Most organizations start the wrong work at the wrong stage. Controls get implemented before scope is decided. Evidence gets built before the boundary is defined. Rework follows.
The stages below exist to prevent that. Find where you are. Start there.
I handle federal contract information but not CUI.
FAR 52.204-21 applies. Fifteen controls. Annual self-attestation. If your contracts involve the federal government and you hold FCI (whether or not you also handle CUI), this is your starting point.
I handle CUI under DoD contracts.
DFARS 252.204-7012 applies. 110 controls consisting of 320 individual objectives. CMMC L2 Certification required via self-assessment or third-party C3PAO assessment, as specified in your contract. If your prime is asking about your CMMC status, this is the requirement behind the question.
I handle CUI on high-priority DoD programs.
Builds on Level 2 with additional controls drawn from NIST SP 800-172. Government-led assessment. If your contract specifically requires Level 3, you’ll know. It won’t be ambiguous.
I handle CUI, but only part of my organization touches it.
If CUI is confined to a defined team or set of systems, an enclave right-sizes the compliance boundary. Same protection, smaller scope, lower cost.
I’m certified. I need to stay that way.
Passing a C3PAO assessment isn’t the endpoint. Annual attestations, documentation maintenance, configuration drift, and evidence integrity are ongoing obligations. Certification that can’t be sustained creates its own exposure.
Most CMMC partners engage at assessment prep and disengage after certification. The gap that creates in documentation, configuration alignment, and evidence integrity is where compliance posture degrades.
Agile IT’s team includes Lead CCAs, CCAs, CCPs, and Microsoft-certified specialists. The same practitioners who support pre-assessment work stay involved after certification to keep environments aligned as requirements shift, users change, and operational decisions accumulate.
One hundred and ten controls. One focus.
The Cybersecurity Maturity Model Certification is a DoD requirement that governs how defense contractors safeguard federal contract information and controlled unclassified information. It’s not a framework organizations opt into. If your contracts touch the defense supply chain, the requirement will be stated in your contract.
The distinction is what you handle. If your contracts involve Federal Contract Information but no Controlled Unclassified Information, Level 1 applies. Once CUI enters the picture through your contracts, your data flows, or your prime’s requirements, Level 2 is the standard. Scope determines the answer, not preference.
GCC High satisfies a hosting requirement. It doesn’t satisfy NIST 800-171. Conditional access, audit logging, identity governance, and CUI boundary documentation all require decisions and evidence beyond the platform itself. Being in GCC High is the starting line: it provides a FedRAMP-authorized environment and helps satisfy a subset of the technical objectives, but the remaining objectives, many of them nontechnical, still need to be addressed and evidenced.
That’s the most common intake situation. Most organizations have done some work but haven’t formally validated where their scope, evidence, and governance actually stand. A discovery assessment answers the question with specificity.
Start with what’s most likely to fail under scrutiny: scope and evidence, not controls. C3PAO assessors validate decisions, not deployments. If scope hasn’t been formally defined and the evidence doesn’t tell a consistent story, that’s where remediation starts.
Fill out the form. We’ll figure it out together.