CMMC Level 2 Certification – Sterling Heights (MI)
Sterling Heights and Michigan Department of War (DoW) contractors and subcontractors are now required to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. It is designed to ensure those working in the Defense Industrial Base (DIB) have appropriate safeguards to protect controlled unclassified information (CUI). Those who handle, process, store, or transmit CUI are required to comply with 110 security requirements from NIST SP 800. In other words, these companies are required to meet CMMC Level 2 requirements, as defined in 32 CFR Part 170 and related DFARS, to continue doing business with the DoW. CMMC Level 2 Certification requirements are required to be added to applicable contracts starting November 10, 2026. To bid on those contracts, the DIB is required to attain a favorable CMMC Level 2 Certification status from a CMMC Third Party Assessor Organization (C3PAO). Only CP3AO certified assessors are permitted by the DoW to conduct the assessment and confirm compliance with established requirements.
CMMC Level 2 Certification – Sterling Heights (MI)
McKonly & Asbury is authorized as a CMMC C3PAO for level 2 certification assessments. We have worked with dozens of DoW contractors and subcontractors either with the certification assessment or with mock assessments. Our team has undergone significant training on the certification process and undergoes regular training on cybersecurity and data management. If your company needs a Level 2 certification, McKonly & Asbury stands ready to assist.
Industry Involvement
CMMC Certification Solutions – Sterling Heights (MI)
By leveraging our tiered cybersecurity services, you can prepare your Sterling Heights and Michigan organization to meet DoW and industry-related cybersecurity standards. Explore our suite of security audit and assessment solutions:
- CMMC Level 2 Certification
- CMMC Mock Assessment
CMMC Frequently Asked Questions
CMMC Level 2 is intended for organizations that process, store and transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
The duration can vary depending on the scope of the environment, type of implementation, number of physical locations and amount physical controlled unclassified information (CUI). Typically, the assessment will cover a three-to-six-week time period. This includes the pre-assessment, assessing conformity of the security requirements and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a system security plan (SSP) performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.
Contact our Sterling Heights CMMC Team
Michigan DoD Contractor Community
The Sterling Heights Department of Defense (DoD) contractor community is one of the most concentrated and strategically important ground vehicle and defense manufacturing hubs in the United States, driven largely by its proximity to the Detroit Arsenal and the U.S. Army Tank-automotive and Armaments Command (TACOM). This region plays a central role in the design, development, procurement, and lifecycle management of the Army’s ground combat and tactical vehicle systems, making Sterling Heights a focal point for defense contractors specializing in armored vehicles, weapons systems, and military mobility platforms. The area’s deep integration with Army operations creates a steady flow of both prime contracts and subcontracting opportunities tied to major defense programs.
A defining feature of the Sterling Heights GovCon ecosystem is the strong presence of major defense contractors, including General Dynamics Land Systems, which is headquartered in the city and serves as a primary manufacturer of platforms such as the Abrams main battle tank and Stryker combat vehicle. This concentration of prime contractors supports a robust network of small and mid-sized suppliers that provide precision machining, fabrication, electronics integration, and specialized components essential to defense production. Many of these firms operate as Tier 2 and Tier 3 subcontractors, deeply embedded in long-term defense programs that require consistent quality, compliance, and scalability.
National Reach
McKonly & Asbury offers CMMC certification to DoD contractors in Alabama (AL), Colorado (CO), Florida (FL), Georgia (GA), Illinois (IL), Indiana (IN), Maryland (MD), Michigan (MI), New Jersey (NJ), New Mexico (NM), New York (NY), North Carolina (NC), Ohio (OH), South Carolina (SC), Tennessee (TN), Texas (TX), Washington DC, Wisconsin (WI), and Virginia (VA).