Defense Industrial Base Cybersecurity
Comprehensive CMMC consulting services for defense contractors pursuing Level 1, Level 2, and Level 3 certification. From contractual requirements analysis and technical security evaluations to supply chain management and C3PAO assessment preparation, we deliver end-to-end compliance support aligned with your DoD contract obligations.
Overview
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). The Department of Defense developed CMMC to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the defense supply chain.
CMMC certification is required for Department of Defense contractors and subcontractors. The framework incorporates cybersecurity standards and best practices, including NIST SP 800-171, mapped to processes and practices across maturity levels.
Unlike self-attestation approaches, CMMC requires third-party assessment by certified CMMC Third Party Assessment Organizations (C3PAOs), providing objective verification of cybersecurity practices.
Regulatory Status
The Department of Defense published the final CMMC rule in the Federal Register, effective December 16, 2024. This regulation establishes CMMC as a requirement for DoD contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Under 32 CFR Part 170, organizations must achieve the CMMC level corresponding to the type of information they handle. CMMC requirements will be phased into DoD contracts over 12-24 months, with high-priority programs requiring certification first.
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 requires contractors to maintain a current CMMC certificate at the level specified in the contract. This clause is being incorporated into new DoD solicitations and contract modifications.
Contractors must maintain CMMC certification throughout the contract performance period and provide certification evidence to the Contracting Officer upon request.
After achieving CMMC Level 2 certification, organizations must submit annual attestations confirming continued compliance with all 110 security practices. Failure to maintain compliance can result in certificate suspension or revocation.
Note: Organizations can pass a CMMC assessment but remain non-compliant if contractual CUI requirements were not properly validated during scoping. Contract analysis before assessment scope definition helps ensure alignment between certification and contractual obligations.
Our Approach
Our methodology begins with contractual requirements analysis—not technical assessments. We identify DoD Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handling obligations before defining assessment scope. This contract-first approach prevents a critical failure mode: achieving CMMC certification while remaining non-compliant with actual contractual obligations.
Organizations can pass C3PAO assessments and achieve perfect NIST 800-171 scores, yet still violate contract terms if CUI requirements were improperly scoped. Our upfront contract analysis ensures certification aligns with your actual compliance obligations.
Once CMMC certification has been awarded, we also provide ongoing support for the required annual attestation and for subsequent contracting arrangements.
Credentials
Thalen Technologies is a Cyber AB Registered Practitioner Organization (RPO) with credentialed CMMC consultants authorized to provide advisory services to organizations pursuing CMMC certification.
Our consultants have completed training and maintain current knowledge of CMMC requirements, assessment processes, and implementation practices as validated by the Cyber Accreditation Body.
Our team has supported CMMC certifications across defense contractors, from small subcontractors to large prime contractors.
Certification Levels
CMMC consists of three levels, each building upon the previous to provide progressively advanced cybersecurity protection.
Level 1
Basic cyber hygiene practices to protect Federal Contract Information (FCI). Suitable for contractors handling only FCI without CUI. Implements foundational security controls including access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
Assessment Method: Annual self-assessment with affirmation statement
Typical Timeline: 2-4 months for implementation and self-assessment
Level 2
Implements all NIST SP 800-171 security requirements to protect Controlled Unclassified Information (CUI). Required for most DoD contractors and subcontractors handling CUI. Encompasses 17 security domains including access control, incident response, risk assessment, security assessment, system and communications protection, and system and information integrity.
Assessment Method: Third-party assessment by certified C3PAO (triennial cycle) with annual self-attestation between assessments
Typical Timeline: 6-12 months for gap remediation, implementation, and C3PAO assessment
Contract Requirements: DFARS clause 252.204-7021 requires Level 2 for contracts involving CUI
Level 3
Advanced and progressive cybersecurity practices to protect CUI against Advanced Persistent Threats (APTs). Builds upon Level 2 with 20 additional practices focused on threat hunting, advanced monitoring, and proactive defense. Required for high-priority programs, critical national security information, and contracts explicitly requiring Level 3 certification.
Assessment Method: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) or authorized government assessors
Typical Timeline: 12-18 months for comprehensive implementation and government assessment
Contract Requirements: Specified in individual contracts for critical programs and APT-targeted environments
Our Services
End-to-end support from contract analysis through certification and ongoing compliance. Our services address the full spectrum of CMMC requirements across all certification levels, including technical evaluations, supply chain management, and strategic compliance planning.
Identify DoD contractual obligations for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handling. Analyze prime and subcontractor flow-down requirements to ensure proper scoping before assessment.
Develop comprehensive compliance strategies aligned with your contract portfolio, including certification timelines for prime contractors and subcontractors. Establish roadmaps for achieving required CMMC levels.
Assess organizational readiness for CMMC Level 1, Level 2, or Level 3 certification. Support self-assessment processes including control testing, gap identification, and evidence collection against all applicable security practices.
Provide guidance on security control system design, security program development, and implementation of technical and administrative controls. Address identified gaps with prioritized remediation plans aligned with certification timelines.
Assist prime contractors with subcontractor compliance management, including scoping support, flow-down requirement implementation, and auditing subcontractor CMMC compliance status throughout the supply chain.
Perform comprehensive technical assessments including vulnerability scanning, penetration testing, web application security testing, and network security evaluations to validate control effectiveness before C3PAO assessment.
Prepare for CMMC Third Party Assessment Organization (C3PAO) assessment with evidence collection, artifact review, control validation, and mock assessments. Coordinate with C3PAOs and manage assessment logistics.
Support continuous compliance monitoring, annual attestation preparation, and compliance maintenance activities. Provide ongoing advisory services to maintain certification status and address evolving threats.
Security Domains
CMMC Level 2 encompasses 110 practices across 17 security domains aligned with NIST SP 800-171.
Success Story
A defense contractor with $120M in annual DoD contracts needed CMMC Level 2 certification to maintain contract eligibility. Initial contract analysis revealed CUI handling requirements across 15 active contracts with varying scoping needs. The organization faced significant gaps in security controls, inadequate documentation, and unclear subcontractor compliance requirements.
Contact us to discuss your CMMC requirements and timeline. Our team can assess your current security posture and develop an implementation roadmap aligned with your DoD contracts.