CMMC cybersecurity built for small DoD manufacturers.
The 110 NIST SP 800-171 controls, an SSP and POAM your C3PAO will accept, and the day-to-day security operation behind it — at a price point small job shops can actually run. We're not a C3PAO; we're the partner that gets you to the certificate and keeps you there.
Why Now
CMMC 2.0 is no longer hypothetical. It's in contracts now.
DoD published the CMMC 2.0 rule (32 CFR Part 170) in October 2024 and it took effect in December 2024. Through 2025 the companion DFARS clause began appearing in new solicitations and renewals under a phased rollout. By the end of that phase-in in 2028, every DoD contract that involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will require assessment or certification at the appropriate level.
There are roughly 80,000 small-to-mid manufacturers in the DoD supply chain that handle CUI, plus more than 200,000 companies touching some level of FCI. Most are not ready. The big consultancies price small shops out of the market. The local IT MSP often doesn't know the difference between NIST SP 800-171 and NIST SP 800-53, let alone how to write an SSP that survives a C3PAO assessment.
Our position is straightforward: build the same control stack the $10k/month CMMC specialists build, document it in audit-ready form, operate it day-to-day, and price it so a 20-person job shop can keep bidding on DoD work without going bankrupt on cyber.
What This Means In Practice
Three realities we build the engagement around.
No certification, no contract.
By 2028, every DoD contract handling FCI or CUI will require CMMC compliance at the appropriate level. New contracts already include the clause. There is no exception for small subcontractors. If you can't certify, you can't bid.
False-attestation risk is real.
DoJ's Civil Cyber-Fraud Initiative has already settled with multiple contractors who misrepresented their cyber posture: Aerojet Rocketdyne paid $9M (2022), Verizon $4.09M (2024). Whistleblower (qui tam) suits amplify the exposure. The annual affirmation is a legal attestation signed by a named company official, not a checkbox.
Most specialists are out of reach.
The established CMMC consultancies typically quote $5,000–$15,000 per month for managed compliance, which is fine for prime contractors but kills small subcontractors. Our $1,400–$3,500/mo range fits Level 1 and lower-end Level 2 manufacturers without cutting the controls.
The 110 Controls
14 control families. 110 controls. 320 assessment objectives (NIST SP 800-171A).
NIST SP 800-171 is the rulebook CMMC Level 2 measures you against. We operate every control, document every objective, and produce the evidence a C3PAO needs to see.
Access Control
Named accounts, least privilege, session limits, remote-access controls, and admin separation across the CUI environment.
Audit & Accountability
Logging of every access and change in the CUI environment, tamper-resistant log storage, and review processes.
Awareness & Training
Role-based security awareness training for everyone with CUI access, refreshed at least annually.
Configuration Management
Documented baseline configurations, change control, and software-restriction policies on every system handling CUI.
Identification & Authentication
Multi-factor authentication for all network access and for every privileged account (3.5.3), replay-resistant authentication (3.5.4), password complexity and reuse rules, and identification of devices before they connect.
Incident Response
Documented incident response plan, tested procedures, and 72-hour reporting of cyber incidents to DoD under DFARS 252.204-7012, including preservation of affected system images and monitoring data for at least 90 days.
Maintenance
Controls around system maintenance: sanitisation of equipment sent off-site for repair, MFA on remote (nonlocal) maintenance sessions, malware checks on maintenance media, and supervision of maintenance personnel who lack CUI access.
Media Protection
Encryption of CUI on digital media in transport, sanitisation before disposal or reuse, controlled access to media, and restrictions on removable media.
Personnel Security
Screening of personnel before granting CUI access and revocation when access is no longer required.
Physical Protection
Physical access controls to facilities and equipment processing CUI, including visitor logs and monitoring.
Risk Assessment
Periodic written risk assessment of the CUI environment with documented findings and remediation.
Security Assessment
Routine self-assessment, system security plans (SSP), and plans of action & milestones (POAM).
System & Communications Protection
Boundary protections with deny-by-default rules, encryption in transit using FIPS-validated cryptography, no split tunnelling on remote access, and segmentation of the CUI environment.
System & Information Integrity
Flaw remediation, anti-malware, monitoring of inbound and outbound traffic and security alerts, and identification of unauthorised use of systems.
Realistic Timeline
9–18 months to Level 2. Honest numbers, not sales numbers.
Month 1
Free CMMC-readiness assessment
We scope your CUI environment, classify your contracts, score you against the 110 NIST 800-171 controls, and hand you a one-page roadmap with a realistic timeline and cost.
Months 2–4
Foundation controls
MFA on every account, EDR on every endpoint, named accounts (no shared logins), encrypted backups, baseline configuration documentation, and awareness training for every CUI-cleared user.
Months 4–9
System Security Plan (SSP) build-out
Documented SSP covering all 14 control families, POAM for residual gaps, formal incident response plan, change-management procedures. M365 / GCC High migration if needed.
Months 9–12
Pre-assessment readiness review
Mock assessment against the C3PAO checklist, evidence collection in audit-ready form, control owner interviews. We close gaps before the C3PAO ever sees them.
Month 12+
C3PAO engagement & ongoing operation
We coordinate the C3PAO engagement, support the assessment, and run the controls through the 3-year recertification cycle. Continuous monitoring, monthly evidence collection, annual self-affirmation support.
Indicative Pricing
Built for shops the big firms can't serve.
Level 1 Self-Attestation
$1,400+/mo
FCI-only shops, <25 staff
- 15 Level 1 practices documented
- MFA enforcement everywhere
- EDR on every endpoint
- Annual self-affirmation support
- 24/7 monitoring
Level 2 Readiness
$3,500+/mo
CUI handlers, 10–75 staff
- All 110 NIST 800-171 controls
- SSP & POAM build + maintenance
- Evidence collection in audit form
- C3PAO assessment support
- Role-based training programme
- GCC High advisory (cost-aware)
Complex Level 2 / Multi-Site
Scoped
Multi-facility, OT/ICS, >75 staff
- Per-site enclave design
- OT / ICS integration
- Group-level governance
- Dedicated programme lead
Indicative pricing. Final figures depend on CUI scope, headcount, IT estate, GCC High requirement, and existing controls, and are set out in the written services agreement.
Honest Answers
The six questions we're asked first.
Doesn't our prime contractor handle CMMC for us?
No. CMMC flow-down means every entity in the chain that handles FCI or CUI is responsible for its own certification. The prime can verify you have it, but they can't do it on your behalf. If anything, primes are now actively dropping subcontractors who can't show certification — they don't want the supply-chain risk.
We've done a self-assessment under DFARS 252.204-7019. Isn't that enough?
DFARS 252.204-7019 requires a current NIST SP 800-171 self-assessment score posted to the Supplier Performance Risk System (SPRS), and that requirement does not go away. CMMC Level 2 adds a triennial third-party assessment by a C3PAO for most contracts that involve CUI; only a subset of Level 2 contracts allow a Level 2 self-assessment in its place. The two coexist during the phase-in, and by 2028 CMMC will be in every applicable contract.
Do we need Microsoft GCC High?
Only if you store, process, or transmit CUI inside Microsoft 365. If your CUI lives only on engineering workstations and segmented file shares, you may be able to operate in commercial M365 with strict CUI-handling rules. We map this honestly in the assessment — GCC High adds material licensing cost and we don't recommend it unless required. See our GCC High deep-dive article.
We're too small for the DoD to bother enforcing this.
Size doesn't exempt you. The point of CMMC is to clean up the long tail of small subcontractors that have historically been the weakest link in the defence supply chain. Enforcement happens through contract flow-down — your prime contractor will check before they place a purchase order. No certification, no PO.
What does Kapacyber actually deliver vs. a C3PAO?
We are not a C3PAO and we don't certify you. We build and operate the controls that make you certifiable — SSP and POAM management, MFA and EDR deployment, log collection, awareness training, incident response, vendor due diligence, monthly evidence collection. When you're ready for a Level 2 assessment, we hand the C3PAO a clean package and stay on through the engagement.
How long until we're certifiable?
Realistic for Level 2 from a near-zero starting point: 9–18 months, depending on existing controls, IT estate complexity, and whether you need GCC High migration. Level 1 (self-attestation) is achievable in 60–120 days for most shops. We give an honest timeline in the free assessment — not a sales-pitch number.
Dig Deeper
CMMC reading.
CMMC 2.0 Explained — Levels, Timeline, What Small Manufacturers Need to Know
The three levels, the rule timeline, who CMMC applies to, and the seven questions every small DoD subcontractor should be able to answer.
Reference: The 110 NIST SP 800-171 Controls in Plain English
All 14 families and 110 controls, translated out of NIST-speak with examples a manufacturing shop floor can use.
Cost: CMMC Level 2 Cost — What a Small DoD Subcontractor Actually Pays
Realistic budget ranges for managed compliance, C3PAO assessment, GCC High licensing, and ongoing operations through the three-year recertification cycle.
Assessment: How to Prepare for a C3PAO Assessment
What a C3PAO looks for, how to assemble the evidence package, what fails most often, and how to keep the assessment to days instead of weeks.
Regulation: DFARS 252.204-7012 vs CMMC — How They Relate
The two regulations that govern CUI handling, where they overlap, where CMMC adds new requirements, and what to do during the rollout transition.
Tooling: Microsoft GCC High — Do You Actually Need It?
When GCC High is required, when commercial M365 is enough, the realistic licensing cost, and the migration realities for a small shop.
Free Template: CMMC Self-Assessment Worksheet
A fillable worksheet covering Level 1's 15 practices plus the Level 2 family scoring template, with evidence prompts.
Free Tool: CMMC Readiness Check
A 12-question self-assessment that scores you against NIST 800-171 family-by-family and tells you what to fix first.
See where your shop stands.
Free CMMC-readiness assessment. We score you against the 110 NIST 800-171 controls, classify your contracts, and hand you a one-page roadmap with a realistic timeline and cost. No sales pressure. No proposal unless you ask.
Get Free CMMC Readiness Assessment