CMMC Level 2 Certification – New Mexico
New Mexico Department of War (DoW) contractors and subcontractors are now required to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. It is designed to ensure those working in the Defense Industrial Base (DIB) have appropriate safeguards to protect controlled unclassified information (CUI). Those who handle, process, store, or transmit CUI are required to comply with 110 security requirements from NIST SP 800. In other words, these companies are required to meet CMMC Level 2 requirements, as defined in 32 CFR Part 170 and related DFARS, to continue doing business with the DoW. CMMC Level 2 Certification requirements are required to be added to applicable contracts starting November 10, 2026. To bid on those contracts, the DIB is required to attain a favorable CMMC Level 2 Certification status from a CMMC Third Party Assessor Organization (C3PAO). Only CP3AO certified assessors are permitted by the DoW to conduct the assessment and confirm compliance with established requirements.
CMMC Level 2 Certification – New Mexico
McKonly & Asbury is authorized as a CMMC C3PAO for level 2 certification assessments. We have worked with dozens of DoW contractors and subcontractors either with the certification assessment or with mock assessments. Our team has undergone significant training on the certification process and undergoes regular training on cybersecurity and data management. If your company needs a Level 2 certification, McKonly & Asbury stands ready to assist.
Industry Involvement
CMMC Certification Solutions – New Mexico
By leveraging our tiered cybersecurity services, you can prepare your New Mexico organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:
- CMMC Level 2 Certification
- CMMC Mock Assessment
CMMC Frequently Asked Questions
CMMC Level 2 is intended for organizations that process, store and transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
The duration can vary depending on the scope of the environment, type of implementation, number of physical locations and amount physical controlled unclassified information (CUI). Typically, the assessment will cover a three-to-six-week time period. This includes the pre-assessment, assessing conformity of the security requirements and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a system security plan (SSP) performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.
New Mexico DoD Contractor Community
New Mexico’s Department of Defense contractor community is heavily influenced by advanced research, aerospace engineering, national security technology, and weapons systems development, with activity centered around installations such as Kirtland Air Force Base, White Sands Missile Range, and Holloman Air Force Base, as well as the broader innovation ecosystem tied to the state’s national laboratories. Albuquerque serves as a major hub for defense contractors focused on cybersecurity, directed energy, space systems, and intelligence support, while southern New Mexico benefits from missile testing, aviation training, and range operations that generate opportunities for engineering firms, logistics providers, and specialized manufacturers.
The presence of research institutions such as Sandia National Laboratories and Los Alamos National Laboratory reinforces a strong pipeline of high-tech contractors working on advanced sensors, nuclear deterrence programs, and next-generation defense technologies, attracting both prime contractors and highly specialized small businesses. Across the state, universities and workforce programs help sustain a technically skilled labor pool that supports innovation in aerospace, energy resilience, and digital modernization, making New Mexico’s DoD contractor community uniquely research-driven and closely aligned with federal priorities around national security, space exploration, and emerging defense technologies
National Reach
McKonly & Asbury offers CMMC certification to DoD contractors in Alabama (AL), Colorado (CO), Florida (FL), Georgia (GA), Illinois (IL), Indiana (IN), Maryland (MD), Michigan (MI), New Jersey (NJ), New Mexico (NM), New York (NY), North Carolina (NC), Ohio (OH), South Carolina (SC), Tennessee (TN), Texas (TX), Washington DC, Wisconsin (WI), and Virginia (VA).