"A 32-person defense subcontractor achieved Level 2 readiness in 8 months with no prior compliance team."
CMMC 2.0 enforcement is active. If you're competing for DoD contracts — or defending existing ones — you need Level 1, 2, or 3 readiness documented and scored in SPRS. We help small and mid-sized contractors get there without a Big 4 consulting bill.
Our CMMC 2.0 Self-Assessment Workbook covers all 17 Level 1 practices, all 110 Level 2 practices, and the 24 NIST SP 800-172 requirements added at Level 3. Practices are grouped by the 14 CMMC domains, which mirror the 14 requirement families of NIST SP 800-171 Rev 2. Download the full checklist below.
67-page workbook covering all three CMMC 2.0 levels. Includes practice-level evidence checklists, SPRS scoring calculator, POA&M template, and a CMMC Level selector so you know exactly what applies to your organisation.
No spam. One-click unsubscribe. hello@secureveryone.com sends it.
One-on-one coaching. Best for Level 1 gap assessment and initial CMMC Level selector.
Team session up to 8 attendees. Level 2 readiness coaching with domain-by-domain walkthrough.
Unlimited team sessions. Best for Level 2 / Level 3 organisations with multiple workforces to train.
Answers to the questions we hear most from DoD supply chain contractors. If yours isn't here, email us and we'll add it.
It depends on the type of information you handle and the DoD contracts you hold or are bidding on.
Level 1 (FCI only): If you only process Federal Contract Information (unclassified information provided by or generated for the government that is not intended for public release) and your contracts do not involve CUI, a Level 1 self-assessment is the minimum. Every DoD contract involves FCI, so Level 1 applies to essentially every contractor; the one carve-out is contracts solely for commercial off-the-shelf (COTS) items, which are exempt from CMMC.
Level 2 (CUI): If you handle, store, or process Controlled Unclassified Information (technical drawings, source code, program data, or CUI in any other form), your solicitation states the CMMC level required, and for CUI that is Level 2. Subcontractors that receive CUI flowed down from a prime need Level 2 as well; the prime's certification does not cover them.
Level 3 (high-value CUI): Only organisations working on the most sensitive DoD programs with high-value CUI require Level 3. It adds 24 requirements from NIST SP 800-172 on top of the 110, and the assessment is government-led, conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO. A Level 2 C3PAO certification is a prerequisite.
If you don't know whether you handle CUI, read your contract clauses. DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) tells you the contract expects CUI and imposes NIST SP 800-171 and flow-down obligations; where CMMC has been added to the contract, DFARS 252.204-7021 states the required CMMC level. Our self-assessment workbook includes a CMMC Level selector to help you determine which applies.
It depends on your target level and contract requirements:
Level 1: Annual self-assessment only. You assess your own environment against the 17 Level 1 practices using the DoD's Level 1 self-assessment guide, record the result in SPRS (Supplier Performance Risk System), and have a senior company official affirm it every year. Level 1 is pass/fail: every practice must be MET, there is no numerical score, and no POA&M is permitted. No third-party assessor is involved.
Level 2: There are two variants, and the solicitation tells you which one applies. Level 2 (Self) is an annual self-assessment against all 110 NIST SP 800-171 practices, scored with the DoD Assessment Methodology and posted to SPRS with an annual affirmation. Level 2 (C3PAO) is a certification assessment performed by a C3PAO (CMMC Third-Party Assessment Organization), valid for three years with an annual affirmation in between. DoD has said it expects most Level 2 requirements to be the C3PAO variant. Check the solicitation and the DFARS 252.204-7021 clause in your contract, then confirm with your contracting officer and the DoD CMMC program website.
Level 3: Government-led assessment conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO, and only after you hold a Level 2 C3PAO certification. Like Level 2 (C3PAO), the certification lasts three years with annual affirmations.
CMMC 2.0 is actively rolling out via DoD contracts. The program rule (32 CFR Part 170) and the contract clause rule (DFARS 252.204-7021) are both in effect, and requirements are being added to solicitations in phases over roughly three years: the first phase, which began in 2025, introduces Level 1 and Level 2 self-assessment requirements, later phases add Level 2 C3PAO and Level 3 requirements, and the final phase applies CMMC to all applicable contracts.
The key point for SMBs: enforcement is active now for new awards that include CMMC requirements. If you're bidding on new DoD contracts, or have existing contracts being renewed or extended, the CMMC level required will be specified in the solicitation, and it must be satisfied at award, not after. Delaying readiness means losing competitive bids to contractors who already have their assessment on record.
Level 1 and Level 2 self-assessment results, together with the senior official's affirmation, must be in SPRS (supplierperformance.defense.gov) before contract award. Start your Level 1 assessment now, even if you're targeting Level 2 long-term: the 17 Level 1 practices are a subset of the 110 you will need anyway.
Yes, and this is one of the most directly actionable domains in the CMMC framework. The Awareness & Training (AT) domain has three practices, all at Level 2 (Level 1 has no AT practice; its 17 practices come from the AC, IA, MP, PE, SC and SI domains). They map one-to-one to NIST SP 800-171 requirements 3.2.1 to 3.2.3:
AT.L2-3.2.1 (Role-based risk awareness): Managers, system administrators and users of organisational systems must be made aware of the security risks associated with their activities and of the applicable policies, standards and procedures.
AT.L2-3.2.2 (Role-based training): Personnel must be trained to carry out their assigned information security-related duties and responsibilities.
AT.L2-3.2.3 (Insider threat awareness): Security awareness training must cover recognising and reporting potential indicators of insider threat. (Reporting of security incidents is covered separately by the Incident Response domain.)
Documented training with attendance records is the primary evidence for all three practices. Our sessions produce timestamped attendance records with participant names, session topic, and completion status, which you cite in your SSP (System Security Plan) and produce for the assessor; for a C3PAO assessment the assessor records the results in the CMMC instance of eMASS, you do not upload evidence there yourself. This is one of the most cost-effective domains to close: the training has to happen anyway, and the evidence is a dated attendance record plus the training content.
FCI (Federal Contract Information) is any unclassified information that is provided by or generated for the government under a contract — and is not intended for public release. It does not require any special handling markings; FCI is the default on all DoD contracts. Level 1 CMMC is built around protecting FCI.
CUI (Controlled Unclassified Information) is a specific category of unclassified information that requires safeguarding or dissemination controls under law, regulation, or government policy. CUI is explicitly marked (or should be) and has defined handling rules. Defense contractors routinely handle CUI in technical data, software, engineering drawings, and program documentation. Level 2 CMMC governs CUI protection.
The key distinction: all contractors handle FCI, but only contractors whose information falls into a category in the CUI Registry handle CUI. For defense contractors the common categories are controlled technical information (drawings, specifications, test data) and export-controlled information (ITAR/EAR). If your contract carries DFARS 252.204-7012 or you receive documents marked CUI, you are handling CUI and need Level 2 readiness. Information that is merely non-public (your proposal, invoices, routine correspondence) is FCI, not CUI.
SPRS (Supplier Performance Risk System) is the DoD's database for contractor assessment results. Before award on a contract that requires CMMC, the contractor's current result must be on record in SPRS at supplierperformance.defense.gov: the Level 1 self-assessment result and affirmation, or the Level 2 NIST SP 800-171 score and affirmation, depending on the level required.
The Level 2 score is calculated using the NIST SP 800-171 DoD Assessment Methodology. You start at 110 and subtract a weight of 5, 3 or 1 points for every requirement that is not implemented, so the maximum score is 110 and the minimum is -203. A requirement that genuinely does not apply to your environment is recorded as not applicable with a written rationale and is not deducted. Only two requirements allow partial credit: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), each of which deducts 3 instead of 5 when partly implemented. If you have no system security plan (3.12.4), the assessment cannot be completed at all. Anything below 110 is a gap that must be tracked in a Plan of Action & Milestones (POA&M). Level 1 is not scored this way: each of its 17 practices is simply MET or NOT MET, every one must be MET, and no POA&M is permitted at Level 1.
Our CMMC 2.0 Self-Assessment Workbook includes a SPRS scoring guide with the calculation methodology so you can score your current state, identify your gaps, and build your POA&M before your next contract bid.
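The scoring rules above, as a small calculator you can run against your own practice statuses. This is an added example, not the workbook's scoring calculator and not a DoD tool. The weight table covers only a handful of requirements and the weights in it are assumed; the published Annex of the DoD Assessment Methodology lists all 110 and is the only authoritative source. The sample statuses are constructed, not real contractor data.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does, and show why CMMC Level 1 is pass/fail instead.

Constructed example. The WEIGHTS table is a partial, assumed sample;
verify every weight against the published Methodology before relying
on a score from this script."""
from typing import Dict, Literal

Status = Literal["MET", "NOT_MET", "PARTIAL", "NA"]

MAX_SCORE = 110  # every requirement implemented

# Assumed weights for the requirements used in this example (a real
# scorer needs all 110 from the Methodology's annex).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorised users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.4": 1,    # separation of duties
    "3.5.3": 5,    # multifactor authentication
    "3.12.4": 0,   # system security plan: gate, not a deduction (see below)
    "3.13.11": 5,  # FIPS-validated cryptography
}

# The only two requirements the Methodology gives partial credit for:
# MFA not yet covering every user, or encryption in place but not
# FIPS-validated, each lose 3 points instead of 5.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# With no system security plan the Methodology says the assessment
# cannot be completed, so there is no score to post at all.
SSP_REQUIREMENT = "3.12.4"


def deduction(req: str, status: Status) -> int:
    """Points lost for one requirement at the given status."""
    if req not in WEIGHTS:
        raise KeyError(f"{req}: no weight in table; add it from the Methodology")
    if status in ("MET", "NA"):
        return 0  # N/A is documented with a rationale but not deducted
    if status == "PARTIAL":
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req}: partial credit not allowed; record MET or NOT_MET")
        return PARTIAL_DEDUCTION[req]
    if status == "NOT_MET":
        return WEIGHTS[req]
    raise ValueError(f"{req}: unknown status {status!r}")


def sprs_score(statuses: Dict[str, Status]) -> int:
    """Level 2 score to post in SPRS: 110 minus all deductions
    (the floor is -203 once all 110 requirements are scored)."""
    if statuses.get(SSP_REQUIREMENT) != "MET":
        raise ValueError("no system security plan: assessment cannot be completed")
    return MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())


def poam_items(statuses: Dict[str, Status]) -> Dict[str, int]:
    """Requirements that cost points, i.e. what the POA&M must track."""
    return {r: deduction(r, s) for r, s in statuses.items() if deduction(r, s) > 0}


def level1_result(statuses: Dict[str, Status]) -> str:
    """Level 1 is not scored: every practice must be MET and no POA&M
    is permitted, so the only outcomes are MET and NOT MET."""
    return "MET" if all(s == "MET" for s in statuses.values()) else "NOT MET"


# Constructed sample Level 2 self-assessment, not real contractor data.
SAMPLE: Dict[str, Status] = {
    "3.1.1": "MET",
    "3.1.2": "MET",
    "3.1.3": "NOT_MET",    # -1
    "3.1.4": "NA",         # single-admin shop, rationale documented, no deduction
    "3.5.3": "PARTIAL",    # MFA on remote and privileged access only: -3, not -5
    "3.12.4": "MET",       # SSP exists, so the assessment can be scored
    "3.13.11": "NOT_MET",  # -5
}

# Constructed Level 1 sample using the CMMC Level 1 practice IDs for the
# first two access-control practices.
LEVEL1_SAMPLE: Dict[str, Status] = {"AC.L1-b.1.i": "MET", "AC.L1-b.1.ii": "NOT_MET"}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    print("POA&M items:", poam_items(SAMPLE))
    print("Level 1 result:", level1_result(LEVEL1_SAMPLE))
```

With the constructed sample the Level 2 score is 101 (110 minus 1, 3 and 5) and the POA&M must carry 3.1.3, 3.5.3 and 3.13.11; the same kind of shortfall at Level 1 is simply NOT MET, because Level 1 has no partial credit and no POA&M. Marking a requirement PARTIAL that is not 3.5.3 or 3.13.11 is rejected on purpose, since that is the most common way self-scored numbers drift upward.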
Start with a $150 personal session. Map your current level, identify your gaps, and get a clear roadmap to Level 2 or Level 3 readiness before your next solicitation closes.