// Pillar Guide · 2026 Edition · ~25 min read

CMMC COMPLIANCE FOR FLORIDA DEFENSE CONTRACTORS.

What CMMC 2.0 actually requires for Florida aerospace and defense SMBs in 2026, the three levels and which applies to your contract, the 110 NIST 800-171 controls and the 10 most defense contractors miss, the subcontractor flow-down path from Embry-Riddle / Lockheed / Northrop, ITAR and export-control overlay, Microsoft 365 GCC vs GCC High, the C3PAO audit process, real cost and timeline numbers, and how Simply IT runs CMMC engagements. Written by a veteran-owned managed IT provider headquartered in Ocala, FL.

By Steve Condit, USMC Veteran · 30+ yrs IT
Published 2026-05-14 · Updated 2026-05-14
// What's In This Guide

ELEVEN SECTIONS. ABOUT 4,000 WORDS.

  1. What CMMC Is and Why It Matters in 2026
  2. CMMC 2.0 Levels (1 / 2 / 3) — Which Applies to Your Contract
  3. DFARS 252.204-7012 and NIST SP 800-171 — The Underlying Controls
  4. The 110 NIST 800-171 Controls — Top 10 Florida Defense Contractors Miss
  5. Embry-Riddle, Lockheed, Northrop Subcontractor Path
  6. ITAR / EAR Layered on CMMC — Export-Control Considerations
  7. Microsoft 365 GCC and GCC High — When You Need Each
  8. The C3PAO Audit Process — Selecting an Assessor
  9. Cost and Timeline — Real Florida SMB Numbers
  10. Common Failures and How to Avoid Them
  11. The Simply IT CMMC Engagement
  12. Frequently Asked Questions
// 01

WHAT CMMC IS AND WHY IT MATTERS IN 2026.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's certification framework requiring defense contractors and their subcontractors to demonstrate cybersecurity controls before they handle DoD-sensitive information. The framework formalizes what DoD has technically required since 2017 under DFARS 252.204-7012: protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) using the controls specified in NIST SP 800-171.

Before CMMC, defense contractors self-attested to NIST 800-171 compliance. Many did so generously. CMMC closes that gap by requiring third-party assessment by accredited C3PAOs (CMMC Third Party Assessment Organizations) for the higher levels. The DoD started phasing CMMC into solicitations through 2025 and the final DFARS rule fully embeds the requirement into contracts in 2026. The practical effect for a Florida aerospace or defense SMB: bidding on DoD work (directly or as a subcontractor to a prime) now requires a documented CMMC status that matches the level the contract specifies.

Florida has a substantial defense supply chain. Direct DoD contractors operate around MacDill, Eglin, Hurlburt, Tyndall, NAS Jacksonville, NAS Pensacola, Patrick SFB, and across the Cape Canaveral / Kennedy Space Center corridor. Subcontractor activity reaches into every county in the state — aerospace machine shops, electronics suppliers, software vendors, IT services firms, and professional-services subcontractors all touch CUI under prime contracts to Lockheed Martin, Northrop Grumman, L3Harris, Embry-Riddle Aeronautical University (in its DoD research role), Boeing, Raytheon Technologies, and General Dynamics.

If your Florida small business does any defense-adjacent work and CUI is mentioned in your contracts or your prime's flow-down clauses, CMMC is now binding. The good news: the controls themselves are achievable for a 10-50 person SMB, the cost is manageable when planned, and a tested CMMC posture also satisfies most of the other compliance frameworks (cyber-insurance underwriter checklist, basic state data-protection rules, much of the FTC Safeguards Rule).

// 02

CMMC 2.0 LEVELS — WHICH APPLIES TO YOUR CONTRACT.

CMMC 2.0 collapsed the original five-level model into three levels. The level required is specified in the DoD contract clause and flows down to subcontractors that handle the same scope of information.

Level 1 (Foundational)

Applies to contracts where the contractor handles Federal Contract Information (FCI) but not CUI. About 15 basic safeguarding requirements drawn from FAR 52.204-21. Self-attestation is permitted — the company's senior official signs an annual affirmation that the controls are in place. No third-party assessment required at Level 1.

Level 2 (Advanced)

The level most Florida defense SMBs operate at. Applies to contractors handling CUI. Aligns with all 110 controls of NIST SP 800-171 across 14 control families. Most Level 2 contracts require triennial C3PAO assessment — the contractor is assessed every three years by an independent C3PAO; lower-risk Level 2 contracts may permit self-assessment with senior-official affirmation. The DoD specifies which Level 2 contracts permit self-assessment versus require C3PAO; check the solicitation language.

Level 3 (Expert)

The highest-risk DoD programs. Adds a subset of the enhanced controls in NIST SP 800-172 on top of the 110 NIST 800-171 baseline. Government-led assessment — not a private C3PAO — conducted by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). The typical Florida small business will not see Level 3 directly; it is reserved for tier-1 primes and select critical suppliers.

The honest answer to “which level applies”: read your contract. The level is specified in the DFARS clause invoked by the contract or the subcontract flow-down. A defense-adjacent Florida machine shop that never sees CUI may be Level 1. A subcontractor to Lockheed on an aircraft-systems program that touches export-controlled technical data is almost certainly Level 2 with GCC High. A subcontractor on a classified or special-access program is potentially Level 3, but at that point the prime usually provides specific guidance.

One critical scoping decision: the assessment boundary. The CMMC scope is limited to the environment where FCI/CUI is actually stored, processed, or transmitted — not the entire company. A 30-person Florida aerospace SMB with a 10-person CUI enclave can certify the 10-person enclave at Level 2 and keep the other 20 users in a less expensive baseline managed-IT environment. Scoping correctly is the single largest cost lever in a CMMC engagement.

// 03

DFARS 252.204-7012 AND NIST SP 800-171 — THE UNDERLYING CONTROLS.

CMMC is a verification framework on top of an underlying set of controls. The controls themselves come from NIST Special Publication 800-171, the federal cybersecurity standard for protecting CUI in non-federal systems. The contractual obligation to implement them comes from DFARS 252.204-7012 (and the related -7019 and -7020 clauses). Understanding both is the foundation of any CMMC engagement.

DFARS 252.204-7012 has been in defense contracts since 2017. The clause imposes four substantive requirements:

  • Provide “adequate security” for Covered Defense Information — defined as the controls in NIST SP 800-171.
  • Rapidly report cyber incidents to DoD via dibnet.dod.mil within 72 hours of discovery.
  • Preserve and protect media and conduct a forensic image of affected information systems for at least 90 days.
  • Flow the same clause down to subcontractors that will handle Covered Defense Information.

NIST SP 800-171 specifies the controls. The current revision a Florida SMB engaging in 2026 should plan against is Revision 3, which restructured the requirements and clarified several control families. Revision 2 remains in effect for many existing contracts; the C3PAO will use the revision specified in the contract or the most current revision applicable at assessment time. The 110 requirements span 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The primary work product of NIST 800-171 implementation is the System Security Plan (SSP) — a written document describing how the organization implements each of the 110 requirements, including any compensating controls, scoping decisions, and operational procedures. The SSP is the document the C3PAO assesses against. A well-written SSP is the difference between a smooth assessment and a painful one.

// 04

TOP 10 NIST 800-171 CONTROLS FLORIDA DEFENSE CONTRACTORS MISS.

Walking through all 110 controls would be its own 100-page document. In our experience with Florida aerospace SMBs, the same ten controls consistently produce the most pre-assessment findings and the most C3PAO non-conformities at actual assessment. These are where to spend remediation effort first.

  1. 3.1.1 / 3.1.2 — Account Authorization and Access Enforcement
     Many contractors have over-privileged user accounts and no documented process for limiting access to CUI based on role. The fix is a written access-control policy plus role-based access groups in Entra ID.
  2. 3.1.13 — Encrypted Remote Access
     Remote access to CUI environments must use FIPS-validated cryptography. Most consumer VPN solutions and many SMB firewall VPNs are not FIPS-validated. The C3PAO will ask for the FIPS validation certificate.
  3. 3.3.1-3.3.9 — Audit Logging
     Comprehensive audit logging of CUI access, with logs protected from modification, retained for the contract-specified period, and reviewed regularly. Most SMBs collect logs but don't review them — the documented review is what the assessor wants.
  4. 3.4.6 / 3.4.7 — Configuration Baselines and Least Functionality
     Documented baseline configurations for every system that handles CUI, with ports/protocols/services restricted to those needed for operation. CIS Benchmarks for Windows and the relevant DISA STIGs are the typical baseline references.
  5. 3.5.3 — Multi-Factor Authentication
     MFA on every account with access to CUI, including local administrator accounts. Many SMBs MFA the cloud accounts but leave on-prem local admin accounts MFA-less — that's a finding.
  6. 3.8.1-3.8.9 — Media Protection
     Sanitization of removable media before reuse or disposal. Many SMBs don't have a documented media sanitization procedure or a media destruction vendor with a certificate trail.
  7. 3.10.6 — Alternate Work Sites
     Remote-work environments (home offices, alternate sites) must apply equivalent safeguards to the primary site. Post-COVID this is a common gap — the home-office posture is often less hardened than the office.
  8. 3.13.11 — FIPS-Validated Cryptography
     All cryptographic protection of CUI must use FIPS-140-validated modules. This affects encryption-at-rest configuration, VPN selection, and TLS configurations.
  9. 3.14.6 / 3.14.7 — Monitoring for Unauthorized Use
     Continuous monitoring for unauthorized use of organizational systems. SIEM or equivalent, with documented alert review procedures and incident-response playbook.
  10. POAM and SSP Maintenance — the meta-control
     The SSP must be current; the POAM must accurately track open remediation items with target dates. Assessors find more SSPs that are 18 months out of date than they find missing controls.

Closing these ten typically takes 60-70% of the remediation effort in a CMMC engagement. The remaining 100 controls are mostly checkbox work once the environment is properly designed.

// 05

EMBRY-RIDDLE, LOCKHEED, NORTHROP SUBCONTRACTOR PATH.

Most Florida aerospace and defense SMBs encounter CMMC not because they hold a direct DoD prime contract, but because a Florida-presence prime is flowing the requirement down to them. The pattern we see most often:

  • Embry-Riddle Aeronautical University (Daytona Beach): in its DoD-research and contract-research capacity, ERAU flows CMMC requirements to its subcontractors and supplier base — including Florida machine shops, electronics suppliers, IT services firms, and consulting firms.
  • Lockheed Martin (Orlando, Ocala-area suppliers): LM's missiles, simulation, and rotary/mission-systems business units carry the full DoD compliance posture and flow CMMC down through several subcontractor tiers.
  • Northrop Grumman (Melbourne, statewide suppliers): aircraft, electronics, and space-systems business units flow CMMC down to a broad supplier base across Florida.
  • L3Harris (Melbourne, Palm Bay, statewide): communications, electronic warfare, and space-systems work all carries DoD compliance overhead.
  • Boeing, Raytheon, General Dynamics, BAE Systems: have Florida presence either directly or through major supplier networks.
  • Cape Canaveral / Kennedy Space Center primes: SpaceX, Blue Origin, Boeing, ULA, Lockheed all have local supplier ecosystems with DoD compliance requirements where the workload touches national-security space.

The subcontractor path: the prime's contracting officer (or supplier-quality group) sends a flow-down letter or contract amendment specifying the CMMC level required for ongoing subcontract activity. The subcontractor typically has 6-18 months to achieve the required CMMC status — sometimes shorter, sometimes longer, depending on the specific program timeline.

The reality for the Florida subcontractor: delayed response costs business. Primes are increasingly consolidating their supplier base toward suppliers who can demonstrate CMMC status, because the prime's own DoD compliance is at risk if a supplier touches CUI without the right certification. Suppliers who move first on CMMC tend to grow share within the prime's portfolio; suppliers who delay tend to see contract volumes shift to compliant competitors.

// 06

ITAR / EAR LAYERED ON CMMC — EXPORT-CONTROL CONSIDERATIONS.

For Florida aerospace, defense electronics, and space-systems suppliers, two export-control regimes layer on top of CMMC: the International Traffic in Arms Regulations (ITAR) administered by the State Department, and the Export Administration Regulations (EAR) administered by the Commerce Department. ITAR governs defense articles and defense services on the US Munitions List; EAR governs dual-use technologies on the Commerce Control List.

The relevant question for CMMC: where does export-controlled data live in your IT environment, and who can access it? ITAR specifically prohibits making technical data available to foreign persons (including foreign-national employees on US soil) without specific authorization. That requirement cascades into IT system design:

  • Data residency: ITAR technical data must reside on systems where access is restricted to US persons. Microsoft 365 Commercial — with global support staffing and data potentially residing in non-US data centers — is not appropriate for ITAR data without specific contractual arrangements.
  • Support staffing: the support staff who can access the tenant must themselves be US persons. Microsoft GCC High is staffed by US-citizen personnel; GCC is staffed by US persons in many cases but not categorically; Commercial offers no such guarantee.
  • Cryptographic protection: FIPS 140-validated cryptography is required for protection of ITAR technical data both at rest and in transit.
  • Foreign-national workforce: if any employees are foreign nationals (including legal permanent residents in some cases), the contractor needs an export-authorization plan or technical access controls that prevent foreign-national access to ITAR data.

The practical reality: Florida aerospace SMBs that touch ITAR technical data typically need Microsoft 365 GCC High, FIPS-validated network cryptography, and a documented foreign-national access policy. CMMC alone is necessary but not sufficient — the ITAR overlay can require equal or greater attention. The Simply IT CMMC engagement always includes an ITAR/EAR scoping conversation up front; the worst outcome is a CMMC-aligned environment that's also an ITAR violation.

// 07

MICROSOFT 365 GCC AND GCC HIGH — WHEN YOU NEED EACH.

Microsoft offers three distinct Microsoft 365 environments for US customers: Commercial, GCC (Government Community Cloud), and GCC High. The decision among them is one of the largest cost and complexity drivers in a CMMC engagement.

Microsoft 365 Commercial

The standard M365 environment used by most US small businesses. Adequate for many Level 1 FCI scenarios where the data does not include CUI. Not adequate for ITAR technical data or for many Level 2 CUI scenarios. Pricing: Business Basic $7.50, Standard $15, Premium $27 per user/month.

Microsoft 365 GCC

The mid-tier government cloud. Data resides in US data centers, screening of support personnel, FedRAMP Moderate authorization. Appropriate for many Level 2 CUI workloads that do not include ITAR-controlled technical data or other export-controlled categories. Pricing roughly 1.5-2x Commercial per user, depending on SKU. Eligibility requires DoD-supplier or government-customer status.

Microsoft 365 GCC High

The highest-trust commercial M365 environment. US-sovereign cloud, US-citizen-only support personnel, FedRAMP High authorization, ITAR-compliant by design, NIST 800-171 alignment built into the platform. Required for most ITAR-data-handling contractors and for many Level 2 environments where the prime contract specifies GCC High. Pricing roughly 2.5-3.5x Commercial per user. Eligibility requires DoD-supplier status with appropriate justification.

The selection criteria in plain English:

  • Handle ITAR technical data? GCC High, almost always.
  • Prime contract specifies GCC or GCC High? Follow the contract specification.
  • Level 2 CUI with no ITAR overlay? GCC is usually sufficient; some contracts require GCC High.
  • Level 1 FCI only, no CUI? Commercial may be acceptable; many SMBs choose GCC anyway for the easier compliance posture.

The mistake to avoid: starting in Commercial “to save money,” then needing to migrate to GCC High mid-engagement. Migration is painful (data movement, license re-procurement, tenant rebuild) and typically costs $20,000-$80,000 for a small SMB — much more than just starting in the right environment.

// 08

THE C3PAO AUDIT PROCESS — SELECTING AN ASSESSOR.

C3PAOs (CMMC Third Party Assessment Organizations) are the accredited firms that conduct Level 2 CMMC assessments. The Cyber AB (the body that accredits C3PAOs) maintains a public marketplace listing of currently authorized C3PAOs at cyberab.org. Selecting the right C3PAO for your engagement is one of the higher-stakes decisions in the process.

The assessment process at a high level:

  1. Pre-engagement: scope confirmation, fee proposal, contract execution.
  2. Pre-assessment review: C3PAO reviews the SSP, POAM, and key evidence to confirm readiness. Sometimes a separate “pre-assessment” or “readiness review” engagement.
  3. On-site or virtual assessment: 1-2 weeks for a small SMB. Lead assessor and supporting team interview personnel, observe controls in operation, review evidence, and document findings.
  4. Out-brief: findings presented at end of assessment. Any deficiencies that prevent certification are identified.
  5. Remediation window: for limited deficiencies, contractors may have 90-180 days to remediate before re-assessment of the affected controls.
  6. Final report and certificate: if successful, the C3PAO reports the assessment to the DoD's Supplier Performance Risk System (SPRS). Certification is valid for three years subject to annual affirmation by the contractor's senior official.

Selection criteria for the C3PAO: experience with your industry (aerospace, manufacturing, IT services), availability that matches your timeline, geographic flexibility for any on-site work, pricing transparency, references from organizations of similar size, and cultural fit. The assessment is intensive, and a constructive working relationship with the C3PAO makes the experience materially better.

Simply IT helps every CMMC client run a structured C3PAO selection — typically 3-5 RFPs with comparable scope. Typical assessment fee for a Level 2 engagement at a 10-30 person Florida SMB: $25,000-$60,000. We do not act as a C3PAO ourselves (that's a separate accreditation) but we know the Florida-active C3PAOs well and help our clients pick the right partner.

// 09

COST AND TIMELINE — REAL FLORIDA SMB NUMBERS.

The honest cost picture for a Florida small business (10-30 employees) pursuing CMMC Level 2 in 2026, all-in across 12-18 months:

  • Pre-assessment gap analysis and SSP development: $20,000-$50,000. Detailed inventory of current controls against all 110 requirements, identification of gaps, drafting of the System Security Plan and Plan of Action and Milestones.
  • Remediation consulting: $10,000-$40,000. Designing the fix for each gap, writing the supporting policies and procedures, implementing the technical changes.
  • Tooling and licensing: $20,000-$60,000 (year-one), $30,000-$90,000 (annual ongoing). GCC or GCC High licensing for the CUI-handling workforce, FIPS-validated VPN, SIEM or managed-detection, security awareness training platform, vulnerability management, hardware refresh where needed.
  • C3PAO assessment: $25,000-$60,000 for a Level 2 engagement at a small SMB. May include a separate pre-assessment readiness review of $5,000-$15,000.
  • Annual surveillance: $5,000-$20,000 per year. Annual affirmation, continued evidence maintenance, periodic readiness review.
  • Internal staff time: typically 200-500 hours of internal staff effort across the 12-18 months for project management, evidence collection, training, and assessor interviews.

Total Year 1 cost: $75,000-$250,000 for a typical Florida SMB. Total ongoing annual cost: $40,000-$120,000 plus the managed-IT relationship that runs the day-to-day environment.

Timeline: 12-18 months is realistic for a Florida SMB starting from a baseline managed-IT posture with no prior CMMC preparation. Faster is possible for organizations that already have mature NIST 800-171 alignment from prior compliance work, but rushing typically costs 30-50% more and produces a higher-risk assessment. Slower than 18 months is usually a sign the project lost momentum mid-engagement and needs a reset.

The most important budgeting principle: start before the contract requires it. Reactive CMMC engagements that respond to a contract clause already in effect pay premium pricing and still risk missing the contract deadline. Proactive engagements that begin when CMMC language first appears in solicitations the business is pursuing pay normal pricing and have a calm execution path.

// 10

COMMON FAILURES AND HOW TO AVOID THEM.

Five failure patterns we see consistently at Florida SMBs attempting CMMC without experienced support, and the avoidance pattern for each:

  1. Wrong M365 tenant for the data: CUI ends up in Commercial when GCC or GCC High was required. Avoidance: data classification and ITAR/EAR scoping before any tenant decisions. Migration mid-engagement is painful and expensive.
  2. Scope creep through the whole company: entire business gets pulled into CMMC scope when only an enclave needs to be. Avoidance: deliberate enclave design with network segmentation, identity boundaries, and data-flow control.
  3. Incomplete System Security Plan: SSP describes generic implementations rather than the specific environment. Avoidance: write the SSP after the environment is designed, not before; each of the 110 controls gets a specific, contextual description.
  4. Missing or stale POAM: Plan of Action and Milestones doesn't actually track open remediation. Avoidance: monthly POAM review with the contractor's senior accountable official; treat the POAM as a living document.
  5. Workforce training and evidence gaps: security awareness, role-based training, and CUI-handling training don't have documented completion for every workforce member. Avoidance: integrated training platform with automatic evidence collection and quarterly compliance review.

The other meta-failure: choosing an IT provider with no DoD-side experience to lead the engagement. CMMC has its own cultural rhythms — contracting officers, supplier-quality groups, security officials, audit assessors — that are unfamiliar to most commercial-only IT providers. Working with a partner who has been in that environment makes the difference between a smooth engagement and a frustrating one.

// 11

THE SIMPLY IT CMMC ENGAGEMENT.

Simply IT runs CMMC engagements as a structured 12-18 month project layered on top of the Simply Compliant managed-IT relationship ($150 per user per month). We are veteran-owned — Steve Condit is a USMC veteran with 30+ years in IT and direct comfort with DoD culture — and Ocala is well-positioned geographically for the Florida defense supply chain: 90 minutes from Daytona/Embry-Riddle, two hours from the Cape Canaveral / KSC corridor, three hours from MacDill, four hours from Eglin and the Panhandle bases.

The Simply IT CMMC engagement phases:

  • Phase 1 — Scoping (4-6 weeks): data classification, CUI inventory, ITAR/EAR analysis, enclave design, M365 tenant selection, target CMMC level confirmation, rough timeline and budget.
  • Phase 2 — Pre-Assessment Gap Analysis (6-8 weeks): detailed inventory of current controls against all 110 NIST 800-171 requirements, gap report, initial SSP draft, initial POAM.
  • Phase 3 — Remediation (4-9 months): implementation of technical changes, drafting of policies and procedures, workforce training, evidence library buildout, GCC or GCC High deployment if applicable.
  • Phase 4 — Readiness Review (4-6 weeks): internal mock assessment against the SSP, gap closure, final SSP and POAM, C3PAO selection complete.
  • Phase 5 — C3PAO Assessment Support (4-8 weeks): we are present for the assessment (subject to C3PAO rules), support evidence presentation, and assist with any in-assessment remediation.
  • Phase 6 — Annual Surveillance (ongoing): annual affirmation support, evidence maintenance, training cadence, POAM updates, preparation for the triennial re-assessment.

Pricing is project-scoped after the initial scoping phase — we do not quote a CMMC engagement blind. The Simply Compliant managed-IT relationship runs at the standard $150 per user per month for the certified-scope users; CMMC project fees are quoted separately by phase. No long-term contracts, no minimum engagement.

If your Florida aerospace, defense, or DoD-adjacent business is seeing CMMC language in solicitations or flow-down letters and you're not sure whether it applies, what level, or what it'll cost — the right next step is a free 30-minute scoping call. We'll tell you honestly whether CMMC binds you, what level you're looking at, and roughly what the engagement looks like — with no obligation either way.

// 12

FREQUENTLY ASKED QUESTIONS.

What is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's certification framework that defense contractors and their subcontractors must achieve to handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It codifies the cybersecurity controls in NIST SP 800-171 and adds third-party assessment by accredited C3PAOs for the higher levels. CMMC 2.0 (the current model) became contract-binding through 2025 phased DFARS rule-making and is now a routine requirement on DoD prime and subcontractor solicitations.
What are the CMMC 2.0 levels?
Three levels. Level 1 (Foundational) covers basic safeguarding of FCI and applies to about 15 controls; self-attestation is permitted. Level 2 (Advanced) covers the protection of CUI and aligns with all 110 NIST SP 800-171 controls; most contracts require third-party C3PAO assessment, though some lower-risk Level 2 contracts permit self-assessment. Level 3 (Expert) applies to the highest-risk programs, adds a subset of NIST SP 800-172 enhanced controls, and requires government-led assessment. The vast majority of Florida small defense contractors operate at Level 1 or Level 2.
What's the difference between DFARS 252.204-7012 and CMMC?
DFARS 252.204-7012 is the contract clause that has required defense contractors to safeguard Covered Defense Information since 2017. It mandates compliance with NIST SP 800-171's 110 controls and requires 72-hour reporting of cyber incidents to the DoD. CMMC is the certification framework that verifies compliance with those controls. Before CMMC, contractors self-attested; under CMMC the higher levels require independent C3PAO assessment. The underlying technical controls are largely the same — CMMC adds the verification layer.
Do I need Microsoft 365 GCC High?
Depends on the data you handle. Microsoft 365 Commercial is sufficient for Level 1 FCI in many cases. Microsoft 365 GCC (Government Community Cloud) is appropriate for some CUI workloads where the data does not include ITAR-controlled technical data or other export-controlled categories. Microsoft 365 GCC High is typically required when CUI includes ITAR technical data, certain export-controlled categories, or when the prime contract specifies GCC High. The decision should be made before you build the environment — migrating from Commercial to GCC High mid-engagement is painful and expensive.
How much does CMMC cost for a Florida small business?
Typical Florida small defense contractor (10-30 employees) all-in cost for Level 2 CMMC certification: $75,000-$250,000 over 12-18 months. Breakdown: $30,000-$80,000 in pre-assessment gap analysis and remediation consulting; $20,000-$60,000 in tooling and licensing (GCC High licensing, FIPS-validated VPN, SIEM, hardware refresh where needed); $15,000-$60,000 for the C3PAO assessment itself; plus internal staff time. Ongoing annual cost: $40,000-$120,000 for the GCC High licensing, MSP, continuous-monitoring tooling, and surveillance audits between full assessments.
How long does CMMC certification take?
12-18 months from kickoff to certification is the typical Florida SMB timeline. Approximately 3-6 months of gap analysis and System Security Plan (SSP) development, 6-9 months of remediation and control implementation, 1-2 months of pre-assessment readiness review, and 2-4 weeks of C3PAO assessment. Contractors who start late (e.g., respond to a contract requirement after award) often pay 30-50% more in expedited fees and still risk missing the contract deadline. The right time to start is when you first see CMMC language appearing in solicitations you bid on.
What are the 110 NIST 800-171 controls?
NIST SP 800-171 (Revision 2 and Revision 3) organizes 110 security requirements across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. The requirements range from familiar (multi-factor authentication, encryption at rest, security awareness training) to specialized (FIPS 140-validated cryptography for CUI in transit, specific audit log retention, separation of duties for privileged operations). A System Security Plan (SSP) documents the implementation status of each requirement.
What is subcontractor flow-down?
DFARS 252.204-7012 requires the prime contractor to flow the same DFARS clause down to subcontractors at every tier when the subcontractor will handle Covered Defense Information. In practice this means: if your Florida aerospace SMB is a tier-2 subcontractor to Embry-Riddle Aeronautical University, Lockheed Martin, Northrop Grumman, L3Harris, or any other DoD prime — and you touch CUI in performance of that contract — you inherit the same CMMC requirement the prime carries. CMMC level required at the subcontractor depends on what CUI flows down. The prime's contracting officer can require evidence of your CMMC status before issuing the subcontract.
How do I select a C3PAO?
C3PAOs are CMMC Third Party Assessment Organizations — the firms accredited by the Cyber AB to conduct Level 2 CMMC assessments. The Cyber AB Marketplace at cyberab.org lists current authorized C3PAOs. Selection criteria: experience with your industry (aerospace, manufacturing, IT services), availability that matches your timeline, geographic flexibility for any on-site work, pricing transparency, and references from organizations of similar size. We help every Simply IT CMMC client run a structured C3PAO selection — typically 3-5 RFPs with comparable scope, $25,000-$60,000 typical assessment fee for a Level 2 engagement at a 10-30 person Florida SMB.
How does ITAR overlap with CMMC?
If your business handles International Traffic in Arms Regulations (ITAR) technical data — common for Florida aerospace, defense electronics, and space-systems suppliers — you have export-control obligations layered on top of CMMC. ITAR requires that controlled data not be accessible to foreign persons (including foreign-person employees on US soil) without proper authorization. This typically forces use of Microsoft 365 GCC High (US data residency, US-citizen-staffed support), FIPS-validated cryptography, and specific access controls. Many Florida aerospace SMBs miscalculate the ITAR overlap and end up with environments that are CMMC-aligned but ITAR-noncompliant — or vice versa.
What are the most common CMMC assessment failures?
Five patterns we see consistently. (1) Wrong M365 tenant — CUI in a commercial M365 tenant when GCC or GCC High was required. (2) Incomplete System Security Plan — SSP doesn't actually describe how each of the 110 controls is implemented for the specific environment. (3) Missing Plan of Action and Milestones (POAM) — controls that aren't fully met don't have a documented remediation plan. (4) Workforce training gaps — security awareness, role-based training, and CUI-handling training not documented for every workforce member. (5) Inadequate evidence collection — controls implemented but the contemporaneous evidence the assessor needs is not in the document library.
Does Simply IT do CMMC compliance work?
Yes — CMMC is one of our specialty practices for Florida aerospace and defense SMBs. Founded by a USMC veteran with 30+ years in IT, we're comfortable with the DoD posture and the cultural realities of working with primes like Embry-Riddle, Lockheed, Northrop, and L3Harris. Our CMMC engagement is structured as a scoped 12-18 month project on top of the Simply Compliant managed-IT relationship ($150 per user per month). The project covers pre-assessment gap analysis, SSP development, remediation, GCC or GCC High deployment, evidence collection, and C3PAO audit support. No long-term contracts, no minimum engagement. Veteran-owned, headquartered in Ocala FL — 90 minutes from the Daytona/Embry-Riddle corridor and 2 hours from the Cape Canaveral defense supply chain.
READY FOR CMMC AT YOUR FLORIDA DEFENSE BUSINESS?

Get a free 30-minute CMMC scoping call with Steve Condit, a USMC veteran with 30+ years in IT and the founder of Simply IT. We'll review your contract flow-down, your data scope (ITAR, EAR, CUI, FCI), your target CMMC level, and the rough cost and timeline — and tell you honestly whether you're a CMMC client or whether your current managed-IT relationship already covers what you need.


Or call us directly: 352-723-5003