CMMC Level 2 Certification – Ohio
Ohio Department of War (DoW) contractors and subcontractors are now required to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. It is designed to ensure those working in the Defense Industrial Base (DIB) have appropriate safeguards to protect controlled unclassified information (CUI). Those who handle, process, store, or transmit CUI are required to comply with 110 security requirements from NIST SP 800. In other words, these companies are required to meet CMMC Level 2 requirements, as defined in 32 CFR Part 170 and related DFARS, to continue doing business with the DoW. CMMC Level 2 Certification requirements are required to be added to applicable contracts starting November 10, 2026. To bid on those contracts, the DIB is required to attain a favorable CMMC Level 2 Certification status from a CMMC Third Party Assessor Organization (C3PAO). Only CP3AO certified assessors are permitted by the DoW to conduct the assessment and confirm compliance with established requirements.
CMMC Level 2 Certification – Ohio
McKonly & Asbury is authorized as a CMMC C3PAO for level 2 certification assessments. We have worked with dozens of DoW contractors and subcontractors either with the certification assessment or with mock assessments. Our team has undergone significant training on the certification process and undergoes regular training on cybersecurity and data management. If your company needs a Level 2 certification, McKonly & Asbury stands ready to assist.
Industry Involvement
CMMC Certification Solutions – Ohio
By leveraging our tiered cybersecurity services, you can prepare your Ohio organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:
- CMMC Level 2 Certification
- CMMC Mock Assessment
CMMC Frequently Asked Questions
CMMC Level 2 is intended for organizations that process, store and transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
The duration can vary depending on the scope of the environment, type of implementation, number of physical locations and amount physical controlled unclassified information (CUI). Typically, the assessment will cover a three-to-six-week time period. This includes the pre-assessment, assessing conformity of the security requirements and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a system security plan (SSP) performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.
Ohio DoD Contractor Community
Ohio hosts one of the most deeply institutionalized and technically sophisticated Department of Defense contractor communities in the United States, built on a long history of aerospace innovation, advanced manufacturing, and sustained federal research investment. The state’s defense ecosystem is geographically diverse, with major concentrations in Dayton, Columbus, Cleveland, and Lima, creating a broad and resilient contractor base that supports air superiority, research and development, ground systems, and next-generation defense technologies.
The backbone of Ohio’s DoD contractor community is the Dayton region, anchored by Wright-Patterson Air Force Base, one of the most important Air Force installations in the world. Wright-Patt serves as a global center for aerospace research, testing, acquisition, and lifecycle management, housing Air Force Materiel Command, the Air Force Research Laboratory, and numerous program offices. Contractors in the region are deeply embedded in mission-critical work involving aircraft development, sensors, autonomy, materials science, human performance, cybersecurity, and advanced analytics. The presence of long-term R&D missions has fostered a dense network of engineering firms, technology developers, and professional services providers that specialize in highly technical, clearance-intensive programs with multi-decade lifecycles.
National Reach
McKonly & Asbury offers CMMC certification to DoD contractors in Alabama (AL), Colorado (CO), Florida (FL), Georgia (GA), Illinois (IL), Indiana (IN), Maryland (MD), Michigan (MI), New Jersey (NJ), New Mexico (NM), New York (NY), North Carolina (NC), Ohio (OH), South Carolina (SC), Tennessee (TN), Texas (TX), Washington DC, Wisconsin (WI), and Virginia (VA).