Why This Matters Now
If you are a San Diego small business that does any work for the Department of Defense, or you are a subcontractor to a company that does, CMMC 2.0 is no longer optional. The Department of Defense published the final CMMC rule in October 2024, and it became effective in contracts starting in late 2025. By 2028, every DoD contract that touches Federal Contract Information or Controlled Unclassified Information will require CMMC certification at the appropriate level.
San Diego has one of the largest concentrations of defense contractors in the country. Naval Base San Diego, MCAS Miramar, and the Navy shipyards drive billions of dollars in prime contract awards every year, and those primes subcontract extensively to local small businesses. If your business is in that ecosystem, or if you want to be, CMMC readiness is the gate you have to clear.
I have walked several small businesses through CMMC self-assessments, and I see the same pattern every time. The technology is not the hard part. The hard part is understanding what the standard actually requires, where your gaps are, and how to close them in a way that stands up to an audit.
What CMMC 2.0 Actually Is
CMMC stands for Cybersecurity Maturity Model Certification. Version 2.0 is the streamlined model that replaced the original five-level framework. Under CMMC 2.0, there are three levels, and which level applies to you depends entirely on what kind of data you handle.
Level 1 (Foundational) applies to contractors that handle Federal Contract Information, or FCI. FCI is information provided by or generated for the government that is not intended for public release. Level 1 requires 17 basic safeguarding practices, all drawn from FAR clause 52.204-21. Level 1 is a self-assessment, submitted annually.
Level 2 (Advanced) applies to contractors that handle Controlled Unclassified Information, or CUI. This is the level most small defense subcontractors end up at. Level 2 requires 110 security practices aligned to NIST SP 800-171. For most Level 2 contracts, you need a third-party assessment from a Certified Third-Party Assessor Organization, or C3PAO, every three years. Some lower-risk Level 2 contracts allow annual self-assessments.
Level 3 (Expert) applies to contractors handling CUI associated with the highest priority programs. Level 3 requires the 110 Level 2 practices plus additional controls from NIST SP 800-172. Level 3 assessments are conducted by the government directly. Most small businesses will never need Level 3.
The 110 Controls That Define Level 2
The 110 practices in CMMC Level 2 come directly from NIST SP 800-171, a document first published in 2015. The controls are organized into 14 families, and each family covers a specific area of cybersecurity. Here is what those families look like in practical terms.
Access Control covers who can log into your systems, what they can do once they are in, and how you manage privileged accounts. Multi-factor authentication on every system that stores CUI is required. Shared logins are prohibited. Role-based access must be documented and enforced.
Awareness and Training requires that every person with access to CUI receives regular security training, and that the training is documented. A one-time onboarding video is not sufficient.
Audit and Accountability means you log security-relevant events on systems that process CUI, and you actually review those logs. Log retention and log review cadence have to be documented.
Configuration Management requires a documented baseline for every system that handles CUI, and a change control process for any modifications to that baseline.
Identification and Authentication goes beyond MFA. It requires that every user has a unique identifier, that passwords meet complexity requirements, and that failed login attempts are tracked.
Incident Response means a documented plan, tested at least annually, for detecting, containing, and reporting cybersecurity incidents. Reporting to the DoD Cyber Crime Center within 72 hours of discovery is mandatory.
Maintenance controls cover how you patch and update systems, and how you handle third-party technicians who work on systems that store CUI.
Media Protection requires that you know where CUI lives, that you mark it properly, that removable media is controlled, and that you sanitize or destroy media before disposal.
Personnel Security covers background screening before granting access to CUI and access termination procedures when people leave.
Physical Protection applies to any facility where CUI is processed or stored. Visitor logs, locked spaces, and escort policies are all in scope.
Risk Assessment requires a documented, periodic risk assessment of systems that handle CUI, plus vulnerability scanning.
Security Assessment means you test your own security controls, document the results, and remediate deficiencies on a defined timeline.
System and Communications Protection covers network boundary protection, encryption of CUI in transit and at rest, and secure configuration of communication channels.
System and Information Integrity requires that you identify, report, and correct system flaws, that you protect against malicious code, and that you monitor systems for signs of compromise.
Where Small Businesses Actually Get Stuck
After walking multiple small businesses through CMMC self-assessments, I can tell you the gaps cluster in four places.
Documentation. The single biggest reason a business fails a CMMC assessment is not a missing control. It is a missing artifact. You might actually be doing the right thing, but if you cannot produce a written policy, a procedure, or a log showing that you did it, the assessor cannot give you credit. CMMC requires a System Security Plan, or SSP, that describes how every one of the 110 controls is implemented in your environment. It requires a Plan of Action and Milestones, or POAM, that tracks any gaps and when they will be closed. Most small businesses do not have either until the assessment is imminent.
Scope definition. CMMC does not apply to every system in your business. It applies to the systems that process, store, or transmit CUI. Defining your CMMC scope correctly can be the difference between a three-system audit and a forty-system audit. I have seen businesses waste tens of thousands of dollars locking down systems that were never in scope, because nobody drew the boundary clearly up front.
Multi-factor authentication on everything in scope. CMMC Level 2 requires MFA on every system that handles CUI, and on every privileged account across the enterprise. Most small businesses have MFA on some systems. Getting to universal coverage is rarely a technology problem. It is a rollout and training problem.
Third-party risk. If you store CUI in Microsoft 365, that tenant has to meet specific requirements. Microsoft 365 Business Standard on its own does not meet CMMC Level 2. You need Microsoft 365 GCC High for CUI handling, or you need to contractually and technically prove that your cloud environment meets the same controls. This one surprises business owners because they already paid for Microsoft 365 and did not realize they bought the wrong tier.
A Realistic Path to Level 2 Readiness
For a small business that is not starting from zero, Level 2 readiness is typically a six to nine month project. Here is the sequence that works.
Month 1: Scoping and gap assessment. Identify every system that touches CUI. Draw the boundary. Map your current state against the 110 controls, family by family. Produce a gap report that is honest about what is missing.
Months 2 and 3: Policy and procedure development. Write or update the 14 policy documents required by the 14 control families. Write the System Security Plan. Write the Incident Response Plan. Start the POAM.
Months 4 and 5: Technical remediation. Close the technical gaps. Deploy MFA everywhere in scope. Tighten access controls. Implement logging and monitoring. Encrypt CUI at rest and in transit. Segment the network if needed.
Month 6: Training and tabletop. Train every employee with access to CUI. Run a tabletop exercise on your incident response plan. Document everything.
Months 7 to 9: Pre-assessment and remediation. Run an internal mock assessment. Fix anything the mock surfaces. Schedule the C3PAO if Level 2 certification is required. Be ready to produce evidence on demand.
What It Costs
The honest answer is it depends on how far from compliant you start. For a small business that already has reasonable cybersecurity hygiene, Level 2 readiness runs $15,000 to $40,000 in consulting plus whatever technology upgrades are needed. For a business starting from near-zero, the number can be double that.
The C3PAO assessment itself typically runs $20,000 to $50,000 for a small business, and certification lasts three years. Annual surveillance activities and remediation of any deficiencies identified during the assessment are additional.
Compare that to the cost of not being compliant. If CMMC is required for a contract and you are not certified, you do not get to bid. If the contract is worth $500,000 over two years, the math on getting certified is not hard.
Where To Start This Week
If CMMC is on your horizon and you have not started, three things this week will put you ahead of most of your competitors.
First, read the solicitations you are planning to bid on. Find the CMMC requirement. Confirm the level. If you cannot find it, ask the contracting officer.
Second, identify every place CUI lives in your business. File shares, laptops, email, backups, contractor devices. Draw the boundary on paper.
Third, download the NIST SP 800-171 self-assessment handbook from the NIST website. It is free. Work through the 110 controls and mark where you stand on each one. Do not guess. If you do not know, mark it unknown and plan to find out.
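To make that gap assessment concrete, here is an added Python example of a self-assessment tracker. It is my illustration, not code from the article and not a NIST or DoD tool. It applies two rules the article stresses: a control earns credit only when it is implemented and backed by an artifact an assessor could inspect, and an unknown status is never counted as met but becomes a POAM item to find out. The control list is a constructed subset (IDs follow NIST SP 800-171 Rev 2 numbering, requirement text paraphrased), and the assessment records, owners, artifact names and dates are all made up for the example.

```python
"""Gap-assessment tracker for a CMMC Level 2 / NIST SP 800-171 self-assessment.

Added example, not part of the original article. Control IDs follow the
NIST SP 800-171 Rev 2 numbering; the requirement text is paraphrased and
the list below is a constructed subset, not the full 110 controls.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Status values an assessor can mark for each control.
MET, PARTIAL, NOT_MET, UNKNOWN = "implemented", "partial", "not_implemented", "unknown"
STATUSES = {MET, PARTIAL, NOT_MET, UNKNOWN}


@dataclass
class Control:
    cid: str        # e.g. "3.5.3"
    family: str     # one of the 14 control families
    summary: str    # paraphrased requirement


@dataclass
class Record:
    cid: str
    status: str
    evidence: List[str] = field(default_factory=list)  # artifacts an assessor could inspect
    owner: str = ""                                    # who closes the gap (POAM)
    target: Optional[date] = None                      # when it will be closed (POAM)


# Constructed subset of the 110 controls (IDs are real Rev 2 numbers, text paraphrased).
SAMPLE_CONTROLS = [
    Control("3.1.1", "Access Control", "Limit system access to authorized users"),
    Control("3.1.2", "Access Control", "Limit access to permitted transactions and functions"),
    Control("3.3.1", "Audit and Accountability", "Create and retain system audit logs"),
    Control("3.5.3", "Identification and Authentication", "MFA for privileged and network access"),
    Control("3.6.1", "Incident Response", "Operational incident-handling capability"),
    Control("3.8.3", "Media Protection", "Sanitize or destroy media with CUI before disposal"),
    Control("3.13.11", "System and Communications Protection", "FIPS-validated cryptography for CUI"),
]

# Constructed assessment records; artifact names, owners and dates are invented.
SAMPLE_RECORDS = [
    Record("3.1.1", MET, ["AC-Policy-v2.pdf", "AD group export 2025-03"]),
    Record("3.1.2", MET, []),  # done in practice, but nothing written down
    Record("3.3.1", PARTIAL, ["SIEM retention screenshot"], "IT lead", date(2025, 6, 30)),
    Record("3.5.3", NOT_MET, [], "IT lead", date(2025, 5, 15)),
    Record("3.6.1", MET, ["IR-Plan-v1.pdf", "Tabletop minutes 2025-02"]),
    Record("3.8.3", UNKNOWN),
    # 3.13.11 has no record at all; it is treated the same as "unknown".
]


def credited(rec: Optional[Record]) -> bool:
    """A control earns credit only when implemented AND backed by evidence."""
    return rec is not None and rec.status == MET and bool(rec.evidence)


def poam_item(control: Control, rec: Optional[Record]) -> dict:
    """Turn a non-credited control into a Plan of Action and Milestones entry."""
    if rec is None or rec.status == UNKNOWN:
        action = "Determine implementation status; do not guess"
    elif rec.status == MET:  # implemented, but no artifact to show an assessor
        action = "Collect evidence (policy, procedure or log) showing the control is in place"
    elif rec.status == PARTIAL:
        action = "Complete implementation"
    else:
        action = "Implement control"
    return {
        "cid": control.cid,
        "family": control.family,
        "action": action,
        "owner": rec.owner if rec and rec.owner else "unassigned",
        "target": rec.target.isoformat() if rec and rec.target else "TBD",
    }


def assess(controls: List[Control], records: List[Record]) -> dict:
    """Score controls per family and build the POAM for everything not credited."""
    for r in records:
        if r.status not in STATUSES:
            raise ValueError(f"{r.cid}: unknown status {r.status!r}")
    by_id = {r.cid: r for r in records}
    families = defaultdict(lambda: {"met": 0, "total": 0, "gaps": []})
    poam = []
    for c in controls:
        rec = by_id.get(c.cid)
        fam = families[c.family]
        fam["total"] += 1
        if credited(rec):
            fam["met"] += 1
        else:
            fam["gaps"].append(c.cid)
            poam.append(poam_item(c, rec))
    met = sum(f["met"] for f in families.values())
    return {"met": met, "total": len(controls), "families": dict(families), "poam": poam}


if __name__ == "__main__":
    report = assess(SAMPLE_CONTROLS, SAMPLE_RECORDS)
    print(f"Credited: {report['met']}/{report['total']} controls")
    for fam, stats in report["families"].items():
        print(f"  {fam}: {stats['met']}/{stats['total']} gaps={stats['gaps']}")
    for item in report["poam"]:
        print(f"POAM {item['cid']} [{item['owner']}, due {item['target']}]: {item['action']}")
```

Swap the constructed records for your own and extend the control list to the full 110; the point of the evidence rule is that a control marked "implemented" with an empty evidence list still lands on the POAM, which is exactly the missing-artifact failure described above.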
That gap assessment is the foundation for everything else. Without it, you are guessing. With it, you have a real plan.
Not Sure Where You Stand on CMMC?
A CMMC gap assessment gives you a clear picture of exactly which of the 110 controls you meet today, where your gaps are, and what it will take to close them. I do this work for San Diego small businesses and veteran-owned contractors. First conversation is free.
Book a free consultation at https://adamscloudcyber.com