CMMC
DoD-mandated cybersecurity maturity for the defense industrial base.
Overview
What it is, in plain English.
CMMC is the Department of Defense's mandatory cybersecurity certification for the entire defense industrial base — every prime, sub, and supplier handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). With the CMMC final rule now in effect, contracts are flowing with CMMC clauses, and uncertified suppliers will lose award eligibility. Lyra's Cyber AB Registered Practitioners run the readiness, remediation, and pre-assessment work to get you certified at the level your contracts require.
CMMC Level 1, 2, and 3 readiness — including gap assessment, remediation, and audit preparation. Backed by Cyber AB Registered Practitioners on staff.
Who needs it
Built for organizations that have to get this right.
Defense primes and subcontractors handling FCI or CUI
Manufacturers, engineering firms, and suppliers in the DIB
Universities and research labs with DoD contracts
Any organization that has seen DFARS 7012 or CMMC clauses in a contract
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Level Determination & Scoping
  We work with your contracts team to determine whether you need Level 1 (FCI), Level 2 (CUI), or Level 3 (advanced CUI), and define the CUI enclave scope.
- 02 Gap Assessment Against NIST 800-171
  Detailed assessment against all 110 NIST 800-171 controls (Level 2) or 800-172 enhanced controls (Level 3), with a SPRS-ready score.
- 03 Remediation & Enclave Build
  We design and implement the CUI enclave — often using GCC High, Azure Government, or a segmented on-prem environment — and remediate every gap.
- 04 C3PAO Pre-Assessment & Audit Support
  Mock assessment to surface findings before the C3PAO, then full support through the certification assessment.
Key controls
What's actually in scope.
All 110 controls of NIST SP 800-171 Rev. 2
CUI marking, handling, and flow-down requirements
Multifactor authentication on all CUI-handling systems
FIPS-validated cryptography for CUI at rest and in transit
Incident reporting to DoD Cyber Crime Center within 72 hours
System Security Plan (SSP) and Plan of Action & Milestones (POA&M)
Deliverables
What you walk away with.
Scoping diagram and CUI data flow documentation
System Security Plan (SSP) and POA&M
SPRS score submission
CUI enclave architecture and deployment
C3PAO-ready evidence package and pre-assessment report
Timeline
Level 1 self-assessment: 4–8 weeks. Level 2 certification: 6–12 months including enclave build, remediation, and C3PAO scheduling.
Questions we hear
Straight answers to the real questions.
- Do I really need a separate enclave?
- If you handle CUI, almost always yes. Trying to bring an entire commercial M365 tenant into scope is dramatically more expensive than building a small GCC High enclave for the people and systems that actually touch CUI.
- What is a C3PAO?
- A Certified Third-Party Assessor Organization — the only entities authorized by the Cyber AB to perform Level 2 certification assessments. We are not a C3PAO (we cannot assess clients we remediate), but we prepare you for one.
- What if my SPRS score is negative?
- Most companies score deeply negative the first time. That is normal. The point of remediation is to bring you to a passing score and submit an honest, defensible self-attestation.
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security
PCI DSS: Payment Card Industry Data Security Standard