CMMC 2.0: Why Mid-Market Defense Suppliers Need a New Operating Model
You're a mid-market defense supplier facing CMMC Level 2 certification and your current approach of self-attestation spreadsheets won't survive a C3PAO assessment.
A C3PAO assessor sits across from your IT director. She asks: "Show me evidence that your organization reviews audit logs at least weekly, per NIST 800-171 control 3.3.1." Your IT director opens a spreadsheet. It says "Compliant" in a green cell. The assessor asks: "Where are the review records?" Silence.
This scenario is playing out across the defense industrial base right now. The DoD's CMMC 2.0 rule (32 CFR Part 170) became effective December 16, 2024. Contracts are being awarded with CMMC Level 2 certification requirements. And mid-market suppliers, companies with 100 to 2,000 employees handling Controlled Unclassified Information, are discovering that the spreadsheet-based self-attestation model they've used for NIST 800-171 since 2017 doesn't survive contact with a third-party assessor.
The certification clock is running. If CMMC Level 2 shows up in your next contract renewal, you need a certified assessment, not a self-attestation score.
Why mid-market gets hit hardest
Large primes (Lockheed, Raytheon, Northrop Grumman) have dedicated GRC teams, existing FedRAMP-authorized infrastructure, and the budget to stand up CMMC programs. Small suppliers under Level 1 (17 practices, self-attestation only, no CUI) face minimal obligations.
Mid-market sits in the worst position. CMMC Level 2 requires implementation of all 110 security requirements from NIST SP 800-171 Rev 2. That's the same scope as the primes. But mid-market companies typically have 1-3 people in compliance roles (often split with IT operations), limited GRC tooling (usually spreadsheets or a basic ticketing system), and no prior C3PAO assessment experience.
The math is simple: 110 practices. Each requiring implementation evidence, operational evidence, and assessment documentation. Multiplied across every system that processes, stores, or transmits CUI. Divided by a compliance team of 1-3 people who also do other jobs.
That's not a staffing problem you solve with overtime. It's an architecture problem.
What C3PAO assessors actually evaluate
A CMMC Level 2 assessment isn't a document review. The CMMC Assessment Process (CAP) requires assessors to evaluate three things for each of the 110 practices:
Objective evidence. Does documentation exist that describes how the practice is implemented? This includes policies, procedures, system security plans, and network diagrams.
Operational evidence. Is the practice actually running? Assessors examine configurations, logs, and system outputs. They interview personnel. They observe processes in action.
Assessment evidence. Can the organization demonstrate that it evaluates its own implementation? Self-assessment records, internal audit results, and corrective action tracking.
The scoring model is MET, NOT MET, or NOT APPLICABLE. No "partially met." A practice is either fully implemented with evidence across all three categories, or it's not met. At Level 2, you need all 110 practices MET (or have an approved POA&M for a limited subset).
This is where spreadsheet attestation fails. A green cell is, at best, weak objective evidence. It provides zero operational evidence. An assessor can't observe a process by reading a status field.
The POA&M trap
CMMC allows Plans of Action and Milestones (POA&Ms) for some deficiencies, but with strict constraints defined in 32 CFR 170.21. A POA&M is not a free pass. It's a ticking clock.
Key constraints:
- POA&Ms must be closed within 180 days of the conditional certification date
- Certain practices cannot be POA&M'd (those related to the 24 "highest-weighted" requirements in NIST 800-171A)
- A conditional certification granted with open POA&Ms reverts to no certification if the 180-day deadline passes without closure
- The C3PAO must verify POA&M closure through a separate assessment event
This means your compliance obligations don't end at certification. They create a continuous monitoring requirement. Every control in your POA&M needs a remediation plan with milestones, evidence of progress, and final evidence of closure, all within six months.
Organizations that treat CMMC as a point-in-time event discover the POA&M clock the hard way. You pass conditionally in March. Your POA&M items are due in September. If you haven't built the operating infrastructure to track remediation and produce evidence continuously, September arrives and you're back to zero.
The 110 practices by domain
NIST 800-171 Rev 2 organizes its 110 requirements across 14 security families. The distribution isn't even. Some families have 2 requirements. Others have 22. Understanding the weight distribution matters for resource allocation:
| Security Family | Practice Count | Key Challenge for Mid-Market |
|---|---|---|
| Access Control (AC) | 22 | Requires per-system access policies, separation of duties, and remote access management across all CUI systems |
| Audit & Accountability (AU) | 9 | Requires automated log collection, review processes, and long-term retention infrastructure |
| Awareness & Training (AT) | 3 | Requires role-based training with completion records, not just annual security awareness |
| Configuration Management (CM) | 9 | Requires baseline configurations, change control, and least-functionality principles for all CUI systems |
| Identification & Authentication (IA) | 11 | Requires MFA, password complexity, and authentication management across all users and systems |
| Incident Response (IR) | 3 | Requires tested incident response capabilities, not just a written plan |
| Maintenance (MA) | 6 | Requires controlled maintenance procedures and media sanitization for removed equipment |
| Media Protection (MP) | 9 | Requires CUI marking, storage, transport, and sanitization procedures for all media types |
| Personnel Security (PS) | 2 | Requires screening and access revocation, minimal burden for most organizations |
| Physical Protection (PE) | 6 | Requires physical access controls and monitoring for CUI processing areas |
| Risk Assessment (RA) | 3 | Requires periodic vulnerability scanning and risk assessments with remediation tracking |
| Security Assessment (CA) | 4 | Requires periodic self-assessment and a system security plan that's maintained |
| System & Comms Protection (SC) | 16 | Requires boundary protection, encryption in transit/at rest, and session management |
| System & Info Integrity (SI) | 7 | Requires flaw remediation, malicious code protection, and system monitoring |
The Access Control family alone has 22 practices. Multiply across 14 families and the scale becomes clear: this isn't a project, it's an operating model.
Why the investment should serve multiple frameworks
Here's the mid-market reality: you're not only facing CMMC. If you handle healthcare data, HIPAA applies. If you accept credit cards, PCI DSS. If you have SOC 2 requirements from commercial customers, add another framework.
The traditional approach builds separate compliance programs for each. The unified approach recognizes that these frameworks overlap significantly. NIST 800-171's Access Control requirements map directly to ISO 27001 Annex A.9, SOC 2 CC6.1, PCI DSS Requirement 7, and HIPAA 164.312(d). The same Conditional Access policy in Entra ID satisfies all of them.
NIST IR 8477 formalizes this through Set Theory Relationship Mapping (STRM), defining five relationship types: equivalent, subset, superset, overlap, and disjoint. For a mid-market company answering to CMMC, ISO 27001, and SOC 2, overlap analysis typically shows 55-65% of requirements mapping to shared control intents. The CMMC investment, properly architected, covers more than half your other framework obligations simultaneously.
But only if your control architecture supports cross-framework mapping. Spreadsheets can't represent relationship types, calculate coverage, or propagate evidence across assessments.
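To make the STRM relationship types concrete, here is an added illustration (not Kyudo's code and not an authoritative crosswalk) of how a control store can derive cross-framework coverage from typed mappings. It uses the five relationship names the page lists; the specific source/target pairs, the framework identifier prefixes (`ISO27001:`, `SOC2:`, `PCI:`, `HIPAA:`) and the rule that only equivalent or superset mappings confer full coverage are constructed for the example.

```python
"""Cross-framework coverage from STRM-style typed mappings.

Added illustration, not Kyudo's code. Relationship names follow the page
(equivalent, subset, superset, overlap, disjoint); the sample crosswalk and
the coverage rule below are constructed assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Relation(Enum):
    EQUIVALENT = "equivalent"  # source practice and target requirement share the same intent
    SUBSET = "subset"          # source covers only part of the target
    SUPERSET = "superset"      # source covers the target and more
    OVERLAP = "overlap"        # partial, non-nested intersection of intent
    DISJOINT = "disjoint"      # no shared intent; recorded so the gap is explicit


@dataclass(frozen=True)
class Mapping:
    source: str        # NIST 800-171 practice id
    target: str        # "<framework>:<requirement>" in another framework
    relation: Relation


# Constructed sample crosswalk (illustrative only, not a published mapping).
SAMPLE_MAPPINGS = [
    Mapping("3.1.1", "ISO27001:A.9.2.1", Relation.EQUIVALENT),
    Mapping("3.1.1", "SOC2:CC6.1", Relation.SUBSET),
    Mapping("3.1.2", "SOC2:CC6.1", Relation.SUBSET),
    Mapping("3.1.1", "PCI:7.1", Relation.SUPERSET),
    Mapping("3.1.12", "HIPAA:164.312(d)", Relation.OVERLAP),
    Mapping("3.3.1", "PCI:10.6", Relation.EQUIVALENT),
    Mapping("3.1.1", "ISO27001:A.11.1.1", Relation.DISJOINT),
]

FULL = {Relation.EQUIVALENT, Relation.SUPERSET}
PARTIAL = {Relation.SUBSET, Relation.OVERLAP}


def coverage(mappings: list[Mapping], met_practices: set[str]) -> dict[str, str]:
    """Classify each target requirement as covered / partial / uncovered.

    A target is 'covered' when some MET source maps to it with an equivalent or
    superset relation, 'partial' when only subset/overlap mappings from MET
    sources exist (evidence is reusable but must be supplemented), otherwise
    'uncovered'. Disjoint mappings never contribute.
    """
    status: dict[str, str] = {}
    for m in mappings:
        current = status.setdefault(m.target, "uncovered")
        if m.source not in met_practices or m.relation is Relation.DISJOINT:
            continue
        if m.relation in FULL:
            status[m.target] = "covered"
        elif m.relation in PARTIAL and current != "covered":
            status[m.target] = "partial"
    return status


def coverage_ratio(mappings: list[Mapping], met_practices: set[str]) -> float:
    """Fraction of mapped target requirements fully covered by MET practices."""
    status = coverage(mappings, met_practices)
    return sum(s == "covered" for s in status.values()) / len(status) if status else 0.0


def covered_in(mappings: list[Mapping], met_practices: set[str], framework: str) -> list[str]:
    """Targets in one framework already satisfied, e.g. after adding ISO 27001 to scope."""
    status = coverage(mappings, met_practices)
    prefix = framework + ":"
    return sorted(t for t, s in status.items() if s == "covered" and t.startswith(prefix))


if __name__ == "__main__":
    met = {"3.1.1", "3.3.1"}
    for target, state in sorted(coverage(SAMPLE_MAPPINGS, met).items()):
        print(f"{target:24} {state}")
    print("ISO 27001 already covered:", covered_in(SAMPLE_MAPPINGS, met, "ISO27001"))
```

The point of the typed edge is that a subset mapping tells the engine evidence is reusable but insufficient, which a spreadsheet crosswalk of "X maps to Y" cannot express.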
How Kyudo builds the operating model
Kyudo's Controls Hub stores all 110 NIST 800-171 practices as scored controls with explicit relationships to every other framework in your scope. The STRM Engine (backed by NIST IR 8477 relationship semantics) maps each practice to its equivalents across ISO 27001, SOC 2, PCI DSS, HIPAA, and 80+ other frameworks.
Here's how the pieces work for CMMC specifically:
Controls Hub + Framework Registry: All 110 practices loaded with assessment objectives from NIST 800-171A. Each practice scored 0-100 across five maturity levels. The Framework Registry tracks your active frameworks and calculates cross-framework coverage automatically. Add ISO 27001 to your scope and immediately see which CMMC controls already satisfy ISO requirements.
CMCAE (Continuous Multi-Framework Control Assessment Engine): Evaluates control health continuously, not quarterly. When a Defender for Cloud signal fires indicating a configuration drift on a CUI system, CMCAE degrades the affected control score in real time. You don't discover the gap during assessment prep. You discover it when it happens.
Evidence Hub: Captures operational evidence from Microsoft Sentinel, Defender for Cloud, Entra ID, and Azure Policy. Log review records (3.3.1), access control configurations (3.1.x), encryption settings (3.13.x), and vulnerability scan results (3.11.2) flow in automatically. Each evidence artifact timestamps itself, links to the control it attests to, and ages out if not refreshed.
Tensei Copilot: When an assessor asks a question, Tensei surfaces relevant evidence with full provenance. "Show me evidence for 3.3.1 audit log review" returns timestamped review records, the mandating policy, and the system configurations. Every response includes confidence scores and citations to Compliance Graph nodes.
POA&M tracking: Open POA&M items live in the Risk Registry with the 180-day clock visible. Each item has milestones, assigned owners, evidence of progress, and automatic escalation when deadlines approach. The conditional certification date anchors the countdown.
The result: your 1-3 person compliance team manages CMMC alongside your other frameworks through a single control architecture. They're not maintaining separate spreadsheets. They're operating one system that produces evidence for every framework simultaneously.
The counter-argument: "We'll just hire a consultant"
Many mid-market companies plan to hire a CMMC consultant to get them through assessment. This works, up to a point. Consultants leave. What remains after the engagement determines whether you maintain certification or lose it.
CMMC isn't a one-time certification. It's valid for three years with annual affirmations required (32 CFR 170.22). The POA&M clock creates continuous obligation within year one. If your operating model depends on a consultant being present, you have a project plan with an expiration date, not an operating model.
Consultants can't produce operational evidence. They can write your audit log review procedure. They can't perform weekly audit log reviews for the next three years. That's your team's job, and they need infrastructure that makes it sustainable at their staffing level.
Your assessment readiness checklist
- Scope your CUI boundary. Define exactly which systems process, store, or transmit CUI. Every system in that boundary needs all 110 practices evidenced. Too broad means unnecessary work; too narrow means assessment failure.
- Score yourself honestly against all 110 practices. Use NIST 800-171A assessment objectives. For each practice, ask: do I have objective evidence, operational evidence, and assessment evidence? If any is missing, the practice is NOT MET.
- Identify the 24 non-POA&M-eligible practices. These cannot be deferred. They must be MET at assessment time with no exceptions. Prioritize these for immediate remediation.
- Map your CMMC controls to your other frameworks. If you're also maintaining ISO 27001 or SOC 2, 55-65% of your CMMC evidence likely satisfies those frameworks too. Architect evidence collection to serve all of them.
- Build evidence pipelines that run without human initiation. The practices that trip up mid-market companies require ongoing operational evidence: log reviews, vulnerability scanning, access reviews, configuration monitoring. If these require someone to remember, they'll fail. Automate collection. Make human review the decision layer.
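The scoring rule from the assessment section (MET only when objective, operational and assessment evidence all exist), the "ages out if not refreshed" behaviour of an evidence store, and the 180-day POA&M clock can be expressed in a few dozen lines. The following is an added illustration, not Kyudo's code: the evidence records, source labels and freshness windows are constructed; the 180-day window is the one the page attributes to 32 CFR 170.21.

```python
"""Continuous evidence scoring for NIST 800-171 practices with a POA&M clock.

Added illustration, not Kyudo's code. A practice is MET only when every
evidence category has at least one record that is still fresh; stale records
age out. Sample evidence and freshness windows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from enum import Enum


class Category(Enum):
    OBJECTIVE = "objective"      # policies, procedures, SSP, diagrams
    OPERATIONAL = "operational"  # configs, logs, review records
    ASSESSMENT = "assessment"    # self-assessment and corrective-action records


@dataclass(frozen=True)
class Evidence:
    practice: str
    category: Category
    collected_at: datetime
    source: str  # constructed label for where the artifact came from


# Constructed freshness windows: how old a record may be before it ages out.
MAX_AGE = {
    Category.OBJECTIVE: timedelta(days=365),  # policy reviewed at least annually
    Category.OPERATIONAL: timedelta(days=7),  # e.g. weekly audit log review (3.3.1)
    Category.ASSESSMENT: timedelta(days=90),  # quarterly self-assessment
}

POAM_WINDOW = timedelta(days=180)  # per the page's reading of 32 CFR 170.21

NOW = datetime(2025, 6, 16, tzinfo=timezone.utc)  # constructed "current" time

# Constructed sample evidence store.
SAMPLE_EVIDENCE = [
    Evidence("3.3.1", Category.OBJECTIVE, datetime(2025, 1, 10, tzinfo=timezone.utc), "policy repo"),
    Evidence("3.3.1", Category.OPERATIONAL, datetime(2025, 6, 12, tzinfo=timezone.utc), "SIEM review ticket"),
    Evidence("3.3.1", Category.ASSESSMENT, datetime(2025, 4, 1, tzinfo=timezone.utc), "Q2 self-assessment"),
    Evidence("3.11.2", Category.OBJECTIVE, datetime(2025, 2, 1, tzinfo=timezone.utc), "policy repo"),
    Evidence("3.11.2", Category.OPERATIONAL, datetime(2025, 5, 20, tzinfo=timezone.utc), "scanner export"),
    # 3.11.2 has no assessment evidence at all.
]


def is_fresh(ev: Evidence, now: datetime) -> bool:
    """True while the record is younger than its category's freshness window."""
    return now - ev.collected_at <= MAX_AGE[ev.category]


def practice_status(practice: str, evidence: list[Evidence], now: datetime) -> tuple[str, list[str]]:
    """Return ('MET' or 'NOT MET', list of gaps). No 'partially met' exists."""
    gaps: list[str] = []
    for cat in Category:
        records = [e for e in evidence if e.practice == practice and e.category == cat]
        if not records:
            gaps.append(f"{cat.value}: no evidence")
        elif not any(is_fresh(e, now) for e in records):
            newest = max(e.collected_at for e in records).date()
            gaps.append(f"{cat.value}: stale (newest {newest})")
    return ("MET" if not gaps else "NOT MET", gaps)


def readiness(practices: list[str], evidence: list[Evidence], now: datetime) -> dict[str, str]:
    """Status per practice, the view an assessor would ask for."""
    return {p: practice_status(p, evidence, now)[0] for p in practices}


def poam_due(conditional_cert: date) -> date:
    """Closure deadline: 180 days after the conditional certification date."""
    return conditional_cert + POAM_WINDOW


def poam_days_left(conditional_cert: date, today: date) -> int:
    """Days remaining on the POA&M clock (negative once it has lapsed)."""
    return (poam_due(conditional_cert) - today).days


if __name__ == "__main__":
    for p in ("3.3.1", "3.11.2"):
        status, gaps = practice_status(p, SAMPLE_EVIDENCE, NOW)
        print(p, status, gaps)
    cert = date(2025, 3, 15)
    print("POA&M due", poam_due(cert), "days left", poam_days_left(cert, NOW.date()))
```

With these inputs 3.3.1 is MET, while 3.11.2 is NOT MET for two reasons: its last scan export is older than the operational window and it has no assessment evidence. A conditional certification on 15 March 2025 puts POA&M closure at 11 September 2025, matching the March-to-September scenario described earlier.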
Regulatory clocks don't accommodate staffing constraints. CMMC Level 2 requires the same 110 practices whether you have 3 compliance staff or 300. The operating model is what makes the difference.
Kyudo's STRM Engine maps all 110 NIST 800-171 practices to 80+ frameworks using Set Theory Relationship Mapping. One assessment investment. Every framework it overlaps.
Book a demo to see your CMMC readiness score alongside your other framework obligations.
