KapacyberKapacyber
Vertical SolutionCMMC · DoD Subcontractors

CMMC cybersecurity built for small DoD manufacturers.

The 110 NIST SP 800-171 controls, an SSP and POAM your C3PAO will accept, and the day-to-day security operation behind it — at a price point small job shops can actually run. We're not a C3PAO; we're the partner that gets you to the certificate and keeps you there.

Get Free CMMC Readiness AssessmentTry the Free Tool

Why Now

CMMC 2.0 is no longer hypothetical. It's in contracts now.

DoD finalised the CMMC 2.0 rule in December 2024. Through 2025 the clause has begun appearing in new contracts and renewals. By 2028, every DoD contract handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will require certification at the appropriate level.

There are roughly 80,000 small-to-mid manufacturersin the DoD supply chain that handle CUI, plus more than 200,000 companies touching some level of FCI. Most are not ready. The big consultancies price small shops out of the market. The local IT MSP doesn't know the difference between NIST 800-171 and NIST 800-53, let alone how to write an SSP that survives a C3PAO assessment.

Our position is straightforward: build the same control stack the $10k/month CMMC specialists build, document it in audit-ready form, operate it day-to-day, and price it so a 20-person job shop can keep bidding on DoD work without going bankrupt on cyber.

What This Means In Practice

Three realities we build the engagement around.

No certification, no contract.

By 2028, every DoD contract handling FCI or CUI will require CMMC compliance at the appropriate level. New contracts already include the clause. There is no exception for small subcontractors. If you can't certify, you can't bid.

False-attestation risk is real.

DoJ's Civil Cyber-Fraud Initiative has already settled with multiple contractors who misrepresented their cyber posture — Aerojet Rocketdyne paid $9M, Verizon $4M. Whistleblower (qui tam) suits amplify the exposure. The annual self-affirmation is a legal attestation, not a checkbox.

Most specialists are out of reach.

The established CMMC consultancies typically quote $5,000–$15,000 per month for managed compliance, which is fine for prime contractors but kills small subcontractors. Our $1,400–$3,500/mo range fits Level 1 and lower-end Level 2 manufacturers without cutting the controls.

The 110 Controls

14 control families. 110 controls. 320+ assessment objectives.

NIST SP 800-171 is the rulebook CMMC Level 2 measures you against. We operate every control, document every objective, and produce the evidence a C3PAO needs to see.

22 controls

Access Control

Named accounts, least privilege, session limits, remote-access controls, and admin separation across the CUI environment.

9 controls

Audit & Accountability

Logging of every access and change in the CUI environment, tamper-resistant log storage, and review processes.

3 controls

Awareness & Training

Role-based security awareness training for everyone with CUI access, refreshed at least annually.

9 controls

Configuration Management

Documented baseline configurations, change control, and software-restriction policies on every system handling CUI.

11 controls

Identification & Authentication

Multi-factor authentication on every account, phishing-resistant for privileged users, password complexity, and device authentication.

3 controls

Incident Response

Documented incident response plan, tested procedures, and 72-hour reporting to DoD under DFARS 252.204-7012.

6 controls

Maintenance

Controls around system maintenance — sanitisation, supervised remote maintenance, and personnel checks.

9 controls

Media Protection

Encryption of CUI at rest, sanitisation before disposal, and controlled transport of media.

2 controls

Personnel Security

Screening of personnel before granting CUI access and revocation when access is no longer required.

6 controls

Physical Protection

Physical access controls to facilities and equipment processing CUI, including visitor logs and monitoring.

3 controls

Risk Assessment

Periodic written risk assessment of the CUI environment with documented findings and remediation.

4 controls

Security Assessment

Routine self-assessment, system security plans (SSP), and plans of action & milestones (POAM).

16 controls

System & Communications Protection

Boundary protections, encryption in transit, denial-of-service safeguards, and segmentation of the CUI environment.

7 controls

System & Information Integrity

Flaw remediation, anti-malware, monitoring of inbound communications, and unauthorised-change detection.

Read the 110 controls in plain English

Realistic Timeline

9–18 months to Level 2. Honest numbers, not sales numbers.

1

Month 1

Free CMMC-readiness assessment

We scope your CUI environment, classify your contracts, score you against the 110 NIST 800-171 controls, and hand you a one-page roadmap with a realistic timeline and cost.

2

Months 2–4

Foundation controls

MFA on every account, EDR on every endpoint, named accounts (no shared logins), encrypted backups, baseline configuration documentation, and awareness training for every CUI-cleared user.

3

Months 4–9

System Security Plan (SSP) build-out

Documented SSP covering all 14 control families, POAM for residual gaps, formal incident response plan, change-management procedures. M365 / GCC High migration if needed.

4

Months 9–12

Pre-assessment readiness review

Mock assessment against the C3PAO checklist, evidence collection in audit-ready form, control owner interviews. We close gaps before the C3PAO ever sees them.

5

Month 12+

C3PAO engagement & ongoing operation

We coordinate the C3PAO engagement, support the assessment, and run the controls through the 3-year recertification cycle. Continuous monitoring, monthly evidence collection, annual self-affirmation support.

Indicative Pricing

Built for shops the big firms can't serve.

Level 1 Self-Attestation

$1,400+/mo

FCI-only shops, <25 staff

  • 15 Level 1 practices documented
  • MFA enforcement everywhere
  • EDR on every endpoint
  • Annual self-affirmation support
  • 24/7 monitoring

Level 2 Readiness

$3,500+/mo

CUI handlers, 10–75 staff

  • All 110 NIST 800-171 controls
  • SSP & POAM build + maintenance
  • Evidence collection in audit form
  • C3PAO assessment support
  • Role-based training programme
  • GCC High advisory (cost-aware)

Complex Level 2 / Multi-Site

Scoped

Multi-facility, OT/ICS, >75 staff

  • Per-site enclave design
  • OT / ICS integration
  • Group-level governance
  • Dedicated programme lead

Indicative pricing. Final figures depend on CUI scope, headcount, IT estate, GCC High requirement, and existing controls. Set out in the written services agreement.

Honest Answers

The six questions we're asked first.

Doesn't our prime contractor handle CMMC for us?+

No. CMMC flow-down means every entity in the chain that handles FCI or CUI is responsible for its own certification. The prime can verify you have it, but they can't do it on your behalf. If anything, primes are now actively dropping subcontractors who can't show certification — they don't want the supply-chain risk.

We've done a self-assessment under DFARS 252.204-7019. Isn't that enough?+

DFARS 252.204-7019 requires you to score yourself against NIST SP 800-171 and post the score to the Supplier Performance Risk System (SPRS). CMMC Level 2 requires a third-party C3PAO assessment for most contracts — the self-assessment is no longer accepted for medium-and-above-priority contracts. The two coexist for now; CMMC supersedes through 2028.

Do we need Microsoft GCC High?+

Only if you store, process, or transmit CUI inside Microsoft 365. If your CUI lives only on engineering workstations and segmented file shares, you may be able to operate in commercial M365 with strict CUI-handling rules. We map this honestly in the assessment — GCC High adds material licensing cost and we don't recommend it unless required. See our GCC High deep-dive article.

We're too small for the DoD to bother enforcing this.+

Size doesn't exempt you. The point of CMMC is to clean up the long tail of small subcontractors that have historically been the weakest link in the defence supply chain. Enforcement happens through contract flow-down — your prime contractor will check before they place a purchase order. No certification, no PO.

What does Kapacyber actually deliver vs. a C3PAO?+

We are not a C3PAO and we don't certify you. We build and operate the controls that make you certifiable — SSP and POAM management, MFA and EDR deployment, log collection, awareness training, incident response, vendor due diligence, monthly evidence collection. When you're ready for a Level 2 assessment, we hand the C3PAO a clean package and stay on through the engagement.

How long until we're certifiable?+

Realistic for Level 2 from a near-zero starting point: 9–18 months, depending on existing controls, IT estate complexity, and whether you need GCC High migration. Level 1 (self-attestation) is achievable in 60–120 days for most shops. We give an honest timeline in the free assessment — not a sales-pitch number.

Dig Deeper

CMMC reading.

Overview

CMMC 2.0 Explained — Levels, Timeline, What Small Manufacturers Need to Know

The three levels, the rule timeline, who CMMC applies to, and the seven questions every small DoD subcontractor should be able to answer.

Reference

The 110 NIST SP 800-171 Controls in Plain English

All 14 families and 110 controls, translated out of NIST-speak with examples a manufacturing shop floor can use.

Cost

CMMC Level 2 Cost — What a Small DoD Subcontractor Actually Pays

Realistic budget ranges for managed compliance, C3PAO assessment, GCC High licensing, and ongoing operations through the three-year recertification cycle.

Assessment

How to Prepare for a C3PAO Assessment

What a C3PAO looks for, how to assemble the evidence package, what fails most often, and how to keep the assessment to days instead of weeks.

Regulation

DFARS 252.204-7012 vs CMMC — How They Relate

The two regulations that govern CUI handling, where they overlap, where CMMC adds new requirements, and what to do during the rollout transition.

Tooling

Microsoft GCC High — Do You Actually Need It?

When GCC High is required, when commercial M365 is enough, the realistic licensing cost, and the migration realities for a small shop.

Free Template

CMMC Self-Assessment Worksheet

A fillable worksheet covering Level 1's 15 practices plus the Level 2 family scoring template, with evidence prompts.

Free Tool

CMMC Readiness Check

A 12-question self-assessment that scores you against NIST 800-171 family-by-family and tells you what to fix first.

See where your shop stands.

Free CMMC-readiness assessment. We score you against the 110 NIST 800-171 controls, classify your contracts, and hand you a one-page roadmap with a realistic timeline and cost. No sales pressure. No proposal unless you ask.

Get Free CMMC Readiness Assessment