
CMMC 2.0 for Subcontractors: What It Is, What Level You're In, and What You Actually Have to Do

Published by Don's Tech Rescue  |  April 2026  |  8 min read

Who this article is for: This article covers CMMC 2.0 — a federal requirement that applies to contractors doing work for the Department of Defense or under a prime contractor that does. Most local plumbing, HVAC, electrical, and general contractors in western PA are not in this category. If you're not sure whether it applies to your work, start with the free assessment — that's the right place to figure it out. If you are doing federal or defense-adjacent work, read on.


If you're a subcontractor doing work for the Department of Defense — or working under a general contractor who does — you've probably heard "CMMC" mentioned at least once in the last year or two. Maybe your GC told you it was coming. Maybe you got a clause stuffed into a contract and didn't know what it meant. Maybe you Googled it and walked away more confused than when you started.

That's what this is for. No government-speak. No consulting firm trying to scare you into a six-figure engagement. Just what you need to know — who it applies to, what level probably applies to you, and what steps you actually have to take.

What CMMC Is (in Plain Language)

CMMC stands for Cybersecurity Maturity Model Certification. The Department of Defense created it because too many contractors — and their subcontractors — were handling sensitive government information with zero documented security controls. Data was leaking. Supply chains were exposed. The DoD decided to stop taking people's word for it and start requiring proof.

CMMC 2.0 is the current version. It replaced the more complicated original framework and simplified it down to three levels. If you handle DoD contract work at any tier — meaning you're a subcontractor to a prime, or a sub-sub — this framework may apply to you.

The key phrase is may apply. It depends on what kind of information touches your business.

The Two Types of Information That Matter

Before you can figure out your level, you need to understand the difference between two categories of government information:

FCI — Federal Contract Information. This is information the government provides or generates under a contract. Work orders, specs, drawings, communications related to government work. If you're doing any kind of federal contract work, you're almost certainly touching FCI.

CUI — Controlled Unclassified Information. This is a step up. CUI is sensitive information the government has designated for protection — things like export-controlled technical data, law enforcement info, certain design specifications. Not every contractor handles CUI, but plenty of subs do without fully realizing it.

Which one you handle determines your level.


The Three Levels — and Which One Is Probably Yours

Level 1: Foundational

You handle FCI but not CUI. This is the baseline. Seventeen security practices pulled directly from FAR 52.204-19. Basic stuff: control who has access to your systems, identify which systems touch federal information, use antivirus, manage your passwords. Annual self-assessment required. No third-party auditor.

Level 2: Advanced

You handle CUI. This is where most subcontractors in the defense supply chain land. One hundred ten security practices aligned to NIST SP 800-171. If your contract involves any kind of sensitive technical information — designs, materials, project specs marked as controlled — you're here. Level 2 requires either an annual self-assessment or a third-party assessment depending on the criticality of the program. The DoD decides which.

Level 3: Expert

You handle CUI on high-priority programs. One hundred thirty-four practices, government-led assessment, NIST SP 800-172 as the baseline. If you're at this level, you already know it. This doesn't apply to most trades and construction subcontractors.

The practical answer for most construction subs: You're probably Level 1 or Level 2. If your work is tied to a federal construction project — a base, a federal facility, infrastructure — and you're receiving specs, drawings, or communications that carry any kind of CUI marking, you're Level 2.

When This Actually Takes Effect

CMMC 2.0 is being phased in through DoD contracts starting in 2025 and ramping through 2026. It won't appear in every contract immediately, but the rollout is real and it's moving. Your prime contractors are already being asked to flow CMMC requirements down through their supply chains. That means clauses showing up in your subcontracts.

If you're bidding on federal work — or working under someone who is — the question isn't whether CMMC will hit your contracts. It's when.


What You Actually Have to Do at Level 1

Level 1 is achievable without a compliance program or a full-time IT department. It's seventeen controls. Here's what they amount to in plain language:

Annual self-assessment means you document that you've done these things. No auditor shows up. You affirm compliance in a government system called SPRS.

What You Actually Have to Do at Level 2

Level 2 is more involved. One hundred ten controls sounds like a lot because it is. But they're organized into seventeen domains — things like access control, incident response, media protection, system and communications protection — and most of the controls build on practices you may already have in place or should have regardless of compliance requirements.

The realistic approach is a gap assessment first. You look at where you stand today against the 110 controls and identify what's missing. Then you build a System Security Plan (SSP) that documents your environment and your controls, and a Plan of Action and Milestones (POA&M) that maps out how you'll close the gaps.

If a third-party assessment is required for your program, you work with a C3PAO — a certified third-party assessment organization — who validates your controls and submits the results.

The timeline to get from zero to compliant at Level 2 is typically six to twelve months for a small business that starts organized and moves with purpose. It's longer if you're starting with no documentation, no security tooling, and no one who knows what NIST 800-171 means.


The Thing Most Subs Get Wrong

They wait.

The prime gets certified. The contract clause shows up. The prime tells the sub they need to be compliant. The sub has ninety days and no plan.

CMMC compliance isn't something you do in a sprint. The documentation alone takes time. Getting your tooling in place takes time. If a third-party assessment is required, scheduling one takes time — C3PAOs are busy and that's not changing.

The subs who will handle this without disruption are the ones who started now, while there's still runway.

How We Help

CMMC advisory is part of our Growth and Enterprise service tiers at Don's Tech Rescue. For construction and trades businesses in the DoD supply chain, that means:

If you're not sure which level applies to your contracts, that's exactly the kind of question we answer in a free technology assessment. No cost. No commitment. You'll walk away knowing where you stand and what it takes to get there.

Not sure which CMMC level applies to you? Schedule your free technology assessment at donstechrescue.com or call 412-974-2663. No cost. No commitment. You'll walk away knowing where you stand.
