What Is CMMC 2.0 and How Does It Affect Washington State Defense Contractors?

CMMC 2.0 — the Cybersecurity Maturity Model Certification — is the Department of Defense’s framework for verifying that contractors and subcontractors meet specific cybersecurity standards before they can bid on or perform DoD contracts. If your company is anywhere in the defense supply chain in Washington state, CMMC compliance is no longer theoretical — it is becoming a contractual requirement in 2025 and 2026, and companies that cannot demonstrate certification will lose access to DoD work.

What Is CMMC 2.0?

CMMC 2.0 replaced the original CMMC 1.0 model with a streamlined three-level structure based on NIST cybersecurity frameworks:

  • Level 1 — Foundational. Covers 17 basic cybersecurity practices from FAR 52.204-21. Applies to companies that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Self-assessment is sufficient.
  • Level 2 — Advanced. Requires implementation of all 110 security controls from NIST SP 800-171. Applies to companies that handle CUI. Most contracts at this level require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). Some lower-priority contracts may allow self-assessment.
  • Level 3 — Expert. Based on a subset of NIST SP 800-172 controls. Applies to the highest-priority programs involving the most sensitive CUI. Requires government-led assessment by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).

Most Washington defense contractors and subcontractors will need Level 2 certification because they handle CUI as part of their contract work.

Who Needs CMMC Certification?

Every company in the DoD supply chain — primes and subcontractors alike. If you receive, store, process, or transmit CUI or FCI as part of defense work, you need CMMC certification at the appropriate level. This is not limited to the company that signs the prime contract. If a prime contractor flows CUI down to a machine shop, that machine shop needs CMMC certification too.

This matters enormously in Western Washington. Boeing’s Everett facility is the largest manufacturing building in the world by volume and employs tens of thousands of workers across dozens of defense-related programs. Naval Station Everett is the Navy’s most modern installation on the West Coast. The defense supply chain in Snohomish County is deep — manufacturers, engineering firms, logistics companies, and professional services firms all handle CUI as part of their work supporting these operations.

If your business is part of that ecosystem, CMMC applies to you. Waiting to find out is not a strategy.

What Are the Key IT Requirements for CMMC Level 2?

CMMC Level 2 maps directly to the 110 controls in NIST SP 800-171. For a business owner or operations manager, here is what that translates to in practical IT terms:

CUI Protection

All Controlled Unclassified Information must be identified, labeled, and protected throughout its lifecycle. This includes data at rest on servers and workstations, data in transit across networks, and data in cloud environments. You need to know exactly where your CUI lives — and most companies we assess do not.

Access Controls

Only authorized personnel should access CUI, and access must follow the principle of least privilege. This requires unique user accounts, role-based access permissions, and prompt revocation when employees change roles or leave. Shared accounts are a direct compliance failure.
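The kind of periodic access review that turns these requirements into a checkable result, as an added example that is not part of the original article and not ROI Technology's tooling: it cross-references an account export from a CUI file server against an HR roster and a role-to-permission model, flagging logins with no individual owner (shared accounts), accounts still enabled for departed staff, and permissions that exceed the role. The roster, account list, role model and service-account list are all constructed, and the export formats are assumed.

```python
"""Access review for CUI systems (added example; sample data is constructed)."""
from dataclasses import dataclass

# Constructed HR roster: login -> (employment status, role). Format is assumed.
HR_ROSTER = {
    "jdoe": ("active", "machinist"),
    "asmith": ("active", "engineer"),
    "bwu": ("terminated", "engineer"),
}

# Constructed account export from the CUI file server: login -> permissions held.
ACCOUNTS = {
    "jdoe": {"cui_read", "cui_write"},      # machinist holding write access
    "asmith": {"cui_read", "cui_write"},
    "bwu": {"cui_read", "cui_write"},       # left the company, account still enabled
    "shopfloor": {"cui_read"},              # shared login with no single owner
    "svc_backup": {"cui_read", "admin"},    # service account, reviewed separately
}

# Assumed role-based model: the maximum permission set each role may hold.
ROLE_PERMISSIONS = {
    "machinist": {"cui_read"},
    "engineer": {"cui_read", "cui_write"},
}

# Assumed list of non-human accounts that have a documented owner.
DOCUMENTED_SERVICE_ACCOUNTS = {"svc_backup"}


@dataclass
class Finding:
    account: str
    issue: str


def review_access(accounts, roster, role_permissions, service_accounts):
    """Return one Finding per access-control failure found in the export."""
    findings = []
    for login, perms in sorted(accounts.items()):
        if login in service_accounts:
            continue  # owner record reviewed in a separate pass
        if login not in roster:
            # No single person maps to this login: a shared account.
            findings.append(Finding(login, "no individual owner (shared account)"))
            continue
        status, role = roster[login]
        if status != "active":
            # Revocation was not prompt: departed user still has an enabled account.
            findings.append(Finding(login, "account enabled for departed user"))
        excess = perms - role_permissions.get(role, set())
        if excess:
            # Least privilege violated: permissions beyond what the role allows.
            findings.append(Finding(login, f"permissions exceed role {role}: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, HR_ROSTER, ROLE_PERMISSIONS, DOCUMENTED_SERVICE_ACCOUNTS):
        print(f"{f.account}: {f.issue}")
```

Run on a schedule and keep the output as evidence: an assessor wants to see that the review happened and that each finding was closed, not just that the controls exist on paper.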

Multi-Factor Authentication (MFA)

MFA is required for all remote access and for any privileged account access to systems that handle CUI. Password-only authentication is not sufficient.

Encryption

CUI must be encrypted at rest and in transit using FIPS-validated cryptographic modules. This applies to hard drives, email, file transfers, VPN connections, and cloud storage.

Audit Logging

All systems that handle CUI must generate audit logs that capture who accessed what, when, and from where. Logs must be retained, protected from tampering, and reviewed regularly. If an incident occurs, you need a clear evidentiary trail.
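One way to make an audit trail both complete (who, what, when, from where) and tamper-evident, as an added example that is not part of the original article and not a product feature of the MSP described: every record is checked for the required fields, then chained with an HMAC over the previous record's tag, so changing, reordering or deleting any earlier line invalidates every tag after it. The field names, the chaining scheme and the sample events are constructed; the key is assumed to be held by the log collector rather than the audited host, which is what makes the chain useful as evidence.

```python
"""Tamper-evident audit log for a CUI system (added example; sample data is constructed)."""
import hashlib
import hmac
import json

# who, what, when, where: the minimum every audit record must carry (assumed names)
REQUIRED_FIELDS = ("ts", "user", "action", "resource", "src_ip")

# Constructed key. In practice it lives on the log collector, never on the audited host.
LOG_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64  # tag value that the first record chains from


def validate_record(rec):
    """Return the required fields that are missing or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def _canonical(rec):
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def seal_records(records, key=LOG_KEY):
    """Chain records: tag_i = HMAC(key, tag_{i-1} || canonical(record_i))."""
    prev = GENESIS
    sealed = []
    for rec in records:
        missing = validate_record(rec)
        if missing:
            raise ValueError(f"record lacks {missing}: {rec}")
        tag = hmac.new(key, (prev + _canonical(rec)).encode(), hashlib.sha256).hexdigest()
        sealed.append({**rec, "prev": prev, "tag": tag})
        prev = tag
    return sealed


def verify_chain(sealed, key=LOG_KEY):
    """Return the index of the first record whose chain link is broken, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        rec = {k: v for k, v in entry.items() if k not in ("prev", "tag")}
        expected = hmac.new(key, (prev + _canonical(rec)).encode(), hashlib.sha256).hexdigest()
        if entry.get("prev") != prev or not hmac.compare_digest(entry.get("tag", ""), expected):
            return i
        prev = entry["tag"]
    return -1


# Constructed sample events from a CUI file share
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T14:02:11Z", "user": "asmith", "action": "read",
     "resource": "/cui/drawings/part-88.pdf", "src_ip": "10.20.4.17"},
    {"ts": "2025-03-01T14:05:40Z", "user": "jdoe", "action": "write",
     "resource": "/cui/drawings/part-88.pdf", "src_ip": "10.20.4.31"},
    {"ts": "2025-03-01T14:06:02Z", "user": "jdoe", "action": "delete",
     "resource": "/cui/drawings/part-87.pdf", "src_ip": "10.20.4.31"},
]


def demo_tamper():
    """Seal the sample events, rewrite the user on record 1, and report where verification fails."""
    chain = seal_records(SAMPLE_EVENTS)
    assert verify_chain(chain) == -1
    tampered = [dict(e) for e in chain]
    tampered[1]["user"] = "someone_else"  # after-the-fact edit of who did it
    return verify_chain(tampered)


if __name__ == "__main__":
    print("first bad record:", demo_tamper())
```

Verification is run by the collector, not by the host that wrote the log, and the result of each review is itself recorded; that gives the "retained, protected, and reviewed regularly" requirement an artifact an assessor can check.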

Incident Response

You must have a documented, tested incident response plan that covers detection, containment, eradication, recovery, and reporting. DoD contracts often include specific timelines for reporting cyber incidents — typically 72 hours.

Endpoint Protection

Every endpoint that accesses CUI — laptops, desktops, servers, mobile devices — must run managed endpoint detection and response (EDR) with active monitoring. Traditional antivirus does not meet the bar.

How Does an MSP Help with CMMC Compliance?

Most small and mid-sized defense contractors do not have dedicated cybersecurity staff. That is not a disqualifier — but it means you need a partner who understands both the technical controls and the compliance documentation required.

Here is what a security-first MSP brings to CMMC readiness:

  • Gap assessment. A thorough review of your current environment against all 110 NIST SP 800-171 controls, identifying what is in place, what is partially implemented, and what is missing. This is similar to a comprehensive IT security assessment but specifically scoped to CMMC requirements.
  • Remediation and implementation. Deploying the technical controls needed to close gaps — encryption, MFA, EDR, network segmentation, backup systems, and access control configurations.
  • Documentation. CMMC requires a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that describe your environment, your controls, and your remediation timeline. Assessors will review these documents before they touch a keyboard.
  • Continuous monitoring. Compliance is not a point-in-time achievement. Controls must be maintained, logs must be reviewed, and vulnerabilities must be remediated on an ongoing basis. An MSP with cybersecurity expertise provides 24/7 monitoring that keeps your environment audit-ready.

At ROI Technology, our security architecture is built on NIST frameworks from the ground up — it is not an aftermarket bolt-on. We maintain zero ransomware incidents across our client base because we engineer environments to be defensible, not just functional. That same architecture aligns directly with CMMC requirements.

Timeline: When Does CMMC Enforcement Begin?

The DoD began including CMMC requirements in select contracts in 2025, with a phased rollout through 2026 and beyond. The ramp-up means:

  • Phase 1 (2025): CMMC Level 1 and Level 2 self-assessments begin appearing in new contracts.
  • Phase 2 (2026): Third-party assessments for Level 2 required in applicable contracts.
  • Phase 3 (2027+): Full implementation across all applicable DoD contracts, including Level 3 requirements for critical programs.

If you are starting from scratch, achieving CMMC Level 2 readiness typically takes 6 to 18 months depending on your current security posture. Companies in the Snohomish County defense supply chain that have not begun preparation are already behind. The assessment pipeline through C3PAOs is limited, and scheduling delays will increase as demand ramps up.