From initial gap assessment through Level 2 or Level 3 certification — Cleared Systems gets defense contractors assessment-ready and keeps them there.
No CMMC certification, no contract. The Department of Defense has been clear: organizations handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) on DoD contracts must be certified under the appropriate CMMC level. The implementation timeline isn't speculative anymore — clauses are flowing into solicitations, primes are pushing requirements down, and assessments are happening.
Cleared Systems works with prime contractors and subcontractors across the Defense Industrial Base to reach CMMC certification on their actual contract timeline, and to maintain certification once it's achieved. We've helped organizations move from CMMC-unaware to assessment-ready. We've helped others remediate after a failed assessment. We've stood alongside our clients during C3PAO engagements. The work is hard, but it's well-defined — and we know exactly where most organizations stumble.
What is CMMC, CUI & DFARS Compliance?
The Cybersecurity Maturity Model Certification (CMMC) program is the DoD's framework for verifying that contractors handling federal contract information and controlled unclassified information are doing so securely. CMMC 2.0 has three levels:
- Level 1 (Foundational): 17 basic safeguarding practices, self-attested annually. Required for organizations handling FCI but not CUI.
- Level 2 (Advanced): All 110 controls in NIST SP 800-171 rev. 2. Required for organizations handling CUI on DoD contracts. Most contracts requiring CUI handling will require third-party assessment by a C3PAO.
- Level 3 (Expert): NIST 800-171 plus a subset of NIST 800-172 controls. Required for the most sensitive DoD work and assessed by the government directly.
DFARS 252.204-7012 has been in effect for years, requiring covered contractors to implement NIST 800-171 controls, report incidents to DC3, and flow obligations to subcontractors. DFARS 252.204-7019 and -7020 added the requirement to submit and maintain a current NIST 800-171 self-assessment score in SPRS. DFARS 252.204-7021 is the CMMC clause itself.
The program these regulations create is interlocking. NIST 800-171 is the technical control set. SPRS is the score reporting venue. DFARS 7012 is the contractual incident reporting and flow-down requirement. CMMC is the third-party verification regime that ties it all together. We work in all of it.
Why You Need This Service
The pressures are concrete and quantifiable:
CMMC is contractually required. Organizations responding to solicitations with CMMC clauses must have certification at the required level before contract award. There's no waiver process. There's no grace period after the clause shows up. Without the certificate, you're disqualified.
Your SPRS score is visible. Primes can see your SPRS score before they award subcontracts. A low or absent score is a competitive disadvantage that increasingly weighs on prime selection decisions.
DFARS 7012 obligations have teeth. DC3 incident reporting, the 72-hour rule, and the requirement to provide DCMA access during incident investigation are all enforceable contract terms. Organizations that haven't operationalized them are exposed every day they continue to handle CUI.
Primes are flowing requirements down hard. If you supply to a prime that's preparing for CMMC, expect requests for your SPRS score, your SSP, your POA&M, and increasingly direct attestations of CMMC readiness. Subcontractor flow-down is no longer a "later" problem.
C3PAO availability is constrained. The pool of authorized C3PAOs is much smaller than the population of organizations that will need assessment. Booking an assessment six months ahead of when you'll be ready is increasingly common — and that means readiness work has to be scoped now, not when the contract clause hits.
Failed assessments are expensive. A failed CMMC assessment isn't a "try again next month" situation. The remediation, re-evidence, and reschedule costs run well into six figures, and the contract you were trying to win is gone. Doing it right the first time costs less.
What We Deliver
A typical CMMC, CUI & DFARS engagement spans gap assessment through certification and into ongoing sustainment:
- A scoped CUI boundary that defines exactly what's in assessment scope, what's segmented out, and the rationale for both
- A NIST 800-171 gap assessment with findings at the control level — implemented, partial, planned, or not implemented
- A Plan of Action and Milestones (POA&M) the assessor will accept, with realistic remediation timelines and effort estimates
- A System Security Plan (SSP) that accurately describes your system, controls, inheritance, and shared responsibility model
- A current and defensible SPRS score, with documentation supporting the score on file
- Technical control implementation guidance — including identity and access management, encryption at rest and in transit, multifactor authentication, audit logging, incident response, and continuous monitoring
- Cloud architecture review for organizations using GCC High, AWS GovCloud, or hybrid environments — the inheritance matrix matters, and getting it wrong loses controls you thought you had
- Policy and procedure development for all 110 controls, written so your team can execute them
- Workforce training on CUI handling, incident reporting, and DFARS 7012 obligations
- C3PAO selection support and assessment readiness, including mock assessments and evidence walk-throughs
- DFARS 7012 incident response support, including DC3 reporting protocols
- Sustainment work post-certification: change management, control re-validation, and re-assessment preparation
The deliverables are all designed to satisfy the C3PAO, not to look impressive. The standard isn't internal stakeholder approval — it's whether the assessment passes.
Frameworks and Standards We Work In
CMMC 2.0 (Levels 1, 2, and 3), NIST SP 800-171 rev. 2 and rev. 3, NIST SP 800-172 (Level 3 enhanced controls), DFARS 252.204-7012/7019/7020/7021, FAR 52.204-21 (Basic Safeguarding for FCI), 32 CFR Part 2002 (CUI program implementation), DoDI 5200.48 (DoD CUI program), SPRS (Supplier Performance Risk System), and DC3 incident reporting protocols.
Who This Is For
This service is built for defense prime contractors and subcontractors, aerospace companies in the DIB supply chain, precision manufacturers handling controlled technical data, and any organization that's been notified — through a contract clause, a prime flow-down request, or a customer compliance questionnaire — that CMMC certification is in their future. See the industries we serve for the broader regulatory context.
You'll get the most from this engagement if you can name your target CMMC level, your contract timeline, and your current state. If you can't, the gap assessment is the right place to start — it produces the answers to those questions.
How We Engage
CMMC work is the canonical retainer engagement. The path from gap assessment to certification typically runs nine to eighteen months, and certification isn't the end — it's the point at which sustainment becomes the main work. Cleared Systems engages on retainer by default — see how we engage — with project-scoped readiness assessments available as the entry point.
CMMC engagements frequently pair with ITAR & Export Controls Compliance when CUI overlaps with export-controlled technical data, with Compliance Program Development when the program work extends beyond NIST 800-171, and with Regulatory vCISO Services when the organization needs senior leadership ownership of the program. Request a quote for a CMMC engagement and we'll scope readiness work against your contract timeline.
Common Questions
What CMMC level do we need?
Driven by the data you'll handle on the contract. FCI-only contracts are typically Level 1. Contracts handling CUI are typically Level 2 with C3PAO assessment. The most sensitive DoD work is Level 3. The contract clause and the CUI marking determine the requirement — not the contractor's preference.
How long does it take to get from where we are to certified?
Driven by your current state. A small contractor with mature IT and tight CUI scope can reach Level 2 readiness in 4–6 months. A mid-sized organization with sprawling shadow IT and undefined data flows often needs 9–12 months before it's ready for a C3PAO. Add 1–4 months for assessment scheduling and execution.
Can we self-assess at Level 2?
A small subset of Level 2 contracts allow self-assessment. Most require C3PAO third-party assessment. The contracting officer determines which applies based on the data and contract type.
What's the cost of a C3PAO assessment?
Varies widely based on environment size, complexity, and assessment scope. Quotes typically run from the low five figures for small focused environments to mid-six figures for large, complex ones. We help clients select an appropriate C3PAO and prepare a scope that doesn't run up unnecessary cost.
What if we fail the assessment?
You enter a remediation period and re-test. Failed controls become POA&M items with bounded remediation timelines. The contract impact depends on the contract terms — some allow conditional certification, some don't. Failure is recoverable, but expensive in time and money. Better to be ready going in.
We use GCC High or AWS GovCloud — does that mean we're done?
No. Cloud authorization gets you a meaningful set of inherited controls, but the inheritance matrix is detailed and full of gotchas. Many organizations assume more inheritance than they actually have, and the C3PAO will catch the gap. We routinely correct cloud inheritance assumptions during gap assessment.
Get to Assessment-Ready
The CMMC clauses aren't pausing for organizations that aren't ready. Request a quote for a CMMC, CUI, and DFARS engagement and we'll scope readiness work against your specific contract obligations and timeline.
