CMMC 2.0 is a contract requirement, not a recommendation, and it is being phased into DoD solicitations. Defense contractors and subcontractors that cannot demonstrate compliance to a C3PAO assessment team will be ineligible for contracts that carry the requirement. A Level 2 certification assessment evaluates documented evidence for 110 practices across 14 domains. Pistos builds and maintains that evidence record continuously.
Defense contractors operate under some of the most rigorous cybersecurity requirements in any commercial sector. The framework is not optional: it is written into contract language.
CMMC 2.0: Cybersecurity Maturity Model Certification (DoD)
Level 1 (15 practices) applies to FCI, Federal Contract Information, and is met by self-assessment. Level 2 (110 practices) applies to CUI, Controlled Unclassified Information, and requires either a self-assessment or a C3PAO certification assessment, depending on what the contract specifies. Pistos is built around the Level 2 practice set derived from NIST SP 800-171 Rev 2 (the revision the CMMC rule references) and Rev 3.
NIST SP 800-171: Protecting CUI in Nonfederal Systems
NIST SP 800-171 is the technical foundation for CMMC Level 2. Its 110 security requirements are grouped into 14 families: access control, awareness and training, audit and accountability, security assessment, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, system and communications protection, and system and information integrity.
DFARS: Defense Federal Acquisition Regulation Supplement
The DFARS safeguarding clause requires contractors to implement the NIST SP 800-171 security requirements, report cyber incidents to DoD within 72 hours of discovery, preserve affected system images and give DoD access to them for damage assessment, and maintain a current System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
NIST SP 800-53: Security and Privacy Controls for Federal Systems
NIST SP 800-53 applies to federal agencies and to contractors operating federal information systems. It is broader than 800-171, with more than 1,000 controls and control enhancements across 20 families. FedRAMP authorization requires cloud service providers serving federal agencies to meet an 800-53 baseline.
Sentinel maps each of the 110 CMMC Level 2 practices to CIS Controls v8.1 safeguards. Skopein reads the technical configuration state of the systems in scope. Manthesis covers the awareness and training domain. Every practice has a control record, an evidence status, and a remediation path.
Access Control (AC). 22 practices. User access, remote access, mobile device management, and limits on CUI access and flow.
Awareness and Training (AT). 3 practices. Security awareness, role-based training, and insider threat awareness.
Audit and Accountability (AU). 9 practices. Audit log creation, review, retention, and protection.
Security Assessment (CA). 4 practices. Periodic security assessment, plan of action and milestones, continuous monitoring, and the system security plan.
Configuration Management (CM). 9 practices. Baseline configurations, system change control, least functionality, and restriction of unauthorized software.
Identification and Authentication (IA). 11 practices. User and device identification, MFA, password management, and replay-resistant authentication.
Incident Response (IR). 3 practices. Incident response capability, reporting, and testing.
Maintenance (MA). 6 practices. System maintenance controls, maintenance tools, and remote maintenance.
Media Protection (MP). 9 practices. Media access, marking, storage, transport, sanitization, and disposal.
Personnel Security (PS). 2 practices. Personnel screening and termination and transfer procedures.
Physical Protection (PE). 6 practices. Physical access authorization, monitoring, and visitor control.
Risk Assessment (RA). 3 practices. Risk assessment, vulnerability scanning, and vulnerability remediation.
System and Communications Protection (SC). 16 practices. Boundary protection, encryption of CUI in transit and at rest, FIPS-validated cryptography, and network segmentation.
System and Information Integrity (SI). 7 practices. Flaw remediation, malware protection, security alerts and advisories, and monitoring for attacks and unauthorized use.
Request a briefing and we will walk you through how Sentinel covers the CMMC Level 2 practice set for your organization.
Request a defense briefing