
CMMC compliance

Your DoD contract requires Level 3. We get you there — and keep you there.


CMMC 2.0 Level 3 is mandatory for any small business handling Controlled Unclassified Information (CUI) under a DoD contract. A failed assessment doesn’t just cost money — it costs you the contract. GreylineOps specializes exclusively in DIB compliance.



Where does your contract fall?

CMMC 2.0 has three levels. Most DoD prime and subcontractor small businesses handling CUI require Level 2 or Level 3. If your contract involves Advanced Persistent Threat (APT) programs, you’re Level 3.

Basic cyber hygiene

  • Practices: 17
  • Assessment: Annual self-assessment with affirmation to DoD
  • Scope: Federal Contract Information (FCI) only — not CUI
  • Who it applies to: Contractors who receive FCI but do not process, store, or transmit CUI

If your contract involves CUI, Level 1 is not sufficient. Most active DoD subcontractors need Level 2 or higher.


What’s at stake

Non-compliance is not a paperwork problem. Here’s what happens on each path.

Without compliance
  • Contract terminated or not awarded
  • False Claims Act liability if SPRS score was self-attested inaccurately
  • Removal from DoD supplier base
  • Reputational damage with prime contractors
  • CUI breach triggers mandatory DFARS 252.204-7012 reporting

With GreylineOps
  • Audit-ready posture maintained continuously
  • Accurate SPRS score submitted to DoD
  • POA&M managed and closed on schedule
  • C3PAO / DCSA assessment passed with confidence
  • Incident response and 72-hour reporting handled

False Claims Act exposure is real. If your company submitted a SPRS score that overstated your compliance posture and a CUI breach occurs, the DoD can pursue civil liability. We calculate your accurate SPRS score as part of every gap assessment.

All 14 CMMC practice domains

NIST SP 800-171 is organized into 14 domains. Level 3 requires full compliance across all of them, plus additional practices from NIST SP 800-172. GreylineOps covers every domain.


| Domain | Abbreviation | Practices (L2/L3) |
|---|---|---|
| Access Control | AC | 22 |
| Awareness & Training | AT | 3 |
| Audit & Accountability | AU | 9 |
| Configuration Management | CM | 9 |
| Identification & Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Physical Protection | PE | 6 |
| Personnel Security | PS | 2 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System & Communications Protection | SC | 16 |
| System & Information Integrity | SI | 7 |
| Total | | 110 |

Common questions

How long does CMMC Level 3 certification take?
For most small businesses starting from scratch, 3–6 months is realistic. Organizations with strong existing IT practices can move faster. The timeline depends on how many gaps exist, your team’s bandwidth, and C3PAO / DCSA scheduling. We’ll give you a realistic estimate after the gap assessment — not a number designed to win the deal.
We’re a 12-person company. Is CMMC Level 3 even achievable for us?
Yes — and we do this specifically for small businesses. CMMC does not have different requirements based on company size. What matters is scoping your CUI environment tightly. A well-scoped small business is often easier to certify than a large one with sprawling infrastructure. Our entire practice is built around making this achievable for companies your size.
What is a SPRS score and why does it matter right now?
The Supplier Performance Risk System (SPRS) score is a self-assessed score ranging from -203 to +110 that DoD contracting officers can review today — before CMMC is fully enforced across all contracts. Submitting an inaccurate or inflated score creates False Claims Act liability. We calculate your accurate SPRS score as part of the gap assessment and ensure your submission is legally defensible.
Do we need to move to a GovCloud or DoD-specific cloud environment?
Not always — but sometimes. CMMC Level 3 requires FedRAMP Moderate or equivalent cloud environments for CUI processing and storage. We assess your current cloud posture early and give you a clear recommendation, including whether Microsoft 365 GCC High, Azure Government, or another solution fits your situation and budget.
What’s the difference between a C3PAO and a DCSA assessment?
  • Level 2 (critical): A certified Third Party Assessment Organization (C3PAO) conducts your assessment every three years.
  • Level 3: The Defense Contract Security Agency (DCSA) conducts a government-led assessment — a higher bar with more rigorous scrutiny.

GreylineOps prepares clients for both, with mock assessments designed to mirror whichever path your contract requires.

Can we start with Level 2 and upgrade to Level 3 later?
Yes. Many of our clients achieve Level 2 certification first and then pursue Level 3 as their contract portfolio grows. The foundational work — SSP, POA&M, control implementation — carries forward. Level 3 adds practices from NIST SP 800-172 and requires a DCSA assessment, but you’re not starting over.

Ready to get assessed?

Most DIB contractors are one audit away from a lost contract. A free gap assessment tells you exactly where you stand — no pressure, no pitch, just a clear picture of your compliance posture.

Free CMMC gap assessment — we review your current posture against all 110 controls, calculate your SPRS score, and give you a prioritized remediation roadmap. No obligation.

Schedule your assessment → HERE


GreylineOps is a veteran-owned small business specializing in CMMC compliance and managed security for Defense Industrial Base contractors. greylineops.com