Skip to content

CMMC compliance

Your DoD contract requires Level 3. We get you there — and keep you there.


CMMC 2.0 Level 3 is mandatory for any small business handling Controlled Unclassified Information (CUI) under a DoD contract. A failed assessment doesn’t just cost money — it costs you the contract. GreylineOps specializes exclusively in DIB compliance.


110 controls
NIST SP 800-171 practices required at Level 3
Level 3 certified
Third-party C3PAO or DCSA-led assessment required
Veteran-owned
Built by those who served the mission

Where does your contract fall?

CMMC 2.0 has three levels. Most DoD prime and subcontractor small businesses handling CUI require Level 2 or Level 3. If your contract involves Advanced Persistent Threat (APT) programs, you’re Level 3.

Basic cyber hygiene

  • Practices: 17
  • Assessment: Annual self-assessment with affirmation to DoD
  • Scope: Federal Contract Information (FCI) only — not CUI
  • Who it applies to: Contractors who receive FCI but do not process, store, or transmit CUI

If your contract involves CUI, Level 1 is not sufficient. Most active DoD subcontractors need Level 2 or higher.


What’s at stake

Non-compliance is not a paperwork problem. Here’s what happens on each path.

Without compliance
  • Contract terminated or not awarded
  • False Claims Act liability if SPRS score was self-attested inaccurately
  • Removal from DoD supplier base
  • Reputational damage with prime contractors
  • CUI breach triggers mandatory DFARS 252.204-7012 reporting
With GreylineOps
  • Audit-ready posture maintained continuously
  • Accurate SPRS score submitted to DoD
  • POA&M managed and closed on schedule
  • C3PAO / DCSA assessment passed with confidence
  • Incident response and 72-hour reporting handled
False Claims Act exposure is real. If your company submitted a SPRS score that overstated your compliance posture and a CUI breach occurs, the DoD can pursue civil liability. We calculate your accurate SPRS score as part of every gap assessment.

Our process

We run a structured, repeatable engagement designed specifically for small DIB contractors. No generic frameworks, no enterprise bloat.

### Gap assessment We evaluate your current security posture against all 110 NIST SP 800-171 controls. Every deficiency is documented with severity and remediation effort. **Deliverable:** Prioritized gap report and initial SPRS score calculation. _Timeline: Week 1–2_ ### System Security Plan (SSP) We draft or update your SSP — the foundational document required for any CMMC assessment. This describes your CUI environment, system boundaries, personnel roles, and how each control is implemented or planned. **Deliverable:** Complete, assessment-ready SSP. _Timeline: Week 2–4_ ### Plan of Action & Milestones (POA&M) Every gap gets a remediation task, an owner, a timeline, and a tracking mechanism. We manage the POA&M actively — not just document it. Open items are closed on schedule or escalated with a clear path forward. **Deliverable:** Live POA&M tracked and managed by GreylineOps. _Timeline: Week 3–6_ ### Remediation & hardening We implement the technical and procedural controls — endpoint hardening, MFA, access controls, CUI data flows, audit logging, encryption, and more. We do the work, not just advise on it. **Deliverable:** All POA&M items closed or accepted with documented risk decisions. _Timeline: Week 4–10_ ### C3PAO / DCSA assessment prep We conduct a full mock assessment before your official review — same scope, same rigor. Any remaining gaps surface here, not during your official assessment. We walk you through the process so there are no surprises. **Deliverable:** Mock assessment report and final readiness confirmation. _Timeline: Week 10–12_ ### Continuous compliance monitoring Post-certification, we provide ongoing managed compliance — monitoring, quarterly reviews, annual reassessments, and incident response. CMMC is not a one-time checkbox. We keep you continuously audit-ready. **Deliverable:** Managed compliance service with defined SLAs. _Timeline: Ongoing_

All 14 CMMC practice domains

NIST SP 800-171 is organized into 14 domains. Level 3 requires full compliance across all of them, plus additional practices from NIST SP 800-172. GreylineOps covers every domain.

Domain Abbreviation Practices (L2/L3)
Access Control AC 22
Awareness & Training AT 3
Audit & Accountability AU 9
Configuration Management CM 9
Identification & Authentication IA 11
Incident Response IR 3
Maintenance MA 6
Media Protection MP 9
Physical Protection PE 6
Personnel Security PS 2
Risk Assessment RA 3
Security Assessment CA 4
System & Communications Protection SC 16
System & Information Integrity SI 7
Total 110

Common questions

For most small businesses starting from scratch, 3–6 months is realistic. Organizations with strong existing IT practices can move faster. The timeline depends on how many gaps exist, your team’s bandwidth, and C3PAO / DCSA scheduling. We’ll give you a realistic estimate after the gap assessment — not a number designed to win the deal.
Yes — and we do this specifically for small businesses. CMMC does not have different requirements based on company size. What matters is scoping your CUI environment tightly. A well-scoped small business is often easier to certify than a large one with sprawling infrastructure. Our entire practice is built around making this achievable for companies your size.
The Supplier Performance Risk System (SPRS) score is a self-assessed score ranging from -203 to +110 that DoD contracting officers can review today — before CMMC is fully enforced across all contracts. Submitting an inaccurate or inflated score creates False Claims Act liability. We calculate your accurate SPRS score as part of the gap assessment and ensure your submission is legally defensible.
Not always — but sometimes. CMMC Level 3 requires FedRAMP Moderate or equivalent cloud environments for CUI processing and storage. We assess your current cloud posture early and give you a clear recommendation, including whether Microsoft 365 GCC High, Azure Government, or another solution fits your situation and budget.
  • Level 2 (critical): A certified Third Party Assessment Organization (C3PAO) conducts your assessment every three years.
  • Level 3: The Defense Contract Security Agency (DCSA) conducts a government-led assessment — a higher bar with more rigorous scrutiny.

GreylineOps prepares clients for both, with mock assessments designed to mirror whichever path your contract requires.

Yes. Many of our clients achieve Level 2 certification first and then pursue Level 3 as their contract portfolio grows. The foundational work — SSP, POA&M, control implementation — carries forward. Level 3 adds practices from NIST SP 800-172 and requires a DCSA assessment, but you’re not starting over.

Ready to get assessed?

Most DIB contractors are one audit away from a lost contract. A free gap assessment tells you exactly where you stand — no pressure, no pitch, just a clear picture of your compliance posture.

Free CMMC gap assessment — we review your current posture against all 110 controls, calculate your SPRS score, and give you a prioritized remediation roadmap. No obligation.

Schedule your assessment →

GreylineOps is a veteran-owned small business specializing in CMMC compliance and managed security for Defense Industrial Base contractors. greylineops.com