Defense Cybersecurity Framework

CMMC

The Cybersecurity Maturity Model Certification is the US Department of Defense's mandatory cybersecurity standard for defense contractors.

What You Need to Know

CMMC 2.0 establishes three certification levels for organizations in the Defense Industrial Base (DIB). Level 1 covers basic cyber hygiene — 17 practices aligned to FAR 52.204-21. Level 2 mirrors NIST SP 800-171's 110 practices, required for contractors handling Controlled Unclassified Information (CUI). Level 3 adds 24 practices from NIST SP 800-172, applying to contractors on the most critical DoD programs. CMMC 2.0 rulemaking completed in late 2024, making certification mandatory for DoD contract solicitations.

The shift from CMMC 1.0 to CMMC 2.0 eliminated the intermediate maturity levels but retained the third-party assessment requirement for Level 2 and above. Level 2 contractors must be assessed by a CMMC Third Party Assessment Organization (C3PAO) — self-attestation alone is insufficient for most DoD contracts. The assessment evaluates not just whether controls exist, but whether they are implemented, documented, and producing evidence of ongoing operation.

CMMC compliance is primarily an engineering problem, not a policy problem. The 110 NIST SP 800-171 controls that define Level 2 include multi-factor authentication, encryption requirements, audit log retention, incident response capabilities, configuration management, and system and communications protection. These must be implemented in the system architecture and evidenced through operational data — not described in policies that engineers ignore.

How We Handle It

We build CMMC Level 2 compliance into defense contractor systems from the initial architecture decision — selecting GovCloud infrastructure, enforcing FIPS 140 cryptography automatically, implementing CUI handling boundaries in the system design, and generating the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as system artifacts. Our teams understand the C3PAO assessment process and build evidence generation into the deployment pipeline.
