CMMC COMPLIANCE

CMMC Phase 2 Deadline: November 10, 2026. What Defense Contractors Must Do Now.

By Ridge IT Cyber | March 22, 2026 | 10 min read

On November 10, 2026, mandatory C3PAO Level 2 certification becomes the default for DoD contracts involving CUI. Self-assessments won't cut it anymore. Here's the reality of where the defense industrial base stands, and what you need to do before the window closes.

Key figures:
99%: still need Level 2 certification (Cyber AB Town Hall, Feb 2026) [4]
~80: authorized C3PAOs for roughly 80,000 contractors (32 CFR rule, 2024) [1]
$52M: DOJ False Claims Act cybersecurity recoveries, FY2025 (DOJ Civil Division, 2025)

By Chad Koslow, CEO, Ridge IT Cyber
TLDR

CMMC Phase 2 starts November 10, 2026. It makes third-party C3PAO Level 2 certification mandatory for most DoD contracts involving Controlled Unclassified Information. As of February 2026, only about 1,042 of the 76,598 organizations that need certification have completed it; roughly 99% of the defense industrial base is still uncertified.

C3PAO wait times are already stretching past six months, the DOJ recovered $52 million in False Claims Act cybersecurity settlements last fiscal year, and GSA just released its own CUI requirements that raise the bar even further. If you're a defense contractor handling CUI and you haven't started this process, you're running out of runway.

THE SITUATION

What Changed Between CMMC Phase 1 and Phase 2 — and Why the CMMC Phase 2 Deadline Is Non-Negotiable

Let's be direct about what happened and what's coming.

Phase 1 started November 10, 2025. It required self-assessments for Level 1 and Level 2 contracts — meaning you could still attest to your own compliance, submit your SPRS score, and compete for contracts. It was the government saying: "We're serious. Get your house in order."

Most contractors treated Phase 1 the way they've treated every CMMC deadline since 2020 — they waited. And here we are.

Phase 2 is different. Starting November 10, 2026, contracting officers will begin requiring C3PAO-assessed Level 2 certification as the default for contracts involving CUI. That means an independent, authorized third-party assessor has to verify, through documentation review, interviews, and technical testing, that you actually meet all 110 NIST SP 800-171 security requirements. A self-assessment won't count. A binder full of policies you wrote last week won't count.

You want to play in the sandbox? This is what you have to do to play in the sandbox.

BY THE NUMBERS

Where the Defense Industrial Base Actually Stands


The numbers from the February 2026 Cyber AB Town Hall paint a stark picture. Of the 76,598 organizations that the DoD estimates need Level 2 C3PAO certification, only about 1,042 have completed the process. That's 1.4%.

Let that sink in. 99% of the organizations that need certification don't have it yet — and the Phase 2 deadline is eight months away.

The Capacity Problem Nobody's Talking About

There are about 80 authorized C3PAOs serving the entire defense industrial base. DoD projections from the 32 CFR rule anticipated only 517 C3PAO assessments in Year 1, ramping to 2,599 in Year 2. That means demand will massively outstrip capacity well into the Phase 2 window. If you wait until mid-2026 to start, you may not be able to schedule an assessment before the November deadline — regardless of how ready your environment is.

And it's not just about getting in line. The organizations that started early locked in assessment scheduling when C3PAO availability was better. The ones that wait will face longer queues and fewer options.

Here's the part most people miss: the DoD expects these 76,000+ organizations to work through this process over the next decade, not all at once. But if your contracts require CMMC certification after November 10, 2026, "next decade" doesn't help you. Your next contract opportunity is your deadline.

THE ROLLOUT

What Does Each CMMC Phase Actually Require?

December 16, 2024: 32 CFR Program Rule takes effect. Establishes the CMMC program structure, assessment types, affirmation requirements, and POA&M rules.

November 10, 2025: Phase 1, self-assessments begin appearing in contracts. Contracting officers start requiring Level 1 and Level 2 self-assessments as conditions of contract award. C3PAO Level 2 may be required for select high-sensitivity CUI programs at the DoD's discretion.

November 10, 2026: Phase 2, mandatory C3PAO Level 2 certification. C3PAO-assessed Level 2 becomes the default for contracts involving CUI. Self-assessments are no longer sufficient. Level 3 DIBCAC assessments may also be required for high-priority programs.

November 10, 2027: Phase 3, Level 3 requirements introduced. DIBCAC-assessed Level 3 certification required for the most critical defense programs.

November 10, 2028: Phase 4, full implementation. CMMC requirements mandatory for all applicable DoD contracts involving FCI or CUI. No exceptions except COTS.

Notice what NAVFAC Southwest has already stated publicly: they anticipate that all solicitations issued on or after November 10, 2026 will require CMMC Level 2 certification or higher. If your company is not certified, you will not be eligible for contract award. Period.

THE LEGAL RISK

Is the DOJ Already Enforcing CMMC Before Phase 2?

Here's what should keep defense contractor executives up at night: the Department of Justice recovered $52 million across nine cybersecurity-related False Claims Act settlements in fiscal year 2025 alone. That figure has more than tripled in each of the past two years.

In January 2026, Deputy Assistant Attorney General Brenna Jenny made it clear at the ACI False Claims Act Forum: cybersecurity enforcement cases are "not about data breaches" — they're "premised on misrepresentations." That means you don't have to get hacked to get sued. You just have to say you're compliant when you're not.

And with CMMC, the government has handed the DOJ an incredibly clean enforcement mechanism. Under 32 CFR 170.22, a senior company executive — the "affirming official" — must submit an annual affirmation in SPRS that your organization has implemented and will maintain all applicable security requirements.

That's a recurring legal certification submitted as a condition of contract eligibility. If that affirmation is false, or made with reckless disregard for the truth, it's a potential False Claims Act violation carrying treble damages and per-claim penalties.

The Real-World Enforcement Pattern

In 2025, the DOJ settled seven cybersecurity FCA cases — including the first enforcement action against a subcontractor and a case holding an acquiring company liable for a contractor's pre-acquisition cybersecurity violations. Whistleblowers continue to drive many of these cases. If your IT staff or compliance team knows your SPRS score is inflated, the DOJ has made it very easy for them to act on that knowledge.

The cost of making a mistake here can be the difference between your company running and being out of business.

THE EXPANDING SCOPE

Why Isn't CMMC Just a DoD Requirement Anymore?


If you thought CMMC was just a DoD problem, think again. In January 2026, the General Services Administration quietly released new requirements for protecting CUI on nonfederal contractor systems — published as an update to an IT security procedural guide, not as a major regulatory announcement.

Here's why that matters: GSA's new requirements are based on NIST 800-171 Revision 3, not Revision 2. CMMC is locked to Revision 2 — the DoD can't move to Revision 3 without further rulemaking. The differences between those revisions are significant. Revision 3 contains more assessment objectives, meaning it represents a higher bar for contractors.

If you're a contractor who works with both DoD and GSA, you now face two different compliance standards built on two different versions of the same NIST framework. And both of them require third-party assessments.

This is exactly why we tell our clients: don't build your security architecture around passing a single audit. Build it around actually being secure. If your controls are solid, adapting to framework changes is a documentation exercise, not a panic. If you built a Potemkin village of policies to pass CMMC, every new requirement is a crisis.

THE REALISTIC PATH

Conditional Certification: The Safety Net With a Timer

For organizations that can't achieve full Level 2 compliance before their assessment, conditional certification exists — but the rules are strict and the clock starts immediately.

Requirement and what it means:

Minimum SPRS score: at least 88 out of 110 (80%), with the remaining gaps documented in a POA&M.
High-value controls: controls weighted at 3 or 5 points must be fully implemented; no POA&M is allowed for them.
Prohibited POA&M items: the basic safeguarding requirements under FAR 52.204-21 (and the DFARS 252.204-7012 baseline) cannot be on a POA&M.
Closure deadline: 180 days from the certification date to close every POA&M item with documented evidence.
Consequence of missing the deadline: conditional status expires immediately, and you become ineligible for contracts requiring Level 2.
Closeout assessment: the C3PAO must validate that each POA&M item was actually closed, not just documented.

Conditional certification buys you time, but it's not a workaround. You still need to score at least 88 out of 110. You still need every high-value control fully implemented. And you have exactly 180 days to close every gap — or your certification disappears and you're back to ineligible.

This is the most underappreciated risk in Phase 2. Contractors who treat conditional certification as a way to cut corners will find themselves in a worse position six months later when their status expires and they're scrambling to close gaps they should have addressed before the assessment.
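The conditional-certification rules above reduce to a small amount of arithmetic that is worth running before you book an assessment. The following Python is a worked example added for this page; it is not Ridge IT's tooling and not an official DoD calculator. It scores a set of gap-assessment findings the way the DoD Assessment Methodology does (110 minus the weight of each open gap, with the two partial-credit cases), then applies the POA&M rules to decide whether the result can go forward as a conditional certification and when the 180-day closure window ends. The requirement IDs and weights in WEIGHTS are a constructed excerpt of the published table, not all 110 rows; the LEVEL1_NO_POAM set and the 3.13.11 carve-out are taken from 32 CFR 170.21 as the author of this example reads it. Check both against the current rule text before relying on the output.

```python
"""Score a CMMC Level 2 gap assessment and check conditional-certification eligibility.

Illustrative example written for this page (not Ridge IT code, not a DoD tool).
Assumptions: WEIGHTS is a constructed excerpt of the DoD Assessment Methodology
point table; PARTIAL_CREDIT and LEVEL1_NO_POAM reflect the methodology and
32 CFR 170.21 as read by the author of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110             # one point per requirement before deductions
CONDITIONAL_MIN_SCORE = 88  # 80% of 110, the floor for conditional certification
POAM_CLOSURE_DAYS = 180     # window to close every POA&M item after certification

# Constructed excerpt of per-requirement weights (the real table has 110 rows).
WEIGHTS = {
    "3.1.1": 5,    # AC: limit system access to authorized users
    "3.1.20": 1,   # AC: verify and control connections to external systems
    "3.1.22": 1,   # AC: control CUI posted on publicly accessible systems
    "3.3.1": 5,    # AU: create and retain audit logs
    "3.5.3": 5,    # IA: multifactor authentication
    "3.7.3": 1,    # MA: sanitize equipment removed for off-site maintenance
    "3.8.9": 1,    # MP: protect CUI at backup storage locations
    "3.10.3": 1,   # PE: escort visitors and monitor visitor activity
    "3.11.2": 5,   # RA: scan for vulnerabilities
    "3.13.11": 5,  # SC: FIPS-validated cryptography for CUI
    "3.14.1": 5,   # SI: identify, report and correct flaws
}

# Partial-credit cases in the methodology: MFA only for remote/privileged users
# (3.5.3) or encryption present but not FIPS-validated (3.13.11) lose 3, not 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 1-point basic safeguarding requirements that 32 CFR 170.21 names as never
# POA&M-eligible at Level 2 (the 5-point Level 1 items are excluded by weight).
LEVEL1_NO_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One requirement with an open gap; anything not listed counts as implemented."""
    req_id: str
    status: str  # "not_implemented" or "partial"


def deduction(finding: Finding) -> int:
    """Points subtracted for a single finding."""
    if finding.req_id not in WEIGHTS:
        raise ValueError(f"no weight on file for {finding.req_id}")
    if finding.status == "partial":
        if finding.req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.req_id} has no partial-credit rule")
        return PARTIAL_CREDIT[finding.req_id]
    if finding.status == "not_implemented":
        return WEIGHTS[finding.req_id]
    raise ValueError(f"unknown status {finding.status!r}")


def sprs_score(findings) -> int:
    """110 minus the weight of every open gap (published scale runs to -203)."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligible(finding: Finding) -> bool:
    """May this gap be deferred to a POA&M under a conditional certification?
    Page rule: only 1-point requirements, and never basic safeguarding items.
    32 CFR 170.21 carve-out: 3.13.11 may be deferred when encryption exists
    but is not FIPS-validated."""
    if finding.req_id in LEVEL1_NO_POAM:
        return False
    if finding.req_id == "3.13.11" and finding.status == "partial":
        return True
    return WEIGHTS[finding.req_id] == 1


def _as_date(d) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def conditional_review(findings, certified_on) -> dict:
    """Decide whether findings can go forward as a conditional certification
    and, if so, when the 180-day POA&M closure window ends."""
    score = sprs_score(findings)
    blockers = sorted(f.req_id for f in findings if not poam_eligible(f))
    poam = sorted(f.req_id for f in findings if poam_eligible(f))
    eligible = score >= CONDITIONAL_MIN_SCORE and not blockers
    deadline = _as_date(certified_on) + timedelta(days=POAM_CLOSURE_DAYS)
    return {
        "score": score,
        "meets_minimum": score >= CONDITIONAL_MIN_SCORE,
        "blockers": blockers,    # must be fixed before the assessment
        "poam_items": poam,      # may be deferred, then closed within 180 days
        "eligible": eligible,
        "closure_deadline": deadline.isoformat() if eligible else None,
    }


def poam_status(deadline, today, open_items: int) -> str:
    """Conditional status on a given day: 'closed', 'open' or 'expired'."""
    if open_items == 0:
        return "closed"
    return "open" if _as_date(today) <= _as_date(deadline) else "expired"


if __name__ == "__main__":
    # Constructed findings for a hypothetical contractor before remediation.
    before = [
        Finding("3.1.20", "not_implemented"),  # 1 pt but basic safeguarding: blocker
        Finding("3.5.3", "partial"),           # MFA not on general users: blocker
        Finding("3.7.3", "not_implemented"),   # 1 pt: POA&M-eligible
        Finding("3.8.9", "not_implemented"),   # 1 pt: POA&M-eligible
        Finding("3.13.11", "partial"),         # non-FIPS crypto: POA&M-eligible
    ]
    print(conditional_review(before, "2026-06-01"))
    after = [f for f in before if f.req_id not in {"3.1.20", "3.5.3"}]
    print(conditional_review(after, "2026-06-01"))
```

Note that the two scenarios in the block score 101 and 105, both above the 88 floor, yet only the second is eligible: the score threshold is the easy part, and it is the blocker list (high-value and basic safeguarding gaps) that actually decides whether you can walk into a conditional assessment.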

RIDGE IT'S APPROACH

How the Enclave Model Gets You Certified Without Overhauling Your Entire Business

Here's the approach we've been deploying for defense contractors since CMMC was still in draft form: the enclave model.

The concept is simple. Instead of making every system in your organization CMMC-compliant — every laptop, every server, every network segment, every application — we build a separate, hardened environment specifically for the people and systems that handle CUI. We call it the enclave.

Employees working on government contracts use the enclave. Everyone else keeps working normally on the commercial side of the house.

Why does this matter? Because the alternative is trying to change a tire on a highway at 80 miles per hour. Most mid-market defense contractors run mixed environments — some people touch CUI, most don't. Trying to apply 110 NIST 800-171 controls across the entire organization means every machine, every user, every application has to meet the standard.

Your commercial operations get dragged into a compliance program that was never designed for them. It's slower, more expensive, and vastly more likely to produce gaps your C3PAO will find.

The enclave flips the problem. Scope goes from "everything" to "only the CUI boundary." Fewer systems to harden, fewer systems to assess, fewer systems to maintain in continuous compliance.

THE ARCHITECTURE

What's Inside the Enclave?

Our CMMC enclave architecture covers 106 out of 110 CMMC controls out of the box. The remaining four controls are addressed through policy documentation — not technology. That's not a gap. CMMC explicitly accounts for controls that are satisfied through documented policies and procedures rather than technical implementations.

Here's each component and what it actually does in the context of CMMC controls:

Microsoft 365 GCC High (government cloud tenant). Government-grade M365 licensing, FedRAMP High authorized. Your email, SharePoint, Teams, and OneDrive for CUI-handling users live here, completely isolated from your commercial M365 tenant. Includes Defender for baseline endpoint protection and Microsoft Purview for data classification and CUI sensitivity labels.
Controls: Media Protection, System & Comms Protection

Microsoft Intune (endpoint management). Endpoint management with the Windows 11 DISA STIG security baseline. Every enclave device is enrolled, configured to the baseline, and monitored for drift. Handles BitLocker encryption, application allow-listing, USB restrictions, and automatic patching. If a device falls out of compliance, it gets flagged before your next affirmation, not during the C3PAO assessment.
Controls: Configuration Management, Maintenance

Okta (identity management). Single sign-on and adaptive multi-factor authentication for every enclave user, FedRAMP High authorized. Okta handles the entire Identification and Authentication control family: user lifecycle management, password complexity enforcement, replay-resistant authentication, session timeouts, and role-based access control. This is the front door. When CrowdStrike Identity Protection integrates with Okta, you get coverage both at login and after authentication, which is where most identity-based attacks actually happen.
Controls: Access Control, Identification & Authentication (entire IA domain, 11 controls)

CrowdStrike Falcon (EDR, identity, and MDR). Falcon Enterprise for EDR/XDR plus Identity Protection for post-authentication behavioral monitoring, with Falcon Complete for managed detection and response. Full triage on every alert: persistence checks, PowerShell inspection, C2 analysis. In our internal cyber range testing, CrowdStrike took approximately three months to bypass against 260 reverse-engineered CISA threat samples, while comparable tools were bypassed within three days. Results may vary by environment and threat type. FedRAMP High authorized.
Controls: Incident Response, System & Information Integrity

Zscaler ZIA/ZPA (zero trust access). ZIA inspects all outbound traffic and catches credential exfiltration, C2 callbacks, and sensitive data leaving the boundary. ZPA provides Zero Trust Network Access into the enclave, replacing VPN entirely: application-level access only, no network footprint, no split tunneling, no VPN concentrator to patch. FedRAMP High authorized.
Controls: Access Control, System & Comms Protection, Media Protection

Azure Sentinel (SIEM/SOAR). The central nervous system. Every component (Zscaler, Okta, CrowdStrike, Intune, Defender, AvePoint, Qualys) streams its logs into Sentinel. AI-driven correlation connects events across all tools, and SOAR playbooks automate incident response workflows. When the C3PAO asks to see your audit logs, event correlation, and incident handling capability, Sentinel is where all of that evidence lives.
Controls: Audit & Accountability (entire AU domain, 9 controls), Incident Response

Qualys (vulnerability management). Continuous vulnerability scanning across the enclave. VMDR identifies missing patches, misconfigured baselines, and exploitable vulnerabilities, then prioritizes remediation by actual risk rather than CVSS score alone. CrowdStrike Spotlight tells you the problems; Qualys fixes them. Feeds scan results and remediation evidence directly into Sentinel.
Controls: Risk Assessment (entire RA domain, 3 controls), Configuration Management

KnowBe4 (security awareness). Phishing simulations, role-based security training, and insider threat awareness, because 68% of breaches involve a human element. Covers all three Awareness and Training controls and generates the training completion records your C3PAO will ask for. FedRAMP Moderate authorized.
Controls: Awareness & Training (entire AT domain, 3 controls)

AvePoint (data governance and backup). Cloud-to-cloud backup for GCC High: SharePoint, Teams, Exchange, OneDrive. Microsoft backs up their infrastructure, not your data. If ransomware encrypts your Teams files, Microsoft's SLA doesn't cover recovery; AvePoint does. Also handles M365 data governance and delegated admin controls. FedRAMP Moderate authorized.
Controls: Media Protection, System & Comms Protection
THE EMPLOYEE EXPERIENCE

What Does This Look Like for Your Team?

One of the first questions we get from defense contractors is: "What changes for my employees?" The answer depends on which side of the enclave boundary they sit on.

Employees who handle CUI (typically 20-50% of your workforce) get an enclave-enrolled device managed through Intune. They authenticate through Okta with adaptive MFA using phishing-resistant factors (FIDO2/WebAuthn or certificate-based authentication, not SMS codes). From there, they access GCC High for email, SharePoint, and Teams. Their internet traffic routes through Zscaler ZIA, which inspects outbound data to prevent CUI leakage.

When they connect to internal applications or shared resources, they use Zscaler ZPA — zero trust network access, no VPN. Their endpoint runs CrowdStrike, monitored by our SOC, with every log flowing into Azure Sentinel for centralized correlation and incident response. The experience feels like using a modern, well-configured laptop. The security is mostly invisible except when something genuinely suspicious happens.

Employees who don't handle CUI keep working exactly as they do today. Same commercial M365 tenant. Same devices. Same workflows. They're not dragged into a compliance program that doesn't apply to their work. This is the entire point of the enclave — the compliance boundary matches the data boundary, not your org chart.

Here's What Your Current Provider Probably Isn't Telling You

Most CMMC compliance shops are all-Microsoft. They put you on GCC High, deploy Intune, turn on Defender and Entra, and call it a day. That checks some boxes — but it doesn't stop a sophisticated attacker, and it leaves gaps in identity, visibility, and vulnerability management.

Defender is a solid baseline, but it's not CrowdStrike. Microsoft Entra handles identity, but Okta's adaptive MFA and lifecycle automation cover the entire IA control family more completely. Microsoft's built-in ZTNA (Global Secure Access) is architecturally sound but operationally immature — version 1.0 of something versus Zscaler's 15+ years of battle-hardened deployment.

And without a real SIEM aggregating logs across all your tools, your audit trail is scattered across six different consoles. We bring CrowdStrike, Zscaler, Okta, and Sentinel into the enclave because we've seen what happens in environments that rely solely on Microsoft-native security. We tested it in our cyber range. The results aren't close.

THE IMPLEMENTATION

How Does Ridge IT Implement CMMC Without Disrupting Your Business?


We don't over-architect. We don't try to solve every problem in week one. The enclave build follows a phased approach because doing it right matters more than doing it fast — and rushing compliance work is exactly how contractors end up with inflated SPRS scores, thin documentation, and a DOJ problem two years down the road.

Phase 1 — Scope and Gap Assessment (Weeks 1-4). Map every system that processes, stores, or transmits CUI. Identify who needs enclave access and who doesn't. Run the gap assessment against all 110 NIST 800-171 controls. Flag the 3-point and 5-point controls that can't go on a POA&M. Produce the remediation roadmap with realistic timelines.

Phase 2 — Enclave Build (Weeks 4-12). Stand up GCC High tenant. Configure Intune with DISA STIG baselines. Deploy CrowdStrike, Zscaler, and Okta to enclave endpoints and users. Stand up Azure Sentinel as the central SIEM and connect log streams from every component. Configure Qualys for continuous vulnerability scanning. Roll out KnowBe4 security awareness training. Migrate enclave users to the government environment. For defense contractors moving to cloud infrastructure alongside CMMC certification, see our managed cloud migration services for Zero Trust architecture integrated with your enclave.

Begin generating evidence artifacts — because the C3PAO needs to see that controls have been operating, not just that they were turned on yesterday.

Phase 3 — Evidence Maturation and SOC Integration (Weeks 12-24). Run the enclave under operational monitoring. Accumulate the evidence logs, incident response records, and configuration management documentation that demonstrate your controls are institutionalized — not just implemented. Prepare the System Security Plan (SSP) and POA&M documentation. Book the C3PAO assessment.

Phase 4 — Assessment Support and Ongoing Compliance. Ridge IT supports the C3PAO assessment as your RPO — providing architecture documentation, answering technical questions, and demonstrating control implementation. After certification, we don't disappear. Our managed SOC continues monitoring the enclave. Continuous compliance maintenance means your next annual affirmation is based on a real operating posture, not a scramble to recreate evidence from twelve months ago.

Total timeline from kickoff to C3PAO assessment readiness: typically 4-6 months for a well-scoped mid-market enclave. Organizations with more complex environments or significant remediation gaps may need 6-9 months. The DoD's MSP pilot demonstrated that a managed service approach can achieve full compliance in as little as two months for prepared organizations — the enclave model is built for exactly this kind of acceleration.

41 Documents. All 110 Controls. All 14 Domains.

Here's the part that usually surprises contractors: documentation is the biggest bottleneck in CMMC certification, not technology. Most organizations underestimate how much policy, procedure, and evidence documentation a C3PAO assessment requires.

We've built a complete CMMC documentation library — 41 documents covering every control across all 14 NIST 800-171 domains. That includes the full System Security Plan with all 110 controls pre-populated for the enclave architecture, 17 policy and procedure documents, an evidence collection tracker mapped to all 110 controls with interview prep for 7 key roles, operational tools like maintenance checklists and change management logs, and user agreements and forms for account requests, remote access, and CUI handling.

The scoping and boundary documentation covers CUI data flow diagrams, system boundary definitions, and FIPS 140-2 crypto module inventories — everything C3PAOs review before they even start assessing controls. Your team isn't starting from a blank page.

SCOPING & ISOLATION

CMMC Enclave Architecture: How Ridge IT Scopes and Isolates CUI

The enclave architecture isn't magic — it's a deliberate separation strategy. Contractors often make the mistake of thinking "bigger scope is more secure" when the opposite is usually true. A larger scope means more attack surface, more systems to harden, more users to manage, and more places where gaps hide from assessors.

Ridge IT's approach starts with scoping: define exactly what systems touch CUI and what systems don't. Then build a hardened boundary around just the systems that need it. This isn't network segmentation alone — it's a complete isolation strategy: separate Microsoft 365 tenant (GCC High for CUI, commercial for operations), separate Intune enrollment, separate Zero Trust identity boundary, separate network segments, separate backup and disaster recovery, separate incident response procedures.

The result? An enclave that's auditable, secure, and fast to certify because the scope is small enough to be controllable.

THE ADVANTAGE

Why Does the Enclave Approach Win on Scope, Speed, and Ownership?

The enclave model's biggest advantage is scope reduction. Instead of hardening every system in your organization, you define a CUI boundary and only the systems inside that boundary get assessed. Correctly scoping your CUI environment can dramatically reduce the number of systems the C3PAO needs to evaluate — which means a faster assessment, fewer potential gaps, and a cleaner path to certification.

The smaller the enclave, the fewer systems to harden, the fewer endpoints to monitor, and the less documentation to maintain between assessment cycles. Organizations that try to make their entire environment compliant end up with a larger attack surface for the assessor to examine and more places where gaps can hide.

And here's the number that matters most: zero. That's what your certification is worth when you lose a contract because you weren't ready. The enclave isn't overhead — it's the cost of staying in the defense business.

You Own Everything. Always.

Every license in the enclave stack — GCC High, CrowdStrike, Zscaler, Okta, Sentinel, Qualys, KnowBe4, AvePoint — is purchased in your name, under your admin control. If you ever decide to leave Ridge IT, your licenses stay with you. Your data stays with you. Your SSP stays with you.

We don't believe in black boxing. That's not just a policy — it's how we operate. A lot of providers build environments designed to make you dependent on them. We build environments that make you independent and secure.

YOUR NEXT 90 DAYS

What Should Defense Contractors Do Before June 2026?


If you're reading this in March 2026 and you haven't started your CMMC journey, here's the honest truth: you probably can't get fully certified before November 10. Typical Level 2 certification takes 6-12 months from gap assessment to successful C3PAO evaluation. But you can be in process — and being in process with a booked C3PAO, a completed gap assessment, and active remediation puts you in a vastly better position than having done nothing.

Step 1: Know your level. If you only handle Federal Contract Information (FCI) and never touch CUI, you're Level 1 — annual self-assessment, 15 controls, no C3PAO required. But if any contract involves CUI — and many contractors discover more CUI touchpoints than they initially estimated — you need Level 2. Check your contract DFARS clauses. Don't guess.

Step 2: Scope your CUI environment. Map every system that processes, stores, or transmits CUI. Most organizations discover 30-40% more CUI touchpoints than they initially thought. This is where the enclave model pays for itself — by reducing scope to a defined boundary instead of trying to make everything compliant.

Step 3: Run a real gap assessment. Not a checkbox exercise. A technical assessment against all 110 NIST 800-171 controls that shows you exactly where you stand and what needs to change. Pay attention to the 3-point and 5-point controls — those cannot be on a POA&M.

Step 4: Book your C3PAO now. Quality assessors are booking months in advance. The longer you wait, the fewer options you'll have. Lock in your assessment slot even if you're still remediating.

Step 5: Make sure your SPRS profile is current and accurate. As of February 2025, DIB organizations can enter CMMC Level 2 self-assessment data in SPRS. Your score must be no older than three years, and annual affirmation is now required. If your SPRS score is stale or inflated, fix it before the DOJ fixes it for you.

Don't Let the Tail Wag the Dog

You don't do the audit to tell you what you're supposed to do from a security perspective. You do the security things, and the audit gives you the thumbs up. If your CMMC program starts and ends with compliance paperwork, you'll pass the first audit and fail the operational reality — and that operational reality is what the DOJ cares about.

THE BIGGER PICTURE

Passing the Audit Isn't Enough — You Need Actual Security

Here's what your current provider probably isn't telling you: CMMC certification and operational security are two different things. You can pass a C3PAO assessment and still get breached. You can have a perfect SPRS score and still have an attacker sitting in your network for months.

Compliance says you have the right controls documented. Security says those controls actually stop threats. We've been in the business long enough to know that the organizations that get breached almost always had "compliance" — they just didn't have someone actually watching the alerts, actually triaging the events, actually checking for persistence and lateral movement.

That's the difference between a compliance partner and an operating security partner. A compliance consultant tells you what to do. We actually do it. We build the enclave, deploy the stack, run the SOC, and respond to incidents — and the CMMC certification is a byproduct of doing security right, not a product in itself.

Compliance consultant versus Ridge IT (operating security partner):

Delivers. Compliance consultant: policies, gap report, SSP documentation. Ridge IT: enclave architecture, deployed security stack, managed SOC, documentation.
After certification. Compliance consultant: engagement ends or becomes an annual retainer for documentation maintenance. Ridge IT: managed SOC monitoring, full triage on every alert, continuous compliance maintenance.
When threats appear. Compliance consultant: calls you to report it. Ridge IT: stops it, triages it, documents it, reports it.
License ownership. Compliance consultant: varies. Ridge IT: you own everything, with full admin access, always.
CMMC controls covered. Compliance consultant: depends on which tools you bring. Ridge IT: 106 of 110 out of the box with the enclave stack.
CUI scope reduction. Compliance consultant: advises on it. Ridge IT: architects and builds the enclave that achieves it.
THE STANDARD

CMMC Level 2 Certification Requirements: The Full Compliance Checklist

CMMC Level 2 requires compliance with all 110 NIST SP 800-171 Rev. 2 requirements across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. (Recovery and Supply Chain Risk Management are not Rev. 2 families; SCRM appears only in Rev. 3, which CMMC does not yet use.)

What makes Level 2 "Level 2" is the requirement for a C3PAO (CMMC Third-Party Assessment Organization) assessment. Unlike Level 1, which allows self-assessment, Level 2 requires an independent assessor to validate that your controls operate as described in your System Security Plan. The assessment itself typically takes one to two weeks depending on scope, but the real work is the months of preparation: policy documentation, control implementation, evidence collection, and operating under real-world monitoring.

Ridge IT's 106-of-110 enclave stack addresses the technical controls immediately. The remaining 4 controls — organizational policy and procedures — are handled through our complete CMMC documentation library. Your C3PAO assessment doesn't discover gaps. It validates that controls are working.



Sources & Methodology

  1. DoD CMMC Program Office — CMMC 2.0 framework structure, level definitions, and assessment requirements.
  2. OUSD(A&S) CMMC Documentation — 110 NIST SP 800-171 controls mapped to CMMC Level 2.
  3. NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information in Nonfederal Systems.
  4. Federal Register, October 2024 — CMMC 2.0 final rule publication and implementation timeline.
  5. Ridge IT internal enclave architecture data — 106/110 NIST SP 800-171 controls covered by Ridge IT's standard enclave. Remaining 4 controls are organization-specific (e.g., personnel screening, physical security) and vary by client environment.
  6. Ridge IT internal cyber range testing — CrowdStrike bypass time based on internal testing against 260 reverse-engineered CISA threat samples. Results may vary by environment and threat type.