
CMMC Compliance for Small Government Contractors: From Assessment to Actually Ready at Level 1 and Level 2

  • Writer: Shay
  • 16 minutes ago
  • 14 min read

CMMC compliance for small government contractors

Three Contractors. Three Different Spots. Same Problem.

In the last few months, three different small contractors have reached out to me about CMMC. None of them were in the same place.


The first one needs Level 2. They handle CUI, they have a contract that requires it, and we are deep in the work right now. They have a gap assessment from a few years ago, so I am already knocking out the quick-fix items from that list while we get the bigger pieces moving. A C3PAO firm is now coming in to formally assess the environment, and we will be meeting with them weekly to build out the plan of action and milestones. They handle the formal assessment side. I bridge the technical gaps.


The second one is currently self-attesting at Level 1. That is fine for today. The problem is that the work they want to bid on next is going to require Level 2. So we are doing two things at once. Keeping them clean for Level 1 and laying the groundwork for Level 2 before the deadline becomes the deadline.


The third one is on a call with me later this week. They are Level 1 today and they think they can stay there. What they actually need is someone managing their environment. Computers, Microsoft 365, least-privilege access, and documenting everything they have. The CMMC piece will follow naturally once the foundation is in place.


Three different contractors. Three different stages. The common thread is the same. They need someone who can actually configure the systems, manage the environment, and document what was done. The compliance piece follows once the foundation is solid.

That is the conversation I keep having with small contractors across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, the broader DMV area, and remotely with small businesses throughout the United States.


What CMMC Compliance for Small Government Contractors Actually Is and Why It Matters Now

CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's framework for making sure contractors and subcontractors actually protect the information they handle. The rule is in effect, the clauses are showing up in contracts, and the timeline is no longer theoretical.


There are three levels, but for most small businesses the conversation is about Level 1 or Level 2.


Level 1 applies if you handle Federal Contract Information, or FCI. This is information generated for or provided to the government that is not intended for public release. If you are a small contractor with even one DoD subcontract, you almost certainly handle FCI.


Level 2 applies if you handle Controlled Unclassified Information, or CUI. CUI is more sensitive. Engineering drawings, technical specifications, export-controlled data, certain types of personnel information. If your prime sends you anything marked CUI or anything that should be marked CUI, you are in Level 2 territory.


The biggest mistake I see is contractors assuming they only need Level 1 because they are small. Size is not what determines your level. The data you touch is.


CMMC Level 1 vs CMMC Level 2 at a Glance

  • Level 1: Applies to contractors handling Federal Contract Information (FCI). Covers 17 basic safeguarding requirements from FAR 52.204-21. Self-assessed annually in SPRS.

  • Level 2: Applies to contractors handling Controlled Unclassified Information (CUI). Covers all 110 controls in NIST SP 800-171. Most require a third-party assessment from an accredited C3PAO.

  • Determining factor: The type of data you handle, not the size of your business.

  • My role: Technical implementation. I partner with the C3PAO or consulting firm doing the assessment so they handle the formal review and I handle the work needed to close the gaps. I am not a C3PAO myself.


CMMC Level 1: What Small Contractors Actually Need to Do

Level 1 is built around 17 basic safeguarding requirements that come straight from FAR 52.204-21. These are things like making sure only authorized users access your systems, controlling who connects to your network, sanitizing media before disposal, and limiting physical access to your equipment.


For Level 1, small contractors can self-assess. You log into the Supplier Performance Risk System, or SPRS, and submit your own attestation annually. There is no third-party assessor at this level.


That sounds easy. It is not.


Self-assessment does not mean self-assured. The DoD can audit your attestation, and if you certified that you had controls you did not actually have in place, that is a False Claims Act problem. Real money. Real penalties. Possibly criminal exposure.


What CMMC Level 1 really requires is an honest review of your environment, an actual implementation of those 17 safeguards, and documentation that proves what you did.


That is the part I help contractors with every day.


CMMC Level 2: Where the Stakes Get Higher

Level 2 is built on the 110 controls in NIST SP 800-171. This is a much bigger lift. Access control. Audit logging. Configuration management. Incident response. System and communications protection. The full set.


Most Level 2 contractors will need a third-party assessment from a Certified Third-Party Assessor Organization, known as a C3PAO. Some lower-risk contracts allow for self-assessment at Level 2, but the trend is toward third-party assessment for anything involving CUI.


This is where I want to be very clear about my role.


I do not perform Level 2 assessments. I am not a C3PAO. That is a separate, accredited function. There are firms in the DMV area that do that work specifically, and there are excellent C3PAOs across the country that I have partnered with on behalf of clients. Two of my Maryland-based clients are currently working through their Level 2 assessments with a C3PAO firm out of Texas. The right assessor is the right assessor regardless of where they are located.


What I do is partner with those firms. I implement the technical controls across your whole environment, not just one piece of it. Most small contractors I work with have a real mix. On-prem servers or Synology storage holding their working files. Switches, firewalls, and wireless access points handling the network. Endpoints and laptops in the field. Microsoft 365 sitting on top of all of it. The work covers all of it.


Multi-factor authentication implemented across the entire environment, not just on email. Network segmentation and VLANs to isolate where CUI lives. Firewall rule cleanup and hardening. Wireless tightened up properly. Server access controls and audit logging on the on-prem side. Endpoint protection across every device. Identity, access, and audit logging in Microsoft 365 or whatever cloud platforms you use.


Backups handled the right way, because where they are stored and how they are protected matters. Encrypted, off-site or immutable, separated from the production environment, and actually tested.


Network diagrams that show what lives where, how everything connects, IP schemes, and VLAN tags. I do these for every client because networks are always changing and having something to reference matters. And the technical documentation that supports the System Security Plan. The C3PAO or consulting firm leads the formal write-up. I make sure the technical evidence behind it is accurate and complete.


By the time the assessor walks in, every layer of the environment is ready. Network, servers, endpoints, cloud, and documentation. That is the part most small contractors cannot do alone, and that is exactly where I come in.


CMMC Compliance for Small Government Contractors: Why Most Get Stuck Between Assessment and Implementation

I see the same pattern repeatedly. A contractor pays for a gap assessment. They get a 40-page report full of findings. They read it once, set it on their desk, and have no idea what to do next.


The assessment tells you what is wrong. It does not fix anything.


Implementation is a different skill set entirely. It requires someone who can actually configure your systems, regardless of where they live. That means hardening on-prem servers and file shares, locking down network equipment, configuring identity and access controls in Microsoft 365 or whatever cloud platforms you use, enforcing least-privilege access so people only have what they actually need to do their job, implementing multi-factor authentication across the entire environment instead of just on email, building out email authentication like SPF, DKIM, and DMARC, deploying endpoint detection across every workstation and laptop, segmenting your network where CUI lives, writing your incident response plan, and producing the technical documentation that backs up every control you put in place.
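The email authentication piece above (SPF, DKIM, DMARC) is one of the few controls you can check from the published DNS records alone. The script below is an added example for this post, not the author's tooling: it evaluates the three record types for the weaknesses that most often show up in a gap report (SPF that soft-fails or allows any sender, too many DNS lookups, DMARC left at p=none or without reporting, DKIM keys left in testing mode). The domains and records are constructed sample values, not real DNS data; in practice you would feed it the TXT records pulled from your own zone.

```python
"""Evaluate SPF, DKIM and DMARC TXT records for common weaknesses.

Added example; not the author's tooling. Records below are constructed
sample values for assumed domains, not real DNS lookups.
"""
import re

# Constructed sample records for two assumed domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak-contractor.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=CONSTRUCTED_BASE64_KEY",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-contractor.test",
    },
    "hardened-contractor.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dkim": "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened-contractor.test; adkim=s; aspf=s",
    },
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and keep the mechanism/modifier name.
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF uses the ptr mechanism, which RFC 7208 discourages")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; RFC 7208 limit is 10")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all, which authorizes any sender")
    elif last in ("~all", "?all"):
        findings.append(f"SPF ends with {last}; -all is the hard-fail setting")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no all mechanism; unmatched senders get a neutral result")
    return findings


def check_dkim(record: str) -> list[str]:
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM record has an unexpected v= tag"]
    if not tags.get("p"):
        findings.append("DKIM p= is empty; the key is revoked and signatures will fail")
    if tags.get("t", "").startswith("y"):
        findings.append("DKIM t=y means testing mode; receivers may ignore failures")
    return findings


def check_dmarc(record: str) -> list[str]:
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC record has no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine; p=reject is the target state")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}; policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address; aggregate reports are not collected")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"DMARC {tag} is relaxed (default); strict alignment is tighter")
    return findings


def evaluate_domain(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Run all three checks for one domain; empty lists mean no findings."""
    recs = records[domain]
    return {
        "spf": check_spf(recs["spf"]),
        "dkim": check_dkim(recs["dkim"]),
        "dmarc": check_dmarc(recs["dmarc"]),
    }


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain)
        for kind, findings in evaluate_domain(domain).items():
            for finding in findings or ["no findings"]:
                print(f"  {kind}: {finding}")
```

The relaxed-alignment items are informational: relaxed alignment is valid, but strict alignment is the tighter setting and is worth recording in the evidence either way. The script deliberately does not judge DKIM key strength from the record text, since that requires decoding the key itself.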


That is the stage where most small contractors lose months. They have the report. They have the will. They do not have the hands.


For contractors in Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, the broader DMV area, and small businesses throughout the United States, I am that pair of hands. Most of the work is done remotely, which means location is rarely a factor in whether I can support you.


What I Actually Do for Small Government Contractors

When a small contractor brings me in, the work usually breaks down into a few clear phases.


The first phase is environment review. I take an honest look at what you have. On-prem servers and file shares. Network architecture, firewalls, switches, and wireless. Identity and access management. Microsoft 365 or whatever cloud platforms you use. Endpoint setup. Backup and recovery. Mobile device management. I walk through your environment so we can see how it lines up with CMMC Level 1 or NIST 800-171 requirements before any implementation begins.


For Level 2 contractors, I also work alongside your C3PAO or consulting firm to address the gaps they identify in their formal assessment. Their findings drive the implementation work. My job is to take those findings and turn them into action.


The second phase is hardening. This is where the real work lives, and it looks different in every environment. Multi-factor authentication is the one control that runs across everything before we even get into the layer-by-layer work. Email, VPN, server admin access, firewall admin, switch admin, wireless management, remote access, anywhere credentials are used. If MFA is not enforced across all of it, nothing else holds up. From there, the hardening work splits by layer.


For on-prem servers, that means locking down access, enforcing least privilege, configuring proper logging, segmenting where CUI is stored, and making sure backups are encrypted and tested.


For network equipment, the first thing to check is whether the gear you have can actually meet Level 2 requirements in the first place. Not every switch, firewall, or wireless platform qualifies. UniFi gear, for example, is popular and affordable but does not meet the validation requirements needed for systems handling CUI at Level 2. If a contractor is heading toward Level 2, sometimes the network gear has to be replaced before any other hardening work makes sense. Once the equipment can actually meet the standard, the work is cleaning up firewall rules, segmenting VLANs around CUI systems, disabling insecure protocols, and turning on the logging that almost nobody enables by default.


For Microsoft 365 or other cloud platforms, the right tier matters before any hardening conversation begins. Conditional access, advanced data loss prevention, sensitivity labels, and threat protection are not all available on every license. Microsoft 365 Business Standard does not have what you need. Business Premium is usually the floor for a small contractor handling FCI. E5 or GCC High enters the picture once CUI is in play. Once the licensing fits the work, the hardening itself means conditional access, audit logging turned on and retained, sensitivity labels and data loss prevention for CUI, and threat protection configured properly.


Endpoints across the board get protection deployed and monitored. The goal is the same regardless of platform: real controls, real logs, real evidence.


The third phase is documentation. Contractors hate it. Assessors live for it. For Level 2, the C3PAO or consulting firm typically leads the formal documentation, including the System Security Plan, the Plan of Action and Milestones (POA&M), and the evidence packages. My job is to give them accurate technical input and evidence. Network diagrams, configuration documentation, audit trails, and proof that the controls are actually working. For Level 1 and for clients without a C3PAO engaged, I can build out the documentation directly.


The fourth phase is assessment support. The C3PAO and consulting firm lead the formal assessment work and the team interviews. My role is technical. I am available during the engagement to pull evidence, clarify configurations, and address any technical findings as they come up. After the assessment, I take on the technical items in the POA&M and work them to closure.


Through all of it, I am your IT partner. I am not handing you a report and walking away.


The Microsoft 365 Question Almost Every Contractor Asks

Most small contractors I work with are running Microsoft 365 commercial. The first question they ask is whether commercial is enough or whether they need GCC High. (For a deeper look at why default Microsoft 365 settings are not enough for small businesses with compliance obligations, see my earlier post on Microsoft 365 security and CMMC readiness in the DMV.)


It comes down to the data you handle.


If you only handle FCI, Microsoft 365 Commercial properly configured can support Level 1. If you handle CUI, the conversation gets more complicated. Some CUI categories require GCC High. Others can be handled in commercial with the right Business Premium or E5 add-ons, sensitivity labels, and data loss prevention policies in place.


This is one of the most expensive decisions a small contractor will make. GCC High licensing is significantly more expensive than commercial, and migration is a project. I help contractors think through the data they actually handle, the contracts they are pursuing, and the realistic path forward before they spend money they do not need to spend. Getting this decision right can save tens of thousands of dollars in licensing and migration costs.


What the Implementation Work Actually Looks Like

When I come into a small contractor's environment, the first thing I do is sort out what can be addressed in their systems versus what needs to be addressed through policy or process changes. Implementation does not happen in one big bang. It happens in steady, prioritized phases.


On the technical side, that means hardening on-prem file servers with proper access controls and audit logging. Enforcing least-privilege access so people only have what they need to do their job. Cleaning up firewall rules. Segmenting networks so CUI lives on its own VLAN, separated from general business traffic. Rolling out multi-factor authentication across the entire environment, not just on email but on VPN, server admin, firewall admin, and anywhere else credentials are used. Replacing shared logins with individual accounts so every action can be tied to a specific user. Deploying endpoint detection on every workstation. Configuring data loss prevention policies for documents that may contain CUI. Building real backup and recovery plans that are actually tested. (For the Microsoft 365 piece specifically, I have written about what actually needs to be configured in Microsoft 365 for small businesses.)
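Several of the items above (least privilege, MFA everywhere, replacing shared logins with individual accounts, disabling stale access) can be checked the same way an assessor will check them: against an inventory of accounts. The script below is an added example for this post, not the author's tooling. It assumes the account list has already been exported from the identity platform into the simple shape shown; the accounts themselves are constructed samples. Each finding is tagged with the NIST SP 800-171 Rev 2 requirement it maps to, which is the form the evidence eventually needs to take in the SSP and POA&M.

```python
"""Review an account inventory for the access-control gaps named in the post.

Added example; not the author's tooling. The inventory is a constructed sample
assumed to be exported from Microsoft 365 or Active Directory into this shape.
"""
from dataclasses import dataclass, field

INACTIVITY_LIMIT_DAYS = 90  # assumed policy value; use whatever your SSP states


@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enforced: bool
    privileged: bool           # holds an admin role or local admin rights
    has_mailbox: bool          # used for day-to-day email, i.e. not a dedicated admin identity
    days_since_sign_in: int
    owners: list = field(default_factory=list)  # people who know this account's password


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, False, True, 2, ["J. Doe"]),
    Account("jdoe-admin", True, True, True, False, 5, ["J. Doe"]),
    Account("frontdesk", True, False, False, True, 1, ["A. Smith", "B. Jones", "C. Lee"]),
    Account("itadmin", True, False, True, True, 3, ["D. Kim"]),
    Account("contractor2022", True, True, False, True, 200, ["E. Park"]),
    Account("oldvendor", False, False, False, True, 400, ["F. Ray"]),
]


def review_account(acct: Account) -> list[str]:
    """Return findings for one account, prefixed with the 800-171 Rev 2 requirement ID."""
    findings = []
    if not acct.enabled:
        return findings  # disabled accounts are the desired end state for stale access
    if len(acct.owners) > 1:
        findings.append(
            f"3.5.1 shared account '{acct.name}' is used by {len(acct.owners)} people; "
            "actions cannot be tied to one individual"
        )
    if not acct.mfa_enforced:
        findings.append(f"3.5.3 no MFA enforced on '{acct.name}'")
    if acct.privileged and acct.has_mailbox:
        findings.append(
            f"3.1.5 privileged account '{acct.name}' is also a daily-use mailbox account; "
            "use a separate admin identity"
        )
    if acct.days_since_sign_in > INACTIVITY_LIMIT_DAYS:
        findings.append(
            f"3.5.6 '{acct.name}' has not signed in for {acct.days_since_sign_in} days "
            "but is still enabled"
        )
    return findings


def review_inventory(accounts) -> dict:
    """Map account name to its findings; accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_ACCOUNTS).items():
        for finding in findings:
            print(finding)
```

On the sample data this flags the shared front-desk login and its missing MFA, the admin who reads email from a privileged account, and a contractor account nobody has disabled, while the properly separated jdoe / jdoe-admin pair passes clean. Rerunning the same review after remediation, and keeping both outputs, is the kind of before-and-after evidence an assessor can actually use.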


On the documentation side, the work is producing the technical evidence the formal documentation depends on. Network diagrams, configuration records, audit logs, and proof that controls are working. The C3PAO or consulting firm leads the formal write-up. My job is to make sure the technical evidence behind it is accurate and complete.


This is not a weekend project. It is steady work, done right, over months. That is the difference between paying for a report and actually being ready when the contract requires it.


My Services Include

  • CMMC Level 1 self-assessment preparation and SPRS attestation support

  • Environment review and remediation roadmapping aligned to NIST 800-171 for Level 2 readiness

  • On-prem server hardening, access controls, and audit logging configuration

  • Network segmentation, firewall rule cleanup, and switch configuration for CUI environments

  • Microsoft 365 and cloud platform security hardening for FCI and CUI

  • Endpoint detection and response deployment across workstations and laptops

  • GCC High versus Commercial licensing strategy for small contractors

  • Technical input and evidence for Level 2 SSP and POA&M led by the C3PAO or consulting firm

  • Direct SSP and POA&M build-out for Level 1 contractors and clients without a consulting firm engaged

  • Network diagrams and technical documentation for every client

  • Coordination and implementation work with C3PAO assessors

  • Ongoing managed IT support for small government contractors


Frequently Asked Questions

Do you perform CMMC Level 2 assessments?

No. I am not a Certified Third-Party Assessor Organization, or C3PAO. CMMC Level 2 assessments must be performed by an accredited C3PAO. What I do is implement the technical controls and produce the technical evidence the assessment relies on. The C3PAO or consulting firm typically leads the formal documentation. I partner with C3PAOs across the country when contractors need a referral, and I work alongside whichever assessor you choose, regardless of where they are located.


Can a small contractor with only a few employees really need CMMC?

Yes. CMMC level is determined by the data you handle, not the size of your company. If you have a DoD contract or subcontract that includes Federal Contract Information or Controlled Unclassified Information, you fall under CMMC. I work with contractors as small as three or four people who need Level 1 or Level 2 readiness, handling the technical implementation work that compliance requires. For Level 2, I partner with C3PAOs and consulting firms who lead the formal assessment side.


What is the difference between CMMC Level 1 and CMMC Level 2?

Level 1 covers 17 basic safeguarding requirements for contractors who handle FCI. It can be self-assessed. Level 2 covers all 110 controls in NIST SP 800-171 for contractors who handle CUI. Most Level 2 contractors require a third-party assessment from a C3PAO. The data you touch determines which level applies to you.


How long does it take to prepare a small contractor for CMMC Level 2?

Twelve to eighteen months is realistic for a small contractor starting from scratch, and every environment is different. The timeline depends on how much foundational work needs to happen across the whole environment. On-prem servers, network gear (some of which may need to be replaced if it cannot meet Level 2 requirements), Microsoft 365 licensing and configuration, whether you need to migrate to GCC High, identity and access controls, backups, documentation, and how quickly your team can implement policy and procedure changes. Some contractors are further along than they think. Others have more ground to cover than they realized. Starting now is always better than starting later.


Do I need GCC High to be CMMC compliant?

Not always. GCC High is required for certain types of CUI and certain export-controlled data, but many small contractors can meet CMMC Level 2 requirements in Microsoft 365 Commercial with the right licensing, configuration, and data loss prevention policies. The right answer depends on the specific contracts and data you handle. I help contractors work through that decision before they spend money on a migration they may not need.


Can I just self-assess for CMMC Level 1 without help?

Technically yes. Practically, this is risky. Self-assessment carries real legal exposure under the False Claims Act if you certify controls you do not actually have in place. Most small contractors I work with bring me in to make sure the controls are real, the documentation is honest, and the SPRS submission accurately reflects their environment.


What is a System Security Plan and do I really need one?

A System Security Plan, or SSP, is a written document that describes your environment, the controls you have in place, and how those controls meet CMMC requirements. For Level 2 you absolutely need one. Assessors will ask for it. For Level 1 it is best practice even though it is not strictly required. For Level 2, the C3PAO or consulting firm leading the assessment typically writes the formal SSP, and I provide the technical input and evidence that backs it up. For Level 1 or clients without a consulting firm engaged, I can produce the SSP and supporting documentation directly. The technical evidence comes from the implementation work itself.


Do you work with government contractors outside of Maryland?

Yes. I am based in Columbia, MD and serve small government contractors across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, and small businesses throughout the United States. Most CMMC implementation work is done remotely. I currently have Maryland-based clients working with C3PAO assessors out of Texas, which is a good example of how location does not limit who I can help or who you can partner with for your assessment. On-site visits are available throughout my normal service area of Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, and Delaware, and I am willing to travel and fly out for engagements that require on-site work elsewhere in the country.


What happens if my prime contractor pushes CMMC requirements down to me?

That is becoming the most common way small contractors learn about CMMC. If your prime is asking you to certify Level 1 or pursue Level 2, the clock is already running. The first step is figuring out what data you actually handle under that contract, and then building a realistic plan to meet the requirements before the contract action date. I can help you have that conversation with your prime if needed.


A Quick Note for the Rest of the GovCon Ecosystem

CMMC applies to defense contractors and subcontractors. But plenty of small businesses live around the edges of the federal contracting world. Capture firms, proposal consultants, professional services groups, vendors, and partners who support government contractors but are not directly pursuing CMMC themselves. The IT work in this post still applies. Locking down access, managing the environment, documenting the network, protecting backups, and running a tight Microsoft 365 setup is foundational for any small business handling sensitive client information. If you serve the GovCon community in any capacity, you are welcome to reach out.


Let's Get You Ready Before the Deadline

Based in Columbia, MD and serving small government contractors across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, and small businesses throughout the United States, I handle the technical implementation work that CMMC compliance requires. Hardening your environment, configuring your systems, producing the technical evidence, and supporting your formal documentation. Whether you are preparing for a Level 1 self-assessment or partnering with a C3PAO for Level 2, I am the IT partner who actually does the technical work.


If you would like to talk through where your environment stands and what it would take to get you assessment-ready, contact me today.

