CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense cybersecurity framework required for contractors who handle Controlled Unclassified Information (CUI). Codified in 32 CFR Part 170 (effective December 2024), it requires most defense industrial base (DIB) contractors in Orange County and across the U.S. to achieve Level 2 certification — 110 security practices from NIST SP 800-171 — before they can bid on or perform DoD contracts containing the DFARS clause 252.204-7021.
The Framework
CMMC 2.0 replaced the original five-level CMMC 1.0 framework with a streamlined three-tier model. The Department of Defense published the final rule in 32 CFR Part 170 in December 2024, making CMMC a contractual requirement that will be phased into new DoD solicitations starting in 2025. If your company holds a DoD contract — or plans to bid on one — and that contract involves CUI, you need CMMC Level 2 certification.
Orange County is home to a dense cluster of defense contractors and aerospace firms, from primes like Boeing and Raytheon operations to hundreds of small and mid-size suppliers in Irvine, Huntington Beach, Anaheim, and Costa Mesa. Many of these firms handle CUI daily — engineering drawings, test data, technical specifications, and export-controlled information. Every one of them falls under CMMC 2.0 if their contracts include DFARS clause 252.204-7021.
The three CMMC levels map directly to the sensitivity of the information you handle. Level 1 covers Federal Contract Information (FCI) with 17 basic practices. Level 2 covers CUI with 110 practices drawn from NIST SP 800-171. Level 3 adds enhanced practices from NIST SP 800-172 for the most critical programs. The vast majority of Orange County defense contractors will need Level 2.
Three Levels
Each level builds on the previous. Most DoD contracts containing CUI require Level 2, which maps directly to the 110 controls in NIST SP 800-171 Rev 2.
Level 1: 17 security practices. Basic cyber hygiene for FCI (Federal Contract Information). Annual self-assessment.
Level 2: 110 security practices. Full NIST SP 800-171 for CUI (Controlled Unclassified Information). C3PAO certification.
Level 3: 134 security practices. NIST SP 800-172 for highest-priority CUI programs. Government-led assessment.
Domain 1 of 14
Access Control (AC) is the single largest CMMC domain with 22 of the 110 Level 2 practices. It governs who can access what, under which conditions, and how that access is enforced. For most defense contractors in Orange County, this domain represents the most remediation work because it touches every system, application, and data store in the CUI environment.
AC.L2-3.1.1 through 3.1.2: Restrict information system access to authorized users, processes, and devices. Limit access to the types of transactions and functions that authorized users are permitted to execute.
AC.L2-3.1.5 through 3.1.7: Employ the principle of least privilege. Use non-privileged accounts for non-security functions. Prevent non-privileged users from executing privileged functions.
AC.L2-3.1.12 through 3.1.17: Monitor and control remote access sessions. Route remote access through managed access control points. Protect wireless access using authentication and encryption.
AC.L2-3.1.18 through 3.1.22: Control connection of mobile devices. Encrypt CUI on mobile devices. Control CUI posted or processed on publicly accessible information systems.
Domains 2-4
Audit and Accountability (AU): Audit logging is the foundation of accountability. You must create, protect, and retain system audit logs that capture who accessed what, when, and from where. CMMC requires that audit records contain enough detail to establish what type of event occurred, when it occurred, where it occurred, the source, and the outcome.
For most contractors, this means deploying a SIEM (Security Information and Event Management) solution, configuring centralized log collection from all CUI-bearing systems, setting up alerting for failed login attempts and privilege escalation events, and establishing log retention policies that meet the three-year minimum. Audit logs must be protected from unauthorized access and tampering — a compromised log is worthless for incident investigation.
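The record-completeness check and the failed-login and privilege-escalation alerting described above, as an added example that is not from this page or from BRITECITY: it parses constructed JSON-lines audit records, sets aside any record missing the fields needed to establish event type, time, location, source, and outcome, and raises alerts on bursts of failed logins and on privileged functions used by non-admin accounts. The field names, the alert thresholds, the privileged-event set, and the admin account list are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields an audit record needs to establish event type, when, where, source, and outcome
REQUIRED = ("event", "ts", "host", "src", "user", "outcome")
# Constructed sample JSON-lines audit records (not from any real system); the last one lacks an outcome
SAMPLE = """\
{"event":"login","ts":"2025-03-04T08:00:01Z","host":"cui-fs01","src":"10.1.5.23","user":"jdoe","outcome":"success"}
{"event":"login","ts":"2025-03-04T08:01:10Z","host":"cui-fs01","src":"203.0.113.9","user":"admin","outcome":"failure"}
{"event":"login","ts":"2025-03-04T08:01:45Z","host":"cui-fs01","src":"203.0.113.9","user":"admin","outcome":"failure"}
{"event":"login","ts":"2025-03-04T08:02:20Z","host":"cui-fs01","src":"203.0.113.9","user":"admin","outcome":"failure"}
{"event":"sudo","ts":"2025-03-04T08:05:00Z","host":"cui-fs01","src":"10.1.5.23","user":"jdoe","outcome":"success"}
{"event":"login","ts":"2025-03-04T08:06:00Z","host":"cui-fs01","src":"10.1.5.40","user":"msmith"}
"""
PRIVILEGED_EVENTS = {"sudo", "group_change", "account_create"}  # assumed privileged-function event types
ADMIN_USERS = {"admin", "itops"}  # constructed list of accounts authorized for privileged functions

def parse_records(text):
    """Parse JSON lines; return (complete, incomplete), where incomplete pairs a record with its missing fields."""
    complete, incomplete = [], []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            incomplete.append((rec, missing))
        else:
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            complete.append(rec)
    return complete, incomplete

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Return (user, src) pairs with at least `threshold` login failures inside a sliding time window."""
    recent, alerts = defaultdict(deque), set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "login" and r["outcome"] == "failure":
            q = recent[(r["user"], r["src"])]
            q.append(r["ts"])
            while r["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.add((r["user"], r["src"]))
    return alerts

def privilege_escalation(records):
    """Return records where a non-admin account exercised a privileged function (AC.L2-3.1.7)."""
    return [r for r in records if r["event"] in PRIVILEGED_EVENTS and r["user"] not in ADMIN_USERS]

if __name__ == "__main__":
    ok, bad = parse_records(SAMPLE)
    print("incomplete records:", [(r.get("user"), m) for r, m in bad])
    print("failed-login bursts:", failed_login_bursts(ok))
    print("privilege escalation:", [(r["user"], r["event"]) for r in privilege_escalation(ok)])
```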
Configuration Management (CM) ensures your systems remain in a known, secure state. This means establishing baseline configurations for all operating systems, applications, and network devices that process CUI. Every deviation from baseline must be documented, approved, and tracked.
Practically, this requires maintaining a configuration management database (CMDB), enforcing change control processes, restricting the ability to install software to authorized personnel, disabling unnecessary services and ports, and applying the principle of least functionality. If a server does not need to run a web service, that service should be disabled. Orange County contractors with legacy manufacturing systems often struggle here because older equipment runs outdated software with services that cannot easily be disabled.
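A baseline-drift check of the kind this domain calls for, as an added example that is not from this page or from BRITECITY: it compares a host's observed listening services against the baseline for its role and against the change-control exception register, flagging services that are undocumented deviations, exceptions that have expired, and baseline services that are not running. The role names, service lists, and ticket id are constructed.

```python
from datetime import date

# Constructed baseline for the "cui-fileserver" role: the only services allowed to listen, and on which port
BASELINE = {"cui-fileserver": {"sshd": 22, "smbd": 445}}
# Constructed change-control register: approved deviations keyed by (host, service), with ticket and expiry
EXCEPTIONS = {("cui-fs01", "snmpd"): {"ticket": "CHG-0042", "expires": date(2025, 6, 30)}}
# Constructed observed state, as an inventory or port scan of the host would report it
OBSERVED = {"cui-fs01": {"role": "cui-fileserver",
                         "listening": {"sshd": 22, "smbd": 445, "snmpd": 161, "httpd": 80}}}

def drift_findings(observed, baseline, exceptions, today):
    """Compare each host with its role baseline; return (host, service, reason) for every finding.
    `today` is an ISO date string so the check is reproducible regardless of when it runs."""
    today = date.fromisoformat(today)
    findings = []
    for host, state in observed.items():
        allowed = baseline[state["role"]]
        for svc, port in state["listening"].items():
            if allowed.get(svc) == port:
                continue  # matches the baseline
            exc = exceptions.get((host, svc))
            if exc is None:
                findings.append((host, svc, "undocumented deviation from baseline"))
            elif exc["expires"] < today:
                findings.append((host, svc, f"exception {exc['ticket']} expired"))
        for svc in allowed:
            if svc not in state["listening"]:
                findings.append((host, svc, "baseline service not running"))
    return findings

if __name__ == "__main__":
    for finding in drift_findings(OBSERVED, BASELINE, EXCEPTIONS, "2025-03-04"):
        print(finding)
```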
Identification and Authentication (IA): Every user and device accessing CUI must be uniquely identified and authenticated before access is granted. CMMC Level 2 requires multi-factor authentication (MFA) for all network access to privileged and non-privileged accounts. This is non-negotiable and cannot be placed on a Plan of Action and Milestones (POA&M).
Authentication mechanisms must use FIPS-validated cryptography. Passwords must meet minimum complexity requirements and be changed periodically. Replay-resistant authentication is required for network access to privileged accounts. Device authentication — ensuring only managed, compliant endpoints can connect — is equally critical. Many contractors in Irvine and across Orange County still rely on passwords alone, which is the single most common reason for failing a CMMC assessment.
Domains 5-7
Incident Response (IR): You must have a documented incident response plan that covers preparation, detection, analysis, containment, eradication, and recovery. The plan must be tested at least annually and updated based on lessons learned.
Incident reporting to the DoD through the DIBNet portal is mandatory within 72 hours. Track and document security incidents from detection through resolution. Many contractors underestimate this domain because it has only three practices, but each practice requires substantial documentation and operational capability.
Maintenance (MA): All maintenance on CUI-bearing systems must be performed by authorized personnel using approved tools. This includes both on-site and remote maintenance. Non-local maintenance requires MFA, session encryption, and session termination when complete.
Equipment being removed for off-site maintenance must have all CUI sanitized from storage media before leaving the facility. Maintenance tools (diagnostic software, test equipment) must be checked for malicious code before connecting to CUI systems. For aerospace and defense shops in Orange County with specialized equipment, coordinate maintenance windows with your IT provider.
Media Protection (MP): All media containing CUI — hard drives, USB devices, backup tapes, printed documents — must be protected, controlled, and sanitized before disposal or reuse. This means full-disk encryption on all endpoints, encrypted USB policies, and documented media disposal procedures.
Digital media must be sanitized using NIST SP 800-88 guidelines before disposal. CUI markings must be applied to all media. Transport of CUI media outside the facility requires encryption and physical security controls. Many contractors overlook removable media policies, which is a common C3PAO finding.
Gap Analysis
Based on initial SPRS self-assessments, the chart shows the typical gap rate for each of the 14 CMMC domains. Higher percentages indicate that more organizations have unmet practices in that domain.
Typical First Assessment Finding
Most Orange County defense contractors score below 50% on their initial SPRS self-assessment. Access Control, Security Assessment, and Audit & Accountability consistently show the highest gap rates across the DIB.
Domains 8-11
Personnel Security (PS): Screen individuals prior to authorizing access to CUI systems. Ensure CUI access is revoked when personnel are transferred or terminated. This requires integration between HR processes and IT account management. When an employee leaves, their access must be disabled the same day — not next week, not when IT gets around to it. Automated deprovisioning workflows are the standard approach for contractors with more than 20 employees.
Physical Protection (PE): Limit physical access to systems, equipment, and operating environments to authorized individuals. Escort visitors, maintain audit logs of physical access, and control physical access devices (keys, badges, combinations). Server rooms and network closets containing CUI systems must have restricted access with logging. For Orange County contractors with shared office spaces or co-working arrangements, physical separation of CUI environments becomes especially important.
Risk Assessment (RA): Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of CUI systems. Scan for vulnerabilities in those systems on a regular schedule and remediate findings based on risk. This means running authenticated vulnerability scans at least monthly, maintaining a vulnerability management program with defined SLAs for patching (critical vulnerabilities within 14 days), and conducting a formal risk assessment at least annually.
Security Assessment (CA): Periodically assess your security controls to determine if they are effective. Develop and implement plans of action to correct deficiencies. Monitor security controls on an ongoing basis. This domain requires you to have a System Security Plan (SSP) that documents how your environment meets each of the 110 practices, and to update it whenever you make changes. The SSP is the first document a C3PAO assessor will request.
Domains 12-14
System and Communications Protection (SC) is the second-largest domain. It requires monitoring, controlling, and protecting communications at the external and internal boundaries of CUI systems. All CUI transmitted across networks must use FIPS-validated encryption (TLS 1.2+ minimum, TLS 1.3 preferred). Network segmentation must separate CUI systems from general business systems.
Implementations include boundary protection devices (firewalls, IDS/IPS), encrypted VPN tunnels for all remote access, denial-of-service protection, cryptographic key management, and session authenticity verification. DNS filtering, email encryption for CUI, and network architecture diagrams showing CUI data flows are all part of demonstrating compliance. For contractors in Irvine and Orange County running hybrid on-premises and cloud environments, documenting the boundary between CUI and non-CUI systems is critical.
System and Information Integrity (SI): Identify, report, and correct information system flaws in a timely manner. Provide protection from malicious code at appropriate locations. Monitor system security alerts and advisories and take appropriate actions. This domain ties directly to your patch management and endpoint protection programs.
Endpoint detection and response (EDR) tools must be deployed on all CUI endpoints. Email and web filtering must block known malicious content. Security advisories from vendors (Microsoft Patch Tuesday, firmware updates) must be reviewed and acted on within defined timeframes. Spam protection, input validation for web applications, and monitoring for unauthorized changes to systems and data are all required. A managed detection and response (MDR) service satisfies multiple practices in this domain.
Awareness and Training (AT): Ensure that managers, system administrators, and users are aware of the security risks associated with their activities and the applicable policies, standards, and procedures. Ensure personnel are trained to carry out their assigned information-security responsibilities.
This goes beyond generic annual security awareness training. Role-based training is required: administrators need training specific to their security responsibilities, users who handle CUI need training on CUI marking and handling procedures, and incident response team members need training on the IR plan. Training records must be maintained as evidence for assessors. Insider threat awareness training is also required, covering indicators of potential insider threats and reporting procedures.
Your Score
The Supplier Performance Risk System (SPRS) score is your organization’s self-reported measure of compliance with NIST SP 800-171. Scores range from -203 (no practices implemented) to 110 (all practices fully implemented). Every defense contractor with an active DoD contract was required to submit an SPRS score starting November 2020 under DFARS 252.204-7019 and 7020.
Your SPRS score directly impacts your ability to win contracts. Contracting officers can view your score in the SPRS portal, and a low score — or a score that was clearly inflated without supporting documentation — is a red flag. Under CMMC 2.0, your SPRS score becomes the starting point for the C3PAO assessment. If your self-reported score claims 95 but the assessor finds you at 40, you face not just a failed assessment but potential False Claims Act liability.
Critical: Significant gaps. 18-24 months of remediation likely needed before a C3PAO assessment.
In Progress: Partial compliance. 12-18 months to close gaps with focused effort and expert guidance.
Near Ready: Strong foundation. 6-12 months to address remaining gaps and prepare documentation.
Timeline
The phased rollout began in 2025 with CMMC requirements appearing in select DoD solicitations. By 2026, CMMC Level 2 requirements will appear in a significant portion of new contracts involving CUI. Full implementation across all applicable contracts is expected by 2028. Contractors who wait until CMMC appears in their specific solicitation will be too late — the 12-18 month remediation timeline means you need to start now.
December 2024: 32 CFR Part 170 published; CMMC 2.0 becomes the official rule.
Q1-Q2 2025: CMMC requirements begin appearing in select DoD solicitations.
2025-2026: Phased rollout; an increasing number of contracts require CMMC Level 2.
2026-2027: Majority of new CUI contracts include CMMC Level 2 as a condition.
2028: Full implementation; all applicable contracts require CMMC certification.
Action Plan
Whether your SPRS score is -100 or 90, these six steps will move you toward CMMC Level 2 certification on the shortest timeline.
1. Identify every system, application, and data store that processes, stores, or transmits CUI. This defines the boundary of your CMMC assessment. Reducing CUI scope reduces the number of systems that must comply.
2. Score yourself against all 110 NIST SP 800-171 practices. Be ruthlessly honest — an inflated SPRS score only delays the pain. Document what you have, what you lack, and what is partially implemented.
3. Your System Security Plan documents how your environment meets each practice. Your POA&M captures gaps with remediation plans, owners, and deadlines. These two documents are the backbone of your CMMC submission.
4. Deploy MFA everywhere, encrypt all CUI at rest and in transit, configure SIEM logging, harden endpoints with EDR, segment your network, and enforce least-privilege access. Prioritize practices that cannot be on a POA&M.
5. Role-based security awareness training, CUI handling procedures, incident response tabletop exercises, and insider threat awareness. Document all training with dates, attendees, and materials covered.
6. Once your internal assessment shows readiness, engage a CMMC Third-Party Assessment Organization. The Cyber AB (cyberab.org) maintains the list of authorized C3PAOs. Scheduling early is critical — C3PAO capacity is limited as demand ramps up.
Do subcontractors need their own CMMC certification? Yes. Any subcontractor that processes, stores, or transmits CUI must meet the same CMMC level as the prime contractor. DFARS 252.204-7012 already requires primes to flow down cybersecurity requirements. Under CMMC 2.0, this means subcontractors in Orange County and elsewhere must achieve Level 2 certification independently before the prime can include them on a CUI-bearing contract. The DoD will not accept a prime's certification as a substitute for the subcontractor's own assessment.
Level 1 requires only an annual self-assessment uploaded to SPRS. Level 2 has two paths: some contracts allow self-assessment, but most contracts involving CUI require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). C3PAOs are accredited by the CMMC Accreditation Body (the Cyber AB). Level 3 requires a government-led assessment by DIBCAC. For most Orange County defense contractors handling CUI, C3PAO certification is the requirement.
SPRS (Supplier Performance Risk System) is the DoD portal where contractors submit their NIST SP 800-171 self-assessment scores. Your SPRS score (ranging from -203 to 110) reflects how many of the 110 practices you have implemented. CMMC 2.0 builds on SPRS by requiring third-party validation of that score for Level 2. Contractors who have been submitting accurate SPRS scores are already partway through the CMMC process. Those who inflated their scores face significant remediation work.
For a typical small-to-mid-size defense contractor in Orange County, achieving Level 2 readiness takes 12-18 months from the start of a structured compliance program. Organizations starting from scratch may need 18-24 months. The timeline depends on your current SPRS score, the complexity of your CUI environment, and whether you need to deploy new infrastructure like a SIEM, encrypted email, or endpoint detection and response tools.
If you fail a C3PAO assessment, you receive a report identifying the gaps. You can remediate the deficiencies and request a reassessment, though this incurs additional cost and delay. During the remediation period, you cannot be awarded new contracts requiring that CMMC level. Some gaps can be addressed with a Plan of Action and Milestones (POA&M), but only for a limited number of practices and with a strict 180-day remediation window. Critical practices like MFA and FIPS-validated encryption cannot be on a POA&M.
The official rule is codified in 32 CFR Part 170, published December 2024. NIST SP 800-171 Rev 2 defines the 110 Level 2 practices. The Cyber AB (cyberab.org) maintains the list of authorized C3PAOs and assessment guides. BRITECITY in Irvine, CA can also walk Orange County defense contractors through the requirements and map them to your specific environment during a CMMC readiness assessment.
BRITECITY helps defense contractors across Irvine, Newport Beach, and Orange County achieve CMMC Level 2 certification. From gap analysis through C3PAO readiness, we handle the technical implementation so you can focus on winning contracts.