CMMC 2.0 Certification — Your Passport to the Defense Industrial Base
Norvex Assurance prepares US Department of Defense contractors and subcontractors for CMMC 2.0 certification — from CUI scoping and SPRS scoring through System Security Plan development and C3PAO assessment management — so you can protect your DoD contracts and win new ones.
CMMC 2.0 Certification
End-to-end managed service
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's mandatory framework for protecting sensitive unclassified information across the Defense Industrial Base (DIB). It applies to all DoD prime contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — an estimated 300,000+ organizations. CMMC 2.0 streamlines the original five-level model into three levels: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (the 110 requirements of NIST SP 800-171), and Level 3 (Level 2 plus 24 enhanced requirements selected from NIST SP 800-172). DoD contracts increasingly specify the required CMMC level, and contractors that fail to meet their required level cannot bid on or retain those contracts — regardless of past performance or relationship history.
Not sure if you need CMMC?
Talk to one of our experts — free, no obligation.
Most contractors confirm their required level first: Level 1 covers FCI-only work, and Level 2 becomes mandatory as soon as CUI is in scope, so a Level 1 program is usually the baseline and Level 2 the goal once CUI contracts arrive.
Foundational — 15 Practices
What it covers
Covers basic cyber hygiene practices derived from FAR 52.204-21. Focuses on fundamental access controls, identification and authentication, media protection, physical protection, and system and communications protection.
Timeline
4–8 weeks for readiness and annual self-assessment
Best for
Contractors that only handle Federal Contract Information (FCI) — not CUI. Level 1 allows an annual self-assessment, entered in SPRS and affirmed annually by a senior company official, without a third-party assessor.
Business impact
Establishes basic cyber hygiene and satisfies DoD requirements for FCI protection. Required for virtually all DoD contracts.
Advanced — 110 NIST SP 800-171 Practices
What it covers
Mirrors the 110 security requirements of NIST SP 800-171 Revision 2 across 14 control families. Covers advanced access control, incident response, risk assessment, system and information integrity, and more.
Timeline
6–18 months for readiness and C3PAO assessment (or a Level 2 self-assessment, where the contract permits one)
Best for
Contractors handling Controlled Unclassified Information (CUI) — required for most DoD contracts involving sensitive program data, technical specifications, or export-controlled information.
Business impact
Required for the vast majority of sensitive DoD contracts. Level 2 is the certification that determines whether you can bid on and hold CUI-related work across the entire defense supply chain. The contract specifies whether a Level 2 self-assessment or a C3PAO assessment is required; a C3PAO certificate is valid for three years, with an annual affirmation in between.
Expert — 134 Practices (110 from NIST SP 800-171 plus 24 from NIST SP 800-172)
What it covers
Builds on Level 2 with additional practices from NIST SP 800-172, targeting advanced persistent threats (APTs). Covers enhanced security requirements for the most sensitive DoD programs.
Timeline
18–24+ months — requires a government-led assessment by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a current Level 2 C3PAO certification as a prerequisite
Best for
Contractors working on the most critical DoD programs, typically involving highly sensitive CUI that APT actors actively target. Level 3 assessments are conducted directly by the Defense Contract Management Agency (DCMA) through DIBCAC, not by a C3PAO.
Business impact
Required for the most sensitive DoD programs. Level 3 certification signals the highest level of cybersecurity maturity to the DoD and positions contractors for the most critical defense contracts.
Not sure which level you need?
Identify every location where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) exist — systems, applications, cloud environments, removable media, and physical locations — to define your CMMC assessment scope.
Review your active and anticipated DoD contracts to confirm the required CMMC level. Ensure your scope definition aligns with contract requirements and DoD guidance on CUI handling.
Conduct a scored self-assessment against all 110 NIST SP 800-171 practices using the DoD Assessment Methodology (each unimplemented requirement deducts 1, 3 or 5 points from 110, so scores range from -203 to 110), and submit the result to the Supplier Performance Risk System as DFARS 252.204-7019/7020 require before award. Your SPRS score directly impacts contract award decisions.
Develop a comprehensive System Security Plan documenting every control — implemented, planned, or excluded — with responsible parties, implementation details, and supporting rationale. The SSP is the foundational document for your CMMC assessment.
Document every unimplemented practice in a POA&M with realistic remediation timelines and resource allocations. A credible, fully funded POA&M demonstrates to DoD that you have a genuine path to full compliance. Note that POA&Ms are not permitted at Level 1, and at Level 2 they are limited: the assessment score must be at least 88, only 1-point requirements (plus CUI encryption implemented without FIPS validation) may remain open, and every item must be closed out within 180 days.
Hands-on technical implementation of required practices — MFA, endpoint protection, log management, incident response, configuration management, and access controls — with Norvex Assurance engineers embedded with your IT team.
For Level 2 contracts that require a third-party assessment rather than a self-assessment, coordinate your CMMC Third-Party Assessment Organization (C3PAO) formal assessment. Norvex Assurance prepares your documentation, coaches your team, and manages all C3PAO communication to minimize disruption and maximize assessment outcomes.
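A worked version of the scoring and POA&M steps above, added here as an example and not Norvex Assurance's own tooling. It applies the DoD Assessment Methodology's 1/3/5-point deductions, the two partial-credit cases the methodology defines (MFA and FIPS-validated encryption), and the CMMC Level 2 POA&M eligibility test from the final rule. The `WEIGHTS` table is a small illustrative subset recalled from the methodology; the status names, the sample assessment and all function names are this example's own. Verify every weight against the published Annex before relying on a computed score.

```python
"""SPRS score under the NIST SP 800-171 DoD Assessment Methodology, plus
the CMMC Level 2 POA&M eligibility check (32 CFR 170.21).

Added example, not part of the original page. WEIGHTS is an illustrative
subset of the 110 requirements; use the full official table for a real
SPRS submission.
"""
from __future__ import annotations

MAX_SCORE = 110   # every requirement MET
MIN_SCORE = -203  # every requirement NOT MET (all 110 weights sum to 203)
POAM_MIN_SCORE = 88  # 0.8 x 110, the Level 2 conditional-status floor
POAM_CLOSEOUT_DAYS = 180

# Illustrative subset: requirement id -> point value (1, 3 or 5).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.7": 1,    # prevent non-privileged users executing privileged functions
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # malicious code protection
}

# The methodology defines partial credit for exactly two requirements:
# MFA deployed for remote/privileged but not general users, and encryption
# in use but not FIPS-validated. Each deducts 3 instead of 5.
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Statuses this example uses (constructed labels, not official terms).
MET, NOT_MET, PARTIAL = "MET", "NOT_MET", "PARTIAL"


def sprs_score(statuses: dict[str, str]) -> int:
    """Return 110 minus the deductions for every requirement not MET.

    Requirements absent from `statuses` are treated as MET, which is only
    acceptable for this toy subset; a real assessment scores all 110.
    """
    deduction = 0
    for req, status in statuses.items():
        if req not in WEIGHTS:
            raise KeyError(f"unknown requirement {req}")
        if status == MET:
            continue
        if status == NOT_MET:
            deduction += WEIGHTS[req]
        elif status == PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req} has no partial-credit rule")
            deduction += PARTIAL_DEDUCTION[req]
        else:
            raise ValueError(f"bad status {status!r} for {req}")
    return MAX_SCORE - deduction


def poam_eligible(statuses: dict[str, str]) -> tuple[bool, list[str]]:
    """Apply the Level 2 POA&M rules: score >= 88, and no open item worth
    more than 1 point, except 3.13.11 when partially implemented."""
    reasons: list[str] = []
    score = sprs_score(statuses)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE} floor")
    for req, status in statuses.items():
        if status == MET:
            continue
        if req == "3.13.11" and status == PARTIAL:
            continue  # the one >1-point item the rule allows on a POA&M
        if WEIGHTS[req] > 1:
            reasons.append(f"{req} ({WEIGHTS[req]} pts) may not be on a POA&M")
    return (not reasons, reasons)


# Constructed sample assessment: MFA only partly rolled out, TLS in use but
# not FIPS-validated, and one 1-point gap.
SAMPLE_ASSESSMENT = {"3.5.3": PARTIAL, "3.13.11": PARTIAL, "3.1.7": NOT_MET}

if __name__ == "__main__":
    score = sprs_score(SAMPLE_ASSESSMENT)
    ok, why = poam_eligible(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}")
    print("POA&M eligible:", ok, "" if ok else why)
```

The sample scores 103, comfortably above 88, yet it is not POA&M-eligible: partial MFA still counts as a 5-point requirement and must be fully implemented before a conditional Level 2 status is possible, whereas the non-FIPS encryption item can stay open for up to 180 days. That asymmetry is exactly the kind of detail that decides whether a POA&M buys time or not.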
CMMC certification is increasingly embedded in contract requirements. Without the required level, you cannot bid on or retain DoD contracts — regardless of technical capability or past performance.
Early CMMC certification positions you ahead of competitors still working toward compliance, making you the safer choice for primes seeking compliant subcontractors.
A higher SPRS score improves your standing in DoD contract award decisions. Norvex Assurance helps you implement controls that maximize your score — not just achieve minimum compliance.
Our team provides hands-on implementation support for complex technical requirements — SIEM deployment, MFA rollout, endpoint management, and encryption configuration.
CMMC requirements flow down to subcontractors. We help you establish compliance requirements for your supply chain and assess your key subcontractors' CMMC readiness.
NIST SP 800-171 alignment provides a cybersecurity foundation that extends beyond DoD contracts — improving your overall security posture and positioning you for other regulated markets.
Our fixed-scope engagement covers every deliverable needed to achieve and maintain your CMMC certification — no hidden extras.
We believe you deserve to know what CMMC certification costs before you commit. All engagements begin with a free scoping call — no obligation.
Level 1
USD · 4–8 weeks
Ideal for
Small contractors handling only FCI who need to establish a documented annual self-assessment program and SPRS submission.
Level 2
USD + C3PAO Fees · 6–18 months
Ideal for
Defense contractors and subcontractors handling CUI who need CMMC Level 2 certification for DoD contract eligibility.
Enterprise
USD · Custom
Ideal for
Large prime contractors with multiple facilities, complex IT environments, or organizations that need CMMC Level 2 across an enterprise with supply chain flow-down management.
Serving global clients in the US, India, UAE, Singapore, and beyond. All pricing quoted in USD.
"We were at a -47 SPRS score when Norvex Assurance came in. Eighteen months later we passed our Level 2 C3PAO assessment on the first attempt with a +98. That improvement directly won us two contract recompetes we'd been at risk of losing."
VP of IT & Security
Defense Electronics Manufacturer
"The SSP and POA&M we tried to build internally were rejected in our pre-assessment review. Norvex Assurance rebuilt them from scratch — accurate, complete, and formatted exactly the way DCSA assessors expect. The C3PAO assessment was smooth because the documentation was bulletproof."
Chief Information Officer
Defense IT Services Company
"As a subcontractor to multiple prime contractors, we needed Level 2 certification that would satisfy all of them. Norvex Assurance scoped our CUI environment across three facilities, implemented the controls, and managed the C3PAO assessment end to end. Every prime contract we've been assessed against has been renewed."
Director of Compliance
Aerospace Subcontractor