Get eligible to perform.

CMMC & NIST 800-171 Readiness

For firms touching federal contract information or CUI on DoD work: a clear path from gap assessment to System Security Plan, POA&M, SPRS score, and a third-party assessment, with Scott running point.

Overview

Get eligible to perform.

If your AEC firm receives, creates, or transmits federal contract information on a DoD project, CMMC now applies to you, and it's law, not a proposal. The program rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule that activates the contract clause took effect November 10, 2025, kicking off a three-year, four-phase rollout toward full enforcement by November 10, 2028. AEC firms get pulled in because their everyday work product is exactly what CMMC exists to protect: facility drawings, floor plans and elevations of government buildings, site and utility plans, structural and MEP packages, and as-built documentation for federal installations. The agencies that drive this (USACE, NAVFAC, AFCEC) are already conditioning solicitations on it and flowing it down to A/E subconsultants regardless of firm size. For most AEC firms the bar is Level 2: full implementation of all 110 NIST SP 800-171 Revision 2 controls. The one rule that catches firms off guard: the company that gets you ready can't be the company that certifies you.

What you need to know

The rules, stated plainly.

01

Is CMMC actually required now? Yes.

This is no longer 'coming.' The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024, establishing the three levels, the assessment requirements, and the C3PAO ecosystem. The Acquisition Rule (48 CFR, amending DFARS Parts 204, 212, 217, and 252) took effect November 10, 2025. That second date started the clock. The rollout is phased over three years, each phase exactly one year apart: Phase 1 (Nov 10, 2025) brings Level 1 and Level 2 self-assessment into applicable solicitations, with DoD retaining discretion to require a Level 2 third-party assessment on selected high-priority contracts even now; Phase 2 (Nov 10, 2026) makes Level 2 C3PAO certification the standard for most CUI contracts; Phase 3 (Nov 10, 2027) adds Level 3 and DIBCAC assessment; Phase 4 (Nov 10, 2028) is full implementation. The practical takeaway: contracting officers can already write CMMC into solicitations, and the requirement only escalates. Showing up to a bid without a current SPRS score, when the clause is already in the solicitation, is a fast way to get cut.

02

What level does an AEC firm need? Almost always Level 2.

Level 1 covers Federal Contract Information (FCI) and requires an annual self-assessment against 15 basic safeguarding requirements from FAR 52.204-21, with no third party and no POA&M. Level 2 covers Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements in NIST SP 800-171 Revision 2 (Rev. 2, not Rev. 3, is the correct standard for 2025-2026). Level 3 covers the highest-risk CUI, adds 24 enhanced requirements from NIST SP 800-172 on top of the 110 (134 total), is assessed by the government (DIBCAC), and applies to roughly 1% of the defense industrial base. The reason AEC firms land at Level 2 is simple: your work touches CUI constantly. Facility drawings, site and utility plans, technical specs, and CAD/Revit models for a DoD installation are CUI the moment they're tied to that project. If you handle that data, you're a Level 2 firm.

03

How Level 2 is assessed, and why you can't use one firm for everything

Level 2 is met by either a self-assessment or a C3PAO third-party assessment, depending on what the specific solicitation requires; both are valid for three years with an annual affirmation in between. As the phase-in advances into Phase 2, third-party C3PAO certification becomes the standard for most CUI contracts. Here's the structural rule that surprises firms: a C3PAO is authorized by the Cyber AB and, under impartiality requirements rooted in ISO/IEC 17020, is prohibited from assessing any client it provided CMMC consulting or remediation services to, with a three-year lookback. That's why readiness and certification must come from different firms. The firm that builds your enclave, writes your SSP, and remediates your gaps (the work Northbend coordinates) can't also be the independent C3PAO that certifies you. Anyone selling you 'we'll get you ready and certify you' is describing a conflict the rule forbids. The C3PAO pool is also limited, so certification can take months to schedule. Queue it before you need it, not after the bid drops.

04

What you actually have to produce

Level 2 compliance is a documented program, not a checkbox. You need: a System Security Plan (SSP) describing how each of the 110 controls is implemented; the supporting policies, procedures, and evidence for each control; a posted SPRS score; a tightly limited Plan of Action and Milestones (POA&M) for any deferred items; and an annual affirmation. SPRS scoring is subtractive: a perfect implementation of all 110 controls scores 110, and each unmet control deducts 5, 3, or 1 points by security impact, with no partial credit per control. To pass Level 2 with a Conditional status you need at least 80%, a minimum SPRS score of 88 of 110, with only POA&M-eligible items open; only a perfect 110 yields Final status directly. POA&Ms are sharply limited: all 3-point and 5-point controls, plus six specified 1-point controls, can't be deferred. Any POA&M item must be remediated and verified via a closeout assessment within 180 days, or the Conditional status expires.

05

The clause, the affirmation, and the False Claims Act risk

Under the final 48 CFR rule, a contracting officer inserts provision DFARS 252.204-7025 (the Notice of CMMC Level Requirements, which ties award eligibility to holding the required CMMC status and a current affirmation in SPRS) and clause DFARS 252.204-7021 (which imposes the performance obligation and the subcontractor flow-down). To be eligible for award, the offeror must already hold the required status and a current affirmation. That affirmation matters more than it looks: a senior company official, the Affirming Official, must electronically submit an annual affirmation of continuous compliance in SPRS under 32 CFR 170.22, and knowingly submitting a false affirmation or inflated score creates False Claims Act exposure (treble damages, civil penalties, and personal liability for the official). DOJ's Civil Cyber-Fraud Initiative has already produced settlements. This is precisely why a real, documented program beats a paper one, and why governance, not a one-time scan, is the job.

06

DFARS 7012 still applies, and it all flows down

CMMC doesn't replace DFARS 252.204-7012, the existing clause that requires NIST SP 800-171 implementation and 72-hour cyber incident reporting to DoD. That remains a separate, continuous obligation; CMMC is the certification proving the 7012 controls are actually in place. And all of it flows down. CMMC requirements apply to subcontractors at every tier that process, store, or transmit FCI or CUI, regardless of size. A prime can't lawfully award CUI work to, or share regulated data with, a sub that lacks the required level. That's the trap for smaller firms: even a $1 to $5M structural or civil shop that only ever works as a sub has to meet the level, or it gets dropped from teams it's worked with for years. A Level 2 build typically runs 12 to 18 months, which is exactly why this has to be a roadmap, not a scramble.

The roadmap

What we do, in order.

Scott owns each step and pulls in accredited specialists only where the rules require them.

Step 01

Scope the data: determine whether the firm handles FCI only (Level 1) or CUI (Level 2), and define the assessment boundary covering every system that touches that data.

Step 02

Run a gap assessment against the 110 NIST SP 800-171 Rev. 2 controls and calculate the baseline SPRS score; identify which gaps are 5/3/1-point and which are POA&M-eligible.

Step 03

Remediate and document: stand up the compliant environment (often a CUI enclave or GCC High tenant), write the System Security Plan, and draft the policies and evidence for each control. Northbend coordinates this; it's never C3PAO work.

Step 04

Submit to SPRS: post the score, SSP details, and any POA&M so the firm shows a current CMMC status against the contract.

Step 05

Choose the assessment path: confirm from the solicitation whether it allows a Level 2 self-assessment or requires a C3PAO third-party assessment, then schedule accordingly.

Step 06

Engage an independent, Cyber AB-authorized C3PAO (never the firm that did the readiness work) for the formal Level 2 assessment.

Step 07

Close out the POA&M: remediate any deferred 1-point items and pass a closeout assessment within 180 days to move from Conditional to Final status.

Step 08

Affirm and maintain: have the Affirming Official submit the annual affirmation in SPRS, sustain the controls, manage flow-down to subs, and re-assess every three years.

Questions

Straight answers.

Does my AEC firm actually need CMMC, or is that only for defense manufacturers?

It's not just for manufacturers, and for most AEC firms doing DoD work the answer is yes. CMMC exists to protect Federal Contract Information and Controlled Unclassified Information, and your everyday work product is full of CUI: facility drawings, floor plans and elevations of government buildings, site and utility plans, structural and MEP packages, and CAD/Revit models for a military installation. The moment that data is tied to a USACE, NAVFAC, or AFCEC project, it's regulated, and CMMC applies. If you handle CUI, you're looking at Level 2.

Is CMMC actually required now, or is it still just proposed?

It's law and in force. The program rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule that activates the contract clause took effect November 10, 2025. That started a three-year, four-phase rollout: contracting officers can already write CMMC into solicitations, and the requirement escalates each year until full enforcement by November 10, 2028. The window to get ahead of it is now, because a Level 2 build typically takes 12 to 18 months.

What CMMC level does my AEC firm need?

Almost always Level 2. Level 1 covers Federal Contract Information and is a 15-requirement annual self-assessment. Level 2 covers Controlled Unclassified Information and requires all 110 controls in NIST SP 800-171 Revision 2. Because AEC work touches CUI constantly through drawings, specs, and site plans, most firms land at Level 2. Level 3 adds 24 more controls (134 total) and applies to roughly 1% of the defense industrial base, so it's unlikely to be your bar.

Do I have to hire a third-party assessor, or can I self-assess?

It depends on the specific solicitation. Some Level 2 contracts allow a self-assessment; most CUI work requires a third-party assessment by a C3PAO, and as the phase-in advances into Phase 2 (November 2026) third-party certification becomes the standard. Both are valid for three years with an annual affirmation in between. We confirm the requirement from the solicitation so you're not caught assuming a self-assessment is enough when the contract demands certification, which can take months to schedule.

Can the same company get me ready and then certify me?

No, and this surprises a lot of firms. A C3PAO is prohibited from certifying any client it provided CMMC consulting or remediation to, with a three-year lookback, under the ISO/IEC 17020 standard that governs assessors. So readiness work and certification have to come from different firms. Northbend coordinates the readiness side and brings in an independent C3PAO for the assessment. Anyone promising to both prepare and certify you is describing a conflict the rule forbids.

What exactly do I have to produce to be compliant at Level 2?

A documented program, not a checkbox. You need a System Security Plan describing how each of the 110 controls is implemented, supporting policies and evidence for each control, a posted SPRS score, a tightly limited POA&M for any deferred items, and an annual affirmation. SPRS is subtractive: 110 is perfect, and unmet controls deduct 5, 3, or 1 points each. You need at least an 88 of 110 for a Conditional status, and you must close out any POA&M within 180 days or that Conditional status expires.
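The scoring rules in this answer and in item 04 above (110 starting points, 5/3/1 deductions per unmet control with no partial credit, Conditional status at 88 or better with only POA&M-eligible items open, Final only at a perfect 110, and no deferral of any 3- or 5-point control or of six specified 1-point controls) are mechanical enough to encode. The calculator below is an added example written for this page, not Northbend's tooling and not DoD's SPRS implementation. It assumes placeholder control identifiers (the `ONE-POINT-nn` and `FIVE-POINT-01` names are constructed), and because the page does not name the six non-deferrable 1-point controls, their identifiers are passed in as a set rather than hard-coded.

```python
# Added example (not Northbend's or DoD's code): an SPRS score and CMMC Level 2
# status calculator that encodes the scoring rules stated on this page.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

TOTAL_CONTROLS = 110          # NIST SP 800-171 Rev. 2 requirements
PERFECT_SCORE = 110           # every control implemented
CONDITIONAL_MINIMUM = 88      # 80% of 110; floor for Conditional status
VALID_WEIGHTS = {5, 3, 1}     # deduction per unmet control, no partial credit


@dataclass(frozen=True)
class Finding:
    """One unmet control from the gap assessment."""
    control_id: str   # hypothetical identifier; real IDs come from the assessment
    weight: int       # 5, 3 or 1 points deducted


@dataclass
class Level2Result:
    score: int
    status: str                   # "Final", "Conditional" or "Not Met"
    blocking: List[Finding]       # unmet controls that cannot go on a POA&M
    poam_eligible: List[Finding]  # unmet controls that may be deferred (180 days)


def sprs_score(findings: Iterable[Finding]) -> int:
    """Subtractive SPRS score: start at 110, deduct each finding's weight."""
    score = PERFECT_SCORE
    for f in findings:
        if f.weight not in VALID_WEIGHTS:
            raise ValueError(f"{f.control_id}: weight must be 5, 3 or 1, got {f.weight}")
        score -= f.weight
    return score


def is_poam_eligible(finding: Finding, non_deferrable_one_point: FrozenSet[str]) -> bool:
    """Page rule: no 3- or 5-point control may be deferred, nor six specified
    1-point controls. The page does not list those six, so their IDs are an
    input here (assumption), not hard-coded."""
    if finding.weight > 1:
        return False
    return finding.control_id not in non_deferrable_one_point


def evaluate_level2(findings: Iterable[Finding],
                    non_deferrable_one_point: FrozenSet[str] = frozenset()) -> Level2Result:
    """Decide Final / Conditional / Not Met from the findings list."""
    findings = list(findings)
    score = sprs_score(findings)
    blocking = [f for f in findings if not is_poam_eligible(f, non_deferrable_one_point)]
    eligible = [f for f in findings if is_poam_eligible(f, non_deferrable_one_point)]
    if score == PERFECT_SCORE:
        status = "Final"                   # only a perfect 110 is Final outright
    elif score >= CONDITIONAL_MINIMUM and not blocking:
        status = "Conditional"             # >= 88 and only POA&M-eligible items open
    else:
        status = "Not Met"
    return Level2Result(score, status, blocking, eligible)


def max_open_one_point_items() -> int:
    """How many 1-point gaps can remain open and still reach Conditional."""
    return PERFECT_SCORE - CONDITIONAL_MINIMUM   # 22


# Constructed sample findings (placeholder IDs, not real 800-171 identifiers).
SAMPLE_FINDINGS = [Finding(f"ONE-POINT-{i:02d}", 1) for i in range(20)]
SAMPLE_WITH_FIVE = SAMPLE_FINDINGS + [Finding("FIVE-POINT-01", 5)]

if __name__ == "__main__":
    for label, fs in (("20 one-point gaps", SAMPLE_FINDINGS),
                      ("plus one 5-point gap", SAMPLE_WITH_FIVE)):
        r = evaluate_level2(fs)
        print(f"{label}: score {r.score}, status {r.status}, "
              f"{len(r.blocking)} blocking, {len(r.poam_eligible)} POA&M-eligible")
```

The useful property this makes visible is that the two conditions for Conditional status are independent: a single open 5-point control leaves the score at 105, comfortably above 88, yet still blocks Conditional status because it cannot be deferred, while 23 open 1-point controls are all deferrable but drop the score to 87. Running the gap assessment output through a check like this, before posting to SPRS, is how you avoid discovering either problem during the C3PAO assessment.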

Does this apply to me if I am only a subcontractor, not the prime?

Yes. CMMC flows down to subcontractors at every tier that process, store, or transmit FCI or CUI, regardless of firm size. A prime can't lawfully share regulated data with, or award CUI work to, a sub that lacks the required level. This is the trap for smaller firms: even a $1 to $5M shop that only works as a sub has to meet the level, or it gets dropped from teams it's worked with for years.

Why does a principal-led firm need a compliance quarterback instead of just handing this to our IT vendor?

Because this is a procurement and governance discipline, not just an IT task. Your IT vendor can configure systems, but someone has to own the roadmap: scope the CUI boundary, keep SAM and certifications current, write and maintain the SSP, sequence the registrations and set-asides, manage subcontractor flow-down, file the annual affirmation (which carries personal False Claims Act exposure), and coordinate an independent C3PAO. That standing ownership is the quarterback role. Scott Mann owns the roadmap and the agency relationships and coordinates the specialists, including your IT or MSP partner, so nothing falls through the cracks between a bid and an audit.

Next step

Let's map where your firm stands.

A short assessment call: what you handle, what you want to pursue, and the real gaps between here and award. No obligation.