CMMC Level 2 Certification – California
California Department of War (DoW) contractors and subcontractors are now required to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. It is designed to ensure those working in the Defense Industrial Base (DIB) have appropriate safeguards to protect controlled unclassified information (CUI). Those who handle, process, store, or transmit CUI are required to comply with 110 security requirements from NIST SP 800. In other words, these companies are required to meet CMMC Level 2 requirements, as defined in 32 CFR Part 170 and related DFARS, to continue doing business with the DoW. CMMC Level 2 Certification requirements are required to be added to applicable contracts starting November 10, 2026. To bid on those contracts, the DIB is required to attain a favorable CMMC Level 2 Certification status from a CMMC Third Party Assessor Organization (C3PAO). Only CP3AO certified assessors are permitted by the DoW to conduct the assessment and confirm compliance with established requirements.
CMMC Level 2 Certification – California
McKonly & Asbury is authorized as a CMMC C3PAO for level 2 certification assessments. We have worked with dozens of DoW contractors and subcontractors either with the certification assessment or with mock assessments. Our team has undergone significant training on the certification process and undergoes regular training on cybersecurity and data management. If your company needs a Level 2 certification, McKonly & Asbury stands ready to assist.
Industry Involvement
CMMC Certification Solutions – California
By leveraging our tiered cybersecurity services, you can prepare your California organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:
- CMMC Level 2 Certification
- CMMC Mock Assessment
CMMC Frequently Asked Questions
CMMC Level 2 is intended for organizations that process, store and transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
The duration can vary depending on the scope of the environment, type of implementation, number of physical locations and amount physical controlled unclassified information (CUI). Typically, the assessment will cover a three-to-six-week time period. This includes the pre-assessment, assessing conformity of the security requirements and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a system security plan (SSP) performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.
California DoD Contractor Community
California hosts one of the largest and most strategically important Department of Defense communities in the United States, serving as a cornerstone of military readiness, advanced research, and defense manufacturing. The state supports a dense concentration of installations across every branch of the armed forces, making it central to naval operations in the Pacific, aerospace testing and development, space launch and missile defense, logistics, and large-scale training and sustainment activities. Major facilities such as Naval Base San Diego, Vandenberg Space Force Base, Edwards Air Force Base, Marine Corps Air Station Miramar, and Naval Air Weapons Station China Lake anchor a statewide military footprint that spans coastal, inland, and desert regions.
The economic impact of the DoD presence in California is substantial, with tens of billions of dollars flowing into the state each year through military payroll, operations, and federal contracting. Hundreds of thousands of active-duty service members, civilian employees, reservists, and National Guard personnel live and work in California, supporting local economies and creating deep ties between military installations and surrounding business communities. Defense activity supports a broad ecosystem of professional services, construction, logistics, healthcare, cybersecurity, and technical consulting firms that specialize in serving military and federal clients.
National Reach
McKonly & Asbury offers CMMC certification to DoD contractors in Alabama (AL), Colorado (CO), Florida (FL), Georgia (GA), Illinois (IL), Indiana (IN), Maryland (MD), Michigan (MI), New Jersey (NJ), New Mexico (NM), New York (NY), North Carolina (NC), Ohio (OH), South Carolina (SC), Tennessee (TN), Texas (TX), Washington DC, Wisconsin (WI), and Virginia (VA).