Central Florida is one of the most concentrated defense industrial bases in the United States. From the simulation and training facilities clustered around Lake Nona to the aerospace primes lining the I-4 corridor through Orlando, Kissimmee, and into the Space Coast, the region generates billions of dollars in Department of Defense contracts annually. That concentration of defense work means one thing for the hundreds of companies in the supply chain: the Cybersecurity Maturity Model Certification program is no longer optional.
CMMC 2.0 has been codified into the Defense Federal Acquisition Regulation Supplement. Contract clauses are appearing in new solicitations, and the DoD has made clear that contractors who handle Controlled Unclassified Information must demonstrate compliance with NIST SP 800-171 and, in many cases, undergo a third-party assessment before award. For the defense industrial base in Central Florida, the question is no longer whether CMMC compliance is required but whether your organization is ready for assessment today.
This guide is written for security practitioners, compliance leads, and executives at defense contractors in the Orlando metro area. It covers what CMMC 2.0 Level 2 actually requires, how CUI handling translates into concrete controls, why penetration testing fits into the compliance framework, and how to build an assessment-ready program.
Why Central Florida Is Ground Zero for CMMC
The I-4 corridor has a defense industrial footprint that rivals any metro in the country outside of the Beltway. Lockheed Martin's Orlando facility is one of the largest producers of guided weapon systems in the world. L3Harris Technologies, headquartered in Melbourne, is a major prime contractor with a significant Orlando presence. Raytheon Technologies and Northrop Grumman both maintain substantial operations in the region. Collins Aerospace, Leidos, SAIC, and dozens of mid-tier defense companies round out the prime contractor landscape.
But the prime contractors are not the ones scrambling for CMMC compliance. They have entire compliance and information security organizations. The companies that face the most acute CMMC pressure are the hundreds of small and mid-sized subcontractors in the supply chain: the engineering firms, software developers, systems integrators, simulation technology companies, and specialized manufacturers that flow down from those primes.
Florida's Modeling, Simulation, and Training industry is particularly relevant. The Orlando region has the largest concentration of MS&T companies in the country, largely because of the proximity to military training ranges and the legacy of STRICOM (now Program Executive Office for Simulation, Training, and Instrumentation, or PEO STRI) at the University of Central Florida Research Park. Companies in this sector routinely handle CUI related to training scenarios, weapons system specifications, and adversary modeling. CMMC Level 2 is the baseline for nearly all of them.
If your company holds or touches DoD contracts in Central Florida, and those contracts involve any technical data, engineering drawings, software, research, or systems specifications related to a defense program, you almost certainly handle Controlled Unclassified Information. That makes CMMC Level 2 your compliance floor.
CMMC 2.0: The Three-Level Framework
The original CMMC 1.0 model had five maturity levels. CMMC 2.0, finalized through rulemaking, collapsed those to three levels and aligned them more directly with existing NIST standards. Understanding which level applies to your contracts is the first analytical step.
| Level | Requirements | Assessment Type | Who It Applies To |
|---|---|---|---|
| Level 1 (Foundational) | 17 practices from FAR 52.204-21 | Annual self-assessment | Contractors handling Federal Contract Information (FCI) only |
| Level 2 (Advanced) | 110 practices from NIST SP 800-171 | Triennial C3PAO assessment (for critical programs) or self-assessment with senior official affirmation | Contractors handling CUI on DoD programs |
| Level 3 (Expert) | 110 NIST 800-171 practices plus a subset of NIST 800-172 | Government-led assessment by DCSA | Contractors on the highest-priority programs, typically those involving advanced persistent threat risk |
For the overwhelming majority of Central Florida defense subcontractors, Level 2 is the target. Level 1 applies to companies that handle only general federal contract information with no CUI designation. Level 3 applies to a much smaller set of companies working on specifically designated programs, assessed directly by the Defense Counterintelligence and Security Agency.
The most significant operational change in CMMC 2.0 for Level 2 contractors is the bifurcation between self-assessment and third-party assessment. Whether a given program requires a C3PAO (CMMC Third-Party Assessment Organization) assessment is determined by the contracting officer and specified in the solicitation. Companies should not assume self-assessment suffices for all programs. If the contract solicitation includes DFARS clause 252.204-7021 and specifies Level 2 with a C3PAO assessment, you need a certified third-party assessment before award.
NIST SP 800-171: The Technical Foundation
CMMC Level 2 is a direct mapping to the 110 security requirements in NIST Special Publication 800-171 Revision 2, organized across 14 control families. Understanding the structure of 800-171 is essential to building a compliant program rather than chasing individual controls in isolation.
The 14 Control Families
NIST 800-171 organizes its 110 requirements into the following families:
- Access Control (AC) — 22 requirements: Who can access what, and under what conditions. Covers user account management, least privilege, remote access controls, and wireless access.
- Awareness and Training (AT) — 3 requirements: Security awareness training for all personnel and role-based training for those with security responsibilities.
- Audit and Accountability (AU) — 9 requirements: Logging, log protection, review, and retention. A frequent gap for small contractors who have not deployed a centralized logging solution.
- Configuration Management (CM) — 9 requirements: Baseline configurations, change control, least functionality, and software restrictions. Running unnecessary services on systems that touch CUI is a common finding.
- Identification and Authentication (IA) — 11 requirements: Multi-factor authentication for CUI systems is required. This is one of the most frequently failed controls in self-assessments.
- Incident Response (IR) — 3 requirements: An incident response capability must exist, be tested, and incidents must be reported to appropriate authorities.
- Maintenance (MA) — 6 requirements: Controlled maintenance, sanitization of media removed from CUI systems, and supervision of maintenance personnel without full access.
- Media Protection (MP) — 9 requirements: Marking, storage, transport, and sanitization of media containing CUI.
- Personnel Security (PS) — 2 requirements: Screening of individuals in roles that handle CUI and termination/transfer procedures.
- Physical Protection (PE) — 6 requirements: Physical access controls to systems that store or process CUI. Relevant for offices, server rooms, and manufacturing floors.
- Risk Assessment (RA) — 3 requirements: Regular risk assessments, vulnerability scanning, and remediation of identified risks.
- Security Assessment (CA) — 4 requirements: Periodic assessment of security controls, a system security plan, and a plan of action and milestones (POA&M) for deficiencies.
- System and Communications Protection (SC) — 16 requirements: Network segmentation, boundary protection, encryption of CUI in transit and at rest, and separation of user functionality from system management.
- System and Information Integrity (SI) — 7 requirements: Malware protection, security alerts, software and firmware patching, and monitoring of information systems.
A CMMC Level 2 assessment evaluates all 110 requirements. Each requirement is either met, not met, or met with a plan of action. Under CMMC 2.0 rules, a company can receive a conditional certification with an active and credible POA&M for certain deficiencies, but the DoD has published specific limits on which requirements can be in a POA&M and for how long. High-priority requirements like multi-factor authentication cannot be deficient at the time of assessment.
Common High-Risk Control Gaps in the Central Florida Market
Based on working with defense subcontractors in the Orlando region, several control families consistently surface as problem areas:
- Identification and Authentication (IA.3.083): Requiring MFA for all access to systems processing CUI. Many small defense contractors rely on single-factor authentication for internal systems, including email and shared drives that contain CUI. This is a binary requirement with no partial credit.
- Audit and Accountability (AU.2.041 through AU.2.044): Creating and retaining audit logs for events that could affect CUI. Small contractors often have no centralized SIEM, no defined log retention policy, and no process for reviewing logs. Deploying and configuring a logging infrastructure is often the single largest technical project in a CMMC readiness engagement.
- Configuration Management (CM.2.061): Establishing and maintaining baseline configurations for information systems. Ad-hoc workstation management, no group policy enforcement, and no documented baseline are all common findings.
- System and Communications Protection (SC.3.177): Encrypting CUI on mobile devices and portable storage. USB drives with unencrypted data, unencrypted laptops taken to customer sites, and cloud storage without encryption controls are recurring gaps.
- Risk Assessment (RA.2.141): Scanning for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified. Many contractors have never run a vulnerability scan against their own environment.
Controlled Unclassified Information: What It Is and Why It Matters
The entire CMMC Level 2 framework exists to protect Controlled Unclassified Information. But CUI is a category that is widely misunderstood, and that misunderstanding is one of the root causes of compliance gaps.
CUI is not classified information. It is not information that requires a security clearance to access. CUI is a government-designated category of sensitive information that requires safeguarding and dissemination controls pursuant to law, regulation, or government-wide policy. The National Archives administers the CUI Registry, which catalogs the specific categories and subcategories.
For defense contractors in Central Florida, relevant CUI categories typically include:
- Technical Data (CTI): Engineering drawings, specifications, technical manuals, and design documentation for defense systems. Any company receiving CAD files or specifications from a prime contractor is almost certainly handling CTI.
- Export Controlled (EXPT): Information subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). Nearly all MS&T companies handling simulation models of military systems are handling export-controlled CUI.
- Controlled Technical Information (CTI under DoD overlay): Technical information with a military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Privacy (PVT): Personnel records, employee screening results, and other information protected under the Privacy Act.
- Law Enforcement (LEI): Less common for commercial defense contractors, but may appear in contracts with security agencies.
The CUI identification problem: Many contractors in the supply chain receive CUI without knowing it has been formally designated. A prime contractor sends technical specifications via email, and the subcontractor stores them in an uncontrolled shared drive. The information is CUI regardless of whether it is labeled. Under CMMC, your obligation to protect CUI begins the moment you receive it, not when someone puts a banner on it. If you work with any technical data related to a defense program, assume it is CUI until you have confirmed otherwise.
CUI System Boundary: Defining the Assessment Scope
One of the most critical decisions in a CMMC compliance program is defining the CUI enclave, the boundary of systems, networks, and devices that store, process, or transmit CUI. The scope of a CMMC Level 2 assessment is determined by the CUI enclave. Every system inside the boundary must satisfy all 110 NIST 800-171 requirements. Systems outside the boundary are out of scope.
Scoping the CUI enclave is both a technical and a business decision. A broader enclave simplifies data management (all CUI is in one place) but increases the compliance burden. A narrow enclave reduces the number of systems in scope but requires strict technical controls to ensure CUI cannot flow out of the enclave into out-of-scope systems.
Common enclave architectures for Central Florida defense contractors include:
- Physical isolation: A dedicated workstation or small network that is physically separate from corporate IT. Only individuals who need to access CUI can access these systems. Simple to implement, but operationally restrictive for engineers who need CUI to do their jobs.
- VLAN-based segmentation: A dedicated VLAN with firewall rules that prevent CUI from flowing to corporate systems. Requires documented and tested segmentation to satisfy the CMMC assessor.
- Cloud-based CUI enclave: Using a FedRAMP-authorized cloud environment (such as Microsoft 365 GCC High or Azure Government) as the CUI-handling system, with corporate systems outside the boundary. Growing in adoption because it offloads significant infrastructure compliance burden to the cloud provider.
The System Security Plan: Your Compliance Foundation
NIST 800-171 requires (in CA.2.157) that organizations "periodically assess the security controls in organizational systems to determine if the controls are effective in their application." But the foundational document for a CMMC assessment is the System Security Plan.
The SSP is not optional. It is not a formality. It is the primary artifact that a C3PAO assessor or government assessor reviews to understand your environment, how your controls are implemented, and where gaps exist. A weak or incomplete SSP will fail an assessment before any technical testing begins.
A compliant SSP for CMMC Level 2 must document:
- System boundary and description: What systems are in scope, what they do, and how they connect to each other and to external systems.
- CUI data flows: How CUI enters the environment, where it is stored, how it moves between systems, and how it leaves the environment.
- Control implementation statements: For each of the 110 NIST 800-171 requirements, a description of how the control is implemented. "We use Windows Defender" is not an implementation statement. A compliant statement describes which systems have the control deployed, how it is configured, who is responsible for it, and how compliance is verified.
- Plan of Action and Milestones: For any control that is not fully implemented, the POA&M documents what is missing, what the remediation plan is, and when full implementation will be achieved.
- Supporting policies and procedures: References to the specific policy documents that govern each control area.
The SSP is a living document. It must be updated when the system changes, when controls are added or modified, and prior to each assessment cycle. Assessors will look for date stamps and revision histories to verify that the SSP reflects the current state of the environment, not the state it was in when a consultant wrote it two years ago.
Where Penetration Testing Fits in the CMMC Framework
Penetration testing is not a separate compliance exercise bolted onto CMMC. It is directly referenced in the NIST 800-171 control framework and has specific implications for assessment readiness.
The RA Family: Risk Assessment Requirements
NIST 800-171 Requirement RA.2.141 states: "Periodically scan for vulnerabilities in organizational systems and applications; scan when new vulnerabilities potentially affecting those systems and applications are identified; and remediate vulnerabilities in accordance with organizational assessments of risk."
This requirement establishes the baseline: vulnerability scanning is mandatory. But vulnerability scanning and penetration testing serve different functions. Automated vulnerability scanning identifies known vulnerabilities based on signatures and CVE databases. Penetration testing involves a human tester using the same techniques as adversaries targeting the defense industrial base to identify exploitable attack paths that scanning cannot detect.
For a CMMC Level 2 assessment, satisfying RA.2.141 requires documented evidence of vulnerability scanning with a defined cadence and a remediation process tied to risk. A best-practice program includes penetration testing to validate the effectiveness of the controls that the 110 requirements mandate, not merely confirm that known CVEs are patched.
The CA Family: Security Assessment Requirements
Requirements CA.2.157 and CA.2.158 require periodic assessment of security controls and the development of action plans for deficiencies. A penetration test is a highly effective mechanism for satisfying the assessment requirement: it provides independent, evidence-based validation of whether the controls you have documented in the SSP are actually working as intended.
A common failure pattern in CMMC assessments is the gap between documented controls and actual implementation. The SSP states that MFA is enforced on all CUI systems. The penetration test discovers that a legacy application bypasses the MFA enforcement because it uses a service account with a static password. This is exactly the kind of finding that a C3PAO assessor will look for, and exactly the kind of finding that a pre-assessment penetration test will surface before it becomes an assessment failure.
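The SSP-versus-reality gap described above is exactly what an audit-log review (AU family) should surface before an assessor does. The following script is an added example, not code from the original article or from Lorikeet: it parses constructed authentication log lines, treats hosts named `cui-*` as the CUI enclave (an assumed naming convention), and flags every successful in-scope logon that was not protected by MFA, which is how a legacy application authenticating with a static-password service account shows up in the evidence. The log format, host names and accounts are all invented for illustration.

```python
"""Audit-log review for MFA enforcement on CUI systems.

Added example with constructed input. The key=value log format, the "cui-"
host prefix and every account/host name below are assumptions, not a real
contractor's environment.
"""
import re
from collections import defaultdict

CUI_HOST_PREFIX = "cui-"   # assumption: in-scope enclave hosts follow this naming convention

# Constructed sample: six authentication events from an enclave file server,
# an enclave workstation, an enclave application server and an out-of-scope mail server.
SAMPLE_LOG = """
2024-03-04T08:12:01Z host=cui-fs01 user=jdoe result=success mfa=yes src=10.50.0.21 logon=interactive
2024-03-04T08:15:44Z host=cui-fs01 user=svc_legacyapp result=success mfa=no src=10.10.30.4 logon=network
2024-03-04T09:02:10Z host=cui-ws07 user=asmith result=failure mfa=no src=10.50.0.33 logon=interactive
2024-03-04T09:02:25Z host=cui-ws07 user=asmith result=success mfa=yes src=10.50.0.33 logon=interactive
2024-03-04T11:40:02Z host=cui-app01 user=svc_legacyapp result=success mfa=no src=10.10.30.4 logon=network
2024-03-04T12:05:50Z host=corp-mail user=jdoe result=success mfa=no src=10.10.20.7 logon=interactive
""".strip().splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event


def in_scope(event):
    """Only enclave hosts are subject to the CMMC MFA requirement."""
    return event.get("host", "").startswith(CUI_HOST_PREFIX)


def mfa_gaps(lines):
    """Return {account: [events]} for successful in-scope logons that did not use MFA.

    Each entry is a candidate SSP-versus-reality finding: either an undocumented
    bypass path or an account that the SSP's MFA statement does not cover.
    """
    gaps = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if in_scope(event) and event.get("result") == "success" and event.get("mfa") != "yes":
            gaps[event["user"]].append(event)
    return dict(gaps)


def mfa_coverage(lines):
    """Fraction of successful in-scope logons that were MFA-protected (1.0 if none occurred)."""
    ok = total = 0
    for line in lines:
        event = parse_line(line)
        if in_scope(event) and event.get("result") == "success":
            total += 1
            ok += event.get("mfa") == "yes"
    return ok / total if total else 1.0


if __name__ == "__main__":
    print(f"MFA coverage on CUI hosts: {mfa_coverage(SAMPLE_LOG):.0%}")
    for account, events in mfa_gaps(SAMPLE_LOG).items():
        hosts = sorted({e['host'] for e in events})
        print(f"FINDING: {account} logged on without MFA to {', '.join(hosts)} ({len(events)} events)")
```

On the sample input the out-of-scope `corp-mail` event is ignored, the two human users are MFA-protected, and `svc_legacyapp` is reported for both enclave hosts it touched: the same review run over real enclave logs produces the evidence an assessor will ask for under the AU and IA families, and the account list is the starting point for a POA&M entry if the bypass cannot be closed immediately.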
Penetration Testing as Pre-Assessment Validation
For Central Florida defense contractors preparing for a C3PAO assessment, a pre-assessment penetration test serves three functions:
- Control validation: Confirms that the technical controls you have implemented actually prevent the attack scenarios they are intended to prevent. Boundary protection, network segmentation, access controls, and logging can all be independently validated through testing.
- Gap identification: Surfaces vulnerabilities and control weaknesses before the assessor sees them, giving you the opportunity to remediate before the formal assessment.
- POA&M scoping: If the penetration test identifies gaps that cannot be remediated before the assessment, it provides precise documentation of what the gap is, what the risk is, and what remediation looks like, which is exactly what a POA&M entry requires.
A note on scope: A CMMC-focused penetration test should be scoped to the CUI enclave. Testing systems outside the enclave is useful for general security posture but does not directly support CMMC assessment readiness. The test should target the systems, network segments, and applications that are in scope for the CMMC assessment, because those are the systems the assessor will be examining.
What a CMMC-Focused Penetration Test Should Cover
A penetration test structured to support CMMC Level 2 assessment readiness should include the following activities:
- External perimeter testing: Attack simulation from the internet targeting any systems in the CUI enclave that have external exposure, including VPN endpoints, remote access portals, and externally accessible services.
- Internal network testing: Lateral movement assessment within the CUI enclave. Can an attacker who gains initial access to one system within the enclave escalate privilege, move laterally, and access CUI that they should not be able to reach?
- Authentication control testing: Validation of MFA enforcement across all CUI systems. This includes testing for bypass paths, legacy authentication protocols, and service accounts that may circumvent MFA policies.
- Segmentation validation: If your CUI enclave is segmented from corporate IT, can an attacker on a corporate system cross the boundary into the CUI enclave? This is directly analogous to PCI-DSS segmentation testing and is equally critical for CMMC.
- Logging and detection assessment: Does the SIEM or logging infrastructure detect and alert on attacker activity? Testing detection coverage is an often-skipped element that directly supports the AU control family.
- Configuration review: Assessment of hardening configurations on in-scope systems, including patch levels, unnecessary services, default credentials, and baseline configuration drift.
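The "segmentation validation" activity above, and the VLAN-based enclave architecture described earlier that "requires documented and tested segmentation to satisfy the CMMC assessor", both come down to one question: does the firewall actually enforce the data flows drawn in the SSP? The script below is an added example, not code from the original article or from Lorikeet. It models a first-match ruleset, takes the flows the SSP says must be allowed or blocked across the enclave boundary, and reports every mismatch. The address ranges, the jump host, and the rules themselves are constructed for illustration; on a real engagement the ruleset would be exported from the firewall and the expected flows taken from the SSP's data-flow diagram.

```python
"""Segmentation validation: test a firewall ruleset against the documented CUI boundary.

Added example with constructed data. Address ranges (corporate 10.10.0.0/16,
CUI enclave 10.50.0.0/24, jump host 10.10.5.5) and the rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int] # None matches any port
    action: str         # "allow" or "deny"

    def matches(self, src_ip, dst_ip, proto, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First-match evaluation with an implicit default deny, as most firewalls behave."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return default


# Constructed ruleset. The SSP (assumed) documents the jump host as the only path into
# the enclave and no direct enclave egress to the internet. Two rules contradict that.
RULES = [
    Rule("10.10.5.5/32", "10.50.0.0/24", "tcp", 3389, "allow"),   # jump host RDP: documented
    Rule("10.10.0.0/16", "10.50.0.0/24", "tcp", 445, "allow"),    # SMB from all of corporate: undocumented
    Rule("10.50.0.0/24", "10.10.0.0/16", "any", None, "deny"),    # enclave may not reach corporate
    Rule("10.50.0.0/24", "0.0.0.0/0", "tcp", 443, "allow"),       # enclave egress to internet: undocumented
]

# Expected boundary behaviour taken from the (constructed) SSP data-flow diagram:
# (description, src, dst, proto, port, expected action)
EXPECTED_FLOWS = [
    ("jump host RDP into enclave", "10.10.5.5", "10.50.0.10", "tcp", 3389, "allow"),
    ("corporate workstation RDP into enclave", "10.10.20.7", "10.50.0.10", "tcp", 3389, "deny"),
    ("corporate workstation SMB into enclave", "10.10.20.7", "10.50.0.10", "tcp", 445, "deny"),
    ("enclave SMB out to corporate share", "10.50.0.10", "10.10.30.4", "tcp", 445, "deny"),
    ("enclave HTTPS direct to internet", "10.50.0.10", "203.0.113.9", "tcp", 443, "deny"),
]


def validate_segmentation(rules, expected_flows):
    """Return one finding string per flow where the ruleset disagrees with the SSP."""
    findings = []
    for desc, src, dst, proto, port, expected in expected_flows:
        actual = evaluate(rules, src, dst, proto, port)
        if actual != expected:
            findings.append(f"{desc}: SSP expects {expected}, ruleset gives {actual}")
    return findings


if __name__ == "__main__":
    for finding in validate_segmentation(RULES, EXPECTED_FLOWS) or ["no segmentation findings"]:
        print(finding)
```

Against the constructed ruleset, the documented jump-host path and the two flows that hit the explicit or implicit deny behave as the SSP says, while the broad SMB allow and the direct internet egress are reported as findings. Each finding is a concrete mismatch between the documented boundary and the enforced one, which is the form a POA&M entry or a pre-assessment remediation ticket needs. A live test should also send the same flows through the boundary, since a ruleset export does not prove the device in the path is the one enforcing it.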
We provide CMMC-focused penetration testing structured specifically around NIST 800-171 control validation, including deliverables mapped to specific CMMC requirements to support assessment documentation. Our team is based in Orlando and serves defense contractors throughout the I-4 corridor and Space Coast.
Practical Steps to Prepare for a CMMC Level 2 Assessment
CMMC assessment readiness is a program, not a project. The following roadmap reflects the approach we use with Central Florida defense contractors working toward Level 2 compliance.
Phase 1: Scoping and Gap Analysis (Weeks 1 to 6)
Before any technical work begins, you need to understand what you are protecting and where the gaps are. This phase involves:
- CUI identification: Inventory all CUI in your environment. Where does it enter? Where is it stored? How does it flow? This is a business process exercise as much as a technical one, involving interviews with program managers, engineers, and contracts staff.
- System boundary definition: Based on the CUI inventory, define the boundary of the systems that will be in scope for the assessment. Document the boundary in network diagrams and data flow diagrams.
- NIST 800-171 gap assessment: Evaluate your current implementation against all 110 requirements. Assign a status (implemented, partially implemented, not implemented) and a risk score to each gap. This produces the initial POA&M and drives the remediation prioritization.
- SSP draft: Begin drafting the System Security Plan. Even if many controls are not yet implemented, the SSP structure should be established early so it can be updated as controls are put in place.
Phase 2: Remediation (Months 2 to 9, depending on gap depth)
The gap analysis will produce a prioritized list of control deficiencies. Remediation typically falls into three categories:
- Policy and documentation gaps: Missing or inadequate policies, procedures, and system documentation. These are generally the quickest to close and should be addressed first, because documented controls that are not implemented still demonstrate intent and governance posture.
- Technical control gaps: Missing technical implementations such as MFA, centralized logging, endpoint protection, encryption, or access control configurations. These require IT involvement and may require procurement of new tools or platforms.
- Architectural gaps: Fundamental design issues such as the absence of CUI network segmentation, inadequate boundary protection, or a cloud environment that is not FedRAMP authorized for the data it holds. These take the longest to address and should be identified as early as possible.
Phase 3: Validation and Pre-Assessment Testing (Months 8 to 10)
Before engaging a C3PAO, validate that the controls you have implemented are working as intended. This phase includes:
- Internal control review: Walk through each of the 110 requirements with evidence. Can you produce an artifact that demonstrates the control is operational? Logs, screenshots, configuration exports, signed policies, and training records are all evidence types an assessor will request.
- Penetration test of the CUI enclave: An independent technical assessment of the systems in scope for the CMMC assessment. Structure the test to validate the specific technical controls from the NIST 800-171 framework. Remediate findings before the C3PAO assessment.
- SSP finalization: Update the SSP to reflect the final implemented state of all controls. Ensure every implementation statement is accurate and supported by evidence.
- Mock assessment: For organizations that have not been through a CMMC assessment before, a readiness review by an independent party (not the C3PAO that will perform the formal assessment) can identify last-minute gaps before the clock starts.
Phase 4: C3PAO Assessment
The formal CMMC Level 2 assessment is conducted by a C3PAO listed on the Cyber AB Marketplace. The assessment involves a combination of document review, interviews with personnel, and technical testing. Assessors are not looking to fail contractors; they are verifying that the controls you claim to have implemented are actually in place.
Findings from the assessment are categorized and, if the organization passes (or passes conditionally with a POA&M), the assessment results are submitted to the CMMC Accreditation Body, which issues the certification. Certifications are valid for three years, after which a new assessment is required.
Timing matters: CMMC certifications must be in place before contract award for programs that require them. "We are working toward CMMC compliance" is not an acceptable answer in a solicitation response that requires Level 2 certification. Start the process early enough that the C3PAO assessment can be completed before the contracts you are pursuing are awarded. Given current assessor demand and the time required for a typical remediation program, twelve to eighteen months of lead time is a reasonable planning horizon for organizations starting from a low baseline.
CMMC and the Florida Defense Contractor Supply Chain
One dimension of CMMC that is frequently underestimated by Central Florida defense contractors is the supply chain dimension. If you are a prime contractor, you are responsible for flowing down CMMC requirements to your subcontractors. If you are a subcontractor, you need to understand what your prime is requiring of you, because primes are increasingly including CMMC compliance language in their teaming agreements and subcontracts.
The practical implication is that CMMC compliance is not just your problem. If you share CUI with a subcontractor, that subcontractor must also be CMMC compliant to the appropriate level. A gap in a subcontractor's CMMC posture creates risk for the prime and, ultimately, for the program. We are already seeing Central Florida primes conduct cybersecurity assessments of their supplier base as part of contract onboarding, well before the formal CMMC requirement flows down through a contract clause.
For companies in the supply chain that want to remain competitive for defense work over the next several years, CMMC compliance is a business development imperative as much as a compliance requirement. Primes will increasingly prefer subcontractors who can demonstrate CMMC Level 2 compliance, because working with a non-compliant subcontractor creates supply chain risk that the prime ultimately bears.
How Lorikeet Supports CMMC Compliance in Central Florida
Lorikeet Security is based in Orlando and works extensively with defense contractors throughout Central Florida, including the I-4 corridor, the UCF Research Park area, and the Space Coast. Our security services are structured to support CMMC Level 2 readiness and assessment.
For defense contractors at the beginning of their CMMC journey, we provide gap assessments against all 110 NIST 800-171 requirements with a prioritized remediation roadmap. For contractors who have completed remediation and are preparing for a C3PAO assessment, we provide pre-assessment penetration testing of the CUI enclave with deliverables that map directly to CMMC control requirements.
You can also read our detailed guide on penetration testing for Orlando defense contractors for additional context on how technical security testing supports CMMC compliance specifically in the Central Florida market.
If you are a defense contractor in Central Florida working toward CMMC Level 2 compliance and want to understand your current posture, start with our platform or contact us to discuss a structured readiness engagement.
CMMC Compliance Support for Central Florida Defense Contractors
From gap assessments and System Security Plan development to pre-assessment penetration testing of your CUI enclave, we work with defense contractors across the I-4 corridor to build assessment-ready CMMC programs.