMC readiness work falls into one of these six engagements. The ranges below are consistent with what small-to-mid-sized defense contractors typically pay in the South Florida market and reflect industry averages, not a formal quote. We publish them so you can plan before you call.

01 — A

Scoping Brief

$5K – $10K · 1 – 2 weeks

A short, fixed-scope engagement to define your CUI boundary, in-scope systems, and a preliminary readiness score before committing to deeper work.

  • CUI environment scoping conversation
  • In-scope systems & boundary memo
  • Preliminary readiness score (0–110)
  • Written recommendation: proceed, defer, or refer
Start here
Most common
01 — B

Gap Assessment

$15K – $30K · 3 – 6 weeks

A full gap analysis against all 110 NIST SP 800-171 Rev. 2 controls, with a prioritized remediation backlog your team can actually work.

  • All 14 families, 110 controls reviewed
  • Evidence interviews & technical walkthroughs
  • Prioritized remediation backlog (H · M · L)
  • Gap report deliverable + executive briefing
Most common starting point
02 — A

Documentation Sprint

$25K – $60K · 6 – 12 weeks

SSP, POA&M, boundary diagram, and per-control implementation statements — written in language an assessor will actually believe.

  • System Security Plan (drafting & refinement)
  • POA&M with owners, dates, severity
  • Boundary diagram + CUI data-flow narrative
  • Per-control implementation statements
Get the paperwork right
Full program
02 — B

Remediation Program

$50K – $150K · 8 – 24 weeks

Hands-on closure of the technical and procedural gaps that move the readiness score — sequenced so the highest-impact items land first.

  • Prioritized backlog with owners and target dates
  • Configuration baselines, policy templates, procedures
  • Hands-on work on AC, IA, SC, AU, CM families
  • Evidence-collection guidance per item closed
Close the gap
03

Assessment Prep

$25K – $50K · 4 – 8 weeks

Pre-assessment readiness: rehearse the assessor experience, finalize the evidence package, prepare your stakeholders, and dry-run the formal walkthroughs.

  • Evidence package finalization
  • Stakeholder interview prep & rehearsals
  • Mock walkthroughs (technical + procedural)
  • C3PAO selection guidance (we are not a C3PAO)
Before the C3PAO
Recurring
04

Managed Compliance

$2.5K – $8K / mo · monthly · 12-mo term

The operating layer that keeps your SSP, POA&M, evidence library, and training cadence current between annual obligations and triennial assessment cycles.

  • Quarterly evidence review & POA&M sync
  • Monthly action tracking & risk-register update
  • Annual SPRS score refresh & affirmation support
  • Pre-assessment refresh before the C3PAO
Stay assessment-ready
Not included

C3PAO third-party assessment fees (typically $40K – $150K+), DoD registration costs, software/tooling subscriptions you'd procure directly, or hardware remediation. We are a readiness partner, not an assessor.

Scope drivers

Project pricing depends on environment complexity, the number of in-scope systems and users, the breadth of CUI handling, the state of existing documentation, and the volume of remediation. Managed Compliance pricing scales with in-scope user count and evidence cadence.

Engagement model

Fixed-fee for projects, flat monthly for Managed Compliance, time-and-materials only where scope honestly cannot be sized up front. We never bill for unscoped work without your sign-off.

No. 08 — Resources

Primary sources — cited, current, clickable.

No. 09 — FAQ

Questions defense contractors usually ask us first.

Common Q · Plain answers
It depends on current maturity, the scope of in-scope systems, the quality of existing documentation, and how many remediation items surface during the gap assessment. We size each engagement after an initial scoping conversation rather than committing to a fixed timeline up front.
Environment complexity, the number of systems and users in scope, the breadth of CUI handling, the state of existing documentation, and the volume of remediation needed. We share a clear scope and pricing model after the readiness assessment.
No. DBIT Defense provides readiness and preparation work: gap assessments, SSP and POA&M development, remediation support, and assessment preparation. Formal CMMC Level 2 assessments are conducted by authorized C3PAOs where required.
A System Security Plan documents the system boundary, the environment that supports it, and how each required control is implemented. It is the central artifact assessors review and the document your team should be able to walk through end to end.
A Plan of Action and Milestones tracks identified gaps, the owner of each gap, the remediation steps in motion, and the target completion date. It is how an organization shows that known issues are managed rather than ignored.
Yes. The gap assessment is the starting point. We continue with SSP and POA&M development, prioritized remediation support, and preparation for the formal assessment process.

Know where you stand before the requirement reaches the contract.

Start with a focused CMMC readiness assessment for your South Florida defense contracting environment. We will send a written scoping summary within two business days, or a candid recommendation if it isn't the right fit.

Or call directly: (561) 887-5470
Mon–Fri · 9am – 6pm ET · South Florida

Request a readiness assessment