CMMC and NIST 800-171 Managed IT | Cascade Data LLC
For Defense Suppliers and Federal Contractors

Assessment-Ready IT. CMMC. NIST. ITAR.

Veteran-owned managed IT built for Oregon defense-supply-chain manufacturers. CMMC 2.0 Level 2 alignment, NIST SP 800-171 control implementation, ITAR-aware US-person controls, GCC or GCC High deployment, and the SSP and POA&M discipline that gets you through a clean third-party assessment.

No commitment. No upsell. Month-to-month if we work together.

20 yrs inside MSPs
5-50 employees served
7+ industry verticals
Veteran-owned and Sherwood-based

Aligned with the frameworks your industry expects

9-18 months: the realistic timeline from scoping conversation to a clean third-party assessment. We start with a 60-minute scoping call and a one-page gap report. No commitment, no upsell.

In Plain English

If your business is in the defense supply chain, the federal government will eventually require you to demonstrate that you protect the controlled information you handle. There is a framework, a control list, and an assessment by an outside reviewer. The actual compliance work breaks down into a handful of practical decisions about which Microsoft tenant the controlled data lives in, how your network is segmented, who has access to what, and what your written security plan says about all of it. The technology side is the faster part. The documentation side takes longer.

We have walked manufacturers through this before. We know the federal-cloud setup choice and how to make it. We know the controls list (110 specific items) and how to actually deploy them. We know the two written documents the assessor will read on the day they show up: the security plan, and the gap-tracking document that says how every open item gets closed. We bring a 60-minute scoping call, a one-page report on where you stand today, and a recommendation that names the next three things to do in priority order.

The point of working with us is that you stop having to learn the entire compliance ecosystem yourself. You hire one team to handle the technology, the documentation, and the prep work for the assessment. You spend your time running the business and bidding on contracts. We handle the rest.

What We Cover for Defense Suppliers and Federal Contractors

The vertical-specific work, included by default, not as upsells.

CMMC 2.0 Scoping

The full enterprise does not need to be in scope. Careful enclave design keeps the CUI environment a discrete subset of users, devices, and data flows, dramatically reducing the controls burden. Get this right early.

NIST SP 800-171 Implementation

110 controls across 14 families. Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, and the rest. We deploy, document, and operate them.

GCC vs GCC High

GCC for most CMMC Level 2 work. GCC High for ITAR. The CUI workflow moves to a federal tenant; the commercial tenant the rest of the business runs on stays in place. We handle the migration and ongoing administration.

ITAR US-Person Controls

Foreign nationals may not have access to ITAR-controlled technical data without a license. Identity systems have to enforce that. Personnel screening, data residency, Technology Control Plan support.

OT/IT Segmentation for Production

CNCs, PLCs, CAM systems on a separate network from the CUI environment. Vintage firmware behind a firewall and not exposed to the office. Documented in the System Security Plan.

SSP and POA&M Maintenance

The System Security Plan describes the environment and controls. The Plan of Action and Milestones tracks every gap, who owns it, and when it closes. These two documents are the heart of the assessment.

Common Questions

What is CMMC 2.0 and which level applies to my business?

CMMC 2.0 (Cybersecurity Maturity Model Certification, version 2.0) is the Department of Defense framework that contractors and subcontractors handling federal contract information or controlled unclassified information must comply with. Level 1 covers Federal Contract Information and is self-attested annually. Level 2 covers Controlled Unclassified Information (CUI) and requires either self-attestation or a third-party assessment depending on the contract. Level 3 covers the most sensitive programs and requires a government-led assessment. For a typical small precision-manufacturing supplier in the Department of Defense supply chain, Level 2 is the realistic target.

How is NIST SP 800-171 related to CMMC?

CMMC Level 2 is built on top of NIST SP 800-171, the federal control set for protecting CUI in non-federal systems. NIST 800-171 Revision 2 specifies 110 security controls across 14 control families. Revision 3 (released 2024) reorganizes the controls and adjusts some requirements but is still being incorporated into the contracting machinery. If a contractor is implementing CMMC Level 2, they are implementing NIST 800-171 controls plus the assessment and documentation overhead CMMC adds on top.

Does ITAR apply to my manufacturing business?

ITAR (the International Traffic in Arms Regulations) applies to anyone who designs, develops, manufactures, exports, brokers, or furnishes defense articles, defense services, or related technical data on the United States Munitions List. For a precision-metals supplier this often means yes, even if the work feels mundane. If you make a part that goes into something on the USML, the technical data describing that part is ITAR-controlled. Failure to register and to control access to ITAR data carries significant criminal and civil penalties. Most small manufacturers in the defense supply chain need to register with the State Department Directorate of Defense Trade Controls.

What does an MSP for a CMMC-regulated environment look like?

The MSP itself has to either operate inside the customer's assessment boundary as part of the assessed environment or be carefully structured as outside it via documented service-level controls. The MSP's own systems that touch CUI become in-scope. In practice this means tenant separation, US-person-only support staffing for ITAR data, documented separation between the customer's GCC or GCC-High Microsoft 365 tenant and the MSP's own infrastructure, and a security plan that is itself compliant with NIST 800-171.

How long does CMMC Level 2 implementation actually take?

For a small manufacturer starting from a typical commercial IT environment in 2026, expect 9 to 18 months from first scoping conversation to a clean third-party assessment. The technology side (deploying GCC or GCC-High, EDR, MFA, segmentation, logging, encryption) is usually the faster part. The documentation, policy work, training, and procedural change management is the slower part. Plan on a six-figure first-year investment between technology, professional services, assessment fees, and internal time.

Ready for a 60-Minute Assessment?

Bring your current setup, your concerns, and your renewal timeline. We will return a one-page gap analysis. No commitment, no upsell.

Schedule a CMMC Scoping Call