A practitioner's roadmap to CMMC 2.0 and CUI protection for small and mid-sized Texas defense suppliers — scoping, NIST 800-171, SPRS, the C3PAO assessment, and how managed services deliver remediation.
If your shop in Fort Worth, Clear Lake, San Antonio, or College Station holds a Department of Defense contract — or wants one — CMMC 2.0 is now the gate you have to walk through. Primes like Lockheed, Bell, and L3Harris are already writing certification requirements into subcontracts, and the DoD has begun phasing CMMC clauses into solicitations. For a small machine shop or engineering firm, the prospect can feel overwhelming: 110 controls, a third-party audit, and a vocabulary full of acronyms. This roadmap cuts through it in plain language, in the order you should actually tackle it, and shows where a managed IT services partner does the heavy lifting.
This is a deep dive that sits under our broader pillar on managed IT services for compliance in Texas. If you also handle patient data or financial information, the same control set extends to our companion guides on HIPAA-compliant managed IT and FTC Safeguards and SOC 2.
CMMC exists to protect two kinds of government data, and the distinction drives everything that follows.
FCI is information provided by or generated for the government under a contract that is not intended for public release — purchase orders, basic specs, delivery schedules. Almost every DoD supplier touches FCI. Protecting it is the floor.
CUI is more sensitive: technical drawings, engineering specifications, ITAR-controlled data, test results, and other information the government has flagged for safeguarding. If a prime sends you a CAD file marked CUI or a spec sheet covered by export control, you are handling CUI — and that pushes you into the higher CMMC tier. The honest first step is an inventory: where does CUI actually live, who touches it, and which machines and emails does it pass through?
CMMC 2.0 collapsed the old five-level model into three. For a plain-English primer, see what is CMMC 2.0.
If you are unsure where you fall, our free CMMC self-assessment tool walks you through it in your browser. And if you are weighing CMMC against the voluntary cybersecurity framework, our CMMC vs NIST CSF comparison explains why CMMC is mandatory and graded while NIST CSF is a flexible self-guide.
CMMC Level 2 is, in practice, NIST SP 800-171. The 110 security requirements are grouped into 14 families — access control, identification and authentication, audit and accountability, configuration management, incident response, media protection, system and information integrity, and more. There is no shortcut around them; certification is built control by control. Our NIST 800-171 reference page breaks down the families, and our dedicated CMMC compliance service turns that list into a project plan rather than a wall of text.
Before any assessment, you self-score your NIST 800-171 implementation and post the result to the Supplier Performance Risk System (SPRS). The methodology starts at 110 and subtracts weighted points for each unmet control — meaning a partially-compliant shop can easily sit at a negative score. Primes increasingly check SPRS before awarding work, so an honest, current score is now part of staying competitive.
Where a control is not yet met, you document a Plan of Action and Milestones (POA&M) describing how and when you will close the gap. Under CMMC 2.0, a limited set of lower-weighted controls may be POA&M'd at assessment time with a deadline (commonly 180 days), but the highest-weighted controls — multifactor authentication, for instance — generally must be fully implemented to pass. Treat POA&Ms as a short, honest punch list, not a parking lot.
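The two paragraphs above describe a scoring rule and a triage decision, so here is a small worked example (added for this roadmap, not code from the original article or from LayerLogix) that computes an SPRS score from self-assessment results and separates unmet controls into POA&M-able items and blockers. The weights follow the 1/3/5-point scheme of the DoD NIST SP 800-171 Assessment Methodology, but the ten-control weight table is a constructed subset for illustration, and the conditional-certification threshold of 88 points (80% of 110) is an assumption to confirm against the current rule text.

```python
"""SPRS score and POA&M triage for a NIST SP 800-171 self-assessment.

Added worked example, not from the original article. Control weights follow
the 1/3/5-point scheme of the DoD Assessment Methodology, but the table below
is a constructed ten-control subset; a real self-assessment scores all 110.
"""

MAX_SCORE = 110   # every requirement met
MIN_SCORE = -203  # every requirement unmet (lowest score the methodology allows)

# Constructed subset of the weight table: control id -> points deducted when unmet.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.3": 1,    # track, review, approve or disapprove changes
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.11.2": 5,   # scan for vulnerabilities periodically
    "3.12.3": 5,   # monitor security controls on an ongoing basis
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws in a timely manner
}

# Two controls accept partial credit under the methodology: MFA deployed only
# for remote and privileged access (3.5.3) and encryption that is not
# FIPS-validated (3.13.11) each cost 3 points instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Assumed gate for conditional certification: score at or above 80% of 110 and
# no unmet 5-point control. Confirm the exact thresholds against the rule.
MIN_CONDITIONAL_SCORE = 88


def deduction(control: str, status: str) -> int:
    """Points lost for one control given status 'met', 'partial' or 'not_met'."""
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control]
    # 'partial' on any other control counts as not implemented.
    return WEIGHTS[control]


def sprs_score(results: dict) -> int:
    """results maps control id -> status; controls absent from results count as met."""
    return MAX_SCORE - sum(deduction(c, s) for c, s in results.items())


def poam_review(results: dict) -> dict:
    """Split unmet controls into POA&M-able items and blockers that must be fixed first."""
    score = sprs_score(results)
    blockers = sorted(c for c, s in results.items() if deduction(c, s) == 5)
    poam_items = sorted(c for c, s in results.items() if 0 < deduction(c, s) < 5)
    return {
        "score": score,
        "blockers": blockers,
        "poam_items": poam_items,
        "conditional_ok": score >= MIN_CONDITIONAL_SCORE and not blockers,
    }


if __name__ == "__main__":
    # Constructed shop: two 1-point gaps, MFA only for remote/privileged, no audit logs.
    shop = {"3.1.20": "not_met", "3.4.3": "not_met", "3.5.3": "partial", "3.3.1": "not_met"}
    print(poam_review(shop))
```

The sample shop scores 100 out of 110, which looks respectable, yet it cannot be certified conditionally because audit logging (a 5-point control) is unmet; the two 1-point gaps and the partial MFA deployment are the only items that belong on the punch list. Fixing 3.3.1 alone moves the score to 105 and clears the gate, which is the practical reading of "treat POA&Ms as a short punch list".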
For most Level 2 contracts, certification comes from an independent Certified Third-Party Assessment Organization (C3PAO). The assessor reviews your System Security Plan (SSP), interviews staff, and tests evidence that each control is operating — not just written down. Expect them to ask for log samples, screenshots of MFA enforcement, access-review records, and your incident-response runbook. The single biggest reason small suppliers fail is not missing technology; it is missing evidence and documentation. Walking in with a complete SSP and a tidy evidence library is what separates a clean assessment from a painful one.
If you remember one thing from this roadmap, make it this: scope is the dominant driver of CMMC cost and effort. Every system, user, and device that touches CUI falls inside the assessment boundary and must meet all 110 controls. Let CUI sprawl across every laptop, email inbox, and shop-floor PC, and you have just signed up to harden your entire company.
The smarter approach is enclaving — corralling CUI into a small, well-defined environment (a GCC High tenant, a hardened virtual desktop, or a segmented network zone) that only authorized people can reach. Everything outside the enclave is out of scope. A tight enclave can cut the number of in-scope endpoints from dozens to a handful, dramatically lowering both remediation cost and ongoing audit burden. Designing that boundary correctly is one of the highest-value things a CMMC-capable MSP does for you.
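Scope follows the data, not the org chart: any system that receives CUI along a data flow from a system that already holds it is inside the boundary, whether or not anyone intended it. The following added example (not code from the original article or from LayerLogix) walks a constructed inventory of CUI data flows, computes the resulting assessment boundary, and flags every in-scope asset that sits outside the declared enclave. The asset names and flows are made up for illustration.

```python
"""CUI scoping check: does the declared enclave actually contain the boundary?

Added example with a constructed inventory. An asset is in scope if it holds
CUI or can receive CUI along any chain of data flows from an asset that does.
In-scope assets outside the enclave are scope leaks: either pull them into
the enclave or cut the flow that drags them in.
"""
from collections import deque

# Constructed inventory: asset -> set of assets it sends CUI-bearing data to.
FLOWS = {
    "enclave-fileserver": {"avd-engineering", "backup-vault"},
    "avd-engineering": {"enclave-fileserver", "cnc-programming-pc"},
    "cnc-programming-pc": {"shopfloor-cnc-01"},   # G-code export path
    "backup-vault": set(),
    "shopfloor-cnc-01": set(),
    "front-office-pc": {"email-gateway"},         # FCI only, no CUI flows in
    "email-gateway": {"front-office-pc"},
}

# Where CUI enters: the prime's drawings land on the enclave file server.
CUI_SOURCES = {"enclave-fileserver"}

# What the shop has declared as its enclave.
ENCLAVE = {"enclave-fileserver", "avd-engineering", "backup-vault"}


def in_scope_assets(flows: dict, sources: set) -> set:
    """Breadth-first walk along CUI flows; the result is the assessment boundary."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        asset = queue.popleft()
        for dest in flows.get(asset, ()):
            if dest not in seen:
                seen.add(dest)
                queue.append(dest)
    return seen


def scope_leaks(flows: dict, sources: set, enclave: set) -> list:
    """In-scope assets that are not inside the declared enclave."""
    return sorted(in_scope_assets(flows, sources) - enclave)


def scope_report(flows: dict, sources: set, enclave: set) -> dict:
    """Summary a scoping workshop would want: boundary size, leaks, and what stays out."""
    boundary = in_scope_assets(flows, sources)
    return {
        "total_assets": len(flows),
        "in_scope": len(boundary),
        "leaks": scope_leaks(flows, sources, enclave),
        "out_of_scope": sorted(set(flows) - boundary),
    }


if __name__ == "__main__":
    print(scope_report(FLOWS, CUI_SOURCES, ENCLAVE))
```

Run as written, the report shows the G-code export from the engineering desktop dragging the programming PC and a shop-floor controller into scope, so the three-asset enclave is really a five-asset boundary. The two remedies map directly to the two tests below: either extend the enclave to cover those machines, or remove the flow (for example, by moving CNC programming inside the virtual desktop) so the boundary shrinks back to the enclave.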
Once scope is set, the bulk of CMMC work is implementing and operating technical controls — which is exactly what a managed services provider does day to day. The core building blocks:
Build this baseline once and it maps not only to CMMC but to the other frameworks in the pillar guide — the same controls do double duty for HIPAA, FTC Safeguards, and SOC 2.
Every shop is different, but for a small-to-mid Texas supplier pursuing Level 2, plan in ranges rather than a single number. Remediation and setup — closing control gaps, standing up an enclave, authoring the SSP — commonly runs in the low-to-mid five figures, scaling with how much CUI sprawl you start with. The C3PAO assessment itself is a separate fee, typically several tens of thousands of dollars depending on environment size. Ongoing managed services to operate and maintain the controls fit the broader Texas range of roughly $125-$275 per user per month.
On timeline, a focused engagement from kickoff to assessment-ready usually takes six to twelve months, driven mostly by documentation maturity and how cleanly you can scope CUI. Firms that try to certify their whole environment instead of a tight enclave routinely take longer and spend far more. The offsetting math is real: a clean CMMC posture also tends to earn cyber-insurance premium credits and, more importantly, keeps you eligible for contracts that are simply closed to uncertified suppliers.
Yes. Certification requirements flow down the supply chain. If your prime handles CUI and passes it to you, you must meet the same CMMC level for the work you perform — being a small subcontractor does not exempt you.
Only if you are Level 1 (FCI only) or fall into the narrow set of Level 2 contracts the DoD allows to self-assess. Most CUI contracts require a third-party C3PAO assessment, so confirm your contract language before assuming you can self-attest.
Shrink your scope. Move CUI into a small enclave so only a handful of users and devices are in-scope, then deploy PAM and MFA inside that boundary. Scoping well is the single biggest lever on both cost and timeline.
A Level 2 third-party certification is valid for three years, with an annual affirmation of continued compliance in between. That makes continuous monitoring and an up-to-date evidence library — exactly what managed services provide — essential, not optional.
Ready to scope your CUI and map a realistic path to CMMC 2.0? Contact LayerLogix or call 888-792-8080 for a CMMC readiness assessment built for Texas defense suppliers.