Defense contractors don't get second chances on cybersecurity compliance. We get you certified and keep you there.
The Cybersecurity Maturity Model Certification (CMMC) determines what Department of War contracts you can bid on and which contracts you get to keep.
We have Lead CMMC Certified Assessors (LCCA) on staff who guide companies through CMMC Level 1 and CMMC Level 2 compliance from preparation to first assessment and certification, and we help you maintain your CMMC compliance status. We lead with business outcomes, so compliance is implemented in a way that avoids operational friction.
Which level applies to you?
CMMC has two levels that apply to defense contractors. Which one you need depends on the type of government information you handle. If you’re not sure, start here.
CMMC Level 1
You handle Federal Contract Information (FCI)
FCI is information provided by or generated for the government under a contract that is not intended for public release. If your company performs work on a federal contract and receives or creates government data in the process, even basic procurement or project information, you are likely handling FCI.
Level 1 covers 15 basic safeguarding requirements drawn from FAR Clause 52.204-21. Compliance is demonstrated through an annual self-assessment submitted to the Supplier Performance Risk System (SPRS). No third-party assessor is required.
Who This Is For:
- You have a federal contract or are responding to a solicitation referencing FAR 52.204-21
- Your company receives or creates government-related information as part of contract performance
- You need to submit an annual self-assessment to SPRS
- You are not sure whether you handle CUI, or you know you don’t
CMMC Level 2
You handle Controlled Unclassified Information (CUI)
CUI is government information that requires protection under law, regulation, or policy but is not classified. If your contracts reference DFARS clause 252.204-7012, if your prime has told you that you handle CUI, or if your work involves technical data, export-controlled information, or sensitive program details, you are almost certainly in Level 2 territory.
Level 2 covers 110 security requirements from NIST SP 800-171. Certification requires a formal assessment conducted by an accredited third-party assessment organization (C3PAO). This is a significant undertaking, and the stakes are just as high. Without it, you cannot bid on or hold contracts that require CUI protection.
Who This Is For:
- Your contracts reference DFARS 252.204-7012, 252.204-7019, 252.204-7020, or 252.204-7021
- Your prime contractor has notified you that you receive or generate CUI
- Your work involves technical drawings, specifications, research data, or program information
- You are not sure whether your CUI obligations require a self-assessment or a C3PAO certification
Why ResilientTech Advisors
We’re a senior-led team of practitioners. Every engagement is led by a Lead CMMC Certified Assessor (LCCA). We don’t hand your project to a junior analyst after the kickoff call.
Our approach is business first. That means every recommendation connects to contract eligibility, revenue protection, and operational risk. We help you build a program that passes the assessment and works with your operations.
What We Offer:
- LCCA-led delivery on every engagement. The expertise you bought is the expertise that shows up.
- We know exactly what a C3PAO will look for because we’ve been on both sides of the assessment.
- Fractional, not transactional. We’re embedded in your team through the certification process.