Mid-market DIB suppliers handling CUI
Mid-size defense suppliers who have to face a C3PAO and need an honest baseline first.
"Run the full 110-control NIST 800-171 self-assessment before your C3PAO walks in."
See the self-service journey this ICP walks through (PDF) →
~80,000 DIB companies handle CUI and must reach Level 2 — most are not ready.
Level 2 applies to contractors that process, store, or transmit Controlled Unclassified Information (CUI). It is built on NIST SP 800-171 Rev. 2 (with Rev. 3 transition planning underway) and its 110 security requirements, scored per NIST SP 800-171A assessment objectives using the DoD Assessment Methodology (max score 110).
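The scoring arithmetic behind "max score 110" is easy to get wrong, so here is an added example (not code from the page or from the assessment platform it describes) that applies the DoD Assessment Methodology rules to NIST SP 800-171A objective results. Two rules are the methodology's own: each unmet requirement deducts its 1, 3 or 5 point weight from 110, and only 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) earn partial credit, deducting 3 instead of 5. The weight table is a constructed excerpt transcribed from memory and the objective labels are illustrative; verify both against the methodology's Annex A and the 800-171A objective lists before relying on them.

```python
"""SPRS-style scorer: DoD Assessment Methodology arithmetic over 800-171A objectives.
Added example for illustration; load all 110 requirements for a real run."""
from dataclasses import dataclass

MAX_SCORE = 110  # score when every requirement is met

# Only these two requirements earn partial credit under the methodology:
# 3 points deducted instead of the full 5 when partially implemented.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Constructed excerpt of the 1/3/5 weights (assumption: transcribed from memory,
# verify each value against Annex A of the DoD Assessment Methodology).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.22": 1,   # control CUI on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}


@dataclass
class Requirement:
    """One 800-171 requirement with the 800-171A objective results beneath it."""
    req_id: str
    objectives: dict[str, bool]  # objective label -> True when evidence satisfies it
    partial: bool = False        # claimed partial implementation (3.5.3 / 3.13.11 only)


def requirement_status(req: Requirement) -> str:
    """A requirement is 'met' only when EVERY objective under it is satisfied.
    This is the 'different math': one objective without evidence turns a control
    the SSP marks 'implemented' into a full deduction."""
    if all(req.objectives.values()):
        return "met"
    if req.partial and req.req_id in PARTIAL_DEDUCTION:
        return "partial"
    return "not_met"


def score(requirements: list[Requirement], weights: dict[str, int] = WEIGHTS):
    """Return (score, deductions). Requirements not supplied count as met,
    which is why a real assessment must feed in all 110."""
    total = MAX_SCORE
    deductions = []
    for req in requirements:
        if req.req_id not in weights:
            raise KeyError(f"no weight recorded for {req.req_id}")
        status = requirement_status(req)
        if status == "met":
            continue
        points = PARTIAL_DEDUCTION[req.req_id] if status == "partial" else weights[req.req_id]
        total -= points
        deductions.append((req.req_id, status, points))
    return total, deductions


# Constructed sample: objective labels are illustrative, not the full 800-171A lists.
SAMPLE = [
    Requirement("3.1.1", {"a": True, "b": True, "c": True}),
    Requirement("3.3.1", {"a": True, "b": True, "c": False}),     # 'we do this' but one objective has no evidence
    Requirement("3.5.3", {"a": True, "b": False}, partial=True),  # MFA for privileged/remote users only
    Requirement("3.1.22", {"a": False}),
]

if __name__ == "__main__":
    total, ded = score(SAMPLE)
    for req_id, status, pts in ded:
        print(f"{req_id:8} {status:8} -{pts}")
    print("score:", total)  # 110 - 5 - 3 - 1 = 101
```

Note that the 3.5.3 row only gets partial credit because `partial=True` and the requirement is one of the two the methodology allows; the same flag on 3.3.1 would still produce a 5 point deduction. That is the check to run against a GRC tool that scores "controls" as percentages.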
Most Level 2 contracts will require a triennial third-party assessment by a C3PAO listed in the Cyber AB Marketplace, plus an annual senior-official affirmation. A subset of less-sensitive CUI contracts may permit self-assessment at Level 2 — but the assessment rigor is identical.
DoD's rollout phases L2 into solicitations between 2025 and 2028. Prime contractors are not waiting: by mid-2025, many T1 primes had already inserted L2 readiness milestones into supplier development plans. The going rate for a C3PAO assessment is $40k–$150k+ depending on scope, and re-assessments triggered by a failed first attempt double the bill.
The buyer here is no longer just the owner. There is usually an IT director or CISO/vCISO, an internal compliance lead, and a contracts/program manager — and they all have different anxieties. The killer pain is uncertainty: they have a System Security Plan (SSP) and a POA&M somewhere, but no one believes the score on the cover page.
How to filter your list.
- Employee count: 50–1,000 (sweet spot 100–500)
- Revenue: $10M–$500M
- NAICS codes: 334511, 336411, 336413, 336992, 541330, 541380, 541512, 541713, 541714, 541715
- Geography: DIB clusters (VA/MD/DC, MA, CO, AL, TX, CA, OH, FL)
- Government data: handles CUI under DFARS 252.204-7012; may include CDI
- Tech stack signals: GCC High or working on it; Splunk/Sentinel/Defender; MDR/MSSP
- Compliance posture: already has an SSP and POA&M; SPRS score often <88 and stale
Who's actually in the room.
IT Director / VP Engineering
- Owns: the technical environment that has to satisfy 110 controls, plus the enclave decision (on-prem, GCC High, hybrid).
- Fears: failing the C3PAO assessment publicly; being blamed for a missed POA&M.
- Measured on: C3PAO pass on first try; uptime; budget control.
- Where to find them: InfoSec subreddits, Project Spectrum, NDIA, BSides regional events.
CISO / vCISO / Compliance Manager
- Owns: SSP, POA&M, evidence library, supplier risk program.
- Fears: auditor finds a control marked 'implemented' that isn't. Personal reputational risk.
- Measured on: SPRS score; audit findings closed; framework crosswalk maintained.
- Where to find them: ISACA, ISC2 local chapters, IANS, GRC vendor user groups.
Contracts / Program Director
- Owns: customer relationship with the DoD prime or PCO. Reads the DFARS clauses line by line.
- Fears: a contract is at risk because IT can't produce evidence.
- Measured on: contract retention, expansion, on-time deliverables.
- Where to find them: NCMA, NDIA, supplier-portal training events.
When the buying window opens.
For each trigger, here's how to detect it for free. Set Google Alerts, RSS, or LinkedIn Sales Navigator job-change alerts and you'll see them before competitors do.
What they're losing sleep over.
- Their SSP was last updated 2 years ago by someone who left
- POA&M items are open past their original 'milestone' dates
- Internal IT can't translate NIST 800-171A assessment objectives into evidence
- GCC High migration is half done and budget is exhausted
- Procurement is asking for a date-certain Level 2 attestation
- They got a $80k C3PAO quote and want a baseline before they spend it
- Subcontractor flow-down: they have to enforce L2 down their own supply chain
- Cyber insurance underwriter is asking the same control questions
What converts.
"Know your real 110-control posture before a C3PAO walks in the door."
Mapped to NIST 800-171A assessment objectives, scored using the DoD methodology, and exportable as your refreshed SSP + POA&M.
"Protect the contract you have AND the next contract you're bidding."
Show prime contractors and the PCO a defensible score with audit-grade evidence — not last year's spreadsheet.
"Stop paying consultants $300/hr for things your team can self-serve."
Use the consultant for the genuinely hard control families; let your team handle the obvious ones in the platform.
What you'll hear, and what to say.
"We already use Drata / Vanta / Secureframe."
→ Those tools are SOC 2-native and bolt on CMMC. The DoD methodology scores assessment objectives, not controls — different math, different evidence. Worth a parallel score to see if the numbers agree.
"Our RPO is handling everything."
→ Perfect time for an independent baseline. RPOs don't certify and they don't grade themselves; a self-assessment lets you verify their gap analysis matches reality before you spend on C3PAO prep.
"We'll do the C3PAO and skip the self-assessment."
→ C3PAO assessments fail most often on basic evidence hygiene, not control absence. A self-assessment catches the 12–20 controls where 'we do this' isn't yet 'we can prove this' — before the auditor's clock starts.
"NIST is releasing 800-171 Rev. 3, why bother with Rev. 2?"
→ DoD has explicitly stayed on Rev. 2 for CMMC L2 assessments. Rev. 3 work is forward-looking; your contract obligations are Rev. 2 today.
"Too expensive — we'll wait."
→ DoD's phased rollout means the requirement WILL appear in your next recompete. Waiting compresses the timeline; the cost goes UP, not down, when you're racing a contract date.
Copy. Paste. Replace the placeholders.
Six prompts tuned for this ICP. Replace {{placeholders}} with your real inputs. Each prompt names the AI engines it works best with.
Build a CMMC Level 2 readiness brief on {{company}}.
Pull from public sources only:
1. DoD revenue exposure
- Active prime + sub awards in the last 36 months (USAspending.gov).
- Top customer primes; estimated annual DoD revenue.
- Any classified or ITAR indicators (8(a), facility clearance, DDTC registration).
2. CUI footprint indicators
- Job postings mentioning "CUI," "DFARS," "ITAR," "GCC High," "CMMC."
- Press releases mentioning enclave migrations, CMMC roadmaps, or RPO engagements.
3. Buying committee on LinkedIn
- CISO, IT Director, VP Engineering, Compliance Manager, Contracts/Program Director.
- Tenure in role; any recent hires in the last 6 months.
4. SPRS / Cyber AB signals
- Public mention of an SPRS score (rare but check).
- Any C3PAO or RPO listed as a partner.
- Whether {{company}} itself appears in the Cyber AB Marketplace.
5. Trigger surface
- Recent contract awards.
- Recent breach/incident disclosures (state AG portals, DataBreaches.net).
- Funding, M&A, exec hires.
6. Recommended approach
- Likely scope (small enclave vs whole-environment).
- 3 specific control families where they're most likely to struggle (justify with sector context).
Return as markdown with section headers and source URLs.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Generate a list of 20 mid-market US defense suppliers (50–1,000 employees) that are likely 6–18 months away from a C3PAO assessment.
Inclusion signals (any 2+):
- Active DoD prime/sub award ≥$5M in last 24 months (USAspending.gov)
- Recent LinkedIn hires with "CMMC," "compliance," "GRC," or "CISO" in title
- Public mention of GCC High migration, CUI enclave, or "CMMC Level 2"
- NAICS in: 334511, 336411, 336413, 336992, 541330, 541380, 541512, 541713, 541714, 541715
- Headquartered in: {{state_or_region}}
Exclusion signals (any 1):
- Already C3PAO-certified (search "{company name} CMMC certified")
- Listed as a C3PAO themselves on cyberab.org/Marketplace
- Public parent that mandates a specific GRC tool
Return as a table:
| Company | UEI | Est. employees | DoD revenue (proxy) | Top prime | Recent compliance hire? | GCC High signal? | CISO / IT Dir LinkedIn | Recommended opening hook |
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Write a 3-touch outbound email sequence to {{first_name}}, {{title}} at {{company}}.
Context:
- {{company}} handles CUI under DFARS 252.204-7012 and has a {{prime_name}} subcontract.
- Trigger event: {{trigger_event}} (e.g. "hired a Director of Compliance in March," "RFI dropped requiring L2 by FY27").
- They likely have an SSP but it's stale.
- Sender: {{partner_name}} from {{partner_company}}.
Constraints:
- Touch 1: ≤120 words. Opens with the trigger. Frames the assessment as "score the controls the way DoD scores them — before your C3PAO does."
- Touch 2 (day 4): ≤90 words. Drop a specific control-family observation common in their sector (e.g. AC, AU, IR).
- Touch 3 (day 9): ≤50 words. Break-up.
- No "I hope this finds you well." No "circling back."
- CTA: {{affiliate_link}} — frame as a self-service readiness check, NOT a sales call.
Return as three labeled blocks with SUBJECT + BODY.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Draft a 4-step LinkedIn cadence to {{first_name}} ({{title}} at {{company}}).
1. Connection note (≤300 chars): reference a specific recent post they wrote OR their {{trigger_event}}. No pitch.
2. DM #1 (post-accept): observation about a sector-specific CMMC L2 pitfall + one open question.
3. DM #2 (day 5): a single hyperlink — {{affiliate_link}} — with the framing "if you want to score it yourself before the C3PAO clock starts."
4. DM #3 (day 12): one-line break-up that leaves the door open.
Voice: peer security/engineering leader. No buzzwords. No "synergies." Reference NIST 800-171 by section when relevant.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Build a 25-minute discovery script for {{first_name}} ({{title}} at {{company}}).
Sections:
1. Open (2 min): confirm time, restate the hypothesis ("you have an SSP, you're not confident in the score, and you have a C3PAO date forming"), get permission for 6 questions.
2. Six qualifying questions:
- When did you last refresh your SSP, and who owns it now?
- What's your current self-reported SPRS score, and how old is it?
- Have you scoped your CUI environment yet — full org, enclave, or hybrid?
- GCC High: not started / in progress / done / not pursuing?
- Which control families do you suspect are weakest? (AC, AU, IR, CM, MA are common)
- Have you booked a C3PAO yet — and if yes, when's the readiness deadline?
3. Bridge to product (3 min): map their answers to the self-service Level 2 assessment workflow.
4. Close: book a working session, OR send the {{affiliate_link}} for them to start themselves.
Include a branching note: if no CUI is actually present, route to Level 1.
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

You are a senior CMMC RP (Registered Practitioner) responding to {{first_name}} ({{title}}, {{company}}).
They just said:
"{{objection}}"
Reply in 3–5 sentences. Rules:
- Acknowledge in their language first.
- Cite NIST SP 800-171 Rev. 2, 800-171A, DFARS 252.204-7012/-7019/-7021, or 32 CFR Part 170 by clause/section when relevant.
- Surface a specific assessment objective if the objection touches a control area.
- End with a forward-moving question, not a pitch.
- No defensive language. No "actually."
Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Go deeper.
Authoritative public sources. Bookmark these — they're the source of truth your prospects' own teams are reading.
NIST SP 800-171 Rev. 2 — Protecting CUI in nonfederal systems
The 110 controls that ARE Level 2. Required reading.
NIST SP 800-171A — Assessing security requirements for CUI
The assessment objectives the DoD methodology actually scores against.
DoD Assessment Methodology v1.2.1
How the SPRS score is calculated (max 110, deductions per missed control).
DFARS 252.204-7012 — Safeguarding covered defense information
The clause that already requires NIST 800-171 implementation today.
DFARS 252.204-7019 — NIST SP 800-171 DoD Assessment Requirements
The clause that requires the SPRS score before contract award.
32 CFR Part 170 — CMMC Program final rule
Binding program rule. §170.16/170.17 cover L2 self-assessment vs C3PAO assessment.
Cyber AB Marketplace (C3PAOs, RPOs, RPs)
Find a C3PAO; check if your prospect is already engaged with one.
DoD CUI Registry (NARA)
Definitive list of CUI categories. Determines whether a contract triggers L2.
Project Spectrum
DoD-funded readiness tools small/mid contractors trust.
Microsoft GCC High overview
Many L2 prospects are mid-GCC-High migration; understand the platform.
When NOT to pursue
These prospects won't convert through the self-service flow.
- Already has a current C3PAO certification (within 3 years)
- Pure commercial business — no DoD or federal exposure
- Handles only FCI; Level 1 is the right product
- DIB Cybersecurity Strategy is owned by a parent enterprise that mandates a specific platform