CMMC 2.0 is mandatory for US Department of Defense contractors handling Controlled Unclassified Information (CUI). Canadian companies in the US/Canada defence supply chain - including NORAD, NATO, and DND contractors - increasingly face CMMC requirements. ThreeShield delivers CMMC gap assessments backed by government audit experience.
Level 1 (Foundational): basic cyber hygiene. Annual self-assessment with an annual affirmation. Covers Federal Contract Information (FCI) only. Maps to the 15 basic safeguarding requirements of FAR 52.204-21, a subset of NIST SP 800-171.
Level 2 (Advanced): aligns to NIST SP 800-171 in full (all 110 requirements). Required for contracts involving CUI. Triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for programs with higher-sensitivity CUI; self-assessment for the rest. Both paths require an annual affirmation of continued compliance by a senior company official.
Level 3 (Expert): adds a selected subset of NIST SP 800-172 enhanced requirements on top of the full Level 2 baseline, for the highest-value DoD programs. Assessments are government-led by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO, and a Level 2 C3PAO certification is a prerequisite.
The most critical step in CMMC compliance is defining what CUI you handle and where it lives, because the scope sets the assessment boundary. Overly broad scoping pulls systems into the assessment that never touch CUI and creates unnecessary compliance burden; too narrow scoping leaves CUI-handling assets outside the boundary and creates a real risk of a failed assessment. The CMMC scoping guidance sorts every asset into one of five categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), and the category determines what an assessor examines. ThreeShield delivers formal CUI scoping exercises that produce this asset inventory and the justification for each boundary decision.
CMMC Level 2 requires a documented System Security Plan (SSP) describing how each of the 110 NIST SP 800-171 requirements is implemented in the assessed environment. The SSP is the primary document the C3PAO assessor reviews, and assessors test what it describes against the live systems, so a plan that does not match the environment fails on its own. ThreeShield develops SSPs grounded in your actual technical environment, not templates.
A Plan of Action and Milestones (POAM) documents known gaps and remediation timelines. Under CMMC 2.0 a POAM is permitted only within limits: a Level 2 assessment can close with Conditional status if the score is at least 80% (88 of 110), certain higher-weighted requirements cannot be deferred at all, and every open item must be closed and verified within 180 days or the conditional status lapses. A well-managed POAM therefore demonstrates compliance maturity only while it is shrinking on schedule, not as a standing list of accepted gaps. ThreeShield maintains POAM tracking continuously.
CMMC certification is a condition of contract award for affected DoD contracts. Non-certified organizations cannot compete for contracts requiring CMMC Level 2 or 3. The DoD is phasing CMMC requirements into new solicitations and contracts over a multi-year rollout; as existing contracts are recompeted or options exercised, organizations that are not certified lose eligibility for defence work they hold today.
Yes, if you're in the US Department of Defense supply chain - either as a prime contractor with US government contracts, or as a subcontractor to a US prime. Canadian companies building components for US defence programs (aerospace parts, software, services) increasingly face CMMC requirements passed down through their prime contractor's flow-down clauses. NORAD and NATO involvement can also trigger requirements.
It depends on your contract category. Level 1 still allows annual self-assessment. Level 2 for most CUI programs now requires a third-party assessment (C3PAO) every three years, with annual affirmations in between. The self-attestation model used under DFARS 252.204-7012, where a contractor reports its own NIST SP 800-171 self-assessment score to SPRS under DFARS 252.204-7019/7020, is being replaced by formal CMMC certification. ThreeShield helps you understand which level applies and what certification looks like.
CMMC governs cybersecurity controls for protecting CUI. ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) govern the export of defence-related technology and information. They're separate regulatory regimes that often apply simultaneously to defence contractors. ThreeShield focuses on the CMMC cybersecurity requirements; ITAR/EAR compliance involves additional export control expertise.
ThreeShield meets you at your current security maturity. Every level includes Lavawall®.
DIY: for lean IT teams and cost-conscious organizations with internal security capacity
Supported: expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity
Done-for-You: full compliance delivery - ThreeShield manages the entire program end to end
Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.
Book a Scoping Call
DIY · Supported · Done-for-You · Available globally