CMMC 2.0 & CUI Protection for Texas Defense Suppliers: A Managed Services Roadmap (2026)
A practitioner's roadmap to CMMC 2.0 and CUI protection for small and mid-sized Texas defense suppliers — scoping, NIST 800-171, SPRS, the C3PAO assessment, and how managed services deliver remediation.
Introduction
If your shop in Fort Worth, Clear Lake, San Antonio, or College Station holds a Department of Defense contract — or wants one — CMMC 2.0 is now the gate you have to walk through. Primes like Lockheed, Bell, and L3Harris are already writing certification requirements into subcontracts, and the DoD has begun phasing CMMC clauses into solicitations. For a small machine shop or engineering firm, the prospect can feel overwhelming: 110 controls, a third-party audit, and a vocabulary full of acronyms. This roadmap cuts through it in plain language, in the order you should actually tackle it, and shows where a managed IT services partner does the heavy lifting.
This is a deep dive that sits under our broader pillar on managed IT services for compliance in Texas. If you also handle patient data or financial information, the same control set extends to our companion guides on HIPAA-compliant managed IT and FTC Safeguards and SOC 2.
First, Know What You Are Protecting: FCI vs. CUI
CMMC exists to protect two kinds of government data, and the distinction drives everything that follows.
Federal Contract Information (FCI)
FCI is information provided by or generated for the government under a contract that is not intended for public release — purchase orders, basic specs, delivery schedules. Almost every DoD supplier touches FCI. Protecting it is the floor.
Controlled Unclassified Information (CUI)
CUI is more sensitive: technical drawings, engineering specifications, ITAR-controlled data, test results, and other information the government has flagged for safeguarding. If a prime sends you a CAD file marked CUI or a spec sheet covered by export control, you are handling CUI — and that pushes you into the higher CMMC tier. The honest first step is an inventory: where does CUI actually live, who touches it, and which machines and emails does it pass through?
The Three CMMC Levels
CMMC 2.0 collapsed the old five-level model into three. For a plain-English primer, see our guide to what CMMC 2.0 is.
- Level 1 (Foundational) — for FCI only. Fifteen basic safeguards, met by an annual self-assessment. Most distributors and simple-part suppliers land here.
- Level 2 (Advanced) — for CUI. Maps to all 110 controls of NIST SP 800-171. Most contracts that involve CUI require a third-party assessment by a C3PAO every three years. This is where the great majority of Texas defense subcontractors and aerospace suppliers will live.
- Level 3 (Expert) — for the highest-priority programs, adds a subset of NIST 800-172 controls and government-led assessment. Rare for small suppliers.
If you are unsure where you fall, our free CMMC self-assessment tool walks you through it in your browser. And if you are weighing CMMC against the voluntary cybersecurity framework, our CMMC vs NIST CSF comparison explains why CMMC is mandatory and graded while NIST CSF is a flexible self-guide.
NIST 800-171: The 110 Controls Behind Level 2
CMMC Level 2 is, in practice, NIST SP 800-171. The 110 security requirements are grouped into 14 families — access control, identification and authentication, audit and accountability, configuration management, incident response, media protection, system and information integrity, and more. There is no shortcut around them; certification is built control by control. Our NIST 800-171 reference page breaks down the families, and our dedicated CMMC compliance service turns that list into a project plan rather than a wall of text.
Your SPRS Score and POA&Ms
Before any assessment, you self-score your NIST 800-171 implementation and post the result to the Supplier Performance Risk System (SPRS). The methodology starts at 110 and subtracts weighted points for each unmet control, so a partially compliant shop can easily sit at a negative score. Primes increasingly check SPRS before awarding work, so an honest, current score is now part of staying competitive.
Where a control is not yet met, you document a Plan of Action and Milestones (POA&M) describing how and when you will close the gap. Under CMMC 2.0, a limited set of lower-weighted controls may be POA&M'd at assessment time with a deadline (commonly 180 days), but the highest-weighted controls — multifactor authentication, for instance — generally must be fully implemented to pass. Treat POA&Ms as a short, honest punch list, not a parking lot.
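As an added worked example (not a LayerLogix tool or anything from the page itself), here is how the SPRS arithmetic and the POA&M split play out for a constructed control inventory. The 1/3/5-point tiers and the partial credit for MFA and FIPS cryptography follow the DoD Assessment Methodology, the 88-point conditional threshold is an assumption taken from the CMMC final rule, and the sample inventory is made up.

```python
"""Constructed SPRS self-scoring example for NIST SP 800-171 Level 2."""

MAX_SCORE = 110

# Point values for the requirements this sample uses. MFA (3.5.3) and FIPS
# cryptography (3.13.11) are 5-point controls that earn partial credit (a
# 3-point deduction) when partly implemented. The SSP requirement (3.12.4)
# carries no points: without an SSP there is nothing to assess. Anything not
# listed is treated as 1 point, which holds for most of the 110 requirements;
# confirm against the methodology's Annex A before relying on it.
WEIGHTS = {"3.5.3": 5, "3.13.11": 5, "3.12.4": 0}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(control, status):
    """Points subtracted for one requirement given 'met', 'partial' or 'not_met'."""
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control]
    return WEIGHTS.get(control, 1)  # 'partial' with no credit rule scores as unmet


def sprs_score(inventory):
    """Return (score, deductions_by_control); scores can fall well below zero."""
    deductions = {c: deduction(c, s) for c, s in inventory.items()}
    return MAX_SCORE - sum(deductions.values()), deductions


def poam_review(deductions, threshold=88):
    """Split open items into POA&M-eligible (1-point) and must-fix (3/5-point).
    Assumption from the CMMC final rule: a conditional Level 2 result needs a
    score of at least 88 and no open item above 1 point. The rule also lists a
    few specific exceptions in both directions, so check it for edge cases."""
    eligible = sorted(c for c, d in deductions.items() if d == 1)
    must_fix = sorted(c for c, d in deductions.items() if d > 1)
    score = MAX_SCORE - sum(deductions.values())
    return {"eligible": eligible, "must_fix": must_fix,
            "conditional_ok": score >= threshold and not must_fix}


# Constructed inventory for a small shop; every requirement not listed is met.
SAMPLE_INVENTORY = {
    "3.5.3": "partial",    # MFA only on remote and admin accounts
    "3.13.11": "not_met",  # encrypting, but not with FIPS-validated modules
    "3.3.3": "not_met",    # logged events never reviewed or updated
    "3.6.3": "not_met",    # incident response plan never exercised
    "3.11.3": "not_met",   # vulnerability remediation not tracked
    "3.12.4": "met",       # SSP exists
}

if __name__ == "__main__":
    score, ded = sprs_score(SAMPLE_INVENTORY)
    print(f"SPRS score: {score}")  # 110 - (3 + 5 + 1 + 1 + 1) = 99
    print(poam_review(ded))       # MFA and FIPS are must-fix, not POA&M items
```

The sample scores 99, comfortably above 88, yet still could not pass conditionally because the two 5-point gaps are not POA&M-eligible; that is the distinction the paragraph above draws between a punch list and a parking lot.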
The C3PAO Assessment: What to Expect
For most Level 2 contracts, certification comes from an independent Certified Third-Party Assessment Organization (C3PAO). The assessor reviews your System Security Plan (SSP), interviews staff, and tests evidence that each control is operating — not just written down. Expect them to ask for log samples, screenshots of MFA enforcement, access-review records, and your incident-response runbook. The single biggest reason small suppliers fail is not missing technology; it is missing evidence and documentation. Walking in with a complete SSP and a tidy evidence library is what separates a clean assessment from a painful one.
The #1 Cost Lever: CUI Scoping and Enclaving
If you remember one thing from this roadmap, make it this: scope is the dominant driver of CMMC cost and effort. Every system, user, and device that touches CUI falls inside the assessment boundary and must meet all 110 controls. Let CUI sprawl across every laptop, email inbox, and shop-floor PC, and you have just signed up to harden your entire company.
The smarter approach is enclaving — corralling CUI into a small, well-defined environment (a GCC High tenant, a hardened virtual desktop, or a segmented network zone) that only authorized people can reach. Everything outside the enclave is out of scope. A tight enclave can cut the number of in-scope endpoints from dozens to a handful, dramatically lowering both remediation cost and ongoing audit burden. Designing that boundary correctly is one of the highest-value things a CMMC-capable MSP does for you.
How Managed Services Deliver the Remediation
Once scope is set, the bulk of CMMC work is implementing and operating technical controls — which is exactly what a managed services provider does day to day. The core building blocks:
- Privileged Access Management (PAM) — As a ThreatLocker partner, LayerLogix deploys application allowlisting, ringfencing, storage control, and just-in-time elevation. One PAM deployment satisfies a cluster of NIST 800-171 requirements at once: least privilege, least functionality, and execution control. See our explainer on what privileged access management is and our PAM service.
- Phishing-resistant MFA — enforced on every account that can reach CUI, this is a heavily-weighted control and a non-negotiable for passing.
- Encryption — FIPS-validated encryption for CUI at rest and in transit, including on laptops and removable media.
- Centralized logging and monitoring — audit logs collected, retained, and reviewed so you can answer the assessor's evidence questions and detect incidents.
- SSP authoring and documentation — writing the System Security Plan, policies, and POA&Ms, and keeping the evidence library current between assessments.
Build this baseline once and it maps not only to CMMC but to the other frameworks in the pillar guide — the same controls do double duty for HIPAA, FTC Safeguards, and SOC 2.
Realistic 2026 Costs and Timelines
Every shop is different, but for a small-to-mid Texas supplier pursuing Level 2, plan in ranges rather than a single number. Remediation and setup — closing control gaps, standing up an enclave, authoring the SSP — commonly runs in the low-to-mid five figures, scaling with how much CUI sprawl you start with. The C3PAO assessment itself is a separate fee, typically several tens of thousands of dollars depending on environment size. Ongoing managed services to operate and maintain the controls fit the broader Texas range of roughly $125-$275 per user per month.
On timeline, a focused engagement from kickoff to assessment-ready usually takes six to twelve months, driven mostly by documentation maturity and how cleanly you can scope CUI. Firms that try to certify their whole environment instead of a tight enclave routinely take longer and spend far more. The offsetting math is real: a clean CMMC posture also tends to earn cyber-insurance premium credits and, more importantly, keeps you eligible for contracts that are simply closed to uncertified suppliers.
How to Choose a CMMC-Capable MSP in Texas
- Ask whether they have authored real System Security Plans and supported a client through an actual C3PAO assessment — not just "done security."
- Confirm they understand CUI scoping and enclaving, and can architect a GCC High or segmented environment rather than hardening everything.
- Make sure PAM, phishing-resistant MFA, FIPS-validated encryption, and centralized logging are included in the offering, not surprise add-ons.
- Verify they will work directly with your assessor and provide evidence on demand.
- Prefer a partner with Texas defense-supply-chain familiarity who can support you on-site in Fort Worth, Clear Lake / Bay Area, San Antonio, or College Station.
Frequently Asked Questions
Do I really need CMMC if I am only a subcontractor?
Yes. Certification requirements flow down the supply chain. If your prime handles CUI and passes it to you, you must meet the same CMMC level for the work you perform — being a small subcontractor does not exempt you.
Can I just self-assess instead of paying for a C3PAO?
Only if you are Level 1 (FCI only) or fall into the narrow set of Level 2 contracts the DoD allows to self-assess. Most CUI contracts require a third-party C3PAO assessment, so confirm your contract language before assuming you can self-attest.
What is the fastest way to lower my CMMC cost?
Shrink your scope. Move CUI into a small enclave so only a handful of users and devices are in-scope, then deploy PAM and MFA inside that boundary. Scoping well is the single biggest lever on both cost and timeline.
How long is a CMMC certification good for?
A Level 2 third-party certification is valid for three years, with an annual affirmation of continued compliance in between. That makes continuous monitoring and an up-to-date evidence library — exactly what managed services provide — essential, not optional.
Geographic Coverage
- Fort Worth / DFW CMMC compliance
- Clear Lake / Bay Area CMMC compliance
- Houston CMMC compliance
- Fort Worth managed IT
- Clear Lake / Bay Area managed IT
Ready to scope your CUI and map a realistic path to CMMC 2.0? Contact LayerLogix or call 888-792-8080 for a CMMC readiness assessment built for Texas defense suppliers.