Name: BRITECITY
Address: 4 Executive Circle Suite 190, Irvine, CA, 92614, US
Telephone: +1-949-243-7440
Price range: $$
Rating: 5.0

BRITECITY Report EmailReport a Suspicious Email

BRITECITY
CMMC WalkthroughSetting expectations for Level 1, Level 2, and Level 3 engagements
Make IT Easy
The Framework
What is CMMC?CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense framework that requires every contractor and subcontractor handling federal contract information or controlled unclassified information to prove a measured level of cybersecurity. It is codified in 32 CFR Part 170 and enforced through DFARS clauses 252.204-7012, -7019, -7020, and -7021.
If your contract carries DFARS 252.204-7021, the certification clause applies — no cert, no contract.
Why It Matters Now
The rules already in your contractsDFARS 252.204-7012
Existing rule. Requires safeguarding of CUI and 72-hour incident reporting.
DFARS 252.204-7019
Requires a current NIST SP 800-171 score in SPRS to be eligible for award.
DFARS 252.204-7020
Allows DoD to verify that score with a higher-tier assessment.
DFARS 252.204-7021
Triggers the CMMC certification requirement once the contract clause is included.
32 CFR Part 170
Final CMMC rule, effective December 2024 — phased rollout into solicitations through 2028.
No cert, no contract
Once the clause is in your solicitation, you cannot be awarded the contract without the required CMMC level.
Three Levels
Pick the level your contracts require
Level 1
Federal Contract Information (FCI)17 basic safeguarding practices
Annual self-assessment, submitted to SPRS
Level 2
Controlled Unclassified Information (CUI)110 practices from NIST SP 800-171 Rev 2
C3PAO assessment every 3 years (most CUI contracts)
Level 3
CUI in programs facing advanced persistent threats110 Level 2 practices + 24 enhanced from NIST SP 800-172
Government-led DIBCAC assessment
Most defense contractors handling CUI need Level 2.
Level 1 — Scope
Federal Contract Information (FCI)Applies to any contractor that processes, stores, or transmits FCI but no CUI. Covers basic hygiene: access control, identification, media handling, physical protection, system integrity.
Practices
17 basic safeguarding practices
Domains
6 domains
Assessment
Annual self-assessment, submitted to SPRS
Level 1 — Delivery
BRITECITY delivers Level 1 end-to-end01Discovery — confirm FCI scope, inventory systems, identify named POC
02Gap analysis — map current state to the 17 practices
03Remediation — close gaps, document configurations
04System Security Plan (SSP) — written and maintained for you
05Annual self-attestation support — score calculation, SPRS submission
Single billable IT engagement at our standard rate. Scoped up front based on system count and current state.
Level 2 — Scope
Controlled Unclassified Information (CUI)Applies to most defense contractors handling CUI — engineering drawings, technical data, test results, ITAR-controlled material. Triggered by DFARS clause 252.204-7021.
Practices
110 practices from NIST SP 800-171 Rev 2
Domains
14 domains (NIST 800-171)
Assessment
C3PAO assessment every 3 years (most CUI contracts)
Level 2 — Delivery
BRITECITY co-delivers Level 2 with a 3rd-party CMMC partnerYou don’t go through Level 2 alone, and neither do we. The 3rd-party partner brings both BRITECITY and you through the assessment.
BRITECITY brings in an accredited CMMC RPO / C3PAO partner
The partner walks both the client and BRITECITY through the assessment process
BRITECITY owns the IT remediation work — MFA, FIPS encryption, SIEM, EDR, network segmentation, account lifecycle automation
The partner owns the assessment artifacts — SSP review, POA&M coordination, C3PAO scheduling
Multi-month engagement; typical readiness window is 12–18 months for a contractor starting from a low SPRS score
Billable engagement at our standard rate, plus 3rd-party assessor fees passed through at cost. Scoped after a paid readiness assessment.
Level 3 — Referral
BRITECITY does not provide Level 3 todayApplies to a small subset of high-priority programs. Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center.
Level 3 is reserved for a small subset of high-priority DoD programs
It is assessed by the government (DIBCAC), not a commercial C3PAO
Requires NIST SP 800-172 enhanced controls beyond standard MSP scope
BRITECITY refers Level 3 prospects to a specialty defense-cyber firm
If your contract requires Level 3, we’ll introduce you to a specialty partner and stay engaged on the IT side where it makes sense.
What You Provide
What we need from you to get started01Contract scope — which contracts contain DFARS 252.204-7021 and what data flows under them
02System inventory — every device, app, and cloud tenant that touches FCI or CUI
03Named project sponsor with budget authority
04Named day-to-day point of contact
05Decision on enclave-vs-enterprise scoping (a CUI enclave is usually cheaper to certify than the whole company)
06Access to existing security tooling, M365 / Google tenant, and HR offboarding process
The Roadmap
From discovery to certification01Discovery
Scope contracts, inventory systems, identify CUI flow, choose enclave vs. enterprise.
02Gap Analysis
Map current state to required practices. Score against SPRS scale (-203 to 110).
03Remediation
Close gaps. Deploy MFA, FIPS-validated encryption, SIEM, EDR, account lifecycle automation, and policy.
04SSP & POA&M
Write the System Security Plan. Document any open items in a Plan of Action & Milestones.
05Assessment
Level 1 — submit self-assessment to SPRS. Level 2 — schedule and pass C3PAO assessment.
06Annual Upkeep
Reassess yearly. Maintain SPRS score. Re-certify Level 2 every 3 years.
Pricing Model
How engagements get billed
Level 1
Scoped IT projectSingle billable IT engagement at our standard rate. Scoped up front based on system count and current state.
Level 2
Co-delivered + pass-throughBillable engagement at our standard rate, plus 3rd-party assessor fees passed through at cost. Scoped after a paid readiness assessment.
Level 3
ReferralNot offered. Referral only.
Specific dollar figures and daily rates are confirmed in writing during the scoping call — not in this deck.
Common Pitfalls
What costs contractors the most time and moneyInflating your SPRS scoreSelf-reported scores will be audited under -7020. A score that does not match reality becomes a False Claims Act exposure once a C3PAO confirms the gap.
Treating Level 2 as a checklistPractices like MFA and FIPS-validated encryption cannot be POA&M items. Critical gaps must be closed before the assessment.
Ignoring subcontractor flow-downPrimes must flow CMMC requirements to subs. A sub that cannot certify will be removed from the contract.
Scoping the whole company when an enclave will doA bounded CUI enclave is typically the fastest, cheapest path to Level 2. Whole-company scoping is rarely required.
Starting too lateReadiness for a contractor starting from scratch is usually 12–18 months. Waiting until the clause hits the solicitation is too late.
Next Steps
Four steps from here01CMMC Scoping CallFree 30-minute call. We confirm the level you need, the contracts in play, and whether BRITECITY is a fit (Level 1 or Level 2) or whether you need a referral (Level 3).
02Paid Readiness AssessmentFixed-fee engagement. We document your current SPRS score, scope the CUI environment, and produce a written remediation plan with effort and timeline.
03Remediation EngagementBillable IT engagement at our standard rate. Level 1 = scoped project. Level 2 = co-delivered with the 3rd-party assessor.
04Assessment & CertificationLevel 1 self-attestation submitted to SPRS, or C3PAO assessment scheduled and supported through award.
Book a CMMC scoping call
britecity.com/book-a-call — 30 minutes, free, no commitment.
Prefer a printed handout? Download the walkthrough as a Word doc.
Make IT Easy
BRITECITY  ·  CMMC Compliance Walkthrough · 2026
1 / 14

BRITECITY
CMMC WalkthroughSetting expectations for Level 1, Level 2, and Level 3 engagements
Make IT Easy
The Framework
What is CMMC?CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense framework that requires every contractor and subcontractor handling federal contract information or controlled unclassified information to prove a measured level of cybersecurity. It is codified in 32 CFR Part 170 and enforced through DFARS clauses 252.204-7012, -7019, -7020, and -7021.
If your contract carries DFARS 252.204-7021, the certification clause applies — no cert, no contract.
Why It Matters Now
The rules already in your contractsDFARS 252.204-7012
Existing rule. Requires safeguarding of CUI and 72-hour incident reporting.
DFARS 252.204-7019
Requires a current NIST SP 800-171 score in SPRS to be eligible for award.
DFARS 252.204-7020
Allows DoD to verify that score with a higher-tier assessment.
DFARS 252.204-7021
Triggers the CMMC certification requirement once the contract clause is included.
32 CFR Part 170
Final CMMC rule, effective December 2024 — phased rollout into solicitations through 2028.
No cert, no contract
Once the clause is in your solicitation, you cannot be awarded the contract without the required CMMC level.
Three Levels
Pick the level your contracts require
Level 1
Federal Contract Information (FCI)17 basic safeguarding practices
Annual self-assessment, submitted to SPRS
Level 2
Controlled Unclassified Information (CUI)110 practices from NIST SP 800-171 Rev 2
C3PAO assessment every 3 years (most CUI contracts)
Level 3
CUI in programs facing advanced persistent threats110 Level 2 practices + 24 enhanced from NIST SP 800-172
Government-led DIBCAC assessment
Most defense contractors handling CUI need Level 2.
Level 1 — Scope
Federal Contract Information (FCI)Applies to any contractor that processes, stores, or transmits FCI but no CUI. Covers basic hygiene: access control, identification, media handling, physical protection, system integrity.
Practices
17 basic safeguarding practices
Domains
6 domains
Assessment
Annual self-assessment, submitted to SPRS
Level 1 — Delivery
BRITECITY delivers Level 1 end-to-end01Discovery — confirm FCI scope, inventory systems, identify named POC
02Gap analysis — map current state to the 17 practices
03Remediation — close gaps, document configurations
04System Security Plan (SSP) — written and maintained for you
05Annual self-attestation support — score calculation, SPRS submission
Single billable IT engagement at our standard rate. Scoped up front based on system count and current state.
Level 2 — Scope
Controlled Unclassified Information (CUI)Applies to most defense contractors handling CUI — engineering drawings, technical data, test results, ITAR-controlled material. Triggered by DFARS clause 252.204-7021.
Practices
110 practices from NIST SP 800-171 Rev 2
Domains
14 domains (NIST 800-171)
Assessment
C3PAO assessment every 3 years (most CUI contracts)
Level 2 — Delivery
BRITECITY co-delivers Level 2 with a 3rd-party CMMC partnerYou don’t go through Level 2 alone, and neither do we. The 3rd-party partner brings both BRITECITY and you through the assessment.
BRITECITY brings in an accredited CMMC RPO / C3PAO partner
The partner walks both the client and BRITECITY through the assessment process
BRITECITY owns the IT remediation work — MFA, FIPS encryption, SIEM, EDR, network segmentation, account lifecycle automation
The partner owns the assessment artifacts — SSP review, POA&M coordination, C3PAO scheduling
Multi-month engagement; typical readiness window is 12–18 months for a contractor starting from a low SPRS score
Billable engagement at our standard rate, plus 3rd-party assessor fees passed through at cost. Scoped after a paid readiness assessment.
Level 3 — Referral
BRITECITY does not provide Level 3 todayApplies to a small subset of high-priority programs. Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center.
Level 3 is reserved for a small subset of high-priority DoD programs
It is assessed by the government (DIBCAC), not a commercial C3PAO
Requires NIST SP 800-172 enhanced controls beyond standard MSP scope
BRITECITY refers Level 3 prospects to a specialty defense-cyber firm
If your contract requires Level 3, we’ll introduce you to a specialty partner and stay engaged on the IT side where it makes sense.
What You Provide
What we need from you to get started01Contract scope — which contracts contain DFARS 252.204-7021 and what data flows under them
02System inventory — every device, app, and cloud tenant that touches FCI or CUI
03Named project sponsor with budget authority
04Named day-to-day point of contact
05Decision on enclave-vs-enterprise scoping (a CUI enclave is usually cheaper to certify than the whole company)
06Access to existing security tooling, M365 / Google tenant, and HR offboarding process
The Roadmap
From discovery to certification01Discovery
Scope contracts, inventory systems, identify CUI flow, choose enclave vs. enterprise.
02Gap Analysis
Map current state to required practices. Score against SPRS scale (-203 to 110).
03Remediation
Close gaps. Deploy MFA, FIPS-validated encryption, SIEM, EDR, account lifecycle automation, and policy.
04SSP & POA&M
Write the System Security Plan. Document any open items in a Plan of Action & Milestones.
05Assessment
Level 1 — submit self-assessment to SPRS. Level 2 — schedule and pass C3PAO assessment.
06Annual Upkeep
Reassess yearly. Maintain SPRS score. Re-certify Level 2 every 3 years.
Pricing Model
How engagements get billed
Level 1
Scoped IT projectSingle billable IT engagement at our standard rate. Scoped up front based on system count and current state.
Level 2
Co-delivered + pass-throughBillable engagement at our standard rate, plus 3rd-party assessor fees passed through at cost. Scoped after a paid readiness assessment.
Level 3
ReferralNot offered. Referral only.
Specific dollar figures and daily rates are confirmed in writing during the scoping call — not in this deck.
Common Pitfalls
What costs contractors the most time and moneyInflating your SPRS scoreSelf-reported scores will be audited under -7020. A score that does not match reality becomes a False Claims Act exposure once a C3PAO confirms the gap.
Treating Level 2 as a checklistPractices like MFA and FIPS-validated encryption cannot be POA&M items. Critical gaps must be closed before the assessment.
Ignoring subcontractor flow-downPrimes must flow CMMC requirements to subs. A sub that cannot certify will be removed from the contract.
Scoping the whole company when an enclave will doA bounded CUI enclave is typically the fastest, cheapest path to Level 2. Whole-company scoping is rarely required.
Starting too lateReadiness for a contractor starting from scratch is usually 12–18 months. Waiting until the clause hits the solicitation is too late.
Next Steps
Four steps from here01CMMC Scoping CallFree 30-minute call. We confirm the level you need, the contracts in play, and whether BRITECITY is a fit (Level 1 or Level 2) or whether you need a referral (Level 3).
02Paid Readiness AssessmentFixed-fee engagement. We document your current SPRS score, scope the CUI environment, and produce a written remediation plan with effort and timeline.
03Remediation EngagementBillable IT engagement at our standard rate. Level 1 = scoped project. Level 2 = co-delivered with the 3rd-party assessor.
04Assessment & CertificationLevel 1 self-attestation submitted to SPRS, or C3PAO assessment scheduled and supported through award.
Book a CMMC scoping call
britecity.com/book-a-call — 30 minutes, free, no commitment.
Prefer a printed handout? Download the walkthrough as a Word doc.
Make IT Easy
BRITECITY  ·  CMMC Compliance Walkthrough · 2026
1 / 14