CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a DoD requirement for any contractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 consolidates the original five levels into three: Level 1 (foundational, 15 practices from FAR 52.204-21), Level 2 (advanced, 110 practices from NIST SP 800-171 Rev 2), and Level 3 (expert, NIST SP 800-172 controls). Level 2 and Level 3 require third-party or government-led assessments.

Top Floor helps defense contractors and their subcontractors understand where they stand, close gaps, and prepare for assessment. We perform a detailed review of your System Security Plan (SSP), map your current controls against NIST SP 800-171, identify POA&M items, and build an actionable remediation roadmap. For organizations that need to establish or refine their CUI boundary, we provide scoping guidance to minimize the assessment surface without sacrificing compliance.

This is not a check-the-box exercise. CMMC assessors will probe for evidence of operational effectiveness, not just policy documents. We prepare you for that level of scrutiny by validating that controls are actually implemented and producing artifacts that demonstrate real practice.

Frameworks: CMMC 2.0, NIST SP 800-171 Rev 2, NIST SP 800-172, FAR 52.204-21