CMMC 2.0 Readiness
DoD supply chain compliance for defense contractors and subcontractors.
The CMMC 2.0 reality
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program covers defense contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The CMMC Program rule (32 CFR Part 170) was finalized in late 2024, and DoD contracts are phasing in CMMC requirements over multiple years following the DFARS contractual rule. For most defense suppliers, certification will be a contract-or-no-contract issue once it appears in their solicitations.
The three levels
- Level 1: Annual self-attestation against 17 basic safeguarding requirements from FAR 52.204-21. Covers FCI only.
- Level 2: Triennial third-party assessment against the 110 controls in NIST SP 800-171. Covers CUI. This is where most of the defense supply chain lands.
- Level 3: Government assessment against 110 NIST 800-171 controls plus a subset of NIST 800-172 enhanced requirements. Covers high-value programs.
VALO's role and the C3PAO's role
VALO is not a Certified Third Party Assessor Organization (C3PAO). We don't issue CMMC certifications — that's a separate, independent function under the Cyber AB. We do everything that comes before the C3PAO arrives: gap analysis against NIST 800-171, System Security Plan (SSP) development, Plan of Action and Milestones (POA&M) creation, control implementation guidance, evidence package preparation, and pre-assessment readiness reviews.
When you engage a C3PAO for the actual certification assessment, we support the assessment process and respond to any findings.
What VALO delivers
- NIST 800-171 gap assessment with documented evidence of current state
- System Security Plan (SSP) development and maintenance
- Plan of Action and Milestones (POA&M) development with realistic remediation timelines
- Control implementation guidance for the 110 NIST 800-171 controls
- CUI scoping and boundary definition
- CMMC scoping document
- Pre-assessment readiness review
- C3PAO selection support
Realistic timelines
For a defense contractor starting from a typical SMB security posture, CMMC Level 2 readiness is a 6 to 18 month engagement, depending on how much remediation is required. Most clients underestimate. Plan accordingly and don't wait until your contract requires certification to start.
Who this is for
DoD prime contractors and subcontractors handling Controlled Unclassified Information. Most relevant in DFW for Lockheed Martin Fort Worth and Grand Prairie suppliers, Bell Textron suppliers, and the broader regional defense supply chain. Also relevant for SaaS and cloud service providers whose customers are CMMC-regulated.
Schedule a CMMC scoping conversation.
We'll identify your CUI boundary, assess your current NIST 800-171 posture, and map a realistic path to Level 2 readiness.