Public Sector

CMMC for the contractor who just won their first DoD subcontract

Alebrije Admin February 11, 2026 · 1 min read

CMMC governs the security posture of organizations handling Controlled Unclassified Information or Federal Contract Information for the Department of Defense.

The level matters

Not everyone needs Level 3. Most subcontractors handling FCI but not CUI fall under Level 1, which has 17 controls and a simple self-attestation. CUI handlers move to Level 2.

Scope the environment first

Before you spend a dollar on tooling, map the systems where CUI actually flows. Anything that does not touch CUI is out of scope and stays out.

What we help with

For first-time customers, we typically help with scoping, the System Security Plan, and the technical controls that need new tooling. We do not perform the C3PAO assessment itself.

Tagged Cybersecurity Government IT Compliance CMMC
— Keep reading

Related posts.

Public Sector
March 13, 2026 · 1 min read

Working with local government IT: lessons from five states

Things we have learned supporting city, town, and county IT shops across Colorado, Wyoming, New Mexico, Utah, and Arizona.

Editorial Team
Public Sector
October 30, 2025 · 1 min read

IT for cities under 10,000 residents: doing more with less

Small-town government IT departments often run on a single person, no budget, and infrastructure older than the smartphone. Here is what works.

Editorial Team
Public Sector
July 16, 2025 · 1 min read

The compliance posture nobody tells you to write down

Compliance documentation usually says what you are compliant with. Write down what you are not. The list is more useful.

Editorial Team