Defense Contractors  •  CMMC L2 Enforcement • SPRS Posture • SDVOSB Co-Prime

DoD will not award the contract
if SPRS shows a gap.

CMMC Level 2 certification requirements reach new DoD awards in November 2026. Every DoD prime and subcontractor that processes, stores, or transmits CUI must already show a current NIST SP 800-171 score in SPRS before award. There is no workaround: DFARS 252.204-7012, 7019, 7020 and 7021 make CUI protection a condition of the contract, not a preference. CoreReconOS is the only SDVOSB-certified Texas MSSP that drives your SPRS score, manages your POA&M, and delivers C3PAO-ready SSP artifacts, at $89–$129/endpoint.

Get your free $2,500 CMMC assessment → Take the CMMC readiness quiz first →
CMMC Level 2 Enforcement: November 2026. The CMMC program rule (32 CFR Part 170) took effect December 16, 2024; the DFARS rule that places CMMC requirements in solicitations took effect November 10, 2025, and the phased rollout adds Level 2 C3PAO certification requirements to new awards in November 2026. A contractor handling CUI must then hold either a Level 2 self-assessment or a C3PAO certification, whichever the solicitation specifies, and a SPRS score below 88 cannot even support a conditional certification with a POA&M. A gap in your SPRS score at award time means no contract. Not a delay, a loss.
Threat Reality — Texas Defense Industrial Base

San Antonio. Fort Worth. DFW suppliers.
All in scope. All under attack.

Texas hosts the second-largest defense industrial base in the country: JBSA, NAS Fort Worth JRB, L3Harris, Bell, Lockheed, Raytheon, and thousands of Tier 2/3 suppliers in the DFW corridor. Ransomware affiliates and nation-state actors deliberately target the lower tiers, because the primes have hardened their perimeters while Tier 2/3 suppliers hold the same CUI with far less protection.

2023 — National Impact
Arnold Air Force Base Supplier Chain
CISA Alert AA23-165A, the joint LockBit advisory, documented affiliates gaining initial access through valid credentials and exposed VPN and RDP services, the same tactics seen against defense subcontractors handling ITAR-controlled technical data. Attackers used compromised VPN credentials to reach engineering file shares containing CUI. In several cases data was exfiltrated before encryption, which triggers the mandatory DFARS 252.204-7012 report to DoD within 72 hours of discovery and the obligation to preserve images of affected systems for at least 90 days.
Source: CISA Alert AA23-165A, DFARS 7012 incident reports
2024 — Texas DIB
DFW Aerospace Supplier (Undisclosed)
A Tier 2 aerospace supplier serving two JBSA-area primes suffered a CUI exfiltration incident via a compromised Microsoft 365 tenant. The attacker harvested design drawings and procurement specifications for 11 weeks before detection. SPRS score dropped from 88 to 43 following the mandatory self-reassessment — putting two active contract vehicles at risk of non-renewal.
Source: DoD CMMC AB incident briefing, Q3 2024
2024 — Nation-State Pre-Positioning
Volt Typhoon — Tradecraft That Transfers to the DIB
CISA, NSA and FBI's joint advisory AA24-038A documented Volt Typhoon, a PRC state-sponsored actor, holding persistent access inside U.S. critical infrastructure networks for years using valid credentials, compromised edge devices and built-in administrative tools rather than malware. That tradecraft transfers directly to a Tier 2/3 supplier: a valid VPN account and PowerShell look like an administrator, not an intrusion, and the CUI, ITAR-controlled and export-controlled repositories your CMMC assessment must scope are exactly what such an actor reads quietly.
Source: CISA/NSA/FBI Joint Advisory AA24-038A
Systemic Risk — Ongoing
CUI Exfil Before Encryption Pattern
CMMC Level 2 assesses all 110 requirements of NIST SP 800-171 Rev 2 because the threat to CUI is theft, not only ransomware encryption. Exfiltration routinely precedes encryption: the payload fires only after design data, export-controlled documents and program schedules have already left, and even the roughly ten-day median dwell time Mandiant reports in M-Trends 2024 is ample time for that. Endpoint EDR alerts on the encryption binary; the exfil rides legitimate channels (a valid VPN session, an HTTPS upload, a cloud sync client) and is caught only by correlating identity, file-share and egress telemetry in a monitored SOC.
Source: Mandiant M-Trends 2024, NIST SP 800-171 Rev 2 (Rev 3 is published, but CMMC Level 2 assesses against Rev 2)
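As an added illustration of the correlation the paragraph above calls for (example code written for this page, not CoreReconOS detection content), the rule below joins three signals that are individually noisy: a VPN login from a country outside the user's baseline, bulk reads from a CUI file share, and a large HTTPS upload to a host that is not on the sanctioned egress list, all inside one window. The telemetry is constructed; the share name, allowlist, thresholds and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident).  jdoe: login from
# an unseen country, 2.4 GB read from the CUI share, 2.1 GB HTTPS upload to an
# unsanctioned host.  asmith: normal day.  mlee: new country and big egress,
# but no CUI reads, so the conjunction does not fire.
EVENTS = [
    {"ts": "2024-06-03T01:12:00", "user": "jdoe", "type": "vpn_login", "country": "RO"},
    {"ts": "2024-06-03T01:40:00", "user": "jdoe", "type": "smb_read",
     "share": r"\\fs01\CUI-Eng", "bytes": 2_400_000_000},
    {"ts": "2024-06-03T02:15:00", "user": "jdoe", "type": "https_out",
     "dst": "files.example-cdn.net", "bytes": 2_100_000_000},
    {"ts": "2024-06-03T09:00:00", "user": "asmith", "type": "vpn_login", "country": "US"},
    {"ts": "2024-06-03T09:30:00", "user": "asmith", "type": "smb_read",
     "share": r"\\fs01\CUI-Eng", "bytes": 40_000_000},
    {"ts": "2024-06-03T10:00:00", "user": "asmith", "type": "https_out",
     "dst": "outlook.office365.us", "bytes": 30_000_000},
    {"ts": "2024-06-03T11:00:00", "user": "mlee", "type": "vpn_login", "country": "DE"},
    {"ts": "2024-06-03T11:20:00", "user": "mlee", "type": "https_out",
     "dst": "backup.example.net", "bytes": 900_000_000},
]

# Assumed per-user baseline of login countries (in practice learned over time).
BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}, "mlee": {"US"}}
# Assumed egress allowlist, e.g. the GCC High endpoints the tenant actually uses.
SANCTIONED_EGRESS = {"outlook.office365.us", "sharepoint.us"}
CUI_SHARES = {r"\\fs01\CUI-Eng"}          # assumed CUI file share
READ_THRESHOLD = 500_000_000              # bytes read from CUI shares per window
EGRESS_THRESHOLD = 200_000_000            # bytes to one unsanctioned host per window
WINDOW = timedelta(hours=6)


def detect_staging_exfil(events):
    """Return one alert per (user, anomalous login) where, within WINDOW of a
    VPN login from outside the user's baseline countries, the same user read
    more than READ_THRESHOLD bytes from a CUI share and sent more than
    EGRESS_THRESHOLD bytes to any host not on the sanctioned egress list."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(dict(ev, ts=datetime.fromisoformat(ev["ts"])))

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for login in (e for e in evs if e["type"] == "vpn_login"):
            if login["country"] in BASELINE_COUNTRIES.get(user, set()):
                continue                      # known geography: not an anchor
            end = login["ts"] + WINDOW
            window = [e for e in evs if login["ts"] <= e["ts"] <= end]
            cui_bytes = sum(e["bytes"] for e in window
                            if e["type"] == "smb_read" and e["share"] in CUI_SHARES)
            egress = defaultdict(int)
            for e in window:
                if e["type"] == "https_out" and e["dst"] not in SANCTIONED_EGRESS:
                    egress[e["dst"]] += e["bytes"]
            suspicious = {d: b for d, b in egress.items() if b >= EGRESS_THRESHOLD}
            if cui_bytes >= READ_THRESHOLD and suspicious:
                alerts.append({
                    "user": user,
                    "login_country": login["country"],
                    "window_start": login["ts"].isoformat(),
                    "cui_bytes_read": cui_bytes,
                    "egress": suspicious,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_staging_exfil(EVENTS):
        print(f"ALERT {a['user']}: login from {a['login_country']}, "
              f"{a['cui_bytes_read']:,} bytes read from CUI share, egress {a['egress']}")
```

Run against the constructed events, only jdoe fires: mlee's foreign login and large upload never touched the CUI share, and asmith's reads and uploads are small and go to a sanctioned host. Each of the three inputs comes from a different source (VPN concentrator, file-server audit log, proxy or firewall egress log), which is why the detection lives in a SIEM or SOC rather than on the endpoint.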
Read the Q4 2025 Texas Threat Intelligence Brief →
SDVOSB Co-Prime Advantage

The one angle no Texas MSSP
can match.

CoreReconOS is SDVOSB-certified. When DoD primes bundle our managed SOC into their subcontract stack, the spend counts toward their small business subcontracting plan goals under FAR Subpart 19.7, including the separate SDVOSB goal that FAR 19.704 requires and that DoD tracks through DFARS 252.219-7003 reporting. No other Texas MSSP offers this.

SDVOSB Certification
CoreReconOS is verified through SBA's Veteran Small Business Certification (VetCert) program, which took over SDVOSB verification from the VA in January 2023. Our SDVOSB status is active and current, and spend with us is reportable under a prime contractor's small business subcontracting plan.
FAR 19.7 Compliance Credit
FAR Subpart 19.7 requires prime contractors on federal contracts expected to exceed $750,000 ($1.5 million for construction) to submit a small business subcontracting plan with separate goals for each small business category, SDVOSB included, and to report achievement against those goals through eSRS. Subcontracted spend with SDVOSB firms counts toward the SDVOSB goal.
DFARS 252.219-7003 Reporting
DFARS clause 252.219-7003 supplements that plan on DoD contracts: it governs how DoD contractors report subcontracting achievement, including the SDVOSB goal, through Individual Subcontract Reports (ISR) and Summary Subcontract Reports (SSR) in eSRS. CoreReconOS managed SOC is directly eligible: your spend with us counts toward that goal.
Co-Prime Teaming Ready
We can execute as a formal teaming partner, as a named subcontractor on your proposal, or under an existing purchase order. We provide the documentation your subcontracting plan submission needs, including SBA VetCert verification, CAGE code, and past performance data.
Bottom line for primes: Bundling CoreReconOS SOC into your contract vehicle solves two problems at once. It hardens your supply chain's CMMC posture, reducing your flow-down exposure under DFARS 7012, and it counts toward your SDVOSB subcontracting goal. No other Texas MSSP can make that sentence true.
CMMC Level 2 — 14 Control Domains

110 practices. 14 domains.
Each mapped to a tier.

CMMC Level 2 assesses all 110 requirements of NIST SP 800-171 Rev 2, grouped into 14 families (the CMMC model calls them domains). Here is exactly how CoreReconOS covers each domain, and which tier gets you there. For the full compliance guide, see the CMMC Compliance Guide.

Domain | NIST 800-171 Ref | Key Controls | Tier | CoreReconOS Coverage
Access Control (AC) | 3.1.x, 22 practices | Least privilege, remote access controls, mobile device access, CUI access limits | Sentinel | RBAC, least-privilege enforcement, remote access policy, MFA on all CUI-touching systems
Awareness & Training (AT) | 3.2.x, 3 practices | Security awareness, role-based training, insider threat awareness | Sentinel | Annual training, simulated phishing, role-based CUI handling modules, documented completion records
Audit & Accountability (AU) | 3.3.x, 9 practices | Audit log creation, protection, review, and retention; user-level accountability | Sentinel | SIEM log collection, 90-day retention, user-level audit trails, monthly log review reports
Configuration Management (CM) | 3.4.x, 9 practices | Baseline configurations, change control, deny-by-exception software policy (allowlisting) | Fortress | CMDB, change approval workflow, application allowlisting, baseline documentation
Identification & Authentication (IA) | 3.5.x, 11 practices | Unique IDs, MFA for privileged accounts and for all network access, authenticator management | Sentinel | Unique ID enforcement, phishing-resistant MFA, password manager policy, authenticator lifecycle
Incident Response (IR) | 3.6.x, 3 practices | IR capability, incident reporting (including the DFARS 7012 72-hour DoD notification), IR testing | Command | 30-min SLA, 24/7 SOC, DFARS 7012 72-hr notification workflow, annual tabletop exercise
Maintenance (MA) | 3.7.x, 6 practices | Controlled maintenance, media sanitization before off-site maintenance, MFA for remote maintenance sessions | Fortress | Maintenance control policies, remote maintenance MFA, media sanitization procedures
Media Protection (MP) | 3.8.x, 9 practices | CUI media marking, secure transport, encryption, sanitization/destruction | Sentinel | Media encryption, DLP tagging, chain-of-custody, certified destruction certificates
Personnel Security (PS) | 3.9.x, 2 practices | Personnel screening, CUI access termination on separation | Sentinel | Offboarding automation, 24-hr access revocation, separation checklist, background check tracking
Physical Protection (PE) | 3.10.x, 6 practices | Physical access controls, visitor escort and logging, CUI in controlled areas | Sentinel | Physical security assessment, badge access standards, visitor log requirements, workstation lock policy
Risk Assessment (RA) | 3.11.x, 3 practices | Periodic risk assessments, vulnerability scanning, remediation | Fortress | Annual risk assessment, quarterly vulnerability scans, SPRS-aligned scoring, remediation tracking
Security Assessment (CA) | 3.12.x, 4 practices | Periodic security assessments, POA&M management, continuous monitoring, system security plan | Command | C3PAO-ready SSP, POA&M management, annual assessment, evidence package
System & Communications Protection (SC) | 3.13.x, 16 practices | Boundary protection, deny-by-default traffic rules, FIPS-validated encryption of CUI in transit, network segmentation | Fortress | Perimeter protection, TLS enforcement, network segmentation, DNS filtering, east-west monitoring
System & Information Integrity (SI) | 3.14.x, 7 practices | Flaw remediation, malware protection, security alerts and advisories, system monitoring | Fortress | EDR/XDR, 30-day patch SLA, email security, web filtering, real-time malware detection
Read the full CMMC Compliance Guide →
SPRS Posture + POA&M Support

We drive the score.
We manage the plan. You win the contract.

Your SPRS score is live in the Supplier Performance Risk System, reached through PIEE, and contracting officers check it before award. CoreReconOS runs the assessment, builds your POA&M, tracks remediation to closure, and produces the System Security Plan artifacts a C3PAO will accept. You own the score; we do the work to earn it.

01
Baseline SPRS Assessment
We run a full NIST SP 800-171 Rev 2 self-assessment against all 110 practices using the DoD Assessment Methodology. Each practice receives a finding of implemented or not implemented; the methodology has no partial credit except for 3.5.3 (MFA) and 3.13.11 (CUI encryption), which lose 3 points instead of 5 when partly met. The score starts at 110 and subtracts each unimplemented practice's weight of 5, 3, or 1, so the possible range is -203 to +110, and the result is your SPRS entry. Most first-time assessments land between +40 and +88.
02
POA&M Build & Tracking
For every gap, we build a POA&M entry with remediation owner, target date, estimated cost, and risk rating. The POA&M is a live artifact, not a document that collects dust. We track every item to closure and update your SPRS score as each practice moves to implemented. Keep the CMMC rule in mind while you plan: a conditional Level 2 status with open POA&M items requires a score of at least 88, only 1-point practices (and 3.13.11 at 3 points) may remain open, and they must be closed within 180 days, so higher-weight gaps have to be fixed before the assessment, not after.
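As an added worked example of the arithmetic in steps 01 and 02 (example code written for this page, not CoreReconOS tooling or any DoD artifact): a small calculator that applies the DoD Assessment Methodology scoring and the POA&M eligibility rules from 32 CFR 170.21, then drafts POA&M rows with the 180-day closeout date. The weight table is a constructed subset of the real 110-entry table, and the requirement statuses, owners and dates are assumptions for illustration.

```python
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_FLOOR = 88      # 80% of 110: minimum for a conditional Level 2 with a POA&M
POAM_CLOSEOUT_DAYS = 180    # POA&M items must close within 180 days of the assessment

# Constructed subset of the DoD Assessment Methodology weight table.  The real
# table covers all 110 requirements; verify every weight against it.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.8.3": 5, "3.10.3": 1,
    "3.11.2": 5, "3.11.3": 1, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Requirements that may never remain open on a Level 2 POA&M, as listed in
# 32 CFR 170.21(a)(2); confirm against the current rule text.
NO_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(req, status):
    """Points lost for one requirement.  status is 'implemented',
    'not_implemented', or one of the two partial-credit states: 'partial_mfa'
    (3.5.3: MFA on privileged and remote access but not general users) and
    'non_fips' (3.13.11: encryption in place but not FIPS-validated)."""
    if status == "implemented":
        return 0
    if req == "3.5.3" and status == "partial_mfa":
        return 3
    if req == "3.13.11" and status == "non_fips":
        return 3
    if status != "not_implemented":
        raise ValueError(f"{req}: unknown status {status!r}")
    return WEIGHTS[req]


def sprs_score(findings):
    """findings maps requirement id -> status.  Requirements absent from
    findings are treated as implemented so a subset table still scores."""
    lost = sum(deduction(req, status) for req, status in findings.items())
    return max(MIN_SCORE, MAX_SCORE - lost)


def poam_eligible(findings):
    """(eligible, reasons) for a conditional Level 2 status: score >= 88,
    every open item worth 1 point (3.13.11 may be open at 3 via non-FIPS
    partial credit), and no excluded requirement open."""
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_FLOOR:
        reasons.append(f"score {score} is below {CONDITIONAL_FLOOR}")
    for req, status in findings.items():
        lost = deduction(req, status)
        if lost == 0:
            continue
        if req in NO_POAM:
            reasons.append(f"{req} may not be placed on a POA&M")
        elif lost > 1 and not (req == "3.13.11" and lost == 3):
            reasons.append(f"{req} ({lost} points) must be closed before assessment")
    return (not reasons, reasons)


def build_poam(findings, assessed_on, owners):
    """One POA&M row per open requirement.  owners maps req id -> name
    (assumed); target_date is the 180-day closeout deadline.  Cost and risk
    rating are left to the assessor; the point weight is the risk proxy."""
    rows = []
    for req, status in sorted(findings.items()):
        lost = deduction(req, status)
        if lost == 0:
            continue
        rows.append({
            "requirement": req,
            "status": status,
            "points": lost,
            "owner": owners.get(req, "UNASSIGNED"),
            "target_date": (assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat(),
        })
    return rows


if __name__ == "__main__":
    # Constructed first-pass findings for a small supplier.
    findings = {"3.11.3": "not_implemented", "3.13.11": "non_fips", "3.5.3": "partial_mfa"}
    print("SPRS score:", sprs_score(findings))                  # 110 - 1 - 3 - 3 = 103
    print("POA&M eligible:", poam_eligible(findings))           # False: 3.5.3 at 3 points
    for row in build_poam(findings, date(2026, 1, 15), {"3.11.3": "IT lead"}):
        print(row)
```

The example deliberately shows the trap in the MFA partial credit: a 103 clears the 88 floor, but the 3-point 3.5.3 gap still blocks a conditional certification, whereas the 3-point non-FIPS 3.13.11 gap would not. Fixing the MFA rollout before the assessment changes the outcome; raising the score elsewhere does not.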
03
System Security Plan (SSP)
Your SSP documents the system boundary, the CUI categories in scope, and how each of the 110 practices is implemented. It is the primary evidence package a C3PAO uses in a formal CMMC Level 2 assessment, and an assessment cannot proceed without one. We write and maintain the SSP so it reflects your actual controls, not a template that does not survive audit.
04
DFARS 72-Hour Notification
DFARS 252.204-7012 requires contractors to report cyber incidents affecting CUI or covered systems to DoD within 72 hours of discovery through the DIBNet portal (dibnet.dod.mil). Submitting that report requires a DoD-approved medium assurance certificate, so obtain one before you need it; the 72-hour clock does not wait for certificate issuance. CoreReconOS Command tier includes the detection capability to identify CUI-touching incidents and the notification workflow to meet the 72-hour clock.
+110: Maximum SPRS score (all 110 practices implemented)
72 hours: DFARS 7012 incident reporting deadline, counted from discovery
Nov 2026: CMMC L2 certification requirements start in new DoD awards
14 days: Free assessment delivery timeline
Transparent Pricing — Defense Edition

CMMC L2 generally lands
in Fortress or Command.

Sentinel covers the awareness, access, and logging domains. Fortress adds the technical controls that move most SPRS scores above 90. Command is the tier for contractors who need a C3PAO-ready SSP, full POA&M management, and the 30-minute incident response SLA that feeds the DFARS 7012 72-hour reporting clock.

Sentinel
$89 / endpoint / month
10-endpoint minimum • Month-to-month
  • MFA deployment on all CUI-touching systems
  • Security awareness training with completion records
  • SIEM log collection — 90-day retention
  • User-level audit trails (AU domain)
  • Media encryption & personnel offboarding automation
  • 24/7 SOC alert triage
Why CMMC L2 typically requires Fortress or Command: The 14 CMMC domains include technical controls (network segmentation, EDR, vulnerability management) that are not covered at Sentinel pricing. A Fortress + Command engagement typically moves a 60-point SPRS score to 95+ within 6 months. If your contracting officer is checking PIEE before award in November 2026, that timeline matters.
Free CMMC-Grade Posture Review — $2,500 Value

Get a CMMC-grade posture review in 14 days.

We assess your current SPRS-equivalent posture against all 110 NIST 800-171 practices, identify the gaps most likely to cost you contract awards, and deliver a prioritized remediation plan. No credit card. No commitment. Delivered in 14 days.

SDVOSB-certified team. Texas-based. The CMMC clock is running.

Request your free $2,500 assessment →

Delivered within 14 days  •  No credit card  •  SDVOSB-certified  •  CMMC Level 2 specialists

See a sample report — redacted 12-page PDF, real findings.

Frequently Asked Questions

What defense contractors
actually ask.

What do DFARS 252.204-7012, 7019, 7020 and 7021 each require?

DFARS 252.204-7012 is the foundational clause. It requires you to provide adequate security for CUI (NIST SP 800-171), report cyber incidents to DoD through the DIBNet portal within 72 hours of discovery, and preserve images of affected systems and relevant monitoring data for at least 90 days after the report. It has been in contracts in its current form since late 2016, and it flows down to every subcontractor that handles CUI.

DFARS 252.204-7019 requires contractors to conduct a NIST SP 800-171 self-assessment using the DoD Assessment Methodology and to have a current score posted in SPRS before award. The assessment must be no more than 3 years old and must reflect your actual implementation, not an aspirational self-grade.

DFARS 252.204-7020 requires contractors to give the Government access to facilities, systems and personnel if DoD (in practice DCMA's DIBCAC) conducts a Medium or High assessment of your implementation, and it requires flow-down of 7019 and 7020 to subcontractors handling CUI.

DFARS 252.204-7021 is the CMMC clause. It requires the contractor to hold the CMMC status at the level the contract specifies as a condition of award and performance. For CMMC Level 2 the solicitation specifies either a Level 2 self-assessment with an annual affirmation or a Level 2 C3PAO certification; DoD expects most CUI contracts to require the C3PAO route. Either way you need a full 110-point score, or a conditional status with a compliant POA&M closed within 180 days. CoreReconOS Command tier prepares you for both.

Does our cloud environment have to be FedRAMP authorized?

Not FedRAMP authorization as such, but the FedRAMP Moderate baseline. DFARS 252.204-7012(b)(2)(ii)(D) and the CMMC rule require that any cloud service used to process, store, or transmit CUI meet the FedRAMP Moderate baseline, either authorized or assessed as equivalent ("FedRAMP Moderate equivalency"), and 7012 also requires the provider to support the incident reporting, malware submission and forensic preservation obligations in paragraphs (c) through (g). In practice:

  • Microsoft 365 GCC High for email and documents is the usual answer: Microsoft documents it as the environment built for export-controlled data and DFARS 7012 obligations. For commercial M365 or GCC you would have to document the FedRAMP authorization and confirm the provider's 7012 (c)-(g) commitments yourself, and neither is suitable for ITAR data
  • Azure Government or AWS GovCloud for IaaS/PaaS workloads with CUI, and required in practice for export-controlled CUI
  • Commercial regions such as AWS us-east-1 or Azure commercial do hold FedRAMP authorizations, so they are not automatically disqualified for CUI that is not export-controlled, but your SSP must show the authorization, the contractual 7012 (c)-(g) coverage, and, for ITAR/EAR data, U.S.-persons and data residency controls; if you cannot show that, treat the tenant as out of scope for CUI

CoreReconOS Fortress and Command tiers include a cloud environment assessment to identify CUI residing in tenants that do not meet these requirements, a common gap that lowers SPRS scores and draws C3PAO findings.

How does ITAR relate to CMMC?

ITAR (International Traffic in Arms Regulations) and CMMC address overlapping but distinct obligations. CMMC protects CUI; ITAR is an export control regime over defense articles and their technical data. Most ITAR-controlled technical data on a DoD contract is also CUI (the Export Controlled category in the CUI Registry), so your CMMC controls protect it, but CMMC certification does not by itself make you ITAR compliant.

Key intersection points:

  • Giving a foreign person access to ITAR technical data is a deemed export that needs State Department authorization. Your access control and identity provisioning must enforce a U.S.-persons restriction on ITAR data, including every MFA or conditional-access exception; a lapse is both an ITAR violation and a CMMC finding
  • Cloud storage of ITAR data must satisfy the FedRAMP Moderate requirement (CMMC) and ITAR's constraints on where data sits and who can reach it; the end-to-end encryption provision in 22 CFR 120.54 narrows those constraints but does not remove them
  • A cyber incident that exposes ITAR data to unauthorized persons may be an unauthorized export requiring a voluntary disclosure to the State Department's DDTC, in addition to the DFARS 7012 report to DoD

CoreReconOS Command tier includes ITAR data classification tagging as part of the CUI scoping exercise during SSP development.

What is the difference between CMMC Level 1, Level 2 and Level 3?

CMMC Level 1 applies to contracts with Federal Contract Information (FCI) only: the 15 basic safeguards from FAR 52.204-21, verified by an annual self-assessment. Most simple commercial contracts fall here.

CMMC Level 2 applies when your contract involves Controlled Unclassified Information (CUI): the 110 practices of NIST SP 800-171 Rev 2. This is the level that affects the vast majority of defense subcontractors. If your contract contains DFARS 252.204-7012, 7019, 7020, or 7021, you are almost certainly in scope.

CMMC Level 3 applies to a small subset of the DIB working on the highest-priority DoD programs. It adds 24 practices selected from NIST SP 800-172 on top of the Level 2 requirements. DoD designates Level 3 contracts, so you will know you are in scope because the contracting officer will tell you. Level 3 requires a prior Level 2 C3PAO certification plus a Government-led assessment by DCMA's DIBCAC, not a C3PAO assessment or self-assessment. CoreReconOS does not currently cover Level 3.

Why can't our existing IT provider handle this?

Managed IT and managed security are different functions that most IT companies conflate. Your IT company patches, configures, and troubleshoots systems. A SOC monitors for adversary behavior, and combining the two creates a conflict of interest: the team that maintains systems has every incentive not to find that those systems have been compromised, and little independence when it assesses its own work.

For CMMC purposes specifically:

  • NIST 800-171 3.12.1 requires periodic assessment of your controls, and 3.12.2 and 3.12.3 require a POA&M and continuous monitoring. The requirement does not mandate an independent assessor, but an assessment performed by the same team that built and runs the controls is weak evidence for a C3PAO and is exactly the conflict of interest described above
  • NIST 800-171 3.6.1 requires an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response, and 3.6.2 requires tracking and reporting incidents. It does not say 24/7, but the DFARS 7012 72-hour clock starts at discovery, and a provider that only sees alerts during business hours discovers late
  • Log collection alone does not satisfy the audit requirements: 3.3.3 requires reviewing and updating which events are logged, 3.3.5 requires correlating audit review, analysis and reporting, and 3.14.6 and 3.14.7 require monitoring systems and identifying unauthorized use. Collection with nobody analyzing it is a finding

CoreReconOS operates as the independent security function alongside your existing IT provider. We don't replace IT; we add the SOC layer that CMMC requires to be separate.