Defense Industrial Base · CMMC 2.0 Level 1 & Level 2

CMMC 2.0 compliance for Utah & Tennessee defense contractors

Gap assessment, SSP & POA&M, 24/7 human-led SOC, and the control stack that actually runs — operated by engineers on the ground in Salt Lake City and Knoxville.

Book a CMMC Scoping Call

CMMC 2.0 isn’t a paperwork exercise.

If your business does work with a Department of Defense prime, supplies a DIB manufacturer, or bids on federal contracts that touch Controlled Unclassified Information (CUI), you’ve already seen the letters: your prime wants CMMC 2.0 Level 2 by the next renewal.

The path to Level 2 isn’t a checklist someone hands your internal IT generalist. It’s 110 controls from NIST SP 800-171 Rev. 2, each requiring deployed technology, written policy, and evidence the assessor will ask to see. Most SMBs in the Utah Defense Industrial Base around Hill AFB — and the East Tennessee DIB clusters around Oak Ridge and the I-75 corridor — can’t run that stack internally without hiring three full-time roles they’d rather not pay for.

Gravity Networks runs the controls and writes the documentation, from one engagement, with engineers on the ground in both metros. By the time the C3PAO walks in, your environment has been operating at Level 2 for months — not assembled for the audit.

How a CMMC engagement actually runs

Phase 1

Gap assessment (2 weeks)

We walk all 110 NIST SP 800-171 Rev. 2 controls against your current environment. Each control is mapped to an owner, an evidence location, and a remediation effort. You get a prioritized punch list with a realistic timeline before any implementation work starts.

Phase 2

CUI enclave architecture (3–4 weeks)

Define the scope boundary. Segment the systems that touch CUI (engineering workstations, file shares, mailboxes that handle CUI-marked threads) into a tightly controlled enclave — usually Microsoft 365 GCC High or a hardened Azure subscription with access controls, conditional access, and logging.

Phase 3

Control deployment (4–8 weeks)

Roll out the technical control stack: managed EDR on every endpoint, 24/7 human-led SOC, ITDR on the M365 tenant, centralized SIEM, phishing-resistant MFA for privileged accounts, encrypted backups with tested restores, vulnerability scanning on cadence.

Phase 4

SSP & POA&M documentation (parallel)

Written System Security Plan covering all 110 controls in plain English — how each one is implemented in your environment. Plan of Action & Milestones for any gaps with named owners and target dates. Updated quarterly during operations.

Phase 5

Mock assessment (1 week)

We bring in an experienced reviewer (independent of the implementation team) to walk your SSP and evidence as though they were the C3PAO. You find the gaps now, not in front of the real assessor, and close them in a remediation cycle before submission.

Phase 6

Operate + maintain (ongoing)

Controls have to keep running. We operate the stack, update the SSP quarterly, close POA&M items on schedule, and produce the evidence packet ready for the next assessment window — so you don't rebuild from scratch every three years.

What’s in the stack

Roughly two-thirds of CMMC Level 2 controls map to technology we already operate for every Gravity client. Our cybersecurity stack covers the heavy ones; the CMMC engagement adds CUI-specific architecture, documentation, and the assessment-prep work.

  • Managed EDR on every endpoint touching CUI — host isolation in one click, host-level audit trail
  • 24/7 human-led SOC (analysts triage alerts in real time — no after-hours coverage gap)
  • Managed ITDR on the Microsoft 365 tenant — account-takeover, BEC, rogue OAuth app detection
  • Centralized SIEM with 90+ day log retention across email, endpoints, network, and cloud
  • Phishing-resistant MFA (hardware key / Passkey) for privileged and admin accounts
  • Conditional access policies blocking legacy authentication on every CUI-scoped account
  • Encryption at rest (BitLocker, M365) and in transit (TLS 1.2+) with documented configuration
  • Immutable backups with a defined restore-test cadence and a written DR runbook
  • Vulnerability scanning + patch management on a documented cadence (not 'when we get to it')
  • Security awareness training with phishing simulations — annual minimum, monthly for privileged users
  • Written incident response plan + annual tabletop exercise with your leadership
  • System Security Plan (SSP) and Plan of Action & Milestones (POA&M) — written, updated, audit-ready

Why a bi-state DIB MSP matters

Local in both Utah and Tennessee.

Utah’s Defense Industrial Base ecosystem runs from Hill Air Force Base south through Salt Lake County into Utah Valley — sustainment, engineering, software, cyber, and supply-chain contractors all subject to CMMC 2.0 Level 2.

East Tennessee’s DIB is anchored by Oak Ridge National Laboratory and the I-75 corridor manufacturers feeding DoD programs out of Knoxville. Same control bar, same assessment timelines.

We operate from offices in Salt Lake City and Knoxville, with engineers who know both ecosystems. One team, one runbook, two states.

CMMC QUESTIONS FROM DIB OWNERS

What defense contractors ask us before the first scoping call.

Do I need CMMC 2.0 Level 1 or Level 2?

Level 1 (17 controls) is required if you handle Federal Contract Information (FCI) but no Controlled Unclassified Information (CUI). Level 2 (110 controls aligned to NIST SP 800-171 Rev. 2) is required for any DoD prime, sub, or supplier handling CUI — which includes most engineering drawings, technical specs, and program documentation marked Distribution Statement B/C/D/E/F. Most DIB SMBs need Level 2. If you're unsure, your contracting officer or prime can tell you whether your work touches CUI.

How long does it take to reach CMMC 2.0 Level 2?

For a typical 25–75 employee Utah or Tennessee defense contractor: 90–150 days from kickoff to internal pre-assessment, depending on the starting posture and whether you need a CUI enclave architecture. The longest pole is usually segmenting CUI-touching systems and writing the System Security Plan (SSP). The control stack itself (EDR, SOC, MFA, logging, encryption) deploys in weeks once scoped.

What's the difference between a CMMC self-assessment and a C3PAO assessment?

Self-assessments (for Level 1, and for Level 2 contracts that don't require third-party verification) post a score to the DoD's SPRS database. C3PAO assessments (required for most Level 2 work) are formal third-party evaluations by a certified assessment organization. We prep clients for either path — same control stack, same SSP/POA&M, with a mock assessment by an experienced reviewer before the real one.

Do you handle the SSP and POA&M, or just the technical implementation?

Both. We deploy and operate the technical controls (EDR, SIEM, ITDR, encryption, MFA, conditional access, logging) AND we write the documentation an assessor reads — the System Security Plan, Plan of Action & Milestones, data-flow diagrams, and the procedural documentation that proves each control is actually operating. Many MSPs do one or the other; we do both because in a real assessment the two have to match.

Where does Utah fit into CMMC?

Hill Air Force Base in northern Utah anchors a large Defense Industrial Base supply chain — engineering, manufacturing, sustainment, and IT services contractors all flow through the Hill ecosystem and increasingly require CMMC 2.0 Level 2 for renewal. Utah and Tennessee defense contractors face the same control bar; we operate from both metros so the support is local in either state.

Will we be locked into Gravity for the operational phase?

No. Like the rest of our managed services, CMMC engagements run month-to-month after the implementation project. Every SSP, POA&M, configuration document, and evidence file is yours — if you ever leave, you take the full assessment-ready packet with you. We hold clients by doing the work well, not by contract language.

What if our prime contractor pushes the renewal deadline forward?

It happens. When a prime accelerates the requirement, the playbook compresses by prioritizing ruthlessly: deploy the technical control stack first (EDR, SOC, MFA, logging — these score the most points in the SPRS rubric), write the SSP in parallel, and document non-critical gaps in the POA&M with target dates rather than completion dates. Talk to us early — even a 30-day head start materially changes what's achievable inside the new window.