What Every SoCal DoD Contractor Needs to Know
CMMC has become a game-changer for anyone doing business with the Department of Defense. Its roots trace back to the 2016 FAR rule, which first introduced baseline cybersecurity requirements for federal contractors. Since then, the compliance landscape has intensified. With the new rule officially in place since December 2024 and full contract enforcement on the horizon for late 2025, defense contractors in San Diego, and across Southern California, must be clear on where they stand and be actively moving toward compliance.
The Cybersecurity Maturity Model Certification (CMMC) defines three distinct levels of cybersecurity readiness. You don’t choose your level—the DoD decides, based on the category of Controlled Unclassified Information (CUI) needed in the performance of a contract. Here’s what you need to know.
Level 1: Basic Safeguarding of FCI
Level 1 is all about the basics. It’s intended for companies that handle Federal Contract Information (FCI) but not CUI. If your work involves simple procurement or logistics without sensitive data, this might be your lane.
Requirements include:
- 15 security practices based on FAR 52.204-21
- Annual self-assessments
- Annual executive affirmation submitted in the Supplier Performance Risk System (SPRS)
Think of this as the cybersecurity equivalent of locking your doors and installing a basic alarm system. It’s entry-level, but it still matters. Level 1 organizations are required to perform a self-assessment annually and submit an executive affirmation in SPRS, providing a cost-effective way to demonstrate compliance without a third-party audit.
Level 2: Broad Protection of CUI
Most small and mid-sized DoD contractors fall here. If you handle CUI—design drawings, test results, or anything sensitive but unclassified—Level 2 is where you need to be.
Requirements include:
- Implementation of all 110 controls in NIST SP 800-171 Rev 2
- While the DoD allows self-assessments for select Level 2 contracts, very few organizations will qualify for that pathway. Most contractors handling CUI will require a third-party assessment conducted by a Certified Third Party Assessment Organization (C3PAO) every 3 years.
- Annual affirmation, verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2
- Uploading assessment results and a Plan of Action & Milestones (POA&M) to SPRS
This level separates the serious players from the rest. Level 2 organizations are expected to undergo third-party assessments by a C3PAO for higher-priority work. These assessments, along with submission of POA&Ms to SPRS, create a verifiable path toward certification. If you want to stay competitive in the defense ecosystem, Level 2 isn’t optional—it’s expected.
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
Reserved for contractors supporting the highest-priority national security programs, Level 3 builds on the Level 2 requirements, incorporating even more advanced cybersecurity practices.
Requirements include:
- Compliance with NIST SP 800-171 R2 plus select controls from NIST SP 800-172
- Government-led assessments every 3 years by the DIBCAC
- Annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172
This level involves zero tolerance for security lapses and is tailored for organizations with mission-critical roles in the defense industrial base. Level 3 assessments are government-led, with no self-assessment options, reflecting the high stakes involved. Think missile systems, intelligence operations, or top-tier space programs.
Southern California Defense Contractors
Our region is home to a high concentration of defense innovators—from San Diego’s shipyards to L.A.’s aerospace corridor. Whether you’re subcontracting with a prime or bidding on direct DoD work, your CMMC level determines which doors are open to you.
Understanding the levels helps you:
- Set realistic compliance goals
- Budget appropriately for cybersecurity investments
- Know what kind of audits to expect
- Align your IT strategy with your business development efforts
Final Word from the Field
Compliance can take time—acting now is critical, before the clock runs out. With enforcement already underway and contract clauses evolving rapidly, identifying your required level and starting the path to readiness isn’t optional—it’s urgent. It’s about positioning your company as a trusted, capable partner in the eyes of the Department of Defense.
If you’re not sure where your organization stands, or which category (or categories) of CUI you handle, you’re not alone. Our experienced CMMC implementation team specializes in helping Southern California contractors make sense of the standard and implement controls as efficiently as possible—and turn compliance into a competitive edge.
Ready to talk CMMC? Let’s get to work – contact us today.