You didn't get into defense work to become a cybersecurity expert. But the clauses changed. DFARS 252.204-7012 already obligates you to protect Controlled Unclassified Information (CUI) and report cyber incidents. CMMC 2.0 adds the part that hurts: you have to prove it, with a score, an assessment, and a senior official of your company signing an annual affirmation. Miss it and you're not just out of compliance. You're un-biddable, and the work goes to a competitor who's ready.
A prime is about to require proof of your SPRS score before the next purchase order — and you have no documented SSP, no POA&M, and no clear path to a number.
NIST 800-171 reads like a foreign language, and most IT shops hand you a 200-item to-do list and walk away instead of doing the work.
Remediation takes months and a C3PAO assessment has to be scheduled. Wait until a contract requires it and you're already behind.
You don't need to become an expert. You need a partner who already is. The same team that finds the gaps closes them and keeps them closed: a gap assessment against all applicable NIST 800-171 controls, a current SPRS score, your System Security Plan and POA&M, the technical remediation, and the ongoing management that keeps you assessment-ready. We don't certify you — no legitimate partner does both. We prepare you for your C3PAO assessment and run the controls after.
Yes. If a prime flows a Controlled Unclassified Information requirement down to you, you must meet the CMMC level that flow-down specifies for the information you handle, which for CUI is usually Level 2. Many subcontractors don't realize their prime is about to require proof of their SPRS score before awarding the next purchase order. If you handle CUI at any tier of the supply chain, CMMC applies to you.
CMMC 2.0 is the streamlined version that replaced the original five-level model. It collapses five levels into three, aligns Level 2 directly with the 110 controls of NIST 800-171, and allows self-assessment for some lower-risk contracts. It's simpler to understand — but the core requirement, actually protecting CUI to the NIST standard, did not get easier.
Plan for several months, not weeks. A contractor with decent IT hygiene might be assessment-ready in a few months; one starting from scratch on MFA, encryption, logging, and documentation should expect longer. The biggest mistake is waiting until a contract requires it — remediation takes time, and a C3PAO assessment has to be scheduled. Starting early is the only way to control the timeline and the cost.
If you can't show the required score or certification status, you become un-biddable for contracts that carry the CMMC clause. If you misrepresent your compliance, you also expose your company to False Claims Act liability. The good news: a gap doesn't mean game over. CMMC 2.0 allows a limited POA&M at Level 2: your assessment score still has to meet the minimum, only lower-weighted requirements can remain open, and open items must be closed within 180 days. A documented POA&M with a credible remediation timeline keeps you in the game, which is exactly what a readiness engagement produces.
No, and that's the honest answer to look for. The assessment that grants certification is performed by an accredited third party (a C3PAO) — no IT partner can be both your preparer and your certifier. LRG gets you ready and manages the controls so you walk into that assessment prepared and on schedule.
Endpoint protection, patching, MFA, and monitoring that satisfy the technical controls.
Gap assessment, SSP/POA&M, remediation, and ongoing managed compliance.
Separating your CUI environment from the rest of the network to keep your assessment small.