CMMC Requirements, Explained for Small Hampton Roads Defense Contractors
CMMC requirements explained in plain English for small Hampton Roads defense contractors handling FCI, CUI, NIST 800-171, and CMMC Level 2.
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense framework that sets minimum cybersecurity requirements for contractors handling federal contract information (FCI) or controlled unclassified information (CUI). For small Hampton Roads defense contractors, CMMC is a contract eligibility problem — without the required certification level, a company cannot bid on or perform DoD work.
CMMC requirements are not a paperwork problem. They are a contract eligibility problem.
If you are a small defense contractor in Hampton Roads, the question is simple: does your company process, store, or transmit federal contract information or controlled unclassified information? If yes, cybersecurity may be tied directly to whether you can bid, perform, or keep work.
If you are not sure, start by tracing where contract files, drawings, specifications, and technical data land. Scope comes from the data, not from company size.
That hits differently around Newport News, Norfolk, Hampton, Chesapeake, Portsmouth, Virginia Beach, and Suffolk. A small fabrication shop, engineering firm, staffing company, logistics provider, or machine shop may not think of itself as a cybersecurity target. But if your team touches drawings, specifications, technical data, or contract files tied to defense work, your systems may be in scope.
The hard part is that CMMC gets explained like everyone has a compliance department. Most small contractors do not. They have an owner, an operations lead, maybe one IT person, and a pile of contract language.
So here is the plain version. CMMC 2.0 has 3 levels. Level 1 is basic safeguarding for federal contract information. Level 2 maps to NIST SP 800-171 for controlled unclassified information. Level 3 is the highest level and is aligned to NIST SP 800-172. Your required level depends on the contract and the information your systems handle.
Helix Stax helps with readiness and preparation through Cybersecurity Compliance. We are not a C3PAO, and we do not certify companies. We help you find gaps, build evidence like policies, an SSP, and POA&M items, and get ready for the assessment path your contract requires, so you are not starting from scratch when the clock starts.
What is CMMC and who does it apply to?
CMMC is a Department of Defense framework for checking whether contractors have the right cybersecurity controls in place for the information they handle. The official DoD CIO CMMC page is the best starting point for current program-level guidance.
CMMC stands for Cybersecurity Maturity Model Certification. In practice, it gives the DoD a way to assess contractor cybersecurity against existing safeguarding rules. For small businesses, the point is proof: your people, devices, cloud tools, files, vendors, and policies are managed well enough for the contract.
There are two terms that matter right away.
Federal contract information, or FCI, is information provided by or generated for the government under a contract that is not meant for public release. It is usually less sensitive than CUI, but it still needs basic safeguarding. Think of information connected to the work you are doing, not public website content or simple payment details.
Controlled unclassified information, or CUI, is more serious. It is unclassified, but it still requires safeguarding or dissemination controls under law, regulation, or policy. In defense work, that can include controlled technical information, engineering data, drawings, specifications, research, and other contract data your team should not treat like normal office files.
This is where small contractors get tripped up. They ask, “Are we CMMC Level 2?” before they know where CUI lives.
Start with the data. Where does contract information arrive? Email? SharePoint? Teams? A file server? Who can access it? Does it land on unmanaged laptops? Does a subcontractor receive it? Is it backed up? Can you prove any of that?
For Hampton Roads contractors near shipbuilding, maritime, logistics, and defense support work, this gets messy fast. A company may have commercial work and defense work in the same Microsoft 365 tenant, file shares, and laptops. The boundary is probably not as clean as the org chart says it is.
What are the three CMMC 2.0 levels and what do they require?
CMMC 2.0 has three levels. Level 1 covers basic safeguarding for FCI and requires annual self-assessment (roughly 17 controls). Level 2 aligns to all 110 controls in NIST SP 800-171 and applies to contractors handling CUI; depending on contract sensitivity it requires either self-assessment or third-party C3PAO assessment. Level 3 is the highest tier, aligned to NIST SP 800-172, and requires government-led assessment.
CMMC 2.0 has 3 levels: Level 1, Level 2, and Level 3.
Level 1 is the starting point. It covers basic safeguarding for FCI and uses an annual self-assessment. For a small contractor, Level 1 is about simple but real controls: limiting access, identifying users, protecting media, controlling physical access, updating systems, and keeping contract information out of public places.
Level 2 is where most CMMC anxiety lives. It applies when the contract involves CUI and aligns to NIST SP 800-171. That standard has 110 security requirements across areas like access control, training, audit logging, configuration management, identity, incident response, and system integrity.
Some Level 2 contracts may allow a self-assessment. Others require a C3PAO assessment. That depends on the contract and the information involved.
Level 3 is the highest CMMC level. It is aligned to NIST SP 800-172 and is meant for the most sensitive CUI situations. Most small contractors are not starting there, but primes and program requirements can push expectations down the supply chain.
- Level 1: FCI, basic safeguarding, annual self-assessment.
- Level 2: CUI, NIST SP 800-171 compliance, self or C3PAO depending on the contract.
- Level 3: highest level, aligned to NIST SP 800-172.
The level is not a badge you pick for marketing. It follows the contract and the data.
If you just confirmed Level 2 may apply, do not wait for the contract deadline to start sorting evidence. A Free IT Assessment can help identify the systems, users, data paths, and control gaps that need attention first. Sixty minutes. No pressure.
Which DFARS clause requires CMMC certification?
DFARS 252.204-7021 is the clause that puts CMMC level requirements into the contract.
That clause requires the contractor to have and maintain the current CMMC status at the level named in the contract for systems that process, store, or transmit FCI or CUI. It also includes flowdown expectations, so subcontractors may need the right CMMC status when they handle covered information for the work.
DFARS 252.204-7012 is the older clause many contractors already know. It covers safeguarding covered defense information and cyber incident reporting. It points contractors handling covered defense information toward NIST SP 800-171 and requires rapid reporting of certain cyber incidents to DoD.
DFARS 7012 says you must safeguard covered defense information and report incidents. DFARS 7021 is where CMMC status becomes a contract requirement. The level named in the contract usually needs to be in place before you bid or perform the covered work, not cleaned up after award. If you are reading contract language, do not skim these numbers. One digit changes the obligation.
Small contractors should also watch flowdown. You may not hold the prime contract. That does not automatically take you out of scope.
Does CMMC apply to small subcontractors, not just primes?
CMMC does not apply to every federal contractor in the same way.
It is a DoD program focused on the defense industrial base. The requirement depends on the contract, the clause language, and whether your systems process, store, or transmit FCI or CUI.
But “we are small” is not an exemption.
Small business status does not remove the need to safeguard covered information. A 12-person engineering firm can have a bigger compliance problem than a 200-person commercial company if the smaller firm handles CUI on unmanaged systems.
The clean way to decide scope is to answer 5 questions: which contracts mention CMMC or NIST 800-171, what information you receive or create, which systems touch it, who can access it, and what evidence you could show today.
Evidence is where many small businesses discover the gap between “we do that” and “we can prove we do that.” A policy is not enforced MFA. A backup tool is not a tested restore.
If your company is based near Newport News and supports shipbuilding, maritime services, base operations, logistics, engineering, or defense manufacturing, this is worth sorting out before a prime asks for proof.
Is CMMC compliance difficult?
CMMC compliance is difficult when the business has grown faster than its systems.
That is the honest answer. The controls are not magic. They are work a mature IT environment should already be doing: access control, MFA, patching, device management, logging, backups, incident response, vendor control, training, and proof.
Shared accounts. Old servers. Personal devices. Local admin rights everywhere. Files copied into email attachments because nobody trusts the shared drive. A firewall nobody has logged into since the installer left. Backups that report “success” but have not been restored in years.
That is where NIST 800-171 compliance becomes work instead of a checklist. You have to map requirements to real systems, fix the gaps, document decisions, and keep evidence current. For CMMC Level 2, that means a system security plan, policies, technical controls, user training, incident handling, and a plan of action for remediation items.
Technical work might include MFA, device management, endpoint protection, logging, backup encryption, conditional access, and secure configuration. Operational work includes access reviews, onboarding and offboarding, vendor tracking, user training, and keeping evidence organized.
Small businesses usually underestimate the operational side. Tools create signals. People still have to make decisions, document exceptions, and review access.
The best first step is not buying another security product. It is a readiness assessment.
For Helix Stax, that means identifying the contracts, data, systems, users, vendors, and control gaps first. Then we help build a practical roadmap: what to fix now, what can wait, what evidence is missing, and where a C3PAO or legal/compliance advisor needs to be involved.
If CMMC requirements are starting to show up in prime requests, contract language, or customer questionnaires, start with the Free IT Assessment. We will help you find the gaps, explain what they mean in plain English, and leave you with a practical next-step list, even if Helix Stax is not the right fit.