CMMC compliance has moved from a future concern to a current contract issue. The Department of Defense began phased CMMC implementation on November 10, 2025, and Phase 1 runs through November 9, 2026, with a primary focus on Level 1 and Level 2 self-assessments. More importantly, when a solicitation includes CMMC requirements, contractors must meet those requirements before award.
That matters in Southern California. California remains a major aerospace and defense state, and Los Angeles County continues to treat aerospace and defense as a priority industry in its workforce and economic development efforts. For local manufacturers, engineering firms, integrators, and subcontractors, CMMC compliance is now tied directly to revenue protection, bid eligibility, and customer trust.
What CMMC Compliance Actually Means
Many companies still treat CMMC compliance like a paperwork project. That is a mistake. In practice, CMMC is the framework the DoD uses to verify that contractors protect the information they handle at the level a contract requires. The model has three levels. Level 1 covers the basic safeguarding requirements for Federal Contract Information (FCI). Level 2 covers the 110 security requirements in NIST SP 800-171 Rev. 2 for protecting Controlled Unclassified Information (CUI). Level 3 builds on that foundation with additional requirements derived from NIST SP 800-172 for selected high-priority programs.
That structure is exactly why many businesses get tripped up. They know they need “CMMC compliance,” but they have not confirmed what kind of data they handle, which systems are actually in scope, or which assessment path applies to them. As a result, they buy tools too early, write policies too late, and walk into assessments with gaps they could have avoided.
Why Many Contractors Struggle With CMMC Compliance
The biggest problem is not usually awareness. It is execution.
Some companies still rely on scattered spreadsheets, tribal knowledge, and half-finished policy documents. Others assume a clean Microsoft 365 setup, a firewall refresh, or an endpoint tool is enough. It is not. CMMC compliance depends on whether your organization can prove that required controls are implemented, operating, and backed by evidence.
That means you need more than security products. You need a defined scope, assigned ownership, written policies, technical configurations, access reviews, incident response procedures, backup validation, user training records, and documentation that matches what your environment actually does. If those pieces do not line up, your compliance story falls apart fast.
Start With Scope Before You Touch Anything Else
The smartest CMMC compliance projects begin with scope. Before you rewrite policies or buy another security tool, determine exactly where FCI or CUI is processed, stored, or transmitted. Then identify the users, devices, cloud services, servers, business units, and third parties that touch that data.
This is where many small and midsize contractors lose time. They let CUI spread across shared mailboxes, general file shares, unmanaged laptops, and vendor platforms, and by the time assessment arrives the scope has ballooned. Costs rise, remediation drags on, and leadership starts treating compliance like an emergency.
A better approach is to reduce the attack surface early. Limit where sensitive data lives. Standardize devices. Tighten identities. Lock down remote access. Clean up stale accounts. Segment systems where it makes sense. Good scoping does not just help you pass an assessment. It also makes the whole environment easier to secure and support. Strong data governance also supports broader privacy obligations under CCPA compliance. The same discipline strengthens uptime and coordination in IT support for construction environments.
Evidence Wins Assessments
At Level 2, the standard maps to the 110 NIST SP 800-171 Rev. 2 requirements, and the assessment guidance makes clear that organizations need to show evidence through examination, interviews, and testing. In other words, assessors are not grading your intentions. They are evaluating what is actually in place.
That is why mature CMMC compliance programs build evidence as they go. Policies should match technical reality. Procedures should show who does what and when. Logs should support control operation. Screenshots, system settings, ticket records, training logs, vulnerability remediation records, and backup test results should all tell the same story.
If your written standards say multi-factor authentication is enforced everywhere, but one legacy remote access path still bypasses it, that mismatch becomes a finding. If your incident response policy says events are escalated within defined timelines, but nobody can produce the tickets or reports that prove it, that is another finding. CMMC compliance rewards consistency between what is written and what is running.
Assessments, Affirmations, and the Details That Get Missed
Another point companies overlook is that not every contractor follows the exact same assessment route. For Level 1, contractors perform an annual self-assessment and submit an affirmation in SPRS. For Level 2, the solicitation determines whether the organization needs a self-assessment or an independent assessment by an authorized C3PAO, and annual affirmations still apply. Contractors also need to flow required CMMC obligations down to relevant subcontractors.
There is limited room for remediation after an assessment, but it is not a free pass. The DoD says POA&Ms are not allowed for Level 1, and where a conditional status with a POA&M is permitted, a closeout assessment must confirm closure within 180 days or the conditional status expires.
That is why waiting for an RFP is a bad strategy. By the time a prime asks for proof, you should already know your scope, your required level, your evidence gaps, and your remediation path.