Your DoD Contract Requires CMMC. Your IT Should Too.
DFARS clauses 252.204-7012 through -7021 are already in your contract. Non-compliance means lost contracts, failed audits, and barred re-bids. IT Center builds and manages the CMMC-compliant IT infrastructure Southern California defense contractors need to stay on the award list — at a flat $300/computer user/month.
From prime contractors to Tier 3 subcontractors, from SDVOSB small businesses to base support operators — if your organization touches a DoD contract or military installation, CMMC compliance affects you.
Small and mid-size businesses holding direct DoD contracts. Your DFARS clauses are binding — CMMC Level 2 is the minimum standard for most CUI-handling primes.
CMMC requirements flow down through the supply chain. If you receive a subcontract that requires handling CUI, you inherit the same compliance obligations as the prime.
Facilities management, janitorial, food service, and base operations contractors increasingly require CMMC compliance for access to base IT systems and access control infrastructure.
Service-Disabled Veteran-Owned and Veteran-Owned Small Businesses competing for set-aside contracts. We help you meet the compliance bar that protects your eligibility and competitive edge.
Employers of National Guard and Reserve members with USERRA obligations and potential access to military networks. We help maintain appropriate IT hygiene and separation requirements.
Warehousing, kitting, transportation, and distribution contractors supporting military supply chains. C-TPAT and CMMC requirements increasingly overlap for logistics firms in the defense industrial base.
Understanding the regulatory landscape is the first step. Knowing exactly which requirements apply to your contract — and implementing them correctly — is what keeps you on the award list.
Practices aligned with FAR 52.204-21. Annual self-assessment. Required for contractors handling Federal Contract Information (FCI) only, with no CUI. No third-party assessment required.
Self-Assessment
All 110 NIST SP 800-171 practices. Triennial third-party C3PAO assessment for most contracts. Covers the vast majority of defense contractors who handle Controlled Unclassified Information.
C3PAO Assessment
NIST SP 800-172 practices layered on top of Level 2. Government-led DCSA assessment. Reserved for programs with the highest risk of advanced persistent threat (APT) activity.
Government-Led Assessment
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires adequate security and 72-hour incident reporting to DoD.
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements. Contractors must post a current SPRS self-assessment score before award.
DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements. Grants DoD the right to conduct medium and high assessments and access contractor systems.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements. The CMMC clause — specifies required level and assessment type for the contract.
110 security requirements across 14 control families govern how CUI must be protected. IT Center implements and manages all 14:
ITAR does not apply only to aerospace primes. Any organization that manufactures, exports, or brokers defense articles, technical data, or defense services — including IT support for those activities — may be subject to EAR/ITAR controls.
DoD 8570/8140 Workforce Requirements: If your contract requires IA-qualified personnel, IT Center supports DoD 8140 role-based certification planning and ensures your team meets IAM, IASAE, and IAWF category requirements.
One partner. One flat rate. Everything from your initial gap assessment to ongoing System Security Plan maintenance — all managed by IT Center's defense-experienced team in Southern California.
We audit your current environment against your required CMMC level, score every practice, identify gaps, and produce a prioritized remediation roadmap with realistic timelines and cost estimates. No surprises when the C3PAO arrives.
We write and maintain your SSP describing your security architecture, control implementation, and CUI data flows. We also track your Plan of Action & Milestones so deficiencies are documented and closed on schedule.
Defining your CUI boundary correctly is everything. Too broad and your assessment costs skyrocket. Too narrow and you fail. We scope your environment precisely — identifying which systems, users, and data flows are in scope — and document it defensibly.
Commercial Microsoft 365 is not CMMC Level 2 compliant for CUI. We migrate contractors to GCC High tenants with proper data residency, foreign national access controls, and ITAR technical data segregation — without disrupting operations.
All data at rest and in transit must use FIPS 140-2 validated cryptographic modules. We configure and manage validated encryption across endpoints, storage, email, and network communications — with full documentation to evidence compliance.
NIST 800-171 control 3.5.3 mandates MFA for all CUI-system access. We deploy, manage, and enforce MFA across your environment — including privileged accounts, remote access, and cloud services — to DoD IA standards.
CMMC is not a one-time event. We provide continuous monitoring through our AI-powered SOC, conduct quarterly internal reviews, and manage your annual re-assessment cycle so your SPRS score remains accurate and defensible throughout your contract period.
Your Supplier Performance Risk System score is visible to every contracting officer evaluating your bids. We calculate your score accurately, improve it through systematic remediation, and submit updates to the SPRS portal on your behalf.
Retired hardware that processed CUI or ITAR-controlled technical data must be sanitized to DoD 5220.22-M or NIST SP 800-88 standards. We provide documented, chain-of-custody asset disposal with certificates of destruction.
Government Furnished Equipment requires strict acceptable use controls, audit logging, and network segregation. We implement and document GFE policies, manage device enrollment, and ensure your usage aligns with the terms of your contract.
Southern California is home to one of the largest concentrations of military installations in the United States. The contractor community surrounding these bases requires CMMC compliance across thousands of DoD contract relationships.
USMC Base — North San Diego County
Marine Corps Air Station — San Diego
Naval Air Station — Coronado
MCAGCC — San Bernardino County
National Training Center — Barstow
Air Force Flight Test Center — Kern County
Space Force Base — Santa Barbara County
Thousands of SoCal SMBs supporting these installations
IT Center is based in Corona, CA — centrally located to serve contractors supporting bases across the Inland Empire, Greater Los Angeles, Orange County, and San Diego. Our team provides on-site support when needed and remote-first managed services around the clock.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's framework for verifying that contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 was incorporated into DFARS via a final rule effective December 16, 2024 (DFARS Case 2019-D041). The DoD is phasing in CMMC requirements across contracts — by fiscal year 2026, CMMC requirements are expected in the vast majority of new DoD solicitations. If you are bidding on DoD contracts now, you should be preparing for CMMC assessment today.
Your required CMMC level is determined by the type of information you handle and the nature of your DoD contract. Level 1 (17 practices, self-assessment) applies to contractors handling only FCI. Level 2 (110 practices, third-party C3PAO assessment) applies to contractors handling CUI — which covers the great majority of defense prime and subcontractors. Level 3 (134+ practices, government-led DCSA assessment) is reserved for contractors supporting the highest-priority DoD programs. Check your contract's DFARS 252.204-7021 clause for the specified level, or contact IT Center for a complimentary contract review.
Not all DoD contracts require CMMC at the same level or timeline. Contracts exclusively for COTS items are exempt. However, if your contract involves any services, development, systems integration, or technical data, there is a high probability that CUI is involved and CMMC Level 2 applies. Even if your direct contract does not yet include DFARS 252.204-7021, clauses 252.204-7012 and 252.204-7019 (adequate security and SPRS self-assessment) likely already apply. Do not wait for the clause to appear — begin now.
A CUI boundary defines exactly which systems, networks, users, and data flows are in scope for your CMMC assessment. Every system inside the boundary must comply with all 110 NIST 800-171 controls. Systems outside with no connection to CUI are out of scope. Properly scoping the CUI boundary is the single most impactful decision in the CMMC process — an overly broad boundary exponentially increases assessment cost, while an unjustifiably narrow boundary risks assessment failure. IT Center's scoping methodology follows NIST SP 800-171A guidance and C3PAO assessment standards.
Yes — with the right partner and architecture. Many small businesses drastically overpay for CMMC compliance by choosing general IT vendors unfamiliar with DoD requirements. IT Center's flat-rate model at $300/computer user/month includes CMMC-aligned security controls, continuous monitoring, SSP maintenance, and help desk — eliminating the need for separate contracts with a security firm, compliance consultant, and MSP. For most small contractors under 50 employees, the all-in monthly cost with IT Center is significantly lower than hiring even a part-time compliance coordinator.
The Supplier Performance Risk System (SPRS) score is your NIST SP 800-171 self-assessment score, posted to the DoD's SPRS portal. Scores range from -203 (every control failed) to +110 (all 110 controls fully implemented). Under DFARS 252.204-7019, a current SPRS score is required before DoD can award or renew a contract. Contracting officers can view your score — a low or missing score is a red flag that costs contracts. IT Center calculates your accurate score, develops your remediation plan, and manages SPRS submissions.
Yes — when you flow CUI to a subcontractor, CMMC requirements flow with it. Under DFARS 252.204-7021(c), prime contractors must ensure that all subcontractors that process, store, or transmit CUI have the required CMMC level before awarding a subcontract. A non-compliant subcontractor handling your CUI exposes you to contract termination and potential False Claims Act liability. IT Center helps primes audit their subcontractor supply chain and can onboard subcontractors as managed clients to bring the entire supply chain into compliance.
The longer you wait, the shorter your runway before assessment day. IT Center's CMMC readiness engagement begins with a no-cost scoping call to understand your contract requirements, estimate your current SPRS score, and map the fastest compliant path forward.
We respond within one business hour during office hours. For urgent inquiries, call (888) 221-0098.