[ COMPLIANCE ] // CMMC 2.0 LEVEL 2

CMMC 2.0 Level 2 systems built by engineers, not auditors with slide decks.

We design CUI enclaves on GCC High and AWS GovCloud, implement all 110 NIST SP 800-171 Rev. 2 controls in code, and write SSPs that hold up under DIBCAC scrutiny. SDVOSB-certified, veteran-led.

Veteran-Owned SDVOSB
[001 / 005] Field Conditions

Most CMMC programs fail because the system doesn't match the paperwork.

// SITUATION

We get called in after the first failed assessment. The pattern is consistent: a consultant wrote a 200-page SSP describing controls that were never actually implemented, the team is still using commercial Microsoft 365 for CUI emails, the GitHub repo has no branch protection, and the POA&M lists 40 open items with no owners. The DIBCAC assessor or C3PAO walks through the system, asks for evidence, and the gap between the document and reality becomes obvious within an hour. Then the prime pulls the subcontract, or the contract opportunity moves on.

  • CUI flowing through commercial Microsoft 365 or Google Workspace tenants that were never authorized for it
  • SSPs written from templates, describing controls the engineering team has never heard of, let alone implemented
  • FIPS-validated crypto claimed but the actual TLS endpoints, KMS keys, and MFA tokens are not on the CMVP list
  • POA&M items with no owner, no budget, no closure date — assessors treat these as unmet controls
  • 110 / 110: NIST 800-171 controls implemented as code
  • < 12 wks: typical GCC High enclave standup
  • SDVOSB: certified for federal set-aside vehicles
[002 / 005] Operational Approach

Build the enclave first. Then write the SSP against what actually exists.

  1. STEP-01

    Scope the CUI boundary

    Map every system that stores, processes, or transmits CUI. Most teams scope too wide and inherit pain. We draw a tight enclave boundary — usually GCC High or AWS GovCloud — and push everything else (marketing, HR, non-CUI dev) outside it. Smaller boundary, fewer controls to inherit.

  2. STEP-02

    Stand up the enclave

    GCC High tenant or GovCloud account with FIPS 140-2/3 validated endpoints, Entra ID Conditional Access, phishing-resistant MFA (FIDO2 / PIV), and a hardened EDR baseline. Logs flow into a Sentinel or GuardDuty + Security Hub pipeline with 90-day hot and 1-year cold retention per the AU controls.

  3. STEP-03

    Engineer controls into the SDLC

    Controls live in code, not Word docs. Branch protection in GitHub Enterprise Cloud (GCC), signed commits, SAST/DAST in the pipeline, IaC scanning with Checkov, secrets in Key Vault or Secrets Manager. Every control maps to a pipeline check or a Sentinel analytic — assessor-verifiable, not narrative.

  4. STEP-04

    Write the SSP and POA&M honestly

    110 controls, 320 assessment objectives. We write the SSP against the system as built, with diagrams that match reality. POA&M items get owners, dates, and budget. Sloppy SSPs fail Joint Surveillance Voluntary Assessments fast — the DIBCAC team reads them.

  5. STEP-05

    Drive to assessment

    Self-assessment for Level 2 non-prioritized, C3PAO assessment for prioritized acquisitions. We rehearse with a mock assessment, fix gaps, then schedule the real thing. JSVA path gets you a 3-year DoD-recognized score before the C3PAO market clears.

// YAML PATTERN
# control-mapping.yml — every NIST 800-171 control maps to an enforceable artifact
# Reviewed by the assessor against actual system state, not policy PDFs.

controls:
  AC.L2-3.1.1:
    description: Limit system access to authorized users
    implementation:
      - entra_id_conditional_access_policy: require-compliant-device
      - github_saml_sso: enforced
      - aws_iam_identity_center: scim_provisioned
    evidence:
      - sentinel_query: SigninLogs | where ConditionalAccessStatus == 'success'
      - export: monthly_access_review.csv

  IA.L2-3.5.3:
    description: Multi-factor authentication for privileged accounts
    implementation:
      - fido2_security_keys: yubikey_5_fips
      - piv_smartcard: optional
      - sms_otp: DISALLOWED
    evidence:
      - entra_authentication_methods_report

  SC.L2-3.13.11:
    description: FIPS-validated cryptography for CUI
    implementation:
      - tls_endpoints: fips_140_3_validated
      - kms: aws_kms_fips_endpoint
      - storage_encryption: cmk_with_fips_module
    evidence:
      - nist_cmvp_certificate_numbers: [4282, 4398]

Controls become CI checks and queryable evidence. Assessors verify the system, not the prose around it.
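As an added example (not VooStack's own tooling), a Python gate of the kind described above: it fails the pipeline when a control in control-mapping.yml has no enforceable implementation or queryable evidence, lists a weak authenticator without marking it DISALLOWED, or claims FIPS without CMVP certificate numbers. The WEAK_MFA set and the control-id regex are assumptions; the embedded mappings are constructed copies of the page's YAML, already parsed.

```python
"""CI gate for control-mapping.yml (added example, not the page's own tooling). In CI the
mapping is yaml.safe_load(open("control-mapping.yml")); here a constructed copy is a dict."""
import re

# NIST SP 800-171 Rev. 2 family prefixes and the id shape used in the mapping (assumed)
CONTROL_ID = re.compile(
    r"^(AC|AT|AU|CA|CM|IA|IR|MA|MP|PE|PS|RA|SC|SI)\.L2-3\.\d{1,2}\.\d{1,2}$")
WEAK_MFA = {"sms_otp", "voice_otp", "email_otp"}  # assumed: never acceptable for privileged MFA

def _pairs(items):
    """Flatten a YAML list of one-key dicts and bare strings into (key, value)."""
    out = []
    for item in items or []:
        out.extend(item.items() if isinstance(item, dict) else [(str(item), None)])
    return out

def validate_controls(mapping):
    """Return findings as strings; an empty list means the pipeline gate passes."""
    findings = []
    for cid, ctl in mapping.get("controls", {}).items():
        if not CONTROL_ID.match(cid):
            findings.append(f"{cid}: not a valid 800-171 Level 2 control id")
        impl, evidence = _pairs(ctl.get("implementation")), _pairs(ctl.get("evidence"))
        if not impl:
            findings.append(f"{cid}: no enforceable implementation listed")
        if not evidence:
            findings.append(f"{cid}: no queryable evidence listed")
        for key, value in impl:
            # A weak authenticator may be listed only to record that it is DISALLOWED
            if key in WEAK_MFA and str(value).upper() != "DISALLOWED":
                findings.append(f"{cid}: {key} must be DISALLOWED, got {value!r}")
        # SC controls claiming FIPS must cite CMVP certificates the assessor can look up
        claims_fips = cid.startswith("SC.") and any("fips" in f"{k}{v}".lower() for k, v in impl)
        if claims_fips and not any(k == "nist_cmvp_certificate_numbers" and v for k, v in evidence):
            findings.append(f"{cid}: FIPS claimed without CMVP certificate numbers")
    return findings

# Constructed mirror of the page's control-mapping.yml (passes the gate)
GOOD_MAPPING = {"controls": {
    "AC.L2-3.1.1": {"implementation": [{"github_saml_sso": "enforced"}],
                    "evidence": [{"sentinel_query": "SigninLogs | where ConditionalAccessStatus == 'success'"}]},
    "IA.L2-3.5.3": {"implementation": [{"fido2_security_keys": "yubikey_5_fips"}, {"sms_otp": "DISALLOWED"}],
                    "evidence": ["entra_authentication_methods_report"]},
    "SC.L2-3.13.11": {"implementation": [{"tls_endpoints": "fips_140_3_validated"}],
                      "evidence": [{"nist_cmvp_certificate_numbers": [4282, 4398]}]}}}
# Constructed drift of the kind that fails a first assessment
BAD_MAPPING = {"controls": {
    "IA.L2-3.5.3": {"implementation": [{"sms_otp": "fallback"}], "evidence": []},
    "SC.L2-3.13.11": {"implementation": [{"kms": "aws_kms_fips_endpoint"}], "evidence": [{"export": "tls_scan.csv"}]},
    "XX.L2-9.9.9": {"implementation": ["something"], "evidence": ["report"]}}}
```

Wire `validate_controls` into the pipeline so a non-empty findings list fails the build; the same findings list doubles as the gap list feeding the POA&M.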

[003 / 005] Common Questions

Field FAQ.

Do we actually need CMMC Level 2, or is Level 1 enough?

If your contract handles Controlled Unclassified Information (CUI) — anything marked CUI//SP-PRVCY, CUI//SP-PROCURE, ITAR technical data, or covered defense information — you need Level 2. Level 1 covers only Federal Contract Information (FCI) and 17 controls. Level 2 is the 110 controls from NIST SP 800-171 Rev. 2. Check your contract's DFARS 252.204-7012 clause and any CUI markings on government-furnished data. When in doubt, ask your contracting officer in writing.

GCC High or AWS GovCloud — which enclave should we use?

Depends on your stack. GCC High is the right call if you're Microsoft 365-heavy and need Teams, SharePoint, and Outlook for CUI collaboration — it inherits a lot of controls from Microsoft's FedRAMP High authorization. AWS GovCloud wins for custom application workloads, container platforms, and data pipelines. Many of our clients run both: GCC High for productivity and document handling, GovCloud for the application plane, connected via a hardened transit point.

What is the Joint Surveillance Voluntary Assessment (JSVA) and should we pursue it?

JSVA is a DIBCAC-led assessment under DFARS 252.204-7020 that, if passed, gives you a 3-year SPRS score recognized as equivalent to a CMMC Level 2 certification once the rule fully phases in. It's the fastest path to a defensible posture before C3PAO capacity scales. If you're a prime or a critical sub on a CUI contract, JSVA is worth pursuing now rather than waiting in the C3PAO queue.

How long does it take to get to a passing assessment?

From a clean slate, plan on 6 to 12 months. Standing up the enclave is 8 to 12 weeks. Engineering control implementations into the SDLC and IT operations is another 2 to 4 months. SSP authoring, evidence collection, and a mock assessment is another 6 to 10 weeks. Companies that try to compress this below 6 months usually fail their first assessment and pay twice. Budget for the real timeline.

What does FIPS 140-2 or 140-3 validated crypto actually mean in practice?

It means the cryptographic module — not just the algorithm — has a CMVP certificate from NIST. AES-256 is not enough; the implementation must be on the validated module list. In practice: use AWS KMS FIPS endpoints, Azure Key Vault Premium with HSM-backed keys, FIPS-mode OpenSSL builds, and FIDO2 keys with FIPS certification (YubiKey 5 FIPS series). Document the CMVP certificate numbers in your SSP. Assessors will check.

Can we use our existing GitHub, Jira, and Slack for CUI projects?

Standard GitHub.com, Atlassian Cloud, and Slack are not authorized for CUI. You need GitHub Enterprise Cloud with GCC, Atlassian Government Cloud (FedRAMP Moderate), and Slack GovSlack or Microsoft Teams in GCC High. The migration is real work — repo histories, issue exports, integrations, and webhook endpoints all need to be re-pointed. Plan 4 to 8 weeks for tooling migration, and freeze CUI-touching work in the legacy tenants during cutover.

How does SDVOSB status help us as a prime or sub?

SDVOSB (Service-Disabled Veteran-Owned Small Business) certification gives primes a small-business subcontracting credit and lets us compete on SDVOSB set-aside vehicles directly. For CMMC work specifically, primes increasingly want subs who already understand the controls and can pass their own assessment without dragging the prime's score down. We bring both — the certification posture and the engineering depth to actually implement the controls.

What's the difference between an SSP and a POA&M, and why do assessors care?

The System Security Plan (SSP) describes how each of the 110 controls is implemented in your system as it exists today. The Plan of Action and Milestones (POA&M) tracks the gaps — controls not yet fully met, with owner, remediation plan, and target date. For Level 2, only certain controls are POA&M-eligible and items must close within 180 days. A vague SSP or an aspirational POA&M is the fastest way to fail.

What happens if we self-attest and get audited later?

Under the False Claims Act, a knowingly false self-attestation in SPRS is fraud. DOJ's Civil Cyber-Fraud Initiative has already pursued cases against contractors who misrepresented their NIST 800-171 posture. The score in SPRS needs to reflect reality, with a defensible SSP and POA&M behind it. We've seen primes pull subcontracts when the sub's SPRS score didn't match what the assessment showed. Attest honestly, then drive the score up with real work.

[ NEXT ACTION ]

Need a CMMC Level 2 enclave built by people who have shipped one? Let's talk.

Talk to a VooStack operator. We respond within one business day.