CMMC & DFARS Compliance · Defense Contractors

The Boilerplate in Your Contract Is Enforceable Now

Defense contractors in Westchester and Fairfield County have had DFARS cybersecurity language in their contracts for years. Most treated it as background noise. Phase 2 enforcement is live — and the companies that assumed it was just language are the ones at risk today.

Assess Your CMMC Readiness
110
NIST SP 800-171 controls required for CMMC Level 2
72hr
window from discovery to report a cyber incident to DoD under DFARS 252.204-7012
Phase 2
enforcement is active — C3PAO assessments required

The Story Most Defense Contractors Are Living

It started with a DFARS clause — 252.204-7012 — buried in a contract. Your legal team reviewed it, flagged it as a cybersecurity requirement, and assumed IT was handling it. IT saw the language and assumed legal had signed off on it. Nobody built the System Security Plan. Nobody ran a gap assessment against the 110 NIST SP 800-171 controls. The Plan of Action & Milestones document existed as a placeholder.

This is not a small-company problem. It’s a communication problem, and it’s endemic across the Defense Industrial Base. The companies that are most exposed aren’t the ones who ignored CMMC — they’re the ones who assumed someone else was managing it.

What CMMC Actually Is

The Cybersecurity Maturity Model Certification is the Department of Defense’s framework for verifying that defense contractors can adequately protect Controlled Unclassified Information — the technical, acquisition, and operational data that flows through the supply chain. CMMC Level 2, which applies to most CUI handlers, maps directly to the 110 controls in NIST SP 800-171.

DFARS clause 252.204-7012 has required contractors to implement NIST SP 800-171 since the end of 2017. What changed with CMMC is the verification mechanism: instead of self-attestation (which produced the current state of widespread non-compliance), Level 2 contracts involving CUI now require a Certified Third-Party Assessment Organization, a C3PAO, to verify your controls independently before certification is granted. A narrower set of Level 2 contracts still allows self-assessment, but the solicitation decides which track applies, not the contractor.

You can’t pass a C3PAO assessment by building controls the week before. Assessors examine, interview, and test: they want evidence that each control is implemented, documented, and actually operating in your environment, not a policy written the month before with nothing behind it. The preparation work takes months, sometimes longer, depending on where your environment starts.

What Happens to Contracts

The consequences of non-compliance operate at two levels. First, new DoD contracts that require CMMC Level 2 certification will require demonstrated certification before award. If you’re bidding on those contracts without certification, you’re not competitive.

Second, and more immediately: prime contractors are flowing down CMMC requirements to their subcontractors. If you’re in the supply chain as a sub — providing components, services, engineering, logistics — the prime may require proof of CMMC compliance before continuing the relationship. Some primes are already issuing notices. The cascading effect through the DIB is moving faster than most subs anticipated.

The Path to C3PAO Certification

CMMC Level 2 certification isn’t a single event — it’s a process that runs from honest assessment through third-party verification. Here’s what that path looks like.

Pre-Assessment

Review current environment, identify CUI flows, confirm scope of assessment

Gap Analysis

Map existing controls against all 110 NIST SP 800-171 requirements; document deficiencies in a POAM

Remediation

Implement missing controls, build documentation, complete the System Security Plan

C3PAO Assessment

Third-party certified assessor independently verifies all 110 controls against your live environment

Certification

CMMC Level 2 certificate issued; result recorded in DoD’s Supplier Performance Risk System (SPRS); contract eligibility confirmed

What Working with PCI on CMMC Actually Looks Like

We’re not a compliance consulting firm that hands you a spreadsheet and disappears. We work inside your environment — the Microsoft 365 tenant, the endpoint fleet, the network infrastructure — because that’s where the controls live. Documentation without working controls doesn’t pass a C3PAO assessment.

Our process starts with an honest gap analysis. We map your current environment against all 110 NIST SP 800-171 controls, identify what’s in place and what’s missing, and build a realistic remediation timeline. Then we build — implementing the controls, writing the System Security Plan, completing the POAM entries, and getting the environment into the state an assessor needs to see.

Most of our CMMC clients discover during assessment preparation that they have more in place than they thought, plus a few specific gaps that need focused work. The gap analysis rarely produces the catastrophic picture contractors fear. It produces a workable list.

When the C3PAO comes in, we’re available to support the assessment process — answering technical questions, producing evidence, explaining control implementations. We’ve been through enough of these to know what assessors are looking for and how to demonstrate it clearly.

CMMC Questions Defense Contractors Ask Us

Who is required to certify under CMMC?

Any defense contractor or subcontractor that handles Controlled Unclassified Information under a DoD contract is in scope. If your contracts contain DFARS clause 252.204-7012, you are looking at CMMC Level 2 — 110 controls from NIST SP 800-171, verified by a third-party C3PAO assessor.

When does CMMC enforcement actually start?

Phase 2 is live now. The DoD is flowing CMMC requirements into new contracts on a rolling basis, and prime contractors are flowing them down to subcontractors ahead of contract awards. The companies most at risk are subs who assumed the deadline applied to someone else.

Can our current IT provider handle CMMC for us?

Most managed IT providers can run the tools that map to CMMC controls. Far fewer can own the documentation, the System Security Plan, and the C3PAO assessment process. That gap is where most contractors discover they need a specialist.

How long does CMMC certification take?

From honest gap analysis to certification, six to twelve months is typical for a company that has reasonable baseline security in place. Longer if the environment is starting from a weak posture. The evidence an assessor needs cannot be compressed: controls must be operational and generating artifacts (logs, reviews, training records, change approvals), not just documented.

What does CMMC certification cost?

Costs fall into three buckets: remediation work to close control gaps, the C3PAO assessment itself, and ongoing maintenance. The gap analysis is the only way to give a real number. Round estimates without an environment review are not useful for planning.

Find Out Where You Actually Stand

A CMMC gap analysis gives you a clear picture of what’s in place, what’s missing, and how long remediation realistically takes. That’s the right starting point — not a guess.

Start a Gap Analysis Conversation