CMMC Level 2 Certification – Maryland
Maryland Department of War (DoW) contractors and subcontractors are now required to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. It is designed to ensure those working in the Defense Industrial Base (DIB) have appropriate safeguards to protect controlled unclassified information (CUI). Those who handle, process, store, or transmit CUI are required to comply with 110 security requirements from NIST SP 800. In other words, these companies are required to meet CMMC Level 2 requirements, as defined in 32 CFR Part 170 and related DFARS, to continue doing business with the DoW. CMMC Level 2 Certification requirements are required to be added to applicable contracts starting November 10, 2026. To bid on those contracts, the DIB is required to attain a favorable CMMC Level 2 Certification status from a CMMC Third Party Assessor Organization (C3PAO). Only CP3AO certified assessors are permitted by the DoW to conduct the assessment and confirm compliance with established requirements.
CMMC Level 2 Certification – Maryland
McKonly & Asbury is authorized as a CMMC C3PAO for level 2 certification assessments. We have worked with dozens of DoW contractors and subcontractors either with the certification assessment or with mock assessments. Our team has undergone significant training on the certification process and undergoes regular training on cybersecurity and data management. If your company needs a Level 2 certification, McKonly & Asbury stands ready to assist.
Industry Involvement
CMMC Certification Solutions – Maryland
By leveraging our tiered cybersecurity services, you can prepare your Maryland organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:
- CMMC Level 2 Certification
- CMMC Mock Assessment
CMMC Frequently Asked Questions
CMMC Level 2 is intended for organizations that process, store and transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
The duration can vary depending on the scope of the environment, type of implementation, number of physical locations and amount physical controlled unclassified information (CUI). Typically, the assessment will cover a three-to-six-week time period. This includes the pre-assessment, assessing conformity of the security requirements and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a system security plan (SSP) performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.
Maryland DoD Contractor Community
Maryland has one of the most concentrated and strategically important Department of Defense contractor ecosystems in the country, anchored by its proximity to Washington, D.C. and a dense cluster of federal installations. The state’s DoD community is deeply intertwined with defense policy, intelligence, cybersecurity, research, and advanced systems development, making Maryland a critical hub for both prime contractors and highly specialized small and mid-sized firms. Much of this activity is centered around Fort Meade, home to U.S. Cyber Command and the National Security Agency, which has driven a massive ecosystem of cybersecurity, intelligence analysis, cloud engineering, and zero-trust architecture contractors throughout Anne Arundel, Howard, and Montgomery counties.
In northern Maryland, Aberdeen Proving Ground serves as a long-standing nucleus for Army research, testing, and evaluation, supporting contractors focused on weapons systems, C5ISR, autonomous systems, logistics, and battlefield communications. Firms operating around Aberdeen often specialize in engineering services, modeling and simulation, test instrumentation, and sustainment support, with many holding deep experience navigating FAR, DFARS, and cost-reimbursable contract structures. Southern Maryland adds another major pillar through Naval Air Station Patuxent River, where naval aviation programs fuel demand for aerospace engineering, systems integration, flight testing, and lifecycle program management services.
National Reach
McKonly & Asbury offers CMMC certification to DoD contractors in Alabama (AL), Colorado (CO), Florida (FL), Georgia (GA), Illinois (IL), Indiana (IN), Maryland (MD), Michigan (MI), New Jersey (NJ), New Mexico (NM), New York (NY), North Carolina (NC), Ohio (OH), South Carolina (SC), Tennessee (TN), Texas (TX), Washington DC, Wisconsin (WI), and Virginia (VA).