A Kansas City manufacturing shop lost a $240,000 subcontract opportunity because the prime contractor asked for proof of CMMC Level 2 compliance — and the owner had never heard of it. That's the reality facing defense contractors across Northwest Missouri and Northeast Kansas: CMMC (Cybersecurity Maturity Model Certification) is no longer optional, and ignorance of the requirement can cost your business contracts before you even realize you're in scope.
This guide explains which businesses need CMMC certification, what each level requires, and how to prepare without disrupting your operations.
What CMMC Is (And Why the DoD Created It)
CMMC is a unified cybersecurity standard created by the Department of Defense to replace inconsistent self-attestation practices under DFARS 7012, requiring defense contractors to prove — not just claim — they protect sensitive information through third-party assessments.
Why the DoD Tightened Contractor Security Requirements
The 2020 SolarWinds breach exposed how attackers exploit weak points in supply chains to reach high-value targets. In that incident, nation-state hackers compromised a software vendor's update mechanism and used it to infiltrate federal agencies and private companies. The DoD realized that contractors were the weakest link: many claimed compliance with DFARS 252.204-7012, but there was no verification process and no enforcement mechanism behind those claims.
CMMC replaced the honor system with mandatory third-party assessments. Contractors can no longer self-certify — they must prove their security posture to an accredited auditor before winning or renewing contracts.
What Is Controlled Unclassified Information (CUI)?
CUI is not limited to classified weapons designs or intelligence reports. If your business handles technical drawings for parts, shipment manifests for defense goods, or employee background check data for federal projects, you are processing CUI. Any business in the defense supply chain, including small fabrication shops, engineering consultants, and logistics providers, is subject to CMMC requirements if it touches this data.
The Three CMMC Levels: Which One Applies to Your Business?
CMMC defines three certification levels based on the sensitivity of information a contractor handles: Level 1 for basic FAR compliance without CUI access, Level 2 for most contractors processing CUI, and Level 3 for the most sensitive defense programs.
| CMMC Level | Number of Practices | Assessment Type | Who It Applies To |
|---|---|---|---|
| Level 1 | 17 | Self-assessment | Contractors who do not handle CUI but must meet basic FAR security requirements |
| Level 2 | 110 | Third-party C3PAO assessment | Most contractors who process, store, or transmit CUI in any form |
| Level 3 | 110+ (not yet finalized) | Government-led assessment | Contractors supporting the most sensitive DoD programs |
CMMC Level 1: Basic FAR Compliance
Level 1 applies to businesses that provide general commercial products or services to the DoD without accessing technical data, personnel records, or logistics information. Examples include janitorial services, general office supplies, or public-facing marketing work. These contractors can self-assess and attest to compliance without a third-party audit.
CMMC Level 2: Most Defense Contractors
Level 2 is where most Kansas City businesses fall. If you fabricate parts from engineering drawings, manage logistics for defense shipments, or provide IT consulting that touches federal data, you need Level 2. A fabrication shop in St. Joseph building components from CAD files provided by a prime contractor is handling CUI. A logistics company in Olathe tracking DoD shipment manifests is handling CUI. Both require third-party assessment by a C3PAO (Certified Third-Party Assessment Organization).
CMMC Level 3: Highly Sensitive Programs
Level 3 is reserved for businesses working on classified or highly sensitive programs, such as advanced weapons systems or strategic intelligence platforms. The DoD has not finalized Level 3 requirements, and most small to mid-sized contractors will never need this tier.
Decision Tree: Which Level Do You Need?
- Do you sign non-disclosure agreements (NDAs) for DoD work? If yes, you likely handle CUI and need Level 2.
- Do you receive technical specifications, blueprints, or engineering files? If yes, those are CUI — you need Level 2.
- Do you manage logistics, shipping manifests, or procurement data for defense contracts? If yes, you need Level 2.
- Do you only provide commercial off-the-shelf products with no access to sensitive data? If yes, Level 1 may suffice.
If you are unsure, check your current contracts for the DFARS 252.204-7012 clause or ask your contracting officer directly. That clause is the indicator that CMMC Level 2 will apply when your contract comes up for renewal.
Which Kansas City Industries Are Most Affected
Defense contractors in aerospace manufacturing, professional services, construction, and transportation across the Kansas City metro and Northwest Missouri face CMMC requirements if they process CUI as part of their work for the DoD or its prime contractors.
Aerospace Parts Manufacturing
Aerospace manufacturers in the Kansas City metro supply components to major primes like Honeywell Kansas City and other defense contractors. These manufacturers receive detailed CAD files, material specifications, and quality control requirements, all of which qualify as CUI. A machine shop in St. Joseph fabricating precision parts from technical drawings must meet CMMC Level 2 to remain eligible for subcontracts.
Professional Services Firms
Engineering consultants, IT support providers, and program management firms that work on federal contracts handle CUI regularly. A consulting firm in Olathe providing systems engineering support to a DoD project receives technical documentation and project plans that require protection. Professional services firms must implement access controls, encrypt data, and maintain audit logs to meet CMMC Level 2 requirements.
Construction Companies Bidding on Federal Projects
Construction companies bidding on federal projects at military installations or government facilities often handle site plans, security protocols, and personnel vetting documents. These are CUI. A construction firm in Liberty working on a project at Fort Leavenworth or Richards-Gebaur Air Reserve Station must demonstrate CMMC compliance to bid on future contracts.
Transportation and Logistics Companies
Freight carriers and logistics providers moving defense-related goods handle shipment manifests, delivery schedules, and inventory lists that identify sensitive cargo. A transportation company in Kansas City managing DoD freight must secure this data under CMMC Level 2. Failure to comply can disqualify the business from lucrative federal logistics contracts.
Regional Supply Chain Exposure
The Midland Empire region — spanning Northwest Missouri and Northeast Kansas — hosts a significant defense supply chain presence. Even small businesses in St. Joseph, Savannah, or Maryville can find themselves in scope if they support a prime contractor. TS Conard serves businesses across this region, helping local contractors understand their CMMC obligations before they lose contract opportunities.
What CMMC Compliance Actually Requires (Not Just Software)
CMMC Level 2 compliance requires implementing 110 cybersecurity practices across 14 NIST SP 800-171 domains, covering access control, incident response, system integrity, and physical security — and proving those practices through documented policies, employee training records, and audit trails.
The 14 NIST SP 800-171 Domains
CMMC Level 2 is built on NIST SP 800-171, which organizes cybersecurity requirements into 14 domains. Each domain addresses a specific aspect of information security, and each contains multiple practices that must be implemented and documented.
- Access Control (AC): Defines who can view, modify, or transmit CUI, using role-based permissions and least-privilege principles.
- Awareness and Training (AT): Requires documented security training for all employees who handle CUI, with records of completion.
- Audit and Accountability (AU): Mandates logging of system activity, user actions, and security events for forensic review.
- Configuration Management (CM): Controls how systems are configured, updated, and documented to prevent unauthorized changes.
- Identification and Authentication (IA): Ensures users are who they claim to be through multi-factor authentication and strong password policies.
- Incident Response (IR): Requires a written plan for detecting, reporting, and recovering from cybersecurity incidents.
- Maintenance (MA): Governs how systems are serviced, updated, and secured during maintenance activities.
- Media Protection (MP): Protects physical and digital media containing CUI through encryption, secure disposal, and tracking.
- Personnel Security (PS): Screens employees, contractors, and vendors who access CUI to ensure trustworthiness.
- Physical Protection (PE): Secures facilities where CUI is stored or processed using locks, visitor logs, and access controls.
- Risk Assessment (RA): Identifies vulnerabilities, assesses threats, and prioritizes remediation efforts through regular evaluations.
- Security Assessment (CA): Conducts periodic tests and audits to verify that security controls function as intended.
- System and Communications Protection (SC): Protects data in transit and at rest through encryption, network segmentation, and boundary defenses.
- System and Information Integrity (SI): Detects and removes malware, monitors for anomalies, and patches vulnerabilities promptly.
Why Technology Alone Won't Pass an Assessment
Many break-fix IT providers install antivirus software, enable firewalls, and assume that checks the CMMC box. It doesn't. CMMC assessments verify that your business has documented policies, trained employees, and audit trails proving you follow those policies. A C3PAO assessor will ask for your System Security Plan, your incident response procedures, your training logs, and proof that you review access controls quarterly.
TS Conard's approach integrates compliance into your operations. We don't just configure tools — we build the documentation, train your team, and establish the audit trails that prove you meet each requirement. This is part of the broader cybersecurity framework that protects your business beyond CMMC.
Key Technical Controls for CMMC Level 2
- Multi-Factor Authentication (MFA): Requires two or more verification factors (password plus code from phone or hardware token) to access systems containing CUI.
- Encrypted Email: Protects CUI in transit using TLS encryption or secure email gateways that enforce encryption policies.
- Endpoint Detection and Response (EDR): Monitors devices for malicious activity, detects threats in real time, and provides forensic data for incident investigations.
- Network Segmentation: Isolates CUI systems from general business networks to limit attacker movement if a breach occurs.
- Patch Management: Applies security updates to operating systems, applications, and firmware within timeframes specified by NIST (typically 30 days for critical patches).
- Secure Backup Systems: Maintains encrypted, offline backups of CUI with documented recovery procedures and regular restoration tests.
These technologies are necessary, but they are not sufficient. CMMC assessors evaluate whether your employees know how to use these tools, whether your policies define acceptable use, and whether your audit logs prove consistent enforcement. Businesses juggling other compliance requirements, such as HIPAA or the FTC Safeguards Rule, benefit from aligning their security programs to meet multiple frameworks simultaneously.
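Assessors want evidence that controls are enforced consistently, not just installed. The script below is an added example written for this article (it is not TS Conard's tooling and not part of any CMMC standard) showing what a recurring internal readiness check can look like for two of the points made above: the quarterly access review (CUI access limited to authorized roles, MFA on every account that can reach CUI) and the 30-day critical patch window cited in the patch management bullet. The inventory format, the authorized role list, and the sample accounts and endpoints are all constructed assumptions; in practice you would export the same fields from your directory and patch management tools and keep each run's output as audit evidence.

```python
"""Readiness check for two CMMC Level 2 evidence items: access review and patch timeliness.

Added example for this article, not TS Conard's code. The record layout, the
authorized-role list, and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# The article cites a 30-day window for critical patches; align this with your own policy.
CRITICAL_PATCH_WINDOW_DAYS = 30

# Hypothetical access policy: only these roles may hold CUI access.
CUI_AUTHORIZED_ROLES = {"engineer", "quality", "program_manager"}

# A finding is (subject, NIST SP 800-171 family, description).
Finding = Tuple[str, str, str]


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    cui_access: bool
    mfa_enabled: bool


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    in_cui_enclave: bool
    critical_patch_released: Optional[date]  # None when no critical patch is outstanding
    critical_patch_applied: Optional[date]   # None when the released patch is not yet applied


def review_accounts(accounts: List[Account]) -> List[Finding]:
    """Quarterly access review: flag CUI access held by an unauthorized role (AC)
    or by an account without MFA (IA). Accounts without CUI access are out of scope."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.cui_access:
            continue
        if a.role not in CUI_AUTHORIZED_ROLES:
            findings.append((a.username, "AC", f"role '{a.role}' is not authorized for CUI"))
        if not a.mfa_enabled:
            findings.append((a.username, "IA", "CUI access without MFA"))
    return findings


def review_patching(endpoints: List[Endpoint], as_of: date) -> List[Finding]:
    """Flag enclave endpoints whose critical patch was applied late, or is still
    missing past the window as of the review date (SI). Non-enclave hosts are skipped."""
    findings: List[Finding] = []
    for e in endpoints:
        if not e.in_cui_enclave or e.critical_patch_released is None:
            continue
        if e.critical_patch_applied is None:
            age = (as_of - e.critical_patch_released).days
            if age > CRITICAL_PATCH_WINDOW_DAYS:
                findings.append((e.hostname, "SI", f"critical patch outstanding {age} days"))
        else:
            lag = (e.critical_patch_applied - e.critical_patch_released).days
            if lag > CRITICAL_PATCH_WINDOW_DAYS:
                findings.append((e.hostname, "SI", f"critical patch applied after {lag} days"))
    return findings


# Constructed sample data, as if exported from a directory and a patch tool.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "engineer", cui_access=True, mfa_enabled=True),      # compliant
    Account("mlee", "quality", cui_access=True, mfa_enabled=False),        # IA finding
    Account("tnguyen", "sales", cui_access=True, mfa_enabled=True),        # AC finding
    Account("rpatel", "sales", cui_access=False, mfa_enabled=False),       # out of scope
    Account("svc_backup", "service", cui_access=True, mfa_enabled=False),  # AC and IA findings
]
SAMPLE_ENDPOINTS = [
    Endpoint("cad-ws-01", True, date(2025, 2, 1), date(2025, 2, 20)),   # patched in 19 days
    Endpoint("cad-ws-02", True, date(2025, 2, 1), None),                # still unpatched
    Endpoint("cnc-ctl-01", True, date(2025, 1, 10), date(2025, 3, 1)),  # patched after 50 days
    Endpoint("front-desk", False, date(2025, 2, 1), None),              # outside the enclave
    Endpoint("erp-srv-01", True, None, None),                           # nothing outstanding
]
AS_OF = date(2025, 3, 31)


def readiness_report(accounts=SAMPLE_ACCOUNTS, endpoints=SAMPLE_ENDPOINTS, as_of=AS_OF) -> dict:
    """Combine both reviews into a dated record suitable for keeping as evidence."""
    findings = review_accounts(accounts) + review_patching(endpoints, as_of)
    return {"as_of": as_of.isoformat(), "findings": findings, "ready": not findings}


if __name__ == "__main__":
    report = readiness_report()
    print(f"Review as of {report['as_of']}: {'no findings' if report['ready'] else 'findings'}")
    for subject, family, detail in report["findings"]:
        print(f"  [{family}] {subject}: {detail}")
```

Each finding is tagged with the NIST SP 800-171 family it falls under (AC, IA, SI), which makes it straightforward to map the output back to your System Security Plan and to record remediation in a POA&M. Run the check on a fixed schedule and retain the dated output; the series of reports is the kind of audit trail an assessor asks for when verifying that reviews actually happen.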
The Timeline: When You Need to Be Compliant
CMMC 2.0 enforcement began in 2024, with full implementation expected by 2025-2026, meaning new contracts already include CMMC requirements in RFP language, and existing contractors must achieve certification at contract renewal or face disqualification.
Current Enforcement Status
The DoD published the final CMMC 2.0 rule in 2024 and began inserting CMMC requirements into new solicitations immediately. Contractors responding to RFPs for defense work are already seeing language that requires proof of CMMC certification as a condition of award. Existing contracts are being phased in — when your contract comes up for renewal, you will be required to demonstrate compliance.
How Long Preparation Takes
Businesses starting from scratch typically need 6-12 months to implement the required controls, document policies, train employees, and prepare for assessment. Smaller operations with simpler IT environments may move faster, while manufacturers with legacy systems or multiple locations need more time. The timeline depends on your current security posture, the complexity of your network, and how quickly you can address gaps identified in the initial assessment.
Contract Clauses That Signal CMMC Requirements
Watch for DFARS clause 252.204-7012 (requiring safeguarding of CUI) and 252.204-7019 or 252.204-7020 (requiring CMMC certification) in your solicitations and contracts. The specific CMMC level required will be stated in the contract language. Primes are also flowing down CMMC requirements to their subcontractors through contract terms, so even if you don't contract directly with the DoD, your prime may require proof of certification.
Common Misconceptions About CMMC
"We're Too Small to Be Targeted"
Small defense contractors often believe cybercriminals won't target their operations, but adversaries specifically seek out smaller suppliers as entry points into the defense supply chain. Your data may be less protected, making you an easier target, and once inside your network, attackers can pivot to larger primes or access CUI that reveals broader program details. CMMC exists precisely because small contractors have been successfully compromised.
"We Can Self-Certify Forever"
CMMC 2.0 allows self-assessment only for Level 1 (basic cyber hygiene). Level 2 requires third-party certification by a C3PAO for contractors handling more sensitive CUI or working on critical programs. The DoD determines which level applies based on the type of information and the criticality of the program. Most manufacturers and engineering firms working with technical data will require Level 2 certification, not self-assessment.
"CMMC Is Just IT's Problem"
Achieving and maintaining CMMC compliance requires involvement from leadership, operations, HR, finance, and facilities — not just IT. Policies around access control, personnel screening, physical security, incident response, and awareness training touch every department. Leadership must allocate budget, staff must follow procedures, and the entire organization must embrace a security-conscious culture. Treating CMMC as purely technical work guarantees failure.
How Kansas City Businesses Can Get Started
Step 1: Determine Your Required CMMC Level
Review your current contracts, solicitations, and customer requirements to identify whether you handle CUI and which CMMC level applies. If you're unsure, consult with your contracting officer or prime contractor. Understanding your target level determines the scope of your compliance project.
Step 2: Conduct a Gap Assessment
Engage a qualified consultant or managed service provider to evaluate your current security posture against the required CMMC practices. This assessment identifies which controls you already meet and which require implementation or improvement. The gap assessment becomes your roadmap for remediation.
Step 3: Develop a Remediation Plan
Prioritize the gaps based on risk, complexity, and cost. Create a project plan with milestones, assign responsibilities, and allocate budget. Address foundational controls first (asset management, access control, network segmentation) before moving to advanced capabilities (incident response, security monitoring).
Step 4: Implement Technical and Administrative Controls
Deploy the required technology solutions, document policies and procedures, configure systems according to NIST standards, and establish logging and monitoring. This phase includes network architecture changes, endpoint protection, multi-factor authentication, patch management, and data encryption.
Step 5: Train Your Team and Establish Governance
Security awareness training ensures employees understand their role in protecting CUI. Establish a governance structure with defined roles, regular policy reviews, and ongoing monitoring. Compliance is not a one-time project but a continuous program requiring sustained attention.
Step 6: Schedule Your Assessment
For Level 2, engage a C3PAO to conduct your certification assessment. The assessor will validate that your controls are implemented correctly and operating effectively. Prepare evidence in advance, conduct a readiness review, and address any remaining gaps before the formal assessment begins.
Choosing the Right Partner for CMMC Compliance
Kansas City businesses have access to local IT and cybersecurity providers who understand both CMMC requirements and the regional business environment. Look for partners with demonstrated CMMC experience, technical certifications, and a track record working with defense contractors. The right partner will guide you through the assessment, implement necessary controls, and provide ongoing managed services to maintain compliance.
Evaluate providers based on their methodology, transparency, and ability to explain complex requirements in business terms. Avoid vendors who promise quick certification without addressing foundational security gaps — shortcuts lead to failed assessments and wasted investment. A quality partner will conduct a thorough gap assessment, provide realistic timelines, and build a security program that genuinely protects your business.
Frequently Asked Questions
How much does CMMC certification cost?
CMMC certification costs vary widely depending on your current security posture, company size, and required level. Implementation costs typically range from $50,000 to $300,000+ for most small to mid-sized manufacturers, including technology investments, consulting services, policy development, and the C3PAO assessment fee. Self-assessment for Level 1 costs significantly less. Organizations with mature security programs spend less on remediation, while those starting from scratch require larger investments in infrastructure and processes.
Can I lose existing contracts if I'm not CMMC certified?
Yes. As existing contracts come up for renewal, the DoD will insert CMMC requirements into the new contract terms. If you cannot demonstrate the required certification level, you will be unable to renew the contract. Prime contractors are also flowing down CMMC requirements to subcontractors, meaning your customer may terminate your agreement if you fail to achieve certification. The phase-in period provides time to prepare, but ultimately, CMMC compliance becomes a condition of doing business with the defense industrial base.
What happens if we fail a CMMC assessment?
If you fail a CMMC assessment, you will not receive certification and cannot pursue or renew contracts requiring that certification level. The C3PAO will provide a detailed report identifying deficiencies. You must remediate the gaps and schedule a new assessment, which incurs additional costs and delays. Failed assessments are reportable to the DoD, potentially affecting your reputation with current and prospective customers. Proper preparation through gap assessments and readiness reviews minimizes the risk of failure.
How long does CMMC certification last?
CMMC certification is valid for three years, after which you must undergo reassessment to maintain your certification status. During the three-year period, you must maintain your security controls, conduct annual self-assessments, report cybersecurity incidents, and implement a Plan of Action and Milestones (POA&M) for any identified deficiencies. Significant changes to your IT environment, personnel, or business operations may require updating your System Security Plan and could trigger the need for early reassessment.
Need Help Achieving CMMC Compliance?
TS Conard specializes in helping Kansas City businesses navigate the complexities of CMMC certification. Our cybersecurity experts will assess your current security posture, identify gaps, and guide you through every step of the compliance journey.