Defense contractors: CMMC 2.0 compliance is now required to bid on DoD contracts.
DoD Cybersecurity Compliance

CMMC 2.0 compliance, handled by people who know defense contracting.

If you work with the Department of Defense, CMMC 2.0 certification is now a contract requirement. We help you figure out which level you need and how to get there.

Required for all DoD contracts involving controlled unclassified information (CUI)
Three levels based on the sensitivity of the information you handle
Non-compliance means losing eligibility on current and future DoD contracts
Talk to a CMMC specialist
Tell us about your situation. A specialist will assess your current position and walk you through what certification requires for your specific contracts.
Free assessment, no commitment required
No payment required. A specialist follows up within one business day.
300K+ DoD contractors required to comply with CMMC
3 certification levels, based on data sensitivity
110 security practices required at Level 2
2025: Full CMMC enforcement began rolling out
Does this apply to you

Not every DoD contractor needs the same level of compliance

Requirements depend on what information your contracts involve, not just whether you work with the DoD.

FCI only
Level 1
Your contract involves Federal Contract Information but no Controlled Unclassified Information. Annual self-assessment, 17 basic practices.
Most common
Level 2
Your contract involves Controlled Unclassified Information (CUI). 110 practices aligned with NIST SP 800-171. Third-party assessment required for most contracts.
High-priority programs
Level 3
Reserved for the most sensitive DoD programs involving critical national security information. Government-led assessment, based on NIST SP 800-172.
Not sure which level your contract requires?
Check your contract or solicitation for CUI, DFARS clause 252.204-7012, or CMMC. If any appear, you almost certainly need Level 2 or above. If you are unsure, the free assessment is the fastest way to a straight answer.
What is CMMC 2.0

A federal cybersecurity standard that is now a contract requirement.

CMMC is the DoD's framework for making sure contractors protect federal contract information and controlled unclassified information (CUI). It replaced self-attestation, so contractors now have to prove compliance, not just claim it.

Applies across the defense industrial base
Any contractor or subcontractor that handles DoD data needs to meet the appropriate CMMC level for their work.
Built on existing NIST frameworks
Level 2 aligns with the 110 security practices in NIST SP 800-171. If you have already started on NIST compliance, you have a head start.
The three certification levels
Level 1
Foundational
Covers basic cyber hygiene. 17 practices focused on protecting Federal Contract Information (FCI). Self-assessment is allowed.
Annual self-assessment
Level 2
Advanced
110 practices aligned with NIST SP 800-171. Required for contractors handling Controlled Unclassified Information (CUI). Third-party assessment required for most contracts.
Third-party assessment (C3PAO)
Level 3
Expert
Reserved for the most sensitive DoD programs. Based on a subset of NIST SP 800-172 practices. Government-led assessment required.
Government-led assessment
How we help

From where you are to where you need to be

Most contractors know they need CMMC but are not sure where to start. We do.

1. Assess

Gap assessment

We review your current security posture against the CMMC level your contracts require and identify exactly what is missing. No jargon, just a clear list of gaps and priorities.

2. Remediate

Plan and fix

We build a remediation roadmap tailored to your business, then work through it with you. We handle the documentation, the policies, and the technical controls side by side with your team.

3. Certify

Get certified and stay there

We prepare you for the assessment and connect you with a certified C3PAO assessor when required. Then we help you maintain compliance so nothing lapses between contracts.

Why fed.net

We work with defense contractors, not just IT firms

Most CMMC consultants come from pure cybersecurity. We come from federal contracting, so we understand the contract, not just the controls.

Contract-aware guidance
We tailor the path to what your contracts actually require, not a generic checklist. If you only need Level 1, we will not oversell you on Level 2.
A dedicated specialist
One person who knows your business and your timeline. Not a different consultant every call, not a shared inbox. The same point of contact from assessment through certification.
We already know federal contracting
We already handle SAM registration and set-aside certifications. If you are new to federal contracting, we can get you registered and CMMC compliant at once, not through two firms.
What happens after you reach out

No black box, no commitment until you are ready

Exactly what happens from the moment you submit, so there are no surprises.

You submit the form
Takes about two minutes. No payment at this stage, and nothing is charged until you have reviewed and agreed to move forward.
Right now
1
A CMMC specialist calls you
A real person reviews your contracts and current security controls, then gives you a straight read on which level applies and what it takes to get there.
Within one business day
2
Gap assessment
We check your security posture against the required CMMC practices and hand you a clear, prioritized gap list. No jargon, just what to fix and in what order.
After you decide to move forward
3
Remediation and documentation
We build your System Security Plan, policies, and technical controls, then work through the list with your team at a pace that fits your contract timeline.
4
Assessment and certification
For Level 2 we prep you for the third-party assessment and connect you with an accredited C3PAO. For Level 1 we prepare your self-assessment. Then we help you stay compliant.
Timeline depends on your starting posture
On cost: Pricing depends on your current security posture, your contract requirements, and the size of your organization. Your specialist will walk you through what is involved and what it costs after the initial assessment. There is no payment to get started.
Questions

CMMC questions, answered plainly

How do I know which level I need?

It depends on the information your contract involves. FCI only means Level 1. CUI means Level 2, which covers most defense programs. Level 3 is for a small set of high-priority programs. We confirm your level first, so you never over- or under-prepare.

We already have a NIST 800-171 plan. Does that count toward CMMC?

Yes, a real head start. Level 2 is built on the 110 practices in NIST SP 800-171, so your existing plan carries over. The difference is CMMC needs a third-party assessment, not self-attestation, so we prepare you for how assessors actually evaluate it.

What is a C3PAO and do we need one?

A C3PAO is the accredited firm that conducts your CMMC assessment. At Level 2, most contracts require one rather than self-assessment. We prepare you and connect you with an accredited C3PAO. We are not one ourselves, so we have no conflict of interest.

How long does CMMC compliance take?

It depends on your posture and level. Level 1 can take weeks if basic hygiene is in place. Level 2 with real gaps takes several months. We give you an honest estimate after the gap assessment, not a feel-good number.

Do subcontractors need CMMC certification too?

Yes. Subcontractors handling CUI need to meet the appropriate level too, just like primes. The flow-down rule also makes primes responsible for their subs. If you are a prime, it covers your supply chain. If you are a sub, it applies to you directly.

Is this right for you

We would rather be honest than oversell

CMMC is a real requirement for the right businesses. Here is an honest read on whether we are a fit.

This is a good fit if
You have or are pursuing DoD contracts that involve CUI or FCI
Your solicitation references DFARS 252.204-7012, NIST SP 800-171, or CMMC
You are a subcontractor whose prime requires CMMC compliance
You want to get ahead of compliance before it blocks a contract award
It is probably not for you if
Your contracts are with civilian agencies only and involve no DoD work
Your work does not involve handling any federal data or government information
You already have a C3PAO managing your CMMC program
You need a full managed security services provider (MSSP), not a compliance consultant
Get started

Find out what CMMC compliance requires for your contracts.

A free assessment with a specialist. No commitment, no pressure, just a straight answer on where you stand and what it takes.
