CMMC 2.0 is enforceable. Contracts are being lost to it.
DoD began phasing CMMC requirements into contracts in 2025. Full rollout runs through 2028. Contracts now reference CMMC levels at bid time. Subcontractors need to match the prime's level when CUI flows downstream. The days of DFARS 252.204-7012 self-attestation being enough are ending. If you are reading this and your CMMC readiness work has not started, you are already behind.
Who we work with
Prime contractors
Primes and major subcontractors with substantial CUI operations. Engagements include CUI enclave architecture review, tenant isolation in cloud services, FedRAMP Moderate equivalence validation for cloud CUI, and supply chain risk management.
Subcontractors and mid-tier DIB suppliers
Companies that receive CUI flowdown from primes but do not handle CUI across their entire operation. The most valuable engagement is tight CUI scoping — minimizing the boundary reduces the cost of both the controls and the audit.
Specialty manufacturers and engineering firms
Companies whose work (engineering drawings, machining, composite fabrication, avionics integration) produces CUI outputs. We assess the physical and logical controls around CUI handling in engineering and manufacturing environments.
Defense technology startups
Early-stage defense-adjacent companies (satellite, UAV, autonomy, AI/ML for defense, cyber products) who need CMMC to bid on SBIR Phase II/III, AFWERX, or direct DoD contracts.
Services for DIB clients
- CMMC 2.0 Readiness Assessment — full Level 2 or Level 3 preparation
- NIST 800-171 Rev. 2 gap assessment and remediation
- System Security Plan (SSP) development and review
- Plan of Action and Milestones (POA&M) advisory
- Penetration testing of CUI-handling systems
- CUI enclave architecture design review
- FedRAMP Moderate / GCC High cloud posture review
- C3PAO selection advisory and pre-audit coordination
- Supply chain risk management per DFARS 252.204-7020
The Connecticut and Texas defense ecosystem
Connecticut
- Electric Boat (Groton) — submarine construction, thousands of CT suppliers
- Sikorsky (Stratford) — rotorcraft, CT supplier network
- Pratt & Whitney (East Hartford) — engines, deep CT industrial base integration
- RTX (multiple CT locations) — Raytheon subsidiaries
Dallas-Fort Worth
- Lockheed Martin (Fort Worth) — F-35 production, deep TX supplier network
- Bell Flight (Fort Worth) — rotorcraft and tiltrotor
- L3Harris (DFW operations) — electronic warfare, communications
- Elbit Systems of America (Fort Worth) — defense electronics
Common gotchas in CMMC readiness
CUI scope too broad
The single biggest cost lever. If CUI is on every workstation, every network, every cloud tenant, the entire environment is in scope. A well-designed enclave reduces cost by 50-80%.
Using cloud services that are not FedRAMP compliant
DFARS 252.204-7012 requires that CUI stored or processed in cloud services meet the FedRAMP Moderate baseline. Default Microsoft 365 and Google Workspace do not qualify. GCC High, AWS GovCloud, and Google Workspace for Government are the compliant options. Migrating CUI out of a non-compliant cloud after the fact is often painful.
POA&M abuse
CMMC 2.0 allows a limited number of POA&M items at Level 2. Not every practice is eligible to be a POA&M item. Relying on the POA&M to defer multiple controls does not pass C3PAO assessment.
SSP that does not match reality
The SSP is the first document the C3PAO reads. An SSP that describes controls that are not actually implemented fails assessment. Our engagement produces SSPs that accurately reflect what exists and what is operating.
