CMMC & DFARS Compliance for Defense Contractors in MA & RI

If your company handles Controlled Unclassified Information (CUI) as part of a Department of Defense (DoD) contract or subcontract, you are required to comply with DFARS clause 252.204-7012 and — under the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework — demonstrate that compliance to a certified third-party assessor before contract award.

For manufacturers, engineering firms, IT companies, and other defense suppliers across Massachusetts and Rhode Island, CMMC compliance is no longer optional. Meta IT Pro helps DoD contractors in the MA/RI defense industrial base achieve and maintain CMMC Level 1 and Level 2 compliance — with a practical, documented approach that survives a C3PAO assessment.


Starting in 2025, DoD contracts requiring CUI handling will mandate a verified CMMC Level 2 certification — assessed by an accredited third-party organization (C3PAO).

Contractors that cannot demonstrate compliance will be ineligible for contract award. The window to prepare is now.


Understanding CMMC 2.0 — What It Means for Your Business


CMMC Level             | Who It Applies To                                            | Practice Requirements                    | Assessment Type
Level 1 — Foundational | Contractors handling Federal Contract Information (FCI) only | 17 practices from FAR 52.204-21          | Annual self-assessment
Level 2 — Advanced     | Contractors handling Controlled Unclassified Information (CUI) | 110 practices from NIST SP 800-171     | Triennial C3PAO assessment OR annual self-assessment (for select programs)
Level 3 — Expert       | Contractors on highest-priority DoD programs                 | 110+ practices including NIST SP 800-172 | Government-led assessment


Most small-to-mid defense contractors fall under Level 2 — 110 security practices across 14 domains, assessed against NIST SP 800-171. This is the level Meta IT Pro specializes in.


DFARS 252.204-7012 — Your Current Obligations

DFARS clause 252.204-7012 is already active in most DoD contracts that involve CUI. It requires contractors to:

  • Implement the 110 security requirements in NIST SP 800-171
  • Report cyber incidents to DoD within 72 hours of discovery
  • Preserve and protect images of compromised systems
  • Flow down requirements to all subcontractors handling CUI
  • Maintain a System Security Plan (SSP) documenting your implementation
  • Submit a self-assessment score to the Supplier Performance Risk System (SPRS)


Your SPRS score is visible to all DoD prime contractors evaluating you as a supplier.

A low or missing SPRS score can disqualify you from contract opportunities before the conversation even starts.


Our CMMC & DFARS Compliance Services

  1. NIST SP 800-171 Gap Assessment

Before you can fix anything, you need to know exactly where you stand against all 110 NIST SP 800-171 requirements. We conduct a thorough gap assessment across every control domain and produce a written report with your current compliance posture and a prioritized remediation roadmap.

  • Assessment against all 110 NIST SP 800-171 practices across 14 domains
  • Current state documentation for each practice (Met / Partially Met / Not Met)
  • Risk-ranked remediation roadmap with effort and cost estimates
  • SPRS score calculation based on current posture


  2. System Security Plan (SSP) Development

The SSP is the foundational document of your CMMC compliance program — required by DFARS today and by CMMC assessors tomorrow. It describes your entire IT environment, how CUI flows through it, and how each of the 110 NIST practices is implemented (or planned to be).

  • Complete SSP covering your CUI environment boundary
  • System component inventory and network diagram
  • Practice-by-practice implementation description
  • Plan of Action & Milestones (POA&M) for practices not yet fully implemented
  • SSP maintained and updated as your environment changes


  3. CUI Enclave Design & Implementation

One of the most effective strategies for CMMC compliance — especially for smaller contractors — is creating a defined CUI enclave: a segmented, controlled IT environment where CUI is processed and stored, separate from the rest of your business network. This limits your assessment scope and reduces the overall compliance burden significantly.

  • CUI enclave architecture design — what goes in, what stays out
  • Network segmentation between enclave and general business network
  • Microsoft GCC High or Azure Government evaluation for cloud CUI storage
  • Access control design — who can reach CUI and under what conditions
  • Enclave boundary documentation for SSP and C3PAO assessment


  4. Technical Controls Implementation — NIST 800-171

We implement the technical security controls required by the 14 NIST SP 800-171 domains across your CUI environment — ensuring every practice is not just documented but actually in place.

  • Access Control (AC): role-based access, least privilege, MFA on all CUI systems
  • Audit & Accountability (AU): comprehensive logging of all CUI access and changes
  • Configuration Management (CM): secure baseline configs, change control
  • Identification & Authentication (IA): MFA, password policy, account management
  • Incident Response (IR): documented plan, 72-hour DoD reporting capability
  • Maintenance (MA): controlled maintenance, remote maintenance logging
  • Media Protection (MP): encrypted removable media, secure disposal
  • Personnel Security (PS): screening procedures, termination controls
  • Risk Assessment (RA): periodic vulnerability scans, risk analysis
  • Security Assessment (CA): internal audit, POA&M management
  • System & Communications Protection (SC): network segmentation, encryption in transit
  • System & Information Integrity (SI): malware protection, security alerts, patching


  5. SPRS Score Improvement & Submission

Your DoD-mandated SPRS self-assessment score directly affects your competitiveness for contract awards. We calculate your current score, implement the controls that have the highest impact on your score, and support your SPRS submission with the documentation to back it up.

  • Current SPRS score calculation against all 110 practices
  • Prioritized remediation plan targeting highest-weighted practices
  • SPRS submission support and documentation package
  • Ongoing score maintenance as your environment evolves
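The score arithmetic behind the gap-assessment and SPRS items above, as an added example that is not Meta IT Pro's code: it applies the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unimplemented practice's weight of 5, 3 or 1; practices 3.5.3 and 3.13.11 may be scored "partial" for a 3-point deduction) and ranks open items by points recovered. The sample practice list, its weights and its statuses are constructed for illustration; real weights come from Annex A of the methodology.

```python
from dataclasses import dataclass

MAX_SCORE = 110
# Only these two practices (MFA and FIPS-validated crypto) allow partial
# credit under the DoD Assessment Methodology: subtract 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Practice:
    id: str
    weight: int   # 5, 3 or 1 per Annex A (sample values below are constructed)
    status: str   # "met", "partial" or "not_met"


def deduction(p: Practice) -> int:
    """Points subtracted for one practice under the methodology."""
    if p.status == "met":
        return 0
    if p.status == "partial":
        if p.id not in PARTIAL_CREDIT:
            raise ValueError(f"{p.id}: partial credit only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[p.id]
    if p.status == "not_met":
        return p.weight
    raise ValueError(f"unknown status {p.status!r} for {p.id}")


def sprs_score(practices) -> int:
    """110 minus all deductions; practices not listed are assumed met."""
    return MAX_SCORE - sum(deduction(p) for p in practices)


def prioritize(practices):
    """Open practices ordered by points recovered, highest-weighted first."""
    open_items = [p for p in practices if p.status != "met"]
    return sorted(open_items, key=lambda p: (-deduction(p), p.id))


# Constructed sample: a partial control inventory (all other practices assumed met).
SAMPLE = [
    Practice("3.1.1", 5, "met"),
    Practice("3.1.2", 5, "not_met"),
    Practice("3.5.3", 5, "partial"),    # MFA for remote/privileged only
    Practice("3.13.11", 5, "partial"),  # encryption in place, not FIPS-validated
    Practice("3.3.3", 1, "not_met"),
    Practice("3.1.20", 1, "met"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))           # 98
    print("Fix first:", [p.id for p in prioritize(SAMPLE)])
```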


  6. C3PAO Assessment Preparation

A CMMC Level 2 assessment by an accredited C3PAO is a rigorous, evidence-based evaluation of all 110 practices. We prepare your team and your documentation so you walk into that assessment confident — not scrambling.

  • Pre-assessment mock audit against C3PAO evaluation criteria
  • Evidence collection and organization for all 110 practices
  • Staff interview preparation — assessors will talk to your people
  • Artifact library: policies, procedures, screenshots, logs, and configurations
  • Remediation support for any gaps identified in mock assessment


  7. Ongoing CMMC Compliance Management

CMMC is not a one-time certification — it requires continuous maintenance. Your environment changes, your contracts evolve, and assessors return. We provide ongoing compliance management to keep your program current.

  • Quarterly compliance review and POA&M progress tracking
  • SSP updates when systems, personnel, or processes change
  • Annual SPRS self-assessment and score update
  • Incident response retainer — 72-hour DoD reporting capability
  • Subcontractor flow-down support — help your subs meet their DFARS obligations


CMMC — The 14 Domains at a Glance

Domain                              | Abbrev. | # Practices
Access Control                      | AC      | 22
Awareness & Training                | AT      | 3
Audit & Accountability              | AU      | 9
Configuration Management            | CM      | 9
Identification & Authentication     | IA      | 11
Incident Response                   | IR      | 3
Maintenance                         | MA      | 6
Media Protection                    | MP      | 9
Personnel Security                  | PS      | 2
Risk Assessment                     | RA      | 5
Security Assessment                 | CA      | 4
System & Communications Protection  | SC      | 16
System & Information Integrity      | SI      | 7
Physical Protection                 | PE      | 4


Defense Contractors We Serve in MA & RI

Massachusetts and Rhode Island have a significant defense industrial base — from the Naval Station Newport corridor in RI to the Route 128 defense tech corridor in MA. We serve:

  • Manufacturers supplying defense components or assemblies
  • Engineering and professional services firms on DoD contracts
  • IT and software companies with federal contracts involving CUI
  • Shipbuilding and maritime defense suppliers in the RI/southeastern MA region
  • Small businesses entering the DoD supply chain for the first time


Frequently Asked Questions

When do CMMC requirements take effect?

CMMC 2.0 requirements are being phased into DoD contracts through 2025 and beyond. DFARS 252.204-7012 obligations — including NIST SP 800-171 implementation and SPRS score submission — are already active in most contracts that involve CUI. Full C3PAO assessment requirements for Level 2 are being included in solicitations on a rolling basis. Contractors should begin preparation now rather than waiting for a specific contract to trigger the requirement.


What is Controlled Unclassified Information (CUI)?

CUI is information the U.S. government creates or possesses that requires safeguarding but is not classified. For defense contractors, this commonly includes technical data, engineering drawings, specifications, software code, and contract performance information marked with CUI designation. If your contract includes a DD254 (Contract Security Classification Specification) or references DFARS 252.204-7012, you are almost certainly handling CUI.


How long does CMMC Level 2 preparation typically take?

For most small-to-mid defense contractors starting from a low baseline, achieving a defensible CMMC Level 2 posture takes 6–18 months depending on the complexity of the environment, the current gap, and the budget available for remediation. Starting with a gap assessment is the essential first step — it gives you an accurate picture of the work ahead.


Don’t let CMMC cost you your next contract.

Start with a NIST SP 800-171 gap assessment — know exactly where you stand and what it takes to reach compliance.

Book a Free CMMC Readiness Call → metaitpro.com  |  774-434-2346
