Insights

Government Contractor Cybersecurity: CMMC, DFARS, and What SMBs Actually Need to Know

government contractor, CMMC, DFARS, cybersecurity, compliance, Northern Virginia

The federal government's supplier base includes hundreds of thousands of small businesses — companies that manufacture components, provide professional services, support logistics operations, and develop software. Many of these organizations handle sensitive government data as part of their work: controlled unclassified information, technical specifications, acquisition-sensitive details, or personally identifiable information from government systems.

For years, the security requirements on these organizations were largely a matter of self-attestation: contractors certified that they met the requirements, and nobody independently verified the claim. The gap between what organizations attested to and what they had actually implemented was significant.

That is changing. The Cybersecurity Maturity Model Certification (CMMC) program and continuing enforcement of DFARS 252.204-7012 are moving the contractor security landscape toward third-party verification and demonstrated implementation. For small and mid-sized contractors, this creates real compliance obligations that require real resources to meet.


The Regulatory Landscape

DFARS 252.204-7012 requires contractors that handle Controlled Unclassified Information (CUI) to implement the 110 security requirements of NIST SP 800-171, to report cyber incidents to the Department of Defense within 72 hours of discovery, and to use only cloud services that meet the FedRAMP Moderate baseline (or equivalent) for any CUI they store, process, or transmit. The clause has been in effect since 2017. Enforcement was historically inconsistent, but False Claims Act actions against contractors that misrepresented their compliance have increased significantly.

CMMC 2.0 is the Department of Defense's certification framework for the defense industrial base. It establishes three levels:

  • Level 1 (Foundational): the 15 basic safeguarding requirements of FAR 52.204-21. Required for contractors handling Federal Contract Information (FCI) but not CUI. Annual self-assessment with an annual affirmation.
  • Level 2 (Advanced): the 110 requirements of NIST SP 800-171. Required for contractors handling CUI. Assessment by a certified third-party assessment organization (C3PAO) every three years for most contracts, with a self-assessment on the same three-year cycle permitted for a limited subset; both carry an annual affirmation.
  • Level 3 (Expert): the 110 Level 2 requirements plus 24 selected from NIST SP 800-172, 134 in total. Required for contractors on high-priority programs. Assessed by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) on top of an existing Level 2 certification.

CMMC requirements are being phased into contracts over several years rather than appearing everywhere at once. By 2026, CMMC requirements are anticipated to be broadly incorporated in DoD solicitations.

FedRAMP is the authorization program for cloud services used by federal agencies. It is not a contractor certification, but it bears on contractors in two ways: DFARS 252.204-7012 requires that any cloud service holding CUI meet the FedRAMP Moderate baseline or its equivalent, and contractors that resell or build on cloud services for federal customers need to know whether those services are authorized, which affects both procurement eligibility and security posture.


What NIST SP 800-171 Actually Requires

NIST SP 800-171 (Revision 2, the version CMMC Level 2 is assessed against) organizes its 110 requirements into 14 families. For small contractors assessing their obligations, the families that most commonly produce findings are:

Access Control (22 requirements). Limit system access to authorized users and authorized functions. Control access to CUI on a need-to-know basis. Manage privileged accounts separately from standard user accounts.

Audit and Accountability (9 requirements). Create, protect, and retain audit logs. Review and analyze logs for evidence of attacks. Ensure that the actions of individuals can be traced to those individuals.

Configuration Management (9 requirements). Establish and maintain baseline configurations for organizational systems. Restrict, disable, or prevent the use of nonessential programs and services. Control and monitor user-installed software.

Identification and Authentication (11 requirements). Identify system users and authenticate their identities before granting access. Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3). Enforce password complexity, prohibit reuse across a set number of generations, and store and transmit passwords only in cryptographically protected form.

Incident Response (3 requirements). Establish an operational incident-handling capability. Track, document, and report incidents. Test incident response capabilities regularly.

System and Communications Protection (16 requirements). Monitor, control, and protect communications at external boundaries and key internal boundaries. Separate publicly accessible system components from internal networks, and use an architecture that keeps CUI segregated from systems that do not need it. Use cryptography to prevent unauthorized disclosure of CUI in transit and at rest, and use FIPS-validated cryptography when doing so (3.13.11), which assessors score separately from whether encryption is used at all.

System and Information Integrity (7 requirements). Identify and report flaws in systems. Provide protection from malicious code. Monitor systems to detect attacks.


Where Small Contractors Typically Fall Short

Assessments of small contractors against 800-171 requirements consistently identify the same gaps:

CUI identification and handling. Many small contractors do not have a defined process for identifying what data constitutes CUI, where it is stored, who has access to it, and how it should be marked, handled, and disposed of. This is foundational — you cannot protect CUI if you do not know what it is and where it lives.

System security plan. NIST SP 800-171 requires a documented System Security Plan (SSP) describing the system boundary, how each of the 110 requirements is implemented, and who is responsible (3.12.4). The SSP is also the starting point of any assessment: without one, a DoD assessment cannot be conducted. Most small contractors have never produced one.

Plans of Action and Milestones. When a requirement is not fully implemented, the organization is expected to document a plan for getting there, with milestones (3.12.2). The Plan of Action and Milestones (POA&M) is required documentation, and a requirement on a POA&M still counts as not implemented for scoring purposes. Most small contractors do not have one.

Multi-factor authentication. 800-171 requires MFA for network access to every account and for both local and network access to privileged accounts. Small contractors frequently have MFA on corporate email but not on VPN, remote desktop, or other remote access paths, and almost never on local administrator logons to servers and workstations.

Configuration management. Baseline configurations, hardening standards, and change management processes for IT systems are rarely documented at small contractors and often not implemented systematically even where documentation exists.

Audit logging. The logging requirements in 800-171 call for more than the default Windows Security log. Authentication events, administrator activity, access to CUI repositories, account and group changes, and audit policy changes should all be logged, retained, and reviewed, and each event needs to be attributable to an individual. Object-access auditing, the category that records who opened which file on a CUI file share, is off by default and produces nothing until both the audit subcategory and a SACL on the repository are configured.
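A quick way to see whether a log stream actually evidences those categories is to map required categories to the Windows Security event IDs that prove them and check a sample against the map. The following is an added example, not code from the original page or from any vendor tool; the category names, the grouping of event IDs under them, and the sample events are this example's own constructed assumptions, while the event IDs themselves are the standard Windows Security log IDs.

```python
from collections import defaultdict

# Which Windows Security log event IDs evidence each logging category the
# requirement calls for. The IDs are standard Windows Security event IDs;
# the category names and the grouping are this example's own.
REQUIRED_EVIDENCE = {
    "authentication": {4624, 4625},            # logon success, logon failure
    "privileged_activity": {4672, 4688},       # special privileges assigned, process created
    "account_management": {4720, 4728, 4732},  # user created, member added to global/local group
    "cui_repository_access": {4663, 4670},     # object accessed, object permissions changed
    "audit_policy_change": {4719},             # system audit policy changed
}

# Identities that cannot be traced to an individual (3.3.2).
UNTRACEABLE = {"", "-", "ANONYMOUS LOGON"}

# Constructed sample: the kind of stream a file server with default audit
# settings emits. Object-access events (4663/4670) are absent because the
# "Audit File System" subcategory and a SACL on the CUI share were never set.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "FS01", "TargetUserName": "jdoe", "LogonType": 10},
    {"EventID": 4672, "Host": "FS01", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "Host": "FS01", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4625, "Host": "FS01", "TargetUserName": "administrator", "LogonType": 3},
    {"EventID": 4624, "Host": "FS01", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3},
    {"EventID": 4728, "Host": "DC01", "SubjectUserName": "jdoe", "MemberName": "CN=tsmith"},
    {"EventID": 4719, "Host": "FS01", "SubjectUserName": "jdoe"},
]


def actor(event):
    """Return the account an event is attributable to, or '' if none."""
    return str(event.get("TargetUserName") or event.get("SubjectUserName") or "").strip()


def coverage(events, required=REQUIRED_EVIDENCE):
    """Map each required category to the set of event IDs actually observed."""
    seen = defaultdict(set)
    for e in events:
        for category, ids in required.items():
            if e["EventID"] in ids:
                seen[category].add(e["EventID"])
    return {category: seen[category] for category in required}


def missing_categories(events, required=REQUIRED_EVIDENCE):
    """Categories with no supporting events at all: each one is an assessment finding."""
    return sorted(c for c, ids in coverage(events, required).items() if not ids)


def untraceable_events(events):
    """Events that cannot be tied to an individual (3.3.2)."""
    return [e for e in events if actor(e).upper() in UNTRACEABLE]


if __name__ == "__main__":
    print("missing:", missing_categories(SAMPLE_EVENTS))
    for e in untraceable_events(SAMPLE_EVENTS):
        print("untraceable:", e)
```

Run against real exports, the check is only as good as the time window you feed it: a category that is configured but simply had no activity in the window looks the same as one that was never enabled, so treat a gap as a prompt to inspect audit policy and SACLs rather than as proof by itself.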

Incident response. An operational incident response capability with a documented plan, defined roles, and tested procedures is uncommon among small contractors.


The Self-Assessment Score

Since November 2020, DoD contractors handling CUI have been required to have a current (no more than three years old) self-assessment score on file in the Supplier Performance Risk System (SPRS) before award. The score uses the DoD Assessment Methodology for NIST SP 800-171: it starts at 110, and each unimplemented requirement deducts a fixed 5, 3, or 1 points depending on its weight, so the lowest possible score is -203.

The self-assessment process has significant problems. Contractors apply their own judgment to partially implemented requirements, often crediting them as implemented even though the methodology deducts the full weight for anything short of full implementation (with two narrow exceptions), and the scores are not independently verified. When DIBCAC or C3PAO assessments are performed, the gap between self-assessed and assessed scores is frequently substantial.
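The scoring rules are simple enough to encode, and doing so makes the partial-implementation trap above concrete. The block below is an added example, not the page's or DoD's code; it uses a constructed subset of requirements whose weights follow the DoD Assessment Methodology, the two partial-credit cases that methodology defines (MFA and FIPS-validated cryptography), and a constructed set of findings. The full 110-entry weight table is not reproduced here and must be taken from the methodology itself.

```python
MAX_SCORE = 110

# Constructed subset of NIST SP 800-171 Rev 2 requirements with their
# DoD Assessment Methodology weights (5, 3 or 1). Illustrative only; the
# full table of 110 must be taken from the methodology document.
WEIGHTS = {
    "3.1.1": 5,      # limit system access to authorized users
    "3.1.5": 3,      # least privilege
    "3.3.1": 5,      # create and retain audit logs
    "3.5.3": 5,      # multifactor authentication
    "3.6.3": 1,      # test incident response capability
    "3.12.4": None,  # system security plan: unscored; its absence voids the assessment
    "3.13.11": 5,    # FIPS-validated cryptography for CUI
}

# The two requirements for which the methodology deducts 3 instead of 5 for
# a specific partial implementation: MFA in place for remote and privileged
# users but not general users; encryption in place but not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def floor_score(weights=WEIGHTS):
    """Lowest possible score for this weight table (-203 for the full table)."""
    return MAX_SCORE - sum(w for w in weights.values() if w)


def sprs_score(findings, weights=WEIGHTS):
    """Score a self-assessment.

    findings maps requirement id -> implemented | partial | not_implemented.
    A requirement missing from findings is scored as not implemented: no
    evidence, no credit. A requirement on a POA&M is still not implemented.
    """
    if findings.get("3.12.4") != IMPLEMENTED:
        raise ValueError("no System Security Plan on file: assessment cannot be scored")
    deductions = {}
    for req, weight in weights.items():
        if weight is None:
            continue
        status = findings.get(req, NOT_IMPLEMENTED)
        if status == IMPLEMENTED:
            continue
        # "Partial" earns a reduced deduction only where the methodology says so;
        # everywhere else a partially implemented requirement is not implemented.
        deductions[req] = PARTIAL_CREDIT.get(req, weight) if status == PARTIAL else weight
    return {"score": MAX_SCORE - sum(deductions.values()), "deductions": deductions}


# Constructed example assessment of a small contractor.
EXAMPLE_FINDINGS = {
    "3.1.1": IMPLEMENTED,
    "3.1.5": NOT_IMPLEMENTED,
    "3.3.1": PARTIAL,       # logs exist but are not retained: full 5-point deduction
    "3.5.3": PARTIAL,       # MFA on VPN and admin accounts only: 3-point deduction
    "3.6.3": NOT_IMPLEMENTED,
    "3.12.4": IMPLEMENTED,
    "3.13.11": PARTIAL,     # TLS everywhere, but not FIPS-validated modules: 3 points
}

if __name__ == "__main__":
    result = sprs_score(EXAMPLE_FINDINGS)
    print(result["score"], result["deductions"])
```

Note what the example does to 3.3.1: a contractor who self-scores "we have logs, mostly" as implemented gains 5 points the methodology does not allow, which is exactly the kind of gap an assessor closes.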

Organizations that submitted a score that does not reflect their actual implementation state are exposed to False Claims Act liability; the Department of Justice's Civil Cyber-Fraud Initiative has already produced settlements with contractors over misrepresented cybersecurity compliance.


What CMMC Preparation Actually Involves

Getting ready for a CMMC Level 2 assessment is not primarily a documentation project. The controls need to be implemented and operating effectively. The assessment process requires evidence of implementation, not just policies describing what the organization intends to do.

The practical preparation sequence for most small contractors:

  1. Scope definition. Identify which systems store, process, or transmit CUI, plus the systems that protect them (identity provider, logging, endpoint management), and define the assessment boundary. Reducing scope, for example by isolating CUI processing in a dedicated enclave, reduces the number of systems and controls subject to assessment.

  2. Gap assessment. Assess current implementation against all 110 800-171 requirements. Document findings, evidence of implementation, and gaps.

  3. System Security Plan development. Produce the SSP describing the system environment, control implementations, and responsible parties.

  4. Remediation planning. For gaps, develop a POA&M with realistic timelines, resource assignments, and milestones.

  5. Remediation execution. Implement the required controls. This is where the actual security work happens.

  6. Pre-assessment review. Before engaging a C3PAO, a pre-assessment review identifies remaining gaps that would produce assessment findings.

  7. C3PAO assessment. The formal assessment for CMMC Level 2.

The timeline from gap assessment to passing a C3PAO assessment varies significantly by organization. For small contractors with significant gaps, 12-18 months of active remediation work is not unusual.


Working with an MSP or Managed Security Provider

Many small contractors rely on managed service providers for IT operations. The CMMC and 800-171 requirements extend to the service providers that process, store, or transmit CUI on behalf of contractors. Understanding what your MSP does and does not cover — and what their own security posture looks like — is part of your compliance obligation.

Under the CMMC rule, an MSP that stores, processes, or transmits CUI on your behalf is assessed as part of your own assessment scope, and a cloud service provider that does so must meet the FedRAMP Moderate baseline or its equivalent. In either case you need contractual provisions requiring the provider to implement the applicable requirements, a shared responsibility matrix stating which of the 110 requirements the provider covers, and evidence that it actually does.


Northern Virginia Context

Northern Virginia is home to one of the largest concentrations of government contractors in the country — from large defense primes in Tysons and Reston to small professional services firms in Arlington and Alexandria. Many of these organizations are navigating CMMC preparation alongside their core business operations, without dedicated security staff.

NightFortress works alongside existing IT providers and MSPs at NoVA-area contractors to develop and implement the security programs required for CMMC compliance. If you are beginning the compliance process or are concerned about gaps in your current implementation, a conversation is the right starting point.

The regulatory requirements are expanding. The enforcement environment is stricter than it was three years ago. The cost of proactive compliance is substantially lower than the cost of a False Claims Act action or a failed CMMC assessment.