FIELD GUIDE · FOR DIB CEOS & COOs

Don't find out your CMMC Level 2 program has gaps in front of an assessor.

Some contractors are further from Level 2 than their consultant or MSP has told them. The seven resources below show what’s required, where programs typically break down, and the cybersecurity controls defense contractors should have before and after the assessment.

Credentials:

CMMC L2 · 110/110

Cyber AB RPO-2284

ISO 27001

Microsoft Partner

Don’t forget…

Certification is just a moment. But contract eligibility requires ongoing monitoring.

01 · The MSP Problem

Two months in. No roadmap. No scope. No gap analysis. Just invoices.

CMMC Level 2 C3PAO assessments are required for some contract awards starting November 10, 2026.

So, having an IT vendor that says, “We’ll get to it as soon as we can” is not a viable option. See what happened in this real-life story.


02 · The Assessment from the Inside

Most CMMC guidance comes from people who advise on audits. This comes from a team who completed one.

Cofounders Reid Johnston and Gar Whaley walk through Teal’s CMMC Level 2 assessment from start to finish, including what scoping required, how they built evidence, and what assessors actually scrutinized.

Teal scored 110/110 with zero POA&M findings. See how they did it before you start your audit.

03 · The Legal Stakes

Compliance gaps have legal consequences.

Since launching its Civil Cyber Fraud Initiative in 2021, the DOJ has announced roughly 15 False Claims Act settlements tied to contractor cybersecurity misrepresentations.


Overstated self-assessments, incomplete SSPs, and misrepresented controls have each resulted in multi-million-dollar settlements and, in several cases, the loss of the contracts involved.

~15

DOJ settlements tied to cybersecurity misrepresentation since 2021.

$9M+

Largest single-firm settlement to date under the FCA cyber theory.

3

Most common findings: false self-attestation, missing SSPs, unimplemented controls.


04 · MSP Buyer’s Guide for DIB Contractors

Certification is a moment. Staying eligible requires an IT partner for ongoing compliance.

The gap most contractors discover too late is who owns compliance after the audit dust settles. If you want an MSP to manage it, you need to know:

  • Who is accountable for data classification?
  • What happens when your managed IT provider says they’re experienced, but the roadmap never shows up?

Buyer’s Guide · 2026

How to evaluate a CMMC managed IT partner

15 pages · PDF


05 · Environment architecture

GCC High: Full migration or secure enclave? The decision is more than technical.

Either path can support a defensible CMMC posture. The right one depends on your contract mix, your CUI flow, and where the business is headed.

Decide before you build, or you’ll pay twice.

06 · Defensible Technical Controls

One encryption gap can fail an assessment your team spent a year preparing for.

FIPS-validated encryption is one of the most misunderstood requirements in CMMC Level 2. Encryption that feels secure but isn’t FIPS-validated puts your assessment at risk.

Contractors find gaps in three places: where it applies, what “validated” means under NIST, and how the SSP documents it. Each is verifiable. Each can sink you.



07 · Compliance as your environment evolves

54% of defense contractors use AI in proposals weekly. Most haven't asked whether those tools touch CUI.

Under CMMC Level 2, any system that processes, stores, or transmits CUI is in scope for your assessment – including AI platforms, productivity tools with AI features built in, and cloud-hosted assistants your team adopted informally.

HOW WE STRUCTURE THE WORK

The goal isn't certification. It's everything that comes after. That's what our CMMC managed services are built for.

Regulated businesses across the DIB trust Teal to do more than get them through an assessment. Our CMMC consulting and managed IT services cover the full compliance lifecycle – from readiness to ongoing monitoring to every renewal cycle after – so your pipeline stays protected long after the auditor leaves.