If your business supplies products, services, or technology to the Department of Defense, the rules have changed. The Cybersecurity Maturity Model Certification (CMMC) program is no longer a future requirement or a pilot initiative. It is the active framework that determines whether your company can continue to win and perform DoD contracts. For the thousands of defense contractors and subcontractors in the Dayton region, many of whom supply Wright-Patterson Air Force Base directly or sit deeper in the defense supply chain, CMMC compliance is now a condition of doing business with the federal government.
The challenge for most small and mid-sized contractors is figuring out what CMMC actually requires, which level applies to them, and how to close the gaps in their current cybersecurity posture without spending a fortune or stalling their operations. This is particularly urgent in the Dayton area, where the concentration of aerospace suppliers, engineering firms, manufacturers, IT service providers, and research organizations tied to Wright-Patterson creates one of the densest defense industrial base clusters in the country. A failure to achieve CMMC compliance can mean losing contracts that have been the backbone of your business for years. This guide walks through what CMMC 2.0 actually requires, how to determine your level, and what a practical path to certification looks like for contractors without an in-house security team.
Why CMMC Exists and Why It Matters Now
The Department of Defense has spent years watching its supply chain get compromised. Adversaries, including nation-state actors, have systematically targeted defense contractors to steal controlled unclassified information (CUI) and intellectual property related to weapons systems, research programs, and military technology. The economic and strategic impact of these breaches has been significant, and DoD concluded that voluntary compliance with existing cybersecurity requirements was not working.
CMMC is the response to that failure. It takes the security controls that contractors were already required to implement under DFARS 252.204-7012 and NIST SP 800-171 and adds a mandatory third-party assessment process that verifies compliance before contract award. The self-attestation model of the past is gone. Going forward, contractors handling sensitive federal information must demonstrate through documentation, evidence, and independent assessment that they are meeting the required standards.
The CMMC 2.0 final rule was published in late 2024, and phased implementation began in 2025. By the time full rollout completes, every DoD contract involving federal contract information (FCI) or controlled unclassified information (CUI) will include a CMMC requirement at the appropriate level. Contractors who cannot meet that requirement will not be eligible for award. For Dayton-area businesses whose revenue depends on defense work, the timeline is not hypothetical. It is happening now.
Understanding the Three CMMC Levels
CMMC 2.0 defines three levels of compliance, each tied to the sensitivity of information the contractor handles. Understanding which level applies to your business is the first step in building a realistic compliance plan.
Level 1: Foundational
Level 1 applies to contractors who handle federal contract information (FCI) but do not handle CUI. FCI is information provided by or generated for the government under a contract that is not intended for public release, but it is less sensitive than CUI. Examples include internal contract communications, delivery schedules, and administrative information tied to a specific contract.
Level 1 requires implementation of 17 basic cybersecurity practices drawn from FAR 52.204-21. These are foundational controls like limiting system access to authorized users, identifying and authenticating users, sanitizing media before disposal, and maintaining physical security of systems. Level 1 compliance is verified through annual self-assessment, meaning contractors attest to their own compliance rather than undergoing a third-party audit.
For many small contractors supplying commercial off-the-shelf products or providing non-sensitive services, Level 1 will be the applicable standard. The 17 practices are manageable, and the self-assessment model keeps the compliance cost reasonable. That said, "self-assessment" is not the same as "optional." False attestations carry significant legal risk under the False Claims Act, and a contractor who certifies compliance without actually meeting the requirements is exposing themselves to whistleblower actions and federal enforcement.
Level 2: Advanced
Level 2 is where the majority of Dayton-area defense contractors will land. It applies to contractors handling CUI, which is broadly defined and includes technical data, engineering specifications, research information, and a wide range of other sensitive categories. If your business receives technical drawings, design documents, test results, or any information marked as CUI, you are almost certainly operating at Level 2.
Level 2 requires implementation of all 110 security controls from NIST SP 800-171 Revision 2. These controls span 14 families including access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. This is a significantly more demanding standard than Level 1, and for most contractors it represents a substantial lift from their current cybersecurity posture.
The assessment model at Level 2 depends on the contract. Some contracts allow self-assessment, but the majority of CUI-handling contracts require assessment by a CMMC Third-Party Assessment Organization (C3PAO) on a three-year cycle. C3PAO assessments are formal, evidence-based audits that examine whether your controls are properly implemented and documented. Passing a C3PAO assessment requires more than having the technology in place. It requires policies, procedures, training records, and the ability to demonstrate that your security program is operating as documented.
Level 3: Expert
Level 3 applies to contractors supporting the Department's highest-priority programs, typically those involving information that would cause severe damage to national security if compromised. It builds on the 110 NIST SP 800-171 controls and adds a subset of enhanced controls from NIST SP 800-172 focused on protecting against advanced persistent threats.
Level 3 assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by commercial C3PAOs. This level is rare and typically applies to prime contractors and critical technology suppliers rather than smaller subcontractors. If Level 3 is relevant to your business, you likely already know it because of your existing contract relationships and program exposure.
Why Dayton's Defense Ecosystem Makes CMMC Particularly Important
The Dayton metropolitan area occupies a unique position in the defense industrial base. Wright-Patterson Air Force Base is the headquarters of Air Force Materiel Command, the Air Force Life Cycle Management Center, the Air Force Research Laboratory, and numerous other organizations responsible for acquisition, research, development, and sustainment of Air Force systems. The economic gravity of Wright-Patterson has shaped an enormous ecosystem of suppliers, contractors, and service providers across the Dayton region and extending into Cincinnati, Columbus, and beyond.
That ecosystem includes defense-focused engineering firms, aerospace component manufacturers, IT service providers working on government programs, research organizations partnering with AFRL, software companies building tools for military users, logistics and supply chain companies, and professional services firms providing specialized support. What these businesses share is exposure to CMMC requirements, regardless of whether they think of themselves as traditional "defense contractors."
This is the trap many Dayton-area businesses fall into. A 30-person engineering firm that subcontracts to a prime on a Wright-Patterson program may not consider itself a defense contractor in the same sense as a Lockheed or a Raytheon. But if that firm handles CUI as part of its work, CMMC requirements flow down through the prime contract. Failure to comply does not just put the firm at risk. It puts the prime at risk, which means primes are actively auditing their subcontractors and removing non-compliant suppliers from their networks. Losing a prime relationship can mean losing 40, 60, or 80 percent of your revenue overnight.
Manufacturing companies supplying aerospace and defense primes face particular exposure because their shop-floor environments often contain CUI in the form of technical drawings, specifications, and test data. Protecting this information requires both traditional IT security and attention to the operational technology systems that interact with production workflows.
What NIST SP 800-171 Actually Requires
Because Level 2 applies to most contractors handling CUI, and because Level 2 compliance is built on NIST SP 800-171, understanding what 800-171 requires is central to any CMMC preparation effort. The 110 controls cover 14 families, but they can be grouped into themes that make the scope easier to understand.
Access control means ensuring that only authorized users and systems can reach CUI. This includes unique user accounts, role-based access, session management, and restrictions on remote access. Multi-factor authentication is required for privileged accounts and remote access, and network access must be limited to what each user actually needs to perform their job.
Audit and accountability requires logging of system events, protection of audit logs from tampering, and regular review of log data to identify suspicious activity. This is where many small contractors discover their existing IT environment is not capturing the information needed to demonstrate compliance. Comprehensive logging with 24/7 monitoring is typically necessary to meet this requirement.
Configuration management means controlling how systems are configured, preventing unauthorized changes, and maintaining documentation of approved configurations. This extends to managing software inventory, restricting installation of unauthorized applications, and ensuring that security settings are applied consistently across the environment.
Identification and authentication goes beyond basic username-and-password login. It requires unique credentials for every user, authentication of devices as well as users, enforcement of strong password policies, and protection of authentication credentials themselves. Password management tools and centralized identity management platforms are the practical way most contractors address this requirement.
Incident response requires having a documented plan for detecting, analyzing, containing, and recovering from security incidents. It also requires training, testing, and reporting of incidents to relevant authorities. This is an area where many contractors have gaps because they have never formalized what they would actually do if an incident occurred.
Media protection covers the handling of physical and digital media containing CUI. This includes sanitizing media before disposal or reuse, controlling access to media, and protecting media during transport. For contractors who receive technical data on physical media, this requirement has real operational implications.
Risk assessment requires periodic evaluation of security risks to organizational operations, assets, and individuals. The assessment must consider threats, vulnerabilities, and the potential impact of incidents. A comprehensive cybersecurity risk assessment conducted annually or after significant changes is typically the evidence assessors want to see.
System and communications protection addresses how information is protected as it moves across networks and between systems. Encryption of CUI in transit and at rest is required, and network boundaries must be defined and monitored. Firewall monitoring and management, together with encryption services, are foundational to meeting these controls.
System and information integrity requires protection against malware, monitoring of security alerts, and timely application of security patches. Managed endpoint detection and response, vulnerability scanning, and structured patch management processes are the core technical controls in this family.
The remaining families (awareness and training, maintenance, personnel security, physical protection, and security assessment) add further requirements but tend to be areas where contractors have existing practices that can be formalized rather than built from scratch.
The System Security Plan and Plan of Action and Milestones
Two documents sit at the center of CMMC Level 2 compliance: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). These are not optional artifacts. They are required deliverables that assessors will examine closely.
The System Security Plan describes your environment, how CUI flows through it, and how each of the 110 NIST SP 800-171 controls is implemented in your specific context. A good SSP is detailed, specific, and honest. It identifies your systems, your users, your data flows, and your security controls in enough depth that an outside assessor can understand how your security program actually works. Generic or templated SSPs that do not reflect your real environment are a red flag for assessors and a common reason contractors fail initial assessments.
The Plan of Action and Milestones documents any gaps between your current state and full compliance, along with the specific actions and timelines for closing those gaps. CMMC 2.0 allows limited use of POA&Ms for certain controls, meaning you can achieve conditional certification while you complete remediation work, but the rules around which controls are POA&M-eligible are strict. Most critical controls must be fully implemented before certification, and contractors who try to POA&M their way through foundational requirements will not pass assessment.
Producing accurate, thorough documentation is one of the most common pain points in CMMC preparation. Contractors often have security controls in place but lack the written policies, procedures, and evidence to demonstrate compliance. The time required to develop proper documentation is frequently underestimated, and businesses that wait until shortly before assessment to begin this work run out of runway.
The SPRS Score and Why It Matters
Even before formal CMMC assessment, DoD contractors handling CUI are required to submit a self-assessment score to the Supplier Performance Risk System (SPRS). The SPRS score is a numerical representation of your compliance with NIST SP 800-171 on a scale that can range from negative 203 to positive 110. A perfect score of 110 means every control is fully implemented. Scores below 110 reflect unimplemented controls, weighted by severity.
SPRS scores are visible to DoD contracting officers and prime contractors evaluating subcontractor cybersecurity posture. A low score does not automatically disqualify you from contracts, but it creates friction in the acquisition process and raises questions that contractors with higher scores do not have to answer. Primes increasingly use SPRS scores as a filter when selecting subcontractors, which means your score affects your competitiveness even before formal CMMC assessment enters the picture.
Accurate SPRS scoring requires the same rigor as the eventual CMMC assessment. Contractors who inflate their scores to appear more compliant are exposing themselves to False Claims Act liability if the actual state of their environment is later found to differ from what they reported. The right approach is to assess honestly, document the gaps, and build a credible plan to close them.
Practical Steps to CMMC Compliance
For a Dayton-area contractor starting the CMMC compliance journey without a dedicated security team, the path forward can feel overwhelming. Breaking it into sequential phases makes the work manageable.
Phase 1: Scope and determine applicability. Identify which of your contracts involve FCI or CUI, what level of CMMC applies, and which parts of your business are in scope. Not every system in your environment needs to handle CUI, and limiting scope to the systems that actually process, store, or transmit CUI can significantly reduce compliance burden. This is often called an enclave approach, and it can be a practical way to make compliance achievable without rebuilding your entire environment.
Phase 2: Conduct a gap assessment. Evaluate your current state against the applicable CMMC level using the NIST SP 800-171 assessment methodology (for Level 2). Identify which controls are fully implemented, partially implemented, or not implemented at all. This assessment should produce an accurate SPRS score and a clear list of gaps. A network security assessment conducted by a qualified provider can form the technical foundation of the gap analysis.
Phase 3: Build your remediation plan. For each gap, define the specific actions required to close it, the resources needed, and the timeline for completion. Prioritize controls that are prerequisites for other controls or that address the highest-risk gaps first. This plan becomes your internal roadmap and, in many cases, the basis for your formal POA&M.
Phase 4: Implement controls and produce documentation. Execute the remediation plan, deploying technical controls and developing the policies, procedures, and evidence that demonstrate compliance. This is typically the longest phase and the one where contractors benefit most from working with an experienced partner who has done this work before.
Phase 5: Internal readiness assessment. Before engaging a C3PAO, conduct a mock assessment to identify remaining gaps, test your documentation, and prepare your team for the formal assessment experience. Internal readiness assessment is not a regulatory requirement, but it significantly improves the likelihood of passing on the first attempt.
Phase 6: Formal CMMC assessment. Engage an authorized C3PAO, coordinate the assessment logistics, and undergo the formal evaluation. The assessment includes interviews, evidence review, and hands-on examination of your environment. Passing results in CMMC certification valid for three years, after which reassessment is required.
Phase 7: Ongoing compliance. CMMC is not a one-time project. Your environment will change, your workforce will turn over, and your threat landscape will evolve. Maintaining compliance between assessments requires continuous attention to controls, documentation, and security operations.
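As an added example (not part of this article or any Harbour Technology Consulting tool), the script below scores a constructed gap-assessment excerpt the way the SPRS score described earlier is derived, using the control weights of the NIST SP 800-171 DoD Assessment Methodology (1, 3 or 5 points deducted per unimplemented control, with partial credit only for 3.5.3 and 3.13.11), and orders the open gaps by points at stake as the raw material for the remediation plan and POA&M of Phases 2 and 3. The control titles are abbreviated and the statuses are invented for illustration.

```python
"""SPRS-style scorecard for a NIST SP 800-171 gap assessment.

Added example, not code from the article or its author. Scoring rule from
the NIST SP 800-171 DoD Assessment Methodology: start at 110 and subtract
each unimplemented control's weight (1, 3 or 5). Two controls, 3.5.3 (MFA)
and 3.13.11 (FIPS-validated crypto), earn partial credit: 3 points are
deducted instead of 5 when they are partly implemented. Any other control
marked "partial" scores as not implemented. Without a System Security Plan
no score can be produced at all.
"""
from dataclasses import dataclass

MAX_SCORE, MIN_SCORE = 110, -203          # full credit / every control missing
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction when partly implemented


@dataclass(frozen=True)
class Control:
    ident: str      # NIST SP 800-171 requirement number
    title: str      # abbreviated for the example
    weight: int     # 1, 3 or 5 per the DoD Assessment Methodology
    status: str     # "implemented", "partial" or "not_implemented"


def deduction(c: Control) -> int:
    """Points lost for this control under the methodology's rules."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.ident]
    return c.weight   # "partial" elsewhere counts as not implemented


def sprs_score(controls, ssp_exists=True) -> int:
    if not ssp_exists:
        raise ValueError("no System Security Plan: score cannot be produced")
    score = MAX_SCORE - sum(deduction(c) for c in controls)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_candidates(controls):
    """Open gaps ordered by points at stake, then by requirement number."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda c: (-deduction(c),
                                       tuple(int(p) for p in c.ident.split("."))))


# Constructed gap-assessment excerpt; controls not listed are assumed implemented.
SAMPLE = [
    Control("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Control("3.1.20", "Control connections to external systems", 1, "not_implemented"),
    Control("3.3.1", "Create and retain audit logs", 5, "not_implemented"),
    Control("3.5.3", "MFA for privileged and network access", 5, "partial"),
    Control("3.6.1", "Operational incident-handling capability", 5, "partial"),
    Control("3.8.3", "Sanitize media before disposal or reuse", 5, "implemented"),
    Control("3.11.1", "Periodically assess risk", 3, "implemented"),
    Control("3.13.8", "Encrypt CUI in transit", 3, "not_implemented"),
    Control("3.13.11", "FIPS-validated cryptography for CUI", 5, "partial"),
    Control("3.14.1", "Remediate flaws in a timely manner", 5, "not_implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for c in poam_candidates(SAMPLE):
        print(f"  -{deduction(c)}  {c.ident:8} {c.title}  [{c.status}]")
```

Note that 3.6.1 marked "partial" still costs the full 5 points: partial credit exists only for the two controls named in the methodology.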
Why Most Contractors Need a Partner
The reality for most Dayton-area defense contractors is that CMMC compliance cannot be achieved with internal resources alone. The combination of technical expertise, documentation effort, policy development, and ongoing security operations required is beyond what a 20-person or 50-person company can sustain internally. The question is not whether to engage outside help but how to engage it effectively.
A qualified managed services provider experienced in CMMC can fill the capability gap by providing the security controls, documentation support, and ongoing operations that compliance requires. The right partner understands NIST SP 800-171 deeply, has worked through CMMC preparations with multiple clients, and knows what assessors are looking for. They can help you scope your environment, identify gaps, implement controls, develop documentation, and maintain compliance between assessments.
What a managed services provider cannot do is grant you certification directly. CMMC assessment must be performed by an independent C3PAO, and your MSP cannot serve in that role. What a good MSP does is prepare you for assessment so thoroughly that passing becomes a predictable outcome rather than a hopeful gamble.
How Harbour Technology Consulting Supports Dayton-Area Defense Contractors
Harbour Technology Consulting has been serving businesses across the Dayton region since 2000, and our work with defense-adjacent contractors has given us direct experience with the cybersecurity requirements that CMMC formalizes. Based in Springboro, Ohio, we understand the Wright-Patterson ecosystem and the businesses that depend on it, and we have built our service model around the kind of layered, documented security that CMMC demands.
Our managed IT and cybersecurity services provide the foundational technical controls that NIST SP 800-171 requires: managed endpoint detection and response, multi-factor authentication, firewall management, 24/7 monitoring, patch management, encryption, backup and disaster recovery, and comprehensive logging. We combine these controls with the documentation, policy development, and risk assessment support that contractors need to build a complete compliance program.
If your business handles DoD contracts and you are not sure where you stand with CMMC requirements, or if you have tried to navigate the framework internally and realized you need help, contact our team for a candid conversation about your situation. We will help you determine which level applies, assess your current posture, and outline a realistic path to compliance that fits your timeline and budget. The contracts you have worked to win are worth protecting, and the work to keep them is achievable with the right preparation.