CMMC Level 2 Compliance for DoD Manufacturers in San Diego

Keep the shop running, make audits boring, prove it with evidence

CMMC Level 2 Compliance for DoD Manufacturers in San Diego, A Plainspoken Guide from the Shop Floor

If you run a manufacturing shop in San Diego and you touch Controlled Unclassified Information, the new DFARS rule makes CMMC Level 2 compliance a contract reality. This is not theory anymore. It is in the Federal Register, it takes effect on November 10, 2025, and it will show up in your solicitations. If you want to keep bidding and winning, you need a steady plan that does not stall production.

This guide explains what changed, what Level 2 really means, how assessments work, when the rule hits your bids, and how to phase your work without slowing the floor. It also shows how managed IT services and IT compliance management work together.


What the DFARS Final Rule Changes for CMMC Level 2 Award Eligibility

On September 10, 2025, DoD issued the final DFARS rule that ties CMMC to contracts. It requires contracting officers to include the right CMMC level and assessment type in solicitations and awards. The rule takes effect on November 10, 2025, with a phase in period, then becomes standard in applicable contracts.

  • Level 1 covers FCI: self assessment, annual affirmation, and SPRS posting.
  • Level 2 covers CUI: the assessment type depends on risk, some contracts allow self assessment, others require a C3PAO.
  • Level 3 covers the most sensitive missions, assessed by DIBCAC.
  • Conditional status with a plan of action and milestones is allowed for Level 2 and Level 3 for up to one hundred eighty days.
  • Flowdown to subcontractors applies when subs handle FCI or CUI.
  • COTS only buys are excluded.
  • You must post results to SPRS and affirm compliance annually.

Call to Action
Book a twenty minute CMMC Level 2 readiness call. We will review your pipeline and show you the most likely assessment path for your contracts. Book Now.


CMMC Level 2 Assessment Types, Self vs C3PAO, and What San Diego Manufacturers Should Expect

Your solicitation will tell you if you need a third party assessment or if a self assessment is allowed. When a C3PAO is required, plan for evidence collection, interviews, and technical validation. When a self assessment is allowed, do it with the same rigor. Collect evidence, keep an evidence binder, and assign owners for each control.

Both paths require you to post your status to SPRS and complete an annual affirmation.


How to Post Status in SPRS and Keep Your Annual Affirmation Current

  1. Log into the Supplier Performance Risk System with your approved credentials.
  2. For a self assessment, enter your CMMC unique identifier and your assessment result. For a C3PAO assessment, the assessor records the result in CMMC eMASS and it flows to SPRS; confirm it appears against the right identifier.
  3. Assign an affirming official and complete the annual affirmation for each in scope system.

Set a calendar reminder thirty days before expiration and assign a backup. Missing this step can block awards.


Flow Down to Subcontractors and Vendor Proof Packets

Primes must verify that subs handling FCI or CUI have the right CMMC status. They cannot view your SPRS directly, so provide a simple proof packet.

Vendor flowdown checklist

  • A screenshot or PDF extract of your SPRS status, redacted as needed.
  • A signed letter from your affirming official with the date and CMMC unique identifier.
  • A one page summary of your assessment type, self or C3PAO, and the status date.
  • Contact information for follow up, without exposing sensitive internal identifiers.

Call to Action
Ask us for a vendor flowdown checklist and a proof packet template. Contact Us Here.


Ninety Day Plan to Reach CMMC Level 2 Without Stalling Production

Days one to thirty, scope and baseline

  • Confirm where CUI lives: file shares, CAD, ERP, email, and vendor portals.
  • Decide whether to stand up a CUI enclave that keeps the rest of the network simple.
  • Inventory identities, devices, and software, then define a dedicated boundary with clear policies.
  • Run a fast gap analysis against the one hundred ten practices, and assign an owner and a due date for each item.
  • Start restore tests and time stamp the results: who ran the test, what data was restored, and how long it took.

Days thirty one to sixty, close high risk gaps

  • Enforce multifactor authentication on all in scope identities, with documented exceptions only while legacy apps are being fixed.
  • Segment the network so CUI stays inside the enclave, block legacy protocols, and use private service endpoints where possible.
  • Encrypt data at rest and in transit, enable data loss prevention, and verify that alerts trigger.
  • Move CUI email into a protected channel with sensitivity labels, banners, and tested transport rules.
  • Plan change windows after hours with rollback steps documented and tested.

Days sixty one to ninety, finish controls and prepare evidence

  • Close medium risk gaps, finalize playbooks, and train the team.
  • Build the vendor review checklist and update contracts for any supplier who touches CUI.
  • Complete the self assessment or schedule your C3PAO if required by the solicitation.
  • Post your status to SPRS and identify your affirming official for the annual affirmation.
  • Use a plan of action and milestones if allowed and needed for small items at Level 2, then close them within the permitted window.
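The restore test in days one to thirty is only worth the evidence it leaves behind. The script below is an added example, not code from Noble Technology Group or from any CMMC tool: it hashes a source tree into a manifest before backup, verifies a restored copy file by file, and emits one JSON evidence line with the operator, UTC timestamp, counts, and duration. The file names, the operator name `j.doe`, and the corrupted file are constructed sample data.

```python
"""Restore-test evidence: verify a restored tree against a pre-backup manifest
and record who ran it, what was restored, how long it took, and the result.
Added example; the sample files and operator name are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large CAD or ERP exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (taken before backup)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root, operator):
    """Compare the restored tree to the manifest and return an evidence record."""
    started = time.monotonic()
    timestamp = datetime.now(timezone.utc).isoformat()
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            mismatched.append(rel)
    elapsed = time.monotonic() - started
    return {
        "test": "restore-verification",
        "timestamp_utc": timestamp,
        "operator": operator,
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "duration_seconds": round(elapsed, 3),
        "result": "PASS" if not (missing or mismatched) else "FAIL",
    }


def evidence_line(record):
    """One JSON line per test, ready to append to the evidence binder's restore log."""
    return json.dumps(record, sort_keys=True)


def demo():
    """Constructed sample: a tiny source tree, a clean restore, and one corrupted file."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "cad"))
        with open(os.path.join(src, "cad", "part-001.step"), "w") as f:
            f.write("ISO-10303-21; constructed sample part\n")
        with open(os.path.join(src, "po-2025-0042.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(src)

        # Simulate the restore, then corrupt one restored file to show a FAIL record.
        shutil.copytree(src, dst, dirs_exist_ok=True)
        with open(os.path.join(dst, "cad", "part-001.step"), "a") as f:
            f.write("truncated\n")

        good = verify_restore(manifest, src, "j.doe")  # source against its own manifest
        bad = verify_restore(manifest, dst, "j.doe")   # corrupted restore
        return good, bad


if __name__ == "__main__":
    for record in demo():
        print(evidence_line(record))
```

Run it after each restore drill and append the output line to the evidence log; an assessor can then see the operator, timestamp, duration, and exactly which files failed verification rather than a bare "restore tested" checkbox.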

Managed IT Services and IT Compliance Services, One Steady System

We run managed IT services to keep your floor steady while our compliance team maintains the documentation.


Real Client Outcomes, San Diego Manufacturers on Uptime and Audits

We needed to become CMMC Level 2 compliant, without massive disruption. Noble partnered with our IT team and helped us build a compliant enclave tailored to our stakeholders. Within a year we were securely managing CUI and working with a Defense Prime, without losing efficiency. The team was knowledgeable and easy to work with.

Mike “MK” Kister, VP of Marketing and Product Management, Novagard

When our headquarters burned down, we feared the worst. Thanks to Noble Technology Group, we were back up the next day. They also helped us navigate government cybersecurity expectations. They care about our success and deliver when it matters.

Elliot LeGros, VP and Owner, Westflex

Having an IT provider that manages our locations across time zones is a major benefit. Real time problem solving, reliable service since 2012.

Joshua Carr, President and CEO, California Marine Cleaning

Recent reviews mention fast response, clear communication, and support for NIST and CMMC work. That matters, because CMMC is not a one time push, it is a rhythm that managed IT services, IT support and services, and IT compliance have to sustain.

When the CMMC rule starts impacting awards

Effective date is November 10, 2025, with a three year phase in. Some programs will include CMMC earlier based on risk.

Does Level 2 always require a C3PAO assessment

No. The solicitation sets the assessment type. Some Level 2 contracts allow a self assessment, others require a C3PAO based on the sensitivity and risk.

Can we get conditional status with a POA&M at Level 2

Yes. Conditional status is allowed for Level 2 and Level 3 for up to one hundred eighty days while closing an approved plan of action and milestones. Level 1 requires final status at award.

What must be posted to SPRS for CMMC

Your CMMC assessment result or certificate, the CMMC unique identifier for each in scope system, and an annual affirmation by your affirming official.

Do primes have to verify subcontractor CMMC status

Yes. Primes verify a sub’s current status before sharing FCI or CUI. Since primes cannot see a sub’s SPRS directly, a simple proof packet speeds collaboration.


Final Thoughts

CMMC Level 2 is now a contract gate. The good news is that you can meet it without hurting production if you scope well, move in a steady rhythm, and keep your evidence clean. If you want a local partner who will handle the details and bring you proof, we are here.

Call to Action
Book your Plant and Policy Check today.


About the Author

  • Peter Noble, Founder, Noble Technology Group, serving San Diego manufacturers with managed IT services, IT support and services, and IT compliance services.