Clear, technical resources for Defense Industrial Base contractors processing Controlled Unclassified Information. If your organization handles CUI — as a prime or subcontractor — compliance is a current requirement for contract award.
A common misconception is that most contractors will qualify for a Level 2 annual self-assessment. In practice, the CMMC Third-Party Assessor Organization (C3PAO) path is the default for any contract involving CUI; self-assessment is reserved for the narrow set of contracts where the contracting officer specifically designates it.
DoD estimates approximately 80,000 contractors across the Defense Industrial Base will require Level 2 third-party (C3PAO) certification — effectively any organization that stores, processes, or transmits CUI under a DoD contract.
You cannot choose your assessment path. Prepare your architecture and documentation with the assumption that a third-party auditor will be reviewing it.
The phased rollout is active. Compliance is a current requirement for winning and maintaining defense contracts.
The DoD is inserting Level 2 Self-Assessment requirements into new solicitations. Contractors must have an active SPRS score prior to contract award. If you have not submitted a score, you are already at risk.
Starting this November, the DoD will begin mandating Level 2 C3PAO certification as a strict condition of contract award for prioritized CUI. Organizations that have not completed a C3PAO audit by this date will be unable to compete for new contracts involving prioritized CUI. Find accredited C3PAOs in the Cyber AB Marketplace.
C3PAO requirements expand to cover all applicable new contracts across the DIB, regardless of CUI classification tier.
C3PAO requirements apply to option periods on existing contracts, completing the transition to universal implementation across the defense supply chain.
Technical guidance on building, documenting, and maintaining a CMMC 2.0 Level 2 compliance posture — without decoding regulatory jargon.
Practical, plain-English breakdowns of the 14 security requirement families and all 110 individual controls — what each requires, how to implement it, and what evidence an assessor will look for.
Browse control family guides →

Guides on structuring your System Security Plan and Plan of Action & Milestones — how to map control inheritance, document your environment accurately, and produce artifacts that hold up under C3PAO scrutiny.

Browse SSP & documentation guides →

Using JSON, XML, and OSCAL (Open Security Controls Assessment Language) to move away from static spreadsheets toward machine-readable, continuous compliance tracking.

Browse automation resources →

To help Defense Industrial Base organizations reduce the cost and time of CMMC assessments while measurably improving their security posture — through plain-language guidance today and agentic tooling soon.
Free, technical resources covering the 110 NIST SP 800-171 controls, SSP and POA&M architecture, scoping decisions, C3PAO selection, and the assessment lifecycle — written for practitioners, not auditors.
AI agents that draft your SSP from real environment evidence, score gaps against SPRS, and keep your POA&M current as your environment changes — built to compress months of manual assessment work into days.