CMMC 2.0 Self-Assessment Guide
CMMC 2.0 is now a contract-eligibility requirement for the DoD supply chain — and Texas hosts a substantial portion of the Defense Industrial Base across Fort Worth (Lockheed Martin F-35 line, Bell, Triumph), San Antonio (Joint Base San Antonio), Bay Area Houston (NASA Johnson Space Center contractor community), and the broader DIB. Most CMMC content on the internet is from boutique consultancies quoting $500K engagements. This guide is from a managed IT provider that delivers CMMC-aligned managed services as a normal part of operations. We cover the three CMMC levels, what level you actually need, the 14 domains of NIST 800-171, the role of Privileged Access Management (PAM) as the highest-leverage technical control, the SSP and POA&M documentation that matters most, the assessment process, and the realistic cost and timeline for a typical Texas defense subcontractor reaching Level 2.
What We Offer
Comprehensive solutions tailored for Houston-area businesses
CMMC Level 1 (Basic)
Required for any DoD contract that involves Federal Contract Information (FCI). 17 controls drawn from NIST 800-171, focused on basic safeguarding (access control, identification and authentication, media protection, physical protection, system communication protection, system and information integrity). Annual self-assessment with executive certification. Most defense suppliers handling only FCI fall here.
CMMC Level 2 (Advanced)
Required for any DoD contract that involves Controlled Unclassified Information (CUI). All 110 NIST 800-171 controls. Triennial third-party assessment by a CMMC-accredited C3PAO (or annual self-assessment for non-prioritized acquisitions). This is where most Texas defense subcontractors land — Lockheed/Bell/Triumph supply chain, NASA contractors, and the broader DIB (Defense Industrial Base).
CMMC Level 3 (Expert)
Required for the most sensitive DoD contracts handling CUI critical to national security. Subset of NIST 800-172 enhancements added on top of Level 2 controls. Triennial DIBCAC-led assessment. Few Texas defense suppliers fall here; if you do, you already know it.
PAM as Foundational Control
Privileged Access Management (PAM) — application allowlisting and ringfencing — satisfies more NIST 800-171 controls per dollar than any other technical investment: 3.1.5 (least privilege), 3.1.7 (non-privileged accounts cannot execute privileged functions), 3.4.6 (least functionality), 3.4.8 (application execution policy), and 3.13.4 (information flow control). One PAM deployment satisfies five distinct control practices and dramatically reduces ransomware risk to CUI-handling endpoints.
The 14 Domains of NIST 800-171
Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity. The 110 Level 2 controls map across these 14 domains. Most gap-analysis findings cluster in Configuration Management, Identification and Authentication (MFA), and System and Communications Protection (FIPS-validated encryption).
The SSP and POA&M
Two documentation artifacts are mandatory: a System Security Plan (SSP) describing how each of the 110 controls is implemented in your environment, and a Plan of Action and Milestones (POA&M) tracking any controls not yet fully implemented, with target dates. The SSP is the single most important CMMC artifact; it is what assessors read before they ever touch your environment. A well-authored SSP can shorten an assessment from weeks to days.
Why Choose LayerLogix?
Serving businesses throughout the Greater Houston area including Houston, Fort Worth, Arlington, Dallas, San Antonio, Clear Lake, Sugar Land, College Station, El Paso, Austin.
Keep DoD Contracts
CMMC enforcement is now contract-by-contract. DFARS 252.204-7021 requires CMMC certification for new awards. If you cannot meet your required level when a contract comes up, you do not win it. The math on getting compliant is much better than the math on losing the contract.
Avoid the $500K Consultant Bill
Boutique CMMC consultancies routinely quote $200K-$500K+ for a Level 2 readiness engagement. Most defense suppliers do not need that. A managed IT provider with PAM, MFA, FIPS-validated encryption, and compliance program leadership built into the service baseline can deliver Level 2 readiness for a fraction of that cost — typically $25K-$75K initial readiness plus ongoing managed compliance.
Defensible DIBCAC Assessment
When the DIBCAC assessment cycle starts, the work you did in advance shows up. A well-authored SSP, validated control implementations, documented evidence retention, and a managed compliance program produce a clean assessment. Improvising during assessment produces findings.
Cyber Insurance Premium Reduction
CMMC-aligned environments routinely qualify for better cyber insurance pricing because the underlying controls (PAM, MFA, FIPS encryption, monitoring, IR capability) are exactly what underwriters now require for any insurable account.
A Path to ITAR and Beyond
CMMC controls overlap heavily with ITAR cybersecurity requirements, NIST 800-172 enhanced controls, and the broader federal cybersecurity baseline. Building your CMMC program well positions you for adjacent federal compliance work.
Our Process
Frequently Asked Questions
What level of CMMC do I actually need?
How long does CMMC Level 2 readiness take?
How much does CMMC Level 2 readiness cost?
Can my MSP deliver CMMC compliance?
What is a Registered Practitioner Organization (RPO)?
How does Privileged Access Management (PAM) help with CMMC?
Ready to Get Started?
Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, Fort Worth, Arlington, and the surrounding Greater Houston area.