Compliance | 13 min read | Updated February 2026

CMMC 2.0 Compliance Checklist for Orange County Defense Contractors

By BRITECITY Team

Published February 24, 2026

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense cybersecurity framework required for contractors who handle Controlled Unclassified Information (CUI). Codified in 32 CFR Part 170 (effective December 2024), it requires most defense industrial base (DIB) contractors to achieve Level 2 certification — 110 security practices from NIST SP 800-171 — before they can bid on or perform DoD contracts containing the DFARS clause 252.204-7021.

What CMMC 2.0 Is and Who It Applies To

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework became legally enforceable through the DoD's final rule published in 32 CFR Part 170 in December 2024. It applies to all companies in the Defense Industrial Base (DIB) — any contractor or subcontractor who processes, stores, or transmits Controlled Unclassified Information (CUI) as part of DoD work.

Orange County has a substantial defense contractor ecosystem: aerospace firms in Anaheim and Irvine, wire harness manufacturers, defense electronics suppliers, and software firms supporting military programs. Many of these are small and mid-sized companies — tier-2 and tier-3 suppliers — who have historically operated under self-attestation rather than formal certification.

CMMC 2.0 has three levels:
  • Level 1 (Foundational): 17 basic cyber hygiene practices. Applies to contractors handling Federal Contract Information (FCI) but not CUI. Annual self-assessment.
  • Level 2 (Advanced): 110 practices from NIST SP 800-171. Applies to contractors handling CUI. Requires either a C3PAO (third-party assessment) or self-assessment with senior official affirmation, depending on the program's criticality classification.
  • Level 3 (Expert): 110+ practices including NIST SP 800-172 requirements. Applies to contractors on the most critical DoD programs. Government-led assessment only.

Most Orange County defense contractors who handle technical data, drawings, specifications, or program information will need Level 2. The triggering mechanism is the presence of DFARS clause 252.204-7021 in your contract. If that clause is in your current or anticipated contracts, CMMC compliance is not optional.

Domain 1: Access Control (AC) — 22 Practices

Access Control is the largest CMMC domain and the one most directly impacted by identity management decisions. NIST SP 800-171 defines 22 access control requirements that fall into two categories: basic safeguarding requirements and derived security requirements.

Key checklist items for AC:
  • Limit system access to authorized users, processes, and devices (AC.1.001, AC.1.002)
  • Control the flow of CUI in accordance with approved authorizations (AC.2.006)
  • Separate the duties of individuals to reduce risk of malevolent activity (AC.2.007)
  • Implement least privilege — users only have access to what their role requires (AC.2.006)
  • Control connections to external systems (AC.2.013)
  • Prohibit remote activation of cameras and microphones without indication to users (AC.3.017)
  • Implement cryptographic mechanisms to protect confidentiality of CUI during remote access (AC.2.015)
  • Use session lock after a defined period of inactivity (AC.2.013)

Common gap: Many contractors grant broad access permissions that have accumulated over time. A CMMC assessment will expose any user who has access beyond what their role requires. Access reviews should happen at minimum annually.

Domains 2–4: Audit & Accountability, Configuration Management, Identification & Authentication

Audit & Accountability (AU) — 9 Practices
You must create, protect, and retain audit records sufficient to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity. This means logging is not optional — every system that processes CUI must generate audit logs, and those logs must be protected from modification and reviewed regularly.

Checklist items:
  • Establish and retain system audit logs to enable monitoring and investigation (AU.2.041, AU.2.042)
  • Ensure actions of individual users can be traced to those users (AU.2.042)
  • Review and update logged events (AU.3.045)
  • Alert in the event of audit logging process failure (AU.3.046)

Configuration Management (CM) — 9 Practices
Every system handling CUI must have a documented, baseline configuration. Deviations from baseline must be tracked and approved. According to NIST SP 800-171, contractors must:
  • Establish and maintain baseline configurations for systems (CM.2.061)
  • Establish and enforce security configuration settings (CM.2.062)
  • Track, review, approve, and log changes to systems (CM.2.064)
  • Analyze the security impact of changes prior to implementation (CM.3.068)

Identification & Authentication (IA) — 11 Practices
Every user accessing CUI systems must be uniquely identified and authenticated. This domain directly requires MFA:
  • Use multi-factor authentication for local and network access to privileged accounts and remote access to all accounts (IA.3.083)
  • Employ replay-resistant authentication mechanisms (IA.3.083)
  • Manage CUI system identifiers by disabling accounts after 90 days of inactivity (IA.2.078)
  • Enforce minimum password complexity and change requirements (IA.2.078)

Domains 5–7: Incident Response, Maintenance, Media Protection

Incident Response (IR) — 6 Practices
CMMC Level 2 requires that contractors have a documented and tested incident response capability. The DoD's concern is that contractors who suffer security incidents must be able to contain, report, and recover in a manner that protects CUI and supports DoD notification requirements.

Checklist items:
  • Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities (IR.2.092, IR.2.093)
  • Track, document, and report incidents to designated officials and/or authorities (IR.2.093)
  • Test the organizational incident response capability (IR.3.098)
  • Use knowledge of an attack on one system to protect other systems (IR.3.098)

Note: The DoD DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) has flagged inadequate incident response as one of the most common gaps found during assessments.

Maintenance (MA) — 6 Practices
System maintenance — especially remote maintenance — must be controlled and documented. Unapproved remote maintenance tools used on CUI systems are a CMMC finding:
  • Perform maintenance on organizational systems (MA.2.111)
  • Provide controls on tools, techniques, and personnel for maintenance (MA.2.112)
  • Ensure equipment removed for maintenance is sanitized (MA.2.113)

Media Protection (MP) — 9 Practices
Physical and digital media containing CUI must be controlled, labeled, protected during transport, and securely disposed of:
  • Protect system media containing CUI, both paper and digital (MP.2.119, MP.2.120)
  • Limit access to CUI on system media to authorized users (MP.2.120)
  • Sanitize or destroy system media before disposal or reuse (MP.2.121)
  • Control the use of removable media on system components (MP.3.122)

Domains 8–11: Personnel Security, Physical Protection, Risk Assessment, Security Assessment

Personnel Security (PS) — 2 Practices
Screen individuals prior to authorizing access to systems containing CUI, and ensure CUI is protected during and after personnel termination and transfer (PS.2.127, PS.2.128).

Physical Protection (PE) — 6 Practices
CUI systems must be physically protected — this applies to server rooms, workstations, and any location where CUI is processed or stored:
  • Limit physical access to systems to authorized individuals (PE.1.131, PE.1.132)
  • Escort visitors and monitor visitor activity (PE.2.135)
  • Maintain audit logs of physical access (PE.2.136)

Risk Assessment (RA) — 6 Practices
CMMC Level 2 requires documented risk assessments — not just security controls, but evidence that you have assessed your risk posture:
  • Periodically assess the risk to operations, assets, and individuals from the operation of systems (RA.2.141)
  • Scan for vulnerabilities in systems and applications periodically (RA.2.142)
  • Remediate vulnerabilities in accordance with risk assessments (RA.2.143)

The vulnerability scanning requirement (RA.2.142) is specific: you must use an automated tool, run scans at defined intervals, and document remediation. A manual review is not sufficient.

Security Assessment (CA) — 9 Practices
The Security Assessment domain requires that you periodically evaluate your security controls to ensure they are effective:
  • Periodically assess the security controls to determine if effective (CA.2.157)
  • Develop and implement plans of action to correct deficiencies (CA.2.158, CA.2.159)
  • Monitor security controls on an ongoing basis (CA.2.159)

Domains 12–14: System & Communications Protection, System & Information Integrity

System & Communications Protection (SC) — 16 Practices
This domain governs how CUI is protected in transit and at rest, and how systems are segmented to prevent unauthorized lateral movement. It directly implicates email infrastructure decisions (see our article on Exchange Server CMMC risk) and network architecture:
  • Monitor, control, and protect communications at external boundaries and key internal boundaries (SC.1.175)
  • Implement subnetworks for publicly accessible system components (SC.3.177)
  • Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission (SC.3.177)
  • Implement DNS filtering services (SC.3.190)
  • Employ architectural designs and software development techniques that promote security (SC.3.192)

System & Information Integrity (SI) — 7 Practices
This domain covers malware protection, security alerts, and system flaws:
  • Identify, report, and correct information system flaws in a timely manner (SI.1.210)
  • Provide protection from malicious code at appropriate locations (SI.1.211)
  • Update malicious code protection mechanisms when new releases are available (SI.1.212)
  • Perform periodic scans and real-time scans of files from external sources (SI.1.213)
  • Receive and respond to cybersecurity threat intelligence from information sharing forums (SI.2.217)

Getting started: The official BRITECITY cybersecurity assessment process maps your current environment against all 110 practices and produces a Plan of Action & Milestones (POA&M) — the required remediation document for CMMC. For Orange County defense contractors in Irvine, Anaheim, and surrounding areas, schedule a CMMC readiness assessment to understand your current gap count before assessors do.

CMMC Timeline and Practical Next Steps

The CMMC final rule (32 CFR Part 170) became effective in December 2024. The phased implementation means CMMC requirements are being incorporated into new DoD contracts on a rolling basis. If DFARS clause 252.204-7021 is in your current contracts or if you expect it in upcoming solicitations, your compliance timeline should be treated as urgent.

Practical timeline for Level 2 certification (C3PAO path):
  • Month 1–2: Gap assessment — map current controls against all 110 NIST SP 800-171 practices. Quantify your score using the DoD's SPRS (Supplier Performance Risk System) scoring methodology.
  • Month 2–6: Remediation — address deficiencies by priority. Implement the controls required by your highest-gap domains.
  • Month 6–8: System Security Plan (SSP) completion — document all controls in your SSP, which assessors will review during the C3PAO assessment.
  • Month 8–12: C3PAO assessment — a CMMC Third-Party Assessment Organization conducts a formal review. Assessment duration varies from days to weeks depending on scope.

Companies often underestimate the documentation burden. CMMC assessors do not just check whether controls exist — they verify that controls are documented, that personnel are trained, and that processes are repeatable. A policy that exists only in an engineer's head is not a control.

The Department of Defense provides official guidance at cmmc.mil. NIST SP 800-171 is available free at csrc.nist.gov.


Common Questions About This Topic

Does CMMC 2.0 apply to subcontractors?

Yes. DFARS clause 252.204-7021 requires prime contractors to flow down CMMC requirements to subcontractors who handle CUI. If you are a tier-2 or tier-3 supplier receiving technical drawings, specifications, or program data from a prime, you likely need to meet Level 2 requirements even if you have no direct DoD contract. Check your subcontract agreements for the presence of DFARS 252.204-7021.

What is the difference between CMMC self-assessment and a C3PAO assessment?

CMMC Level 2 allows self-assessment (with senior official affirmation submitted to SPRS) for programs the DoD has designated as lower criticality. For higher-criticality programs, a third-party assessment by a certified C3PAO (CMMC Third-Party Assessment Organization) is required. Check your specific contract requirements — the solicitation or DFARS clause will specify which assessment type applies. When in doubt, assume C3PAO assessment is required.

What is SPRS and how does it relate to CMMC?

The Supplier Performance Risk System (SPRS) is the DoD database where contractors submit their NIST SP 800-171 self-assessment scores. Even before full CMMC certification is required, DoD contracting officers can review SPRS scores as part of source selection. The SPRS score ranges from -203 to 110; the goal is 110 (full compliance). Submitting an inaccurate score creates False Claims Act exposure.
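As an added worked example (not BRITECITY's assessment tooling), here is the arithmetic behind the -203 to 110 range above and the gap count that the month 1–2 gap-assessment step in the timeline asks you to quantify: start at 110 and subtract the weight (5, 3 or 1 point) of every practice that is not fully implemented. The practice weights in the block are a constructed subset for illustration; the authoritative weights for all practices, and the partial-credit and SSP rules the code mirrors, come from the DoD's NIST SP 800-171 Assessment Methodology.

```python
# Added illustration of SPRS score arithmetic: 110 minus the weight (5, 3 or 1)
# of every practice not fully implemented; nothing implemented scores -203.
MAX_SCORE = 110
MIN_SCORE = -203  # all scored practices together carry 313 points of weight

# Constructed SUBSET of the weight table: real NIST SP 800-171 ids, but take the
# authoritative weights for all practices from the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5,    # AC: limit system access to authorized users
    "3.3.1": 5,    # AU: create and retain audit logs
    "3.5.3": 5,    # IA: multifactor authentication
    "3.11.2": 5,   # RA: scan for vulnerabilities periodically
    "3.13.11": 5,  # SC: FIPS-validated cryptography protecting CUI
    "3.4.3": 1,    # CM: track, review, approve and log changes
}
# Reduced deduction (3 instead of 5) the methodology allows for MFA covering only
# remote and privileged access, and for encryption that is not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
STATUSES = {"implemented", "partial", "not_implemented", "poam"}

def sprs_score(status, weights=WEIGHTS):
    """Return (score, gap_ids). Practices missing from `status` count as not
    implemented; a POA&M entry earns no credit until it is actually done."""
    # 3.12.4 (the SSP) carries no points: without an SSP there is no score at all.
    if status.get("3.12.4") != "implemented":
        raise ValueError("no System Security Plan: assessment cannot be scored")
    score, gaps = MAX_SCORE, []
    for pid, weight in weights.items():
        st = status.get(pid, "not_implemented")
        if st not in STATUSES:
            raise ValueError(f"{pid}: unknown status {st!r}")
        if st == "implemented":
            continue
        gaps.append(pid)  # every practice short of full implementation is a gap
        if st == "partial":
            if pid not in PARTIAL_DEDUCTION:
                raise ValueError(f"{pid}: partial credit is not available")
            score -= PARTIAL_DEDUCTION[pid]
        else:
            score -= weight
    return score, gaps

def table_is_complete(weights):  # only a full weight table can reach -203
    return sum(weights.values()) == MAX_SCORE - MIN_SCORE

# Constructed sample: a tier-2 supplier part-way through remediation.
SAMPLE_STATUS = {
    "3.12.4": "implemented", "3.1.1": "implemented", "3.3.1": "implemented",
    "3.5.3": "partial", "3.11.2": "poam",  # MFA on VPN/admins only; scans unscheduled
    "3.13.11": "not_implemented", "3.4.3": "not_implemented",
}
```

Running `sprs_score(SAMPLE_STATUS)` on the constructed sample gives 96 with four gaps; the score only rises when a practice is actually implemented, not when it is added to the POA&M.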

How long does achieving CMMC Level 2 compliance take?

Based on DIBCAC assessment data and industry experience, a company starting from a moderate security baseline typically requires 6–18 months to achieve Level 2 compliance through a C3PAO assessment. Companies with significant gaps (low SPRS scores, no vulnerability scanning, no incident response plan) are at the longer end. Beginning the gap assessment immediately is critical — do not wait for a contract award to trigger the process.

What happens if we fail a CMMC assessment?

If a C3PAO assessment finds deficiencies, the assessor produces a finding report. You can remediate deficiencies and request a follow-up assessment, or submit a Plan of Action & Milestones (POA&M) for temporary conditional authorization on specific items. However, a significant number of non-compliant practices will typically result in failure that must be remediated before certification is granted. Conditional authorization timelines are short — typically 180 days.

Where can I find the official CMMC requirements?

The official CMMC program website is cmmc.mil, which publishes the current assessment guides and program documentation. The underlying technical requirements are NIST Special Publication 800-171 (available free at csrc.nist.gov). The legal authority is 32 CFR Part 170 (the final CMMC rule). BRITECITY can provide a CMMC gap assessment mapped to all 110 practices to show your current compliance position.
