
CMMC Level 2 Certification Requirements for DoD Suppliers Handling CUI
Effective November 10, 2025, the U.S. Department of Defense (DoD) mandates that all contractors and subcontractors who process, store, or transmit Controlled Unclassified Information (CUI) must achieve Cybersecurity Maturity Model Certification (CMMC) Level 2 to be eligible for new contract awards.
CMMC Level 2 aligns with the full implementation of NIST SP 800-171 Rev. 2, encompassing 110 security requirements across 14 control families, including:
• Access Control (AC)
• Audit and Accountability (AU)
• Incident Response (IR)
• System and Communications Protection (SC)
• Configuration Management (CM)
• Risk Assessment (RA)
• …and others critical to safeguarding CUI
Certification Requirements:
• Third-Party Assessment: Organizations must undergo a formal assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB. Self-assessments are not accepted at Level 2.
• Assessment Scope: The assessment must cover all applicable assets within the CUI environment, including enclave boundaries, policies, procedures, and technical implementations.
• Certification Validity: Once granted, certification is valid for three years, with potential for interim surveillance or spot checks.
• Contractual Flowdown: Prime contractors must ensure that all applicable subcontractors handling CUI also achieve Level 2 certification.
FY Consulting provides end-to-end support for CMMC Level 2 readiness, including:
• Gap analysis against NIST SP 800-171
• System Security Plan (SSP) and Plan of Action & Milestones (POA&M) development
• Policy and procedure creation
• Technical control implementation guidance
• Pre-assessment readiness reviews
We help defense suppliers navigate the complexities of CMMC with precision, ensuring audit readiness and long-term compliance.
For additional information, email frank@fyconsulting.com or call 908-875-7466.