
CMMC 2.0 Compliance
Defense Contracts Require CMMC Certification. Lionhive Builds the Program That Gets You There and Keeps You There.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s framework for verifying that defense contractors and subcontractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at the level the national security implications of that data demand. CMMC 2.0 is not a compliance exercise that can be satisfied with documentation alone — it is a third-party verified assessment of whether your cybersecurity program actually implements the practices required by NIST SP 800-171 at the depth and consistency that DoD assessors will examine. Organizations that fail their CMMC assessment lose eligibility for DoD contracts. Organizations that misrepresent their compliance status in DoD contract certifications face liability under the False Claims Act — including treble damages and potential criminal exposure.
The Defense Industrial Base (DIB) spans prime contractors and their entire supply chains — which means CMMC requirements flow down through subcontracts to organizations that may not immediately recognize themselves as defense contractors. If your organization provides products, services, or technology to a prime contractor or to any tier of the DoD supply chain — and that relationship involves handling FCI or CUI — CMMC requirements apply to you regardless of whether your contract is directly with the government.
Lionhive provides CMMC 2.0 readiness assessment, gap remediation, program implementation, and preparation support for Level 1 self-assessments and Level 2 third-party assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs) across the Defense Industrial Base.
CMMC is not a certification you buy. It is a certification you earn by demonstrating that your cybersecurity program actually does what it says it does — consistently, across every system that touches CUI, verified by an independent assessor who has seen every way organizations try to paper over gaps that their programs haven’t actually closed. Lionhive builds programs that pass genuine assessment — not programs optimized for documentation.
CMMC 2.0 Structure — Three Levels, One Framework
CMMC 2.0 simplified the original five-level CMMC 1.0 model into three levels aligned with the sensitivity of the information being handled and the nature of the work being performed:
Level 1 — Foundational — Applies to organizations handling Federal Contract Information (FCI) but not CUI. Requires implementation of 17 basic cybersecurity practices drawn from FAR 52.204-21. Satisfied through annual self-assessment with results submitted to the Supplier Performance Risk System (SPRS). While Level 1 is self-assessed, the self-assessment is a legal certification — false certifications create False Claims Act exposure.
Level 2 — Advanced — Applies to organizations handling CUI in support of DoD programs. Requires implementation of all 110 practices from NIST SP 800-171 Revision 2 organized across 14 practice domains. Most defense contractors and subcontractors handling CUI will require Level 2 certification. Assessment is conducted by an accredited C3PAO every three years, with annual affirmations of continued compliance between assessments. Level 2 is where the majority of CMMC compliance work occurs and where Lionhive’s program focus is concentrated.
Level 3 — Expert — Applies to organizations handling CUI associated with DoD’s highest priority programs. Requires implementation of all NIST SP 800-171 practices plus a subset of practices from NIST SP 800-172. Assessed by government officials from the Defense Contract Management Agency (DCMA). Level 3 applies to a limited set of organizations in the DIB and is not the focus of Lionhive’s standard CMMC practice.
The 14 CMMC Level 2 Practice Domains
CMMC Level 2 requires implementation of 110 security practices organized across 14 domains drawn directly from NIST SP 800-171. Each domain addresses a specific aspect of the security program required to protect CUI:
Access Control (AC) — 22 practices governing who can access CUI, under what conditions, and with what limitations. Includes least-privilege enforcement, session controls, remote access management, and separation of duties. Access Control is typically the domain with the most gaps in organizations beginning CMMC preparation — the accumulation of over-provisioned accounts, legacy access grants, and inadequately controlled remote access creates a significant remediation workload.
Awareness and Training (AT) — 3 practices requiring that personnel understand their security responsibilities and are trained to recognize and report security threats. Security awareness training must be documented and current — not a one-time onboarding activity but an ongoing program with role-specific content for users who handle CUI.
Audit and Accountability (AU) — 9 practices requiring creation, protection, retention, and review of audit logs across systems that process, store, or transmit CUI. Log coverage, retention periods, and review processes are commonly deficient — organizations that have never been asked to produce audit logs for an assessment frequently discover that logging was incomplete, logs were being overwritten, or no one was reviewing them.
Configuration Management (CM) — 9 practices governing baseline configurations, change control, and management of software and hardware inventory. Configuration management requires documented baselines for every system touching CUI, a process for evaluating and approving changes, and controls preventing installation of unauthorized software.
Identification and Authentication (IA) — 11 practices governing identity verification for users, processes, and devices. Multi-factor authentication for all users accessing CUI systems — local and remote — is a specific IA requirement that many organizations struggle with in legacy environments. Password management, account lifecycle, and authenticator management are also addressed in this domain.
Incident Response (IR) — 3 practices requiring documented incident response capability, testing, and reporting. As discussed on Lionhive’s Incident Response page, having a documented and tested IR plan is the minimum — assessors will verify that the plan is operational, has been exercised, and covers CUI-relevant incident scenarios.
Maintenance (MA) — 6 practices governing system maintenance activities, including controls on remote maintenance tools and personnel performing maintenance on systems handling CUI. Maintenance controls are frequently overlooked in CMMC preparation — the technician who remotes into a system to perform maintenance represents an access control and monitoring challenge that requires specific procedural and technical controls.
Media Protection (MP) — 9 practices governing protection, handling, transport, and disposal of system media containing CUI — including physical media like hard drives and USB devices, and digital media in cloud and on-premises storage. Media sanitization procedures and documentation are commonly deficient, particularly for organizations that replace hardware regularly without documented sanitization processes.
Personnel Security (PS) — 2 practices addressing screening of personnel in positions of trust and protecting CUI during and after personnel actions. Personnel security requirements are relatively limited under NIST SP 800-171 compared to some other frameworks, but termination and transfer procedures — ensuring access is revoked and CUI is returned or destroyed when personnel leave — are specifically required.
Physical Protection (PE) — 6 practices governing physical access to systems and facilities where CUI is processed or stored. Physical access controls, visitor management, and monitoring of physical access to CUI environments are required — and for organizations that have never thought about physical security in the context of their IT environment, this domain can surface gaps that require facility-level changes.
Risk Assessment (RA) — 3 practices requiring periodic risk assessments, vulnerability scanning, and risk remediation. Risk assessments must be documented, periodic, and connected to remediation actions — not a one-time exercise performed before an assessment and never revisited. Vulnerability scanning must cover all systems in the CUI environment and results must be acted upon within defined timeframes.
Security Assessment (CA) — 4 practices requiring periodic assessment of security controls, action plans for identified deficiencies, and a System Security Plan (SSP) documenting the CUI environment, security controls, and their implementation status. The SSP is the foundational document of the CMMC assessment — a comprehensive description of the organization’s CUI environment and how each of the 110 practices is implemented. Organizations without an SSP cannot be assessed and cannot submit meaningful SPRS scores.
System and Communications Protection (SC) — 16 practices governing protection of communications and system boundaries — network segmentation, encryption in transit, session controls, and boundary protection. CUI must be encrypted in transit and at rest, system boundaries must be defined and enforced, and wireless access must be controlled. This domain is technically demanding and frequently requires network architecture changes for organizations with flat network designs.
System and Information Integrity (SI) — 7 practices governing malware protection, security alerts, patch management, and system monitoring. Antivirus/EDR deployment, patch management currency, and security alert monitoring are the primary requirements. Organizations running systems with significant patch backlogs or without endpoint protection on all CUI-handling systems will find SI remediation among the most time-intensive aspects of CMMC preparation.
The System Security Plan — The Foundation of CMMC Compliance
The System Security Plan (SSP) is the most important document in a CMMC compliance program. It defines the scope of the CUI environment — every system, application, network component, and cloud service that processes, stores, or transmits CUI — and documents how each of the 110 NIST SP 800-171 practices is implemented within that environment. The SSP is what C3PAO assessors review during a CMMC Level 2 assessment, and the quality and accuracy of the SSP significantly affects assessment outcomes.
A weak SSP — one that is vague about implementation details, omits systems that are actually in scope, or claims practices are implemented when they aren’t — creates assessment failures that are more damaging than an honest SSP that accurately documents gaps alongside a Plan of Action and Milestones (POA&M) that addresses them. DoD’s assessment process accommodates POA&Ms for practices that are partially implemented or scheduled for implementation — but it has no tolerance for misrepresentation of implementation status, which is where False Claims Act exposure originates.
Lionhive builds SSPs that are accurate, defensible, and assessment-ready — documenting the CUI environment completely, representing each practice implementation honestly, and connecting incomplete implementations to POA&M timelines that demonstrate active progress toward full compliance.
CUI Scoping — The Most Important Decision in CMMC Preparation
The scope of the CMMC assessment — the set of systems, personnel, and facilities subject to assessment — is determined by what touches CUI. Organizations that define their CUI environment too broadly create unnecessary compliance burden by subjecting systems that don’t actually handle CUI to the full weight of NIST SP 800-171 requirements. Organizations that define it too narrowly risk assessment failure and False Claims Act exposure when assessors identify CUI-handling systems that were excluded from scope.
Lionhive conducts CUI scoping assessments that identify where CUI enters the organization, how it flows through systems and processes, where it is stored, and what the appropriate boundary of the CUI environment is — applying National Archives CUI Registry definitions and DoD contract requirements to establish a defensible scope that is neither over-inclusive nor under-inclusive. For organizations considering cloud migration of CUI workloads, Lionhive evaluates FedRAMP-authorized cloud services and DoD Cloud Computing Security Requirements Guide (SRG) compliance for cloud providers handling CUI — ensuring that cloud services in scope are authorized to handle CUI at the required impact level.
Lionhive’s CMMC Readiness Approach
Gap Assessment Against NIST SP 800-171 — Lionhive conducts a structured assessment of your organization’s current security posture against all 110 NIST SP 800-171 practices, producing a gap analysis that identifies which practices are fully implemented, partially implemented, or not implemented — with the specific evidence gaps that an assessor would identify for each deficiency. The gap assessment produces the honest baseline that drives remediation planning.
SPRS Score Calculation — The DoD’s Supplier Performance Risk System requires organizations to submit a score reflecting their implementation status against NIST SP 800-171. The scoring methodology assigns point values to each practice and deducts points for practices that are not implemented — a perfect score is 110, and most organizations beginning CMMC preparation score significantly below that. Lionhive calculates your current SPRS score based on the gap assessment and develops a remediation roadmap that prioritizes practices by their impact on the SPRS score, the risk they address, and the implementation complexity they involve.
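The scoring described above, worked through as an added example (not Lionhive's tooling or the DoD's software): practices carry the 5/3/1 weights of the DoD Assessment Methodology for NIST SP 800-171, partial credit exists only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and the remediation ordering ranks open gaps by SPRS points recovered per day of effort. The seven-practice gap assessment and its effort estimates are constructed for illustration; the weights are those published in the methodology's annex and should be checked against the current version before use.

```python
"""SPRS score from a NIST SP 800-171 gap assessment, plus a remediation ordering.

Per the DoD Assessment Methodology: start at 110 and subtract each practice's
weight (5, 3 or 1) when it is not implemented. Only two practices allow partial
credit, losing 3 of 5 points instead of 5: 3.5.3 when MFA covers remote and
privileged access but not all users, and 3.13.11 when encryption is in place
but not FIPS-validated. The practice list below is a constructed sample.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110
PARTIAL_CREDIT_DEDUCTION = 3          # applies only to the two practices below
PARTIAL_ELIGIBLE = {"3.5.3", "3.13.11"}

@dataclass(frozen=True)
class Practice:
    id: str            # NIST SP 800-171 requirement number
    domain: str        # CMMC practice domain abbreviation
    weight: int        # methodology weight: 5, 3 or 1
    status: str        # "implemented", "partial" or "not_implemented"
    effort_days: int   # constructed remediation estimate, used for ranking only

def deduction(p: Practice) -> int:
    """Points lost for one practice under the DoD Assessment Methodology."""
    if p.status == "implemented":
        return 0
    if p.status == "partial":
        # Every practice other than 3.5.3 / 3.13.11 is all-or-nothing.
        return PARTIAL_CREDIT_DEDUCTION if p.id in PARTIAL_ELIGIBLE else p.weight
    if p.status == "not_implemented":
        return p.weight
    raise ValueError(f"unknown status {p.status!r} for {p.id}")

def sprs_score(practices) -> int:
    return PERFECT_SCORE - sum(deduction(p) for p in practices)

def remediation_order(practices):
    """Open gaps sorted by SPRS points recovered per day of effort, best first:
    one concrete reading of 'highest-impact gaps and easiest wins first'."""
    gaps = [p for p in practices if deduction(p) > 0]
    return sorted(gaps, key=lambda p: (-deduction(p) / p.effort_days, p.id))

# Constructed gap-assessment sample; weights are the methodology's published values.
SAMPLE = [
    Practice("3.1.1",   "AC", 5, "implemented",     0),
    Practice("3.1.12",  "AC", 5, "not_implemented", 10),  # remote access sessions
    Practice("3.3.1",   "AU", 5, "not_implemented", 15),  # audit log creation/retention
    Practice("3.5.3",   "IA", 5, "partial",         20),  # MFA only for remote/privileged
    Practice("3.13.11", "SC", 5, "partial",         30),  # encryption not FIPS-validated
    Practice("3.4.9",   "CM", 1, "not_implemented", 2),   # user-installed software
    Practice("3.14.1",  "SI", 5, "implemented",     0),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for p in remediation_order(SAMPLE):
        print(f"{p.id:8} {p.domain}  +{deduction(p)} pts  {p.effort_days} days")
```

With this sample the score is 93, and the cheap 1-point CM fix ranks alongside the 5-point remote-access gap because the ordering is per-day return, not raw point value.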
Remediation Planning & Implementation — Based on the gap assessment, Lionhive designs and implements the technical controls and procedural changes required to close identified gaps — across all 14 practice domains. This is the substantive work of CMMC preparation — configuring access controls and MFA through Microsoft Entra ID, deploying endpoint protection via CrowdStrike, implementing network segmentation to isolate the CUI environment, establishing log collection and review processes, building configuration management baselines, and documenting every control implementation in the SSP. Remediation is prioritized by risk and assessment readiness — highest-impact gaps and easiest wins first.
System Security Plan Development — Lionhive writes the SSP that documents the CUI environment, control implementations, and POA&M for incomplete practices — in the format and with the level of detail that C3PAO assessors require. The SSP is developed iteratively as remediation progresses, so that the final document accurately reflects the implemented program rather than being written as a separate documentation exercise.
Pre-Assessment Readiness Review — Before the formal C3PAO assessment, Lionhive conducts a mock assessment against the CMMC Level 2 practice set — identifying remaining gaps, validating evidence packages for each practice, and ensuring the organization enters the formal assessment with a realistic expectation of outcomes and no avoidable surprises. The pre-assessment review is the quality check that determines whether the formal assessment is a confirmation of readiness or a discovery of gaps that should have been addressed earlier.
C3PAO Assessment Support — Lionhive supports the organization during the formal C3PAO assessment — coordinating evidence submission, responding to assessor questions, clarifying implementation details, and managing the logistics of the assessment process. Having experienced support during the assessment reduces the operational burden on internal staff and ensures that implementation details are accurately communicated to assessors.
Ongoing Compliance Maintenance — CMMC Level 2 certification is valid for three years, with annual affirmations of continued compliance required between assessments. Maintaining compliance requires ongoing attention — new systems added to the CUI environment must be brought into the SSP and assessed for compliance, personnel changes require updated training records and access reviews, and the security program must continue operating at the level the SSP represents. Lionhive provides ongoing compliance maintenance to ensure that the program certified by the C3PAO remains compliant through the three-year certification period and is in strong position for recertification.
CMMC and Related Frameworks
CMMC Level 2 is based on NIST SP 800-171, which in turn maps to NIST SP 800-53 and aligns with NIST CSF 2.0. Organizations that have implemented NIST CSF will find significant overlap with CMMC Level 2 requirements — the investment in one framework accelerates readiness for the other. Similarly, organizations pursuing SOC 2 Type II certification will find that the access control, audit logging, and incident response requirements common to both frameworks allow shared evidence and overlapping control implementations.
For organizations in regulated industries that handle both CUI and protected health information, Lionhive builds unified compliance programs that address HIPAA and CMMC requirements through a single integrated security program — reducing the overhead of maintaining separate compliance frameworks for overlapping control requirements.
🌐 Why Organizations Choose Lionhive for CMMC
- Gap assessment against all 110 NIST SP 800-171 practices with honest, specific findings — not optimistic scoring
- SPRS score calculation and remediation roadmap prioritized by risk and assessment impact
- CUI scoping assessment that establishes a defensible environment boundary — neither over-inclusive nor under-inclusive
- SSP development that accurately documents implementation and POA&Ms — assessment-ready and False Claims Act defensible
- Technical remediation across all 14 practice domains using Microsoft Entra ID, CrowdStrike, and proven security tooling
- Pre-assessment readiness review that eliminates avoidable surprises before the formal C3PAO assessment
- Ongoing compliance maintenance through the three-year certification period and recertification preparation
- Integration with NIST CSF, SOC 2, and HIPAA programs for organizations managing multiple compliance frameworks
📞 Ready to Get Serious About CMMC Before Your Next Contract Requires It?
The organizations that approach CMMC preparation as a last-minute exercise before contract award consistently discover that the gap between where they are and where they need to be is larger than they expected and takes longer to close than the contract timeline allows. Lionhive starts with an honest assessment of where you actually stand — SPRS score, practice-level gaps, CUI environment definition — and builds the remediation roadmap that gets you to assessment-ready on a timeline that works for your contract pipeline. If CMMC requirements are coming for your organization, let’s talk about how far ahead of them you want to be.
Part of Lionhive’s Cybersecurity & Compliance practice — see also NIST CSF, Zero Trust Architecture, Identity & Access Management, Incident Response, and SOC 2.