Overwatch Tools

Certify Your Whole Company or Just Create a CUI Enclave?

Adm1n — Mon, 13 Apr 2026 16:01:19 +0000

Certify Your Whole Company or Just a CUI Enclave? The CMMC L2 Scope Decision | Overwatch Tools

📋 CMMC: THE L2 DECISION SERIES — PART 5 OF 6

Certify Your Whole Company or Just Create a CUI Enclave?

The Scope Decision That Changes Your Compliance Cost Entirely

By Overwatch Tools | CMMC Compliance Specialists

CMMC Level 2 doesn't have to apply to your whole company. For most small contractors with a limited CUI footprint, it shouldn't.

This is the question that gets skipped in most CMMC conversations — and it's the one that matters most to your bottom line. Where you draw the compliance boundary determines what Level 2 costs you, how long it takes to implement, and whether it's manageable for a small business or a multi-year enterprise project.

The answer, for the majority of small contractors handling Controlled Unclassified Information (CUI) under a DoD contract, is the enclave approach: isolate CUI to a dedicated, separate environment — dedicated devices and a government-tier cloud platform — and scope your CMMC Level 2 compliance to that enclave only.

Let's walk through how that decision works, what each path actually costs, and how to know which one fits your situation.

Not Sure Which Approach Fits Your Situation?

Before you read the whole framework — if you'd rather talk through your specific contracts and CUI handling, book a free 30-minute scope review. We'll help you figure out whether the enclave approach is the right fit.

📅 Book a Free Scope Review View Our Packages

What "Scope" Actually Means in CMMC

In CMMC, your assessment scope is the boundary you draw around the systems, devices, and platforms that process, store, or transmit CUI. Everything inside the boundary must meet Level 2 requirements. Everything outside the boundary doesn't.

This matters enormously because Level 2 has 110 practices mapped to 182 defined artifacts — policies, procedures, configuration guides, evidence records, a System Security Plan, and more. Applying all of that to your entire company is a fundamentally different undertaking than applying it to a scoped, isolated enclave.

Scoping isn't a workaround or a shortcut. It's the strategy the CMMC framework is designed to support. The DoD wants contractors to protect CUI. Scoping is how you limit what "protecting CUI" touches — and by extension, what it costs.

The Key Principle

Your CMMC Level 2 compliance boundary should match your CUI boundary — not your whole company. If CUI only touches specific projects, specific people, and specific systems, those are the things that need Level 2. The rest of your business runs on CMMC Level 1.

The Two Approaches: Side by Side

There are two fundamental paths to CMMC Level 2 compliance. Here's what each one looks like in practice.

✅ Recommended for Most Small Contractors

The Enclave Approach

CUI lives in a dedicated, isolated environment
Separate devices for CUI work (dedicated Windows laptops or Chromebooks)
Isolated platform tier: Google Workspace for Government or Microsoft 365 GCC High
Clear boundary — your main business operations stay on L1
No Active Directory, no SIEM, no enterprise IT required
Right-sized for small businesses with limited CUI exposure
110 practices → 182 artifacts scoped to the enclave only
Implementable part-time with time estimates on every task

⚠️ For Organizations Where CUI Touches Everything

The Full-Company L2 Approach

Level 2 requirements applied across the entire organization
All devices, all platforms, all personnel in scope
Enterprise IT infrastructure typically required
Active Directory, SIEM, and dedicated IT staff common
Significantly higher implementation and ongoing cost
Appropriate for large contractors where CUI is pervasive
Enterprise consulting engagements often run $50K–$200K+
Multi-year implementation timelines common

For a small defense contractor with a handful of CUI-related contracts and a small team, the enclave approach isn't just cheaper — it's the correct architectural answer. You're not cutting corners; you're implementing compliance at the right scope.

What the Enclave Approach Actually Looks Like

A CUI enclave is a dedicated, isolated environment — separate from your general business operations — where all CUI is processed, stored, and transmitted. Think of it as a compliance perimeter. Inside: CUI and everything it touches. Outside: your regular business, running on Level 1 compliance.

In practice, a right-sized CUI enclave for a small contractor typically means:

        What a Small-Contractor CUI Enclave Looks Like
        Dedicated devices: Specific Windows laptops or Chromebooks used only for CUI work — not your general business machines
Isolated platform: A separate tenant on Google Workspace for Government or Microsoft 365 GCC High — not your general business Google Workspace or commercial M365
Defined users: Only the people who actually need to access CUI have accounts in the enclave platform
Clear data handling procedures: Written policies defining what goes into the enclave, how it moves, and how it's protected
Documented configuration: Every setting on every device and platform configured and recorded per L2 requirements
Evidence locker: Ongoing records demonstrating the enclave is operating as documented

    

Your general business operations — email, proposals, billing, HR, general communications — continue on your existing platform (Level 1 compliant). The CUI enclave is the additional layer that handles the sensitive DoD work.

"The enclave doesn't replace your Level 1 compliance. It adds the Level 2 layer for the specific systems where CUI lives. Your main business continues on L1. Together, you have full compliance coverage for both your FCI and CUI obligations."

When Does Full-Company L2 Apply? (Probably Not Your Situation)

Full-company Level 2 compliance is appropriate when CUI is so pervasive throughout an organization that isolating it into an enclave isn't architecturally realistic. Think of a large defense prime where hundreds of employees across dozens of systems all regularly handle CUI as part of their daily work. You can't enclave that — it's everywhere.

That's not most small contractors. If you're a 5-person shop with two CUI-related contracts, or a 15-person firm where only 4 people regularly touch CUI documents, the enclave approach is almost certainly the right fit.

⚠️ Signs You Might Need Full-Company L2 (Rare for Small Contractors)

CUI is routinely accessed by a large majority of your employees as part of their normal daily work
Your existing IT infrastructure is deeply integrated with CUI handling in ways that can't be isolated
Your contract language or DoD program office has specifically directed a full-company assessment scope
You already have enterprise IT (Active Directory, SIEM, dedicated IT staff) managing CUI access across all systems

If this describes your situation, a consultation is the right starting point — these cases require a custom scoping conversation.

If none of those conditions apply — and for most small contractors, they don't — the enclave approach is both appropriate and more manageable.

Decision Framework: Is the Enclave Approach Right for You?

Use this checklist to assess your fit. The more "yes" answers, the stronger the case for the enclave approach.

📋 Enclave Approach Fit Checklist

☐

Is your CUI limited to specific projects or contracts? If CUI exposure is tied to particular DoD programs rather than pervasive across all your work, the enclave approach is a natural fit. Your CUI work happens in the enclave; everything else stays on L1.

☐

Can you dedicate specific devices to CUI work? The enclave requires dedicated devices — laptops or Chromebooks used exclusively for CUI handling. If you can designate specific machines (even just 1–2 to start), you have what you need.

☐

Are you willing to use Google Workspace for Government or Microsoft 365 GCC High for your CUI environment? These are the government-tier cloud platforms that meet L2 requirements for cloud-based CUI handling. The enclave runs on one of these — not general commercial cloud.

☐

Is your CUI team small, without a large IT department managing CUI access? If the people who handle CUI are a defined subset of your team, the enclave scope is naturally bounded. You don't need enterprise IT infrastructure to build a right-sized enclave.

☐

Does your program qualify for annual self-assessment (vs. requiring a C3PAO)? The enclave approach for Level 2 is specifically designed for self-assessment eligible programs. If your contract is C3PAO-required, that's a different scope conversation. (Not sure? A free consultation can clarify this.)

If you answered yes to most of these, you're a strong candidate for the enclave approach. If there's ambiguity — particularly around self-assessment eligibility — a consultation can confirm your situation before you commit to a compliance path.

A Note on Platform Choice for the Enclave

The CUI enclave runs on a government-tier cloud platform — not your standard commercial Google Workspace or Microsoft 365. This is a key requirement, not an option.

For Level 2, the two supported paths are:

Google Workspace for Government — the government edition of Google Workspace, meeting FedRAMP requirements for CUI
Microsoft 365 GCC High — Microsoft's government cloud tier, meeting requirements for CUI and higher sensitivity DoD data

Both paths are supported in the L2 CUI Enclave Package. You choose your platform; Overwatch Tools provides the configuration guides, templates, and consulting sessions for that specific platform. We provide templates and guides — you implement, with expert support throughout.

Not Sure Which Platform to Choose?

If you don't have a strong existing preference, a consultation will help identify the right fit based on your contract requirements, your team's existing tools, and your budget. Both platforms can support a compliant Level 2 enclave — the choice depends on your specific situation.

The Math: Enclave Approach vs. Full-Scope L2

Here's where the enclave approach creates a dramatically different financial picture.

The Two-Package Approach

Full compliance coverage — L1 for your main business, L2 enclave for your CUI footprint

$2,495

L1 Turnkey Package
Save $500 — Limited Time

$3,495

L2 CUI Enclave Package

$5,990/year

Full L1 + L2 enclave coverage for your main business and CUI operations

vs. enterprise consulting for full-scope L2: commonly $50,000–$200,000+ with no guaranteed scope

What makes $5,990 possible is exactly what we've been discussing: scope. The L2 CUI Enclave Package is designed for a bounded CUI footprint — not an enterprise-wide L2 implementation. The enclave approach is what makes this price point achievable. Full-scope L2 with enterprise consultants is a completely different financial universe.

The L1 Turnkey Package handles your main business — all 15 Level 1 practices mapped to 142 required artifacts. The L2 CUI Enclave Package handles your CUI environment — 110 Level 2 practices mapped to 182 defined artifacts, with a pre-filled SSP, POAM framework, Risk Register, and evidence checklist.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. If you're unsure whether your program qualifies for self-assessment, a free consultation can clarify your specific situation before you commit to a compliance path.

Let's Figure Out the Right Scope for Your Business

Your scope decision depends on your specific contracts, how CUI moves through your organization, and your program's self-assessment eligibility. A free 30-minute consultation gives you a clear answer — not a generic framework.

📅 Schedule Your Free 30 Minutes Explore Our Packages

The Bottom Line

CMMC Level 2 compliance is achievable for small defense contractors — but the path matters enormously. For most small businesses with a limited CUI footprint, the enclave approach is the right answer: scoped to where CUI actually lives, using government-tier cloud platforms, and implemented without enterprise IT complexity.

The full-company L2 approach is real, necessary for some organizations, and financially significant. But it's probably not your situation if you're a small contractor with bounded CUI exposure and a handful of DoD contracts.

The two-package approach — $2,495 for your L1 main business compliance, $3,495 for your L2 CUI enclave — gives you full coverage at a price point that reflects the actual scope of your compliance obligation. That's what right-sized means.

✅ What the Two-Package Approach Gives You

L1 Turnkey Package ($2,495): 15 practices → 142 artifacts, 8 bi-weekly consulting sessions, platform-specific templates for M365 or Google Workspace, evidence locker, SPRS report
L2 CUI Enclave Package ($3,495): 110 practices → 182 artifacts, 12 bi-weekly consulting sessions, dedicated CUI enclave configuration guides for GWS for Government or M365 GCC High, SSP, POAM, Risk Register, time estimates on every task
Together: Complete compliance coverage for both your FCI obligations (L1) and your CUI obligations (L2 enclave)

Scope the enclave right. Build it once. Maintain it as an ongoing part of your contract compliance program. And stop worrying about whether compliance requires overhauling your whole company — for most small contractors, it simply doesn't.

110 Practices. 182 Artifacts.Here’s What CMMC Level 2 Actually Requires.

Adm1n — Wed, 08 Apr 2026 16:35:56 +0000

110 Practices, 182 Artifacts: What CMMC Level 2 Actually Requires | Overwatch Tools

CMMC: The L2 Decision Series — Part 4 of 6

110 Practices. 182 Artifacts.
Here's What CMMC Level 2 Actually Requires.

Less overwhelming than it sounds — when you understand what's in scope.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Not sure which applies to you? A free 30-minute consultation can help you figure it out.

When people hear that CMMC Level 2 has 110 practices and 182 artifacts, they picture an enterprise compliance program — the kind that requires a dedicated security team, months of work, and a six-figure consultant. That picture is wrong if you're using the CUI enclave approach.

Here's the key reframe: those 110 practices apply to your CUI enclave — not your entire company. If your contract involves handling Controlled Unclassified Information (CUI) in a defined, limited footprint, CMMC Level 2 is scoped to that footprint. Your main business systems, admin tools, and general email traffic outside the enclave aren't in scope.

This post breaks down what 110 practices actually cover, what 182 artifacts look like in plain language, how the work is divided across roles, and why the right package maps every single practice to a defined deliverable — so nothing is left to guesswork.

110

CMMC L2 Practices across 14 domains

182

Defined artifacts — policies, procedures, config guides, evidence

Security domains covered

~176

Total files including SSP, POAM, Risk Register

The Scope Is Smaller Than You Think

The first thing to understand about CMMC Level 2 and CUI is that compliance is scoped. You're not certifying your entire organization — you're securing the environment where CUI lives.

In practice, this means a dedicated CUI enclave: a defined set of devices, a cloud platform (Google Workspace for Government or Microsoft 365 GCC High), and the users who access CUI. That's your compliance boundary. Everything inside gets assessed. Everything outside stays out of scope.

What "Enclave Scoped" Means in PracticeA small, defined set of devices — dedicated Windows laptops or Chromebooks used for CUI
One cloud platform — Google Workspace for Government or Microsoft 365 GCC High
A limited set of CUI users — the team members who access, process, or share CUI
No Active Directory required. No SIEM required. No full-time IT staff required.
Your main business systems (general email, accounting software, etc.) remain out of scope

This is the right-sizing that makes CMMC Level 2 achievable for small businesses. You're not rebuilding your entire IT infrastructure — you're securing a defined, bounded environment.

The 14 CMMC Level 2 Domains — What Each One Covers

CMMC Level 2 maps to NIST SP 800-171 and organizes its 110 practices into 14 security domains. Here's what each domain actually covers in plain terms:

Access Control

Who can get into your CUI systems, how access is granted and revoked, and what limits are placed on what users can do.

Awareness & Training

Security awareness for anyone who touches CUI — what they know, how they're trained, and how that training is documented.

Audit & Accountability

Logging activity in your CUI environment — who did what, when, and being able to review those logs.

Configuration Management

Establishing baseline configurations for your CUI devices and systems — and controlling changes to those configurations.

Identification & Authentication

Verifying that users are who they say they are — strong passwords, MFA, and managing credentials for CUI access.

Incident Response

What you do when something goes wrong — detecting incidents, responding to them, and documenting what happened.

Maintenance

How CUI systems are maintained and updated — patches, remote maintenance controls, and who is authorized to perform it.

Media Protection

How physical and digital media containing CUI is handled, stored, transported, and destroyed.

Physical Protection

Controlling physical access to CUI systems and devices — who can get to the hardware, and how that access is managed.

Personnel Security

Screening individuals before they handle CUI and managing what happens when someone leaves the organization.

Risk Assessment

Identifying, analyzing, and prioritizing risks to your CUI environment — and keeping a Risk Register current.

Security Assessment

Evaluating your security controls, developing a System Security Plan, and maintaining a Plan of Action & Milestones (POAM).

System & Communications Protection

How CUI is protected in transit and how your system boundaries are defined and enforced.

System & Information Integrity

Protecting your CUI systems from malware, monitoring for threats, and keeping software patched and current.

When you look at them this way, none of these domains are exotic or surprising. They're the fundamentals of securing a defined system. The challenge isn't understanding what they require — it's having the documentation, configuration, and evidence to prove you're doing it.

Want to See the Full Artifact Breakdown for Your Platform?

That's exactly what a free 30-minute consultation covers. We'll walk through what the 182 artifacts look like specifically for Google Workspace for Government or Microsoft 365 GCC High — and which ones apply to your CUI footprint.

Book Your Free 30-Minute Walkthrough Learn About the L2 Package

What "182 Artifacts" Actually Means

An artifact is just proof. It's a document, a configuration record, a screenshot, a log, or a signed policy that demonstrates you're actually implementing a security practice — not just saying you are. "182 artifacts" sounds like a mountain of paperwork until you break it down by type.

~36

Policies

Written statements of what your organization will and won't do. Owner/Manager signs these. One to two pages each.

~47

Procedures

Step-by-step instructions for how to carry out security activities. Your IT Point Person and CUI Users follow these.

~30

Config Guides

Platform-specific setup instructions for your CUI enclave — GCC High or Google Workspace for Government.

~40

Evidence Templates

Structured forms and checklists for capturing screenshots, logs, and records that prove controls are operating.

System Security Plan

The master document describing your CUI enclave — scope, boundaries, controls, and responsible parties. Pre-filled template included.

POAM

Plan of Action & Milestones — tracks known gaps and your timeline to close them. Required for honest self-assessment.

Risk Register

Documents identified risks, their likelihood and impact, and how your organization is addressing or accepting each one.

~26

Supporting Docs

Training records, checklists, role assignments, vendor assessments, and other required supporting documentation.

📌 Important framing: You don't write 182 documents from scratch. The L2 CUI Enclave Package provides pre-filled templates for every artifact. Your job is to customize them to reflect your specific organization, platform, and CUI footprint — and then implement the controls they describe. We provide the templates and consulting; you implement.

Who Does What: The Three Roles in L2 Compliance

One of the most practical ways to understand the 182 artifacts is to look at which role is responsible for each type. Most small businesses handle all three roles with two or three people — and the package is designed with that in mind.

👤 Owner / Manager

Signs and dates policies (approx. 36 documents)
Makes formal approval decisions on access and risk
Conducts quarterly security reviews
Signs the annual self-assessment affirmation
No technical implementation required

🖥️ IT Point Person

Implements configuration guides for the CUI enclave
Performs monthly maintenance and patching
Collects and files evidence (screenshots, logs)
Manages user access and MFA enforcement
Primary implementer — does not need to be a full-time IT staffer

📋 CUI Users

Follows written procedures for handling CUI
Completes annual security awareness training
Reports security incidents per the IR procedure
Uses only authorized CUI devices and platforms
Acknowledges policies they've read and understood

Time estimates are included for every task in the L2 CUI Enclave Package, so you can plan implementation around existing work commitments. The goal is a compliance program that's implementable part-time — not a second job for your whole team.

L1 + L2 Side-by-Side: The Complete Compliance Stack

If you're a contractor who handles both FCI (Federal Contract Information) and CUI, you may need both levels. L1 covers your main business systems under your prime contract. L2 covers your CUI enclave specifically. Together, they represent full coverage.

CMMC Level 1

Covers Your Main Business

15 practices across 6 domains
142 defined artifacts
Applies to all systems that process Federal Contract Information (FCI)
Annual self-assessment required
Affirmation submitted to SPRS
Most clients complete in 2–4 weeks
$2,495/year — includes 8 consultation sessions

CMMC Level 2 (CUI Enclave)

Covers Your CUI Enclave

110 practices across 14 domains
182 defined artifacts
Applies to the enclave where CUI is processed and stored
Annual self-assessment (self-assessment programs only)
SPRS score + self-assessment package
Implementable part-time with time estimates provided
$3,495/year — includes 12 consultation sessions

Combined Stack: $5,990/year

L1 Turnkey Package ($2,495) + L2 CUI Enclave Package ($3,495) = complete CMMC compliance coverage for contractors who handle both FCI and CUI. Both packages include bi-weekly expert consulting sessions, platform-specific templates, and defined artifacts for every practice.

L1 currently includes a $500 limited-time discount. Regular price is $2,995.

Platform Variants: Google Workspace for Government vs. M365 GCC High

The L2 CUI Enclave Package is designed for one of two platforms. Your artifact set is tailored to whichever you choose — you won't be translating enterprise documentation or adapting generic templates. You get only what applies to your environment.

🔵 Google Workspace for Government

Chromebook or Windows configuration guides included
GWS admin console configuration documented
Drive, Meet, Gmail CUI handling procedures
Google Vault for audit log retention
BeyondCorp / context-aware access controls

🟣 Microsoft 365 GCC High

Intune / Endpoint Manager configuration guides included
Teams, SharePoint, Exchange CUI handling procedures
Conditional Access Policy documentation
Defender for Business integration steps
Windows 11 CUI device configuration guides

In both cases, the package provides configuration guides and templates — clients implement the controls using their own platform subscription. Overwatch Tools does not have access to your environment or provide hands-on configuration services.

Every Practice Mapped. No Guesswork on What Counts as Evidence.

One of the most common failure points in CMMC self-assessment isn't implementing the controls — it's not knowing what evidence to collect, how to format it, or which artifact satisfies which practice. A blank-slate compliance effort leaves you constantly asking: "Is this enough? Does this count?"

The L2 CUI Enclave Package eliminates that ambiguity. Every one of the 110 practices maps to a defined artifact. You know exactly what document you're producing, what it needs to contain, and which practice it satisfies.

What "Every Artifact Defined" Looks Like

AC.1.001 → Access Control Policy (template provided, Owner signs)

IA.3.083 → MFA Configuration Guide + Evidence Screenshot Template

CM.2.061 → Baseline Configuration Procedure + Device Configuration Checklist

IR.2.092 → Incident Response Plan + Incident Log Template

CA.3.162 → System Security Plan (pre-filled SSP template, ~40 pages)

RA.3.144 → Risk Register (structured template, updated quarterly)

This mapping is what distinguishes a compliance package from a generic consulting engagement. You're not starting with a list of requirements and figuring out what to create. You're starting with a complete library of defined deliverables and working through implementation with consulting support.

Ready to Walk Through What This Looks Like for Your Business?

A free 30-minute consultation covers your CUI footprint, your platform options, and what the 182 artifacts look like in your specific context. No obligation — just clarity.

Schedule Your Free 30 Minutes View the L2 CUI Enclave Package

The Bottom Line

110 practices and 182 artifacts is not a small compliance program — but it's a manageable one when three things are true:

The scope is limited to your CUI enclave — not your whole organization
Every practice maps to a defined artifact — no guesswork on what counts
Time estimates exist for every task — so implementation is plannable part-time

Small defense contractors have been achieving CMMC Level 2 self-assessment without enterprise IT, without full-time security staff, and without six-figure consultants. The right structure makes the difference.

⚠️ Reminder: The L2 CUI Enclave Package is designed for CMMC Level 2 programs eligible for annual self-assessment. If your contract requires a C3PAO assessment, this package is not in scope for that requirement. Consult your contracting officer or the CMMC-AB to confirm your assessment type before purchasing.

Overwatch Tools | CMMC Compliance Solutions

Making CMMC Compliance Achievable for Small Defense Contractors

overwatchtools.com | info@overwatchtools.com

You might qualify for CMMC L2 self-assessment

Adm1n — Wed, 01 Apr 2026 18:35:00 +0000

CMMC Level 2 Self-Assessment: Who Qualifies and What's Required? | Overwatch Tools

CMMC: The L2 Decision Series | Part 3 of 6

CMMC Level 2 Self-Assessment:
Who Qualifies and What's Required?

The difference is worth $47,000. Most small contractors don't know which path applies to them.

By Overwatch Tools | CMMC Compliance Specialists | March 2026

Most small contractors assume CMMC Level 2 automatically means a C3PAO. That assumption is costing them — not just in unnecessary anxiety, but potentially in $47,000 of real money they're pre-committing without realizing there's another option.

Here's the truth: not all CMMC Level 2 programs require a Certified Third-Party Assessment Organization (C3PAO). A significant number of L2 contracts — particularly those involving limited CUI exposure with smaller contractors — are eligible for annual self-assessment, at least during the first two years of the CMMC 2.0 rollout.

Understanding which path applies to your specific program isn't just a compliance question. It's a business planning decision worth tens of thousands of dollars. This post breaks down who qualifies, what the self-assessment window actually means, and what the smart financial play looks like for eligible small businesses.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package and the guidance in this post are scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs where the DoD has required a C3PAO are not in scope. Always review your contract language and consult your contracting officer to determine your program's assessment requirements.

Not sure if your program qualifies for L2 self-assessment?
A free 30-minute eligibility review can clarify your path before you spend a dollar on compliance.

Book Your Free 30-Minute Eligibility Review →

The Misconception That's Costing Contractors

CMMC 2.0 introduced three levels of certification. Level 1 covers Federal Contract Information (FCI) and requires annual self-assessment — no third-party auditor required. Level 3 is reserved for the most sensitive programs and requires government-led assessments. Level 2, which covers Controlled Unclassified Information (CUI), sits in the middle — and it's the most nuanced.

The nuance is this: some Level 2 programs require a C3PAO assessment every three years. Others are permitted to self-assess annually. The determination is made by the DoD at the program level, based on the criticality and sensitivity of the CUI involved.

When contractors hear "Level 2," many assume the expensive path is mandatory. They either delay compliance entirely because the cost seems unreachable, or they start pricing out C3PAO assessments before confirming whether they're actually required. Neither approach is good.

What "Self-Assessment" Means at CMMC Level 2

Self-assessment at Level 2 is not a lighter version of compliance. The practices, artifacts, and documentation requirements are identical regardless of whether a third-party assessor is involved. The difference is who conducts the assessment and validates your posture — not how rigorously you must comply.

A C3PAO is a certified third-party organization that physically reviews your environment, interviews your team, and issues a formal certification. For self-assessment programs, your organization conducts the assessment internally and submits the results to the Supplier Performance Risk System (SPRS) — the DoD's compliance database.

Both paths require:

Full compliance with all applicable NIST SP 800-171 practices
A completed System Security Plan (SSP)
A Plan of Action and Milestones (POAM) for any gaps identified
An SPRS score submission reflecting your current posture
Annual review and re-attestation for self-assessment programs

The stakes are real either way. Falsely attesting to compliance in SPRS carries significant legal exposure under the False Claims Act. The self-assessment path is an alternative to a C3PAO — not an easier standard.

Who Qualifies for L2 Self-Assessment?

Eligibility for self-assessment is determined at the program level by the Department of Defense — not by the contractor. The DoD designates which contracts require C3PAO certification based on the sensitivity and criticality of the CUI involved.

Programs Likely Eligible for Self-Assessment

Contracts involving CUI that is not related to critical defense programs or weapons systems
Small contractors with limited, well-scoped CUI handling — a defined enclave rather than enterprise-wide CUI exposure
Programs where the contracting officer has not specified C3PAO certification as a requirement
Contracts early in the CMMC 2.0 phased rollout where self-assessment is the designated path

Programs Likely Requiring a C3PAO

Contracts explicitly designating CMMC Level 2 with C3PAO certification language
Programs involving CUI related to critical defense systems or national security priorities
Contracts with prime contractors who have specified C3PAO as a supply chain requirement
Programs the DoD has designated as "prioritized acquisitions" under CMMC 2.0

How Do You Know Which Applies to You?

Review your contract's DFARS clause language — specifically DFARS 252.204-7012, 7019, 7020, and 7021. Your contracting officer can confirm the CMMC level and assessment pathway required for your specific program. If you handle CUI but your contract doesn't specify C3PAO certification, you may be in a self-assessment program — but confirm before proceeding.

The 2-Year Window: What It Is, What It Enables

During the CMMC 2.0 phased implementation, the DoD established a transition period during which self-assessment is the pathway for eligible Level 2 programs — before mandatory C3PAO assessments phase in more broadly. For many contractors, this window represents up to two years of self-assessment eligibility.

What does that mean practically?

You can demonstrate compliance via self-assessment — completing your SSP, POAM, and SPRS submission without a C3PAO
You can win and retain CUI contracts during this period with a valid self-assessment on record
You can use this time to build a compliant posture that would hold up under C3PAO scrutiny — so when the window closes, you're ready

The critical point here is the last one. The smart play isn't just to "get through" the self-assessment window. It's to use the window to build the real posture — so that when C3PAO becomes mandatory for your program (if it does), you're walking in with confidence instead of hoping for the best.

⚠️ What Happens When the Window Closes?

For programs that transition to mandatory C3PAO assessment, there's no grandfather clause on your self-assessment. You'll need a C3PAO to formally certify your environment. If your posture isn't genuinely solid when that happens, you're looking at a failed assessment — and paying full price again.

The self-assessment window is a financial opportunity. It's also a preparation opportunity. Use it both ways.

The C3PAO Cost Reality: $50,000 Per Cycle

Let's talk numbers, because this is where the financial case for using the self-assessment window becomes impossible to ignore.

~$50,000

Typical cost of a C3PAO assessment per cycle

— — vs. — —

$3,495/yr

L2 CUI Enclave Package — build full compliance during the self-assessment window

A C3PAO assessment for a small business typically runs $40,000–$60,000, depending on scope, complexity, and the number of assessor days required. That figure assumes you pass on the first attempt.

What Happens If You Fail?

Fail a C3PAO Assessment = Pay Full Price Again

A failed C3PAO assessment isn't a partial refund situation. Assessors are paid for their time — not for your outcome. If gaps are identified that prevent certification, you remediate and schedule a reassessment. That reassessment costs money. For a small contractor, this scenario represents $80,000–$120,000 in assessment costs alone, not counting remediation effort.

Mock assessments — sometimes marketed as preparation for C3PAOs — typically run $15,000–$25,000 and provide limited remediation detail. They tell you where you stand, but they don't build your artifacts or fix your gaps.

The Budget Gap Nobody's Talking About

Most small defense contractors priced their contracts before CMMC 2.0 requirements were finalized. They didn't build $50,000 C3PAO assessment cycles into their overhead rates. That money has to come from somewhere — contract margins, cash reserves, or worse, from not being able to pursue the next contract at all.

The self-assessment window is a chance to get compliant at a fraction of that cost, document your posture rigorously, and enter any future C3PAO process from a position of genuine readiness rather than scrambling catch-up.

Self-Assessment Window vs. C3PAO Path: Side by Side

Factor	✓ Self-Assessment (Window)	⚠ C3PAO Assessment
Who conducts	Your organization (internally)	Certified Third-Party Assessor
Assessment cost	$0 — you conduct it yourself	~$40K–$60K per cycle
Compliance standard	Full NIST SP 800-171 — no shortcuts	Full NIST SP 800-171 — no shortcuts
SPRS submission	Required — annual	Required — every 3 years
SSP required	Yes	Yes
POAM required	Yes (if gaps exist)	Yes (if gaps exist)
Fail = pay again	N/A — internal process	Yes — full assessor cost
Availability	Eligible programs only — confirm your contract	Any L2 program
Timeline pressure	Window is open now — use it	Scheduling backlog building

L2 Doesn't Replace L1 — It Builds On It

An important clarification: if your systems handle both FCI (Federal Contract Information) and CUI, you need to address both Level 1 and Level 2 requirements. L2 compliance is not a standalone path that bypasses L1 — it encompasses L1 and extends significantly beyond it.

For contractors new to CMMC who handle CUI, the typical path is:

Establish CMMC Level 1 compliance for FCI-handling systems (15 practices → 142 artifacts)
Build a dedicated CUI enclave for Controlled Unclassified Information handling
Address all 110 CMMC Level 2 practices → 182 defined artifacts within the enclave
Complete SSP, POAM, Risk Register, and SPRS submission

What the L2 CUI Enclave Package Delivers

The L2 CUI Enclave Package is built specifically for small contractors with eligible self-assessment programs — businesses that handle CUI in a limited, defined scope without enterprise IT infrastructure.

L2 CUI Enclave Package — $3,495/year

$3,495 /year

Self-Assessment Programs Only — optimized for Google Workspace for Government or Microsoft 365 GCC High

12 bi-weekly expert consulting sessions (1 hour each)
110 CMMC L2 practices → 182 defined artifacts
System Security Plan (SSP) — pre-filled template
POAM framework and Risk Register
SPRS scoring documentation
Dedicated CUI enclave configuration guides (Google & M365)
Evidence checklist — packaged and date-stamped
Time estimates for every task — implementable part-time
Designed for Windows laptops or Chromebooks (CUI-only devices)
No Active Directory, no SIEM, no enterprise IT required
Free 30-minute kickoff consultation

Pair the L2 package with the L1 Turnkey Package and you have a complete compliance posture for both FCI and CUI — with expert consulting included at every step.

✓ The Smart Play: $5,990/Year During the Window

L1 Turnkey Package: $2,495/year (LIMITED TIME: Save $500) — 8 sessions, 15 practices → 142 artifacts

L2 CUI Enclave Package: $3,495/year — 12 sessions, 110 practices → 182 artifacts

Combined: $5,990/year for full L1 + L2 compliance with expert consulting — vs. $50,000+ for a C3PAO assessment you aren't fully prepared for.

Use the self-assessment window to build a posture you can stand behind. When C3PAO eventually becomes mandatory for your program, you'll be ready — and you'll know it.

How Implementation Works

The L2 CUI Enclave Package provides templates, configuration guides, consulting sessions, and documentation frameworks. Your team implements the controls. We provide the roadmap — you drive.

Here's the practical breakdown:

Owner/Manager: Signs policies, makes approval decisions, conducts quarterly reviews — typically 2–4 hours/month once configured
IT Point Person: Implements technical controls using our platform-specific configuration guides (Google Workspace for Government or M365 GCC High), handles monthly evidence collection
CUI Users: Follow documented procedures, complete annual awareness training, report incidents per defined policy

Every task includes a time estimate. The package is designed to be completed part-time — no dedicated compliance officer required.

The Path Through the Self-Assessment Window

Confirm Your Program's Assessment Pathway

Review contract language (DFARS 252.204-7021 / 7020). Confirm self-assessment eligibility with your contracting officer. Book a free eligibility review with Overwatch Tools.
Run the Free CMMC Assessment Tool

Evaluate all applicable practices, identify your gaps, and get a prioritized remediation roadmap. No credit card — results in under 30 minutes.
Begin L1 Compliance (FCI Systems)

The L1 Turnkey Package gets your FCI-handling systems compliant — 15 practices, 142 artifacts, 8 consulting sessions. Most clients complete in 2–4 weeks.
Build Your CUI Enclave (L2)

Stand up your dedicated CUI environment on Google Workspace for Government or M365 GCC High. Complete 110 practices, 182 artifacts, SSP, POAM, and Risk Register with 12 consulting sessions.
Submit to SPRS

Complete your self-assessment, calculate your SPRS score, and submit your attestation. You provide the submission — we provide the documentation package.
Maintain Annual Compliance

Review and update your posture annually. When C3PAO eventually becomes required for your program, you'll have a documented, tested environment ready for external review.

A Note on SPRS Submission

Self-assessing at Level 2 requires an annual SPRS score submission — the same system used for Level 1. Your organization submits the assessment results and attestation directly. Overwatch Tools provides the scoring framework and documentation package. You make the submission.

Intentional misrepresentation in SPRS can expose your organization to liability under the False Claims Act. The goal of the L2 CUI Enclave Package is to help you achieve genuine compliance — so your attestation accurately reflects your posture.

The Window Is Open. The Question Is Whether You Use It.

A C3PAO will cost ~$50,000 when your program requires one. The self-assessment window is your opportunity to arrive at that assessment fully prepared — having already built, validated, and documented your posture.

Let's confirm your eligibility and map out a path while the window is open. The consultation is free. The information is yours either way.

Schedule Your Free 30-Minute Eligibility Review →

Not sure where you stand?
Start with our free CMMC Assessment Tool — no credit card required. Evaluate your current posture across all applicable practices and get a prioritized remediation roadmap in under 30 minutes.

Run Your Free CMMC Assessment →

Bottom Line

Not every CMMC Level 2 program requires a C3PAO. Many small contractors with limited CUI exposure qualify for annual self-assessment — and during the current transition period, that window is open right now.

The difference between entering that window with a documented, verified compliance posture vs. scrambling when it closes is the difference between a $5,990 annual investment and a $50,000+ assessment gamble you're not sure you'll pass.

The compliance rigor is the same either way. The preparation, the artifacts, the platform configuration, the SSP, the POAM — it all has to be real. The L2 CUI Enclave Package is built to make that real for small businesses, part-time, without enterprise IT.

The window is open. Use it.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Always confirm your program's assessment pathway with your contracting officer before proceeding.

What is a CUI enclave? (And do you need one?)

Adm1n — Mon, 30 Mar 2026 02:38:10 +0000

What Is a CUI Enclave and Do You Need One? | Overwatch Tools

CMMC: The L2 Decision Series — Part 2 of 6

What Is a CUI Enclave?
(And Do You Need One?)

No enterprise IT. No Active Directory. No SIEM. Here's what a CUI enclave actually looks like for a small defense contractor.

When most small contractors hear the phrase "CUI enclave," one of two things happens: their eyes glaze over, or their stomach drops. Both reactions make sense. The word "enclave" sounds like something that belongs in a Fortune 500 security operations center — dedicated servers, full-time IT staff, a SIEM dashboard blinking in the dark.

It's not that. Not even close.

A CUI enclave is simply a controlled, isolated environment where Controlled Unclassified Information (CUI) is processed and stored — separated from your everyday business operations. Think of it less like building a new facility and more like designating a secure room inside the office you already have. The rest of your business keeps running normally. The enclave is just the defined boundary around where CUI lives.

This article walks through what a CUI enclave actually is, what goes inside it (and what doesn't), why isolation matters for CMMC Level 2, and how small contractors are implementing this without any enterprise IT complexity.

The Simplest Way to Understand a CUI Enclave

Here's the analogy that makes it click for most people: imagine your office building has a room where sensitive client documents are stored. You lock that room. Only authorized staff have keys. Documents that belong in that room don't leave it, and general office materials don't go in.

That's an enclave.

Now apply that same concept to your digital environment. Your CUI enclave is a dedicated, separated digital workspace where:

Only authorized personnel access it
CUI is processed, stored, and transmitted — and only CUI
The devices used for CUI work are dedicated to that purpose
The platform (your cloud collaboration suite) is a government-tier environment, isolated from your regular business tools
Access is documented, controlled, and auditable

That's it. The "enclave" is the boundary. Everything inside the boundary is subject to CMMC Level 2 controls. Everything outside it stays under your existing CMMC Level 1 posture.

Inside vs. Outside the Enclave

Outside the Enclave — Your General Business

General email and collaboration tools
Non-CUI staff and contractors
Regular business devices (shared or personal)
Standard business operations (invoicing, HR, etc.)
FCI-only work (covered under CMMC L1)

Inside the Enclave — CUI Only

Dedicated CUI devices (Windows laptops or Chromebooks)
Google Workspace for Government or M365 GCC High account
CUI files, emails, and collaboration — enclave only
Authorized CUI users — documented and access-controlled
All CMMC L2 controls applied here

Notice what the enclave doesn't include: your entire company, your entire IT infrastructure, or anything beyond the specific systems where CUI lives. That scope limitation is one of the most powerful compliance strategies available to small contractors.

Why Isolation Is the Key Compliance Strategy

CMMC Level 2 includes 110 practices across 14 security domains. That sounds like a lot — because it is. But here's what changes the calculation for small businesses: those 110 practices only apply to systems that are in scope for CUI.

If your CUI environment is clearly defined and isolated from your general business systems, your assessment scope shrinks dramatically. You're not trying to apply enterprise security controls to every laptop in the company, every email account, every shared drive. You're applying them to a focused, bounded environment where CUI actually lives.

That's the entire logic behind the enclave approach. Contain the scope. Implement strong controls within that scope. Document everything inside the boundary.

Scope Containment in Practice

A contractor with 12 employees might handle CUI on only 2 or 3 specific projects. The CUI users might be just 2–3 people. Those users work on dedicated devices, using a dedicated government-tier platform login. The other 9–10 employees and their systems are simply outside the enclave — they're not in scope for L2 assessment at all.

Without an enclave approach, every system in the business could be considered in scope. With one, the assessment footprint is tight, defined, and manageable.

What's Actually Inside a CUI Enclave

Let's get concrete. For a small contractor implementing the enclave approach, here's what the environment looks like in practice:

Dedicated Devices

CUI users work on dedicated devices — Windows laptops or Chromebooks that are used only for CUI work. These devices are configured to CMMC Level 2 requirements: encryption enabled, screen lock enforced, specific security baselines applied. They don't browse the general internet, handle personal email, or run non-work software.

Overwatch Tools provides configuration guides for every supported device type. Clients implement the configuration on their own hardware — we provide the step-by-step instructions, not the devices themselves.

A Government-Tier Platform

The enclave uses either Google Workspace for Government or Microsoft 365 GCC High — not a standard business edition of either platform. These tiers provide the data residency, access controls, and compliance features required for CUI. This is a separate account from your regular business Google or Microsoft environment.

The choice between Google and Microsoft depends on your team's existing tools and preferences. Both are valid paths. A later blog in this series goes deeper on the platform comparison — for now, know that both options are fully supported by the L2 CUI Enclave Package.

Restricted, Documented Access

Access to the enclave is not open to everyone on your team. Only personnel who need CUI for their work have accounts. Those accounts are documented, access is controlled, and role-based permissions are applied. Joiners and leavers have a formal process.

Documented Procedures

The enclave isn't just a technical environment — it's a procedural one. There are written policies governing how CUI is handled, how devices are used, how incidents are reported, and how access is maintained. These aren't complicated enterprise documents; they're practical, right-sized procedures that reflect how your small team actually works.

No Enterprise IT Required

This is the point that surprises most small contractors when they first hear about the enclave approach. Let's be direct about what you don't need:

🚫 No Active Directory Identity management is handled through your Gov/GCC High platform — no on-premise directory required.

🚫 No SIEM Security event logging is handled through built-in platform audit logs — no enterprise monitoring stack needed.

🚫 No Full-Time IT Staff The enclave is designed for implementation and maintenance by a part-time IT point person, not a security team.

🚫 No On-Premise Servers Everything lives in the cloud on your government-tier platform. No server room, no rack, no physical infrastructure.

The L2 CUI Enclave Package is specifically designed for small businesses with limited CUI needs. If your CUI footprint is focused — a handful of users, a defined set of projects, dedicated devices — this approach is right-sized for you. No enterprise-grade IT complexity required.

How the Enclave Sits on Top of Your L1 Compliance

One thing that trips up small contractors: the CUI enclave doesn't replace your CMMC Level 1 work. It sits on top of it.

Here's how to think about it:

CMMC Level 1 covers how your general business handles Federal Contract Information (FCI) — the basic cybersecurity hygiene practices that apply across your entire operation.
CMMC Level 2 (CUI enclave) adds a dedicated, controlled layer for the subset of your work that involves Controlled Unclassified Information.

You need both. Your general systems stay under L1 rules. Your CUI environment gets the full L2 treatment. The enclave is the clear dividing line between the two.

The Full Compliance Picture

Overwatch Tools offers both packages as a combined path:

L1 Turnkey Package ($2,495/year): 15 practices → 142 artifacts. Covers your general FCI environment. Most clients complete in 2–4 weeks.
L2 CUI Enclave Package ($3,495/year): 110 practices → 182 artifacts. Platform-specific guides for Google Workspace for Government or M365 GCC High. No enterprise IT. Self-assessment only.
Combined: $5,990/year — full coverage for contractors with both FCI and CUI obligations.

Is the Enclave Approach Right for You?

The free 30-minute consultation is the fastest way to find out. We'll walk through your CUI footprint, confirm your program's self-assessment eligibility, and explain exactly what implementation would look like for your situation.

Book Your Free 30-Minute Consultation →

What the L2 CUI Enclave Package Provides

Once you've confirmed the enclave approach fits your situation, here's what the package delivers:

Component	Details
110 Practices → 182 Artifacts	Every CMMC L2 practice mapped to a defined, named artifact. No guessing what you need to produce.
Platform-Specific Configuration Guides	Dedicated CUI enclave configuration guides for Google Workspace for Government or Microsoft 365 GCC High. Step-by-step. You implement; we guide.
12 Bi-Weekly Expert Consulting Sessions	1 hour each. Keep implementation moving with expert guidance throughout the process.
System Security Plan (SSP)	Pre-filled SSP template — one of the most time-consuming documents in any L2 assessment.
POAM Framework & Risk Register	Structured templates for managing open findings and ongoing risk documentation.
SPRS Scoring & Self-Assessment Docs	Everything you need to score, document, and submit your self-assessment.
Free 30-Min Kickoff Consultation	Confirm scope, platform choice, and implementation path before you begin.

The package is designed to be implemented part-time. Every task includes a time estimate so you can plan the work around your existing schedule. No full-time IT dedication required.

A Realistic Day-in-the-Life of the Enclave

Here's what working within the enclave actually looks like for someone on your team:

An authorized CUI user starts the morning. They pick up their dedicated CUI laptop (not their regular work machine), log in with their government-tier platform credentials, and open the specific project files they need — all within the enclave environment. When they're done, they log out. That's it.

For general email, invoicing, or non-CUI collaboration, they use their regular business tools on their regular device. The two worlds are separate — not because it's complicated, but because the procedures and device separation make it straightforward.

When it's time for a monthly maintenance review, your IT point person logs in, checks the audit logs, confirms access is current, and records the review. With time estimates on every task in the package, maintenance is planned work — not a surprise burden.

How to Know If You Need an Enclave

The core question is simple: Do you handle Controlled Unclassified Information under a DoD contract?

If your contract involves CUI — and your contract documentation or your contracting officer can confirm this — then CMMC Level 2 applies to your work. The enclave is the approach that makes Level 2 achievable for small businesses without a dedicated IT department.

The questions that matter most:

Does your DoD contract reference CUI or DFARS clause 252.204-7012?
Is your program potentially eligible for annual self-assessment (vs. requiring a C3PAO)?
Is your CUI footprint limited — a defined set of users, projects, and devices?
Are you using or willing to move to Google Workspace for Government or Microsoft 365 GCC High?

If most of those answers are yes, the enclave approach — and the L2 CUI Enclave Package — is likely the right fit.

A note on complexity: If your CUI environment is large, sprawling, or deeply integrated with legacy enterprise systems, the enclave approach may not be sufficient on its own. The L2 package is designed for limited CUI footprints. When in doubt, the free consultation will help you assess fit honestly — including if a different path makes more sense for your situation.

Start With a Conversation

The free 30-minute consultation is where we confirm your program's eligibility, map your CUI footprint, and walk you through what implementation would realistically look like. No pressure, no obligation — just a clear picture of where you stand and what comes next.

Book Your Free 30-Minute Consultation →
Explore All Packages at Overwatch Tools →

Next in the Series: Platform Choice

The next post in the CMMC L2 Decision Series goes deep on platform selection — Google Workspace for Government vs. Microsoft 365 GCC High. What are the real differences, what does each require, and how do you choose?

Also check out: CMMC Level 1 vs. Level 2: Which Applies to Your Business? — the first post in this series, covering the FCI vs. CUI distinction and how to determine your compliance tier.

Do you handle CUI? Your CMMC level depends on it. L1 vs. L2 — and why most CUI handlers need both.

Adm1n — Wed, 25 Mar 2026 21:33:16 +0000

CMMC Level 1 vs. Level 2: Which Applies to Your Business? | Overwatch Tools

📋 CMMC: The L2 Decision Series — Article 1 of 6

CMMC Compliance Guide for Defense Contractors

CMMC Level 1 vs. Level 2: Which Applies to Your Business?

Published by Overwatch Tools · March 2026 · 12 min read

Before you can comply with CMMC, you need to know which level actually applies to you. For a lot of small contractors, the answer isn't what they expect — and it's not just one level.

Many small defense contractors assume they only need to worry about CMMC Level 1. Some have never heard of Level 2 at all. A few have heard of it and assume it's only for large prime contractors running classified programs. Most of these assumptions are wrong.

The key distinction that determines your CMMC level isn't your company size, your revenue, or how long you've been in the defense industrial base. It comes down to one question: What kind of federal information do you handle?

The answer to that question — FCI, CUI, or both — determines whether you need Level 1, Level 2, or both stacked together. Let's break it down clearly.

What Is FCI? (And Why It Triggers Level 1)

Federal Contract Information (FCI) is information provided by or generated for the federal government under a contract to develop or deliver a product or service — but not intended for public release.

In plain terms: if your company performs work on a DoD contract, you almost certainly handle FCI. It includes things like:

Contract deliverables and performance data
Pricing, cost, and schedule information from your contract
Communications with contracting officers about your work
Project documentation created for government use
Proposals, reports, and status updates tied to a contract

FCI is not classified. It's not necessarily sensitive in an intelligence sense. But it's not meant to be publicly shared, and it needs to be protected.

CMMC Level 1 Applies If You Handle FCI

If your company holds or performs a DoD contract, you almost certainly handle FCI — which means CMMC Level 1 applies to your entire organization. Level 1 requires 15 cybersecurity practices drawn from FAR 52.204-21 and is satisfied through an annual self-assessment. There is no third-party assessment option for Level 1 — it is always self-assessed.

The Overwatch Tools L1 Turnkey Package ($2,495/year) is built specifically for this: 15 practices mapped to 142 required artifacts, platform-specific templates for Microsoft 365 or Google Workspace, bi-weekly consulting sessions, and SPRS reporting. Most clients complete their Level 1 assessment in 2–4 weeks.

What Is CUI? (And Why It Triggers Level 2)

Controlled Unclassified Information (CUI) is a step above FCI in sensitivity. It's information the government has designated as requiring safeguarding under law, regulation, or government-wide policy — but it's not classified.

CUI is identified in your contract documents — often in a DD Form 254 (Contract Security Classification Specification) or in the contract's performance work statement. If your work involves any of the following, there's a strong likelihood CUI is in play:

Technical drawings, design specifications, or engineering data
Export-controlled data (ITAR/EAR-related information)
Research and development information under DoD programs
Certain contract performance data explicitly marked as CUI
Information marked with CUI category labels (e.g., "CUI//SP-CTI" or "CUI//PRVCY")
Data shared under a controlled distribution notice

If you receive, generate, store, process, or transmit any of this kind of information as part of your contract, CMMC Level 2 also applies to your organization — specifically to the systems and devices that touch that CUI.

⚠️ "I Don't Think I Handle CUI" Is Not the Same as "I Don't Handle CUI"

Many contractors are surprised to find out they handle CUI. It's often not labeled clearly in the day-to-day work. Technical drawings from a prime contractor, performance data under certain programs, and engineering specifications can all constitute CUI without a visible label on every document. If your contract includes a DD Form 254, there's a strong chance CUI is involved. When in doubt, a 30-minute scope review with an expert is the fastest way to know for sure.

FCI vs. CUI: A Side-by-Side View

CMMC LEVEL 1

Federal Contract Information (FCI)

What it is: General contract work product not for public release
Who has it: Virtually all DoD contractors
Examples: Deliverables, schedules, pricing, status reports
Assessment: Annual self-assessment only
Practices: 15 practices
Scope: Entire company environment
Investment: $2,495/year (L1 Turnkey)

CMMC LEVEL 2 (ADDITIONAL)

Controlled Unclassified Information (CUI)

What it is: Sensitive data requiring enhanced protection
Who has it: Contractors with marked CUI in their contracts
Examples: Tech drawings, ITAR data, R&D specs, marked contract data
Assessment: Self-assessment (eligible programs) or C3PAO
Practices: 110 practices → 182 artifacts
Scope: CUI enclave only
Investment: $3,495/year (L2 CUI Enclave)

The critical insight here: Level 2 does not replace Level 1. It is applied on top of it — to your CUI environment specifically.

Do You Handle CUI? A Plain-Language Self-Check

Use the following checklist to help you identify whether CUI is likely part of your contract. This is not a definitive legal assessment — it's a practical starting point.

CUI Self-Identification Checklist

◆ My contract includes a DD Form 254 (Contract Security Classification Specification)
◆ I receive or access technical drawings, specifications, or engineering data from the government or a prime contractor
◆ My work involves items on the ITAR U.S. Munitions List or EAR Commerce Control List
◆ I generate or store research and development data under a DoD-funded program
◆ I've received documents or files marked "CUI," "FOUO," "Controlled," or similar markings
◆ My prime contractor or customer has mentioned CUI handling or DFARS 252.204-7012 in my contract
◆ My work involves design, development, testing, or production of defense systems or components

If you checked even one of these, CUI may be in scope for your business. A free 30-minute scope review is the fastest way to confirm.

Not Sure Which Level Applies to Your Contracts?

Start with the free CMMC Assessment Tool — no credit card, no obligation. Results in under 30 minutes. It evaluates all 15 Level 1 practices, identifies gaps, and flags whether Level 2 may apply to your contracts.

Start Your Free Assessment → Book a Free 30-Min Scope Review

Why Most CUI Handlers Need Both Levels

Here's the part that surprises many contractors: if you handle CUI, you don't get to skip Level 1. Level 1 applies to your entire business environment. Level 2 applies additionally to the specific systems and devices where CUI lives.

Think of it as two layers of compliance working at different scopes:

CMMC Level	What It Covers	Assessment Type	Annual Cost (Overwatch Tools)
Level 1	Your entire company environment — all devices and systems used for contract work	Annual self-assessment	$2,495/yr
Level 2	Your CUI enclave only — the dedicated, isolated environment where CUI is handled	Annual self-assessment (eligible programs) or C3PAO	$3,495/yr
Both Combined	Full FCI + CUI coverage — complete CMMC posture for CUI-handling contractors	Self-assessment for both levels	$5,990/yr

The combined investment of $5,990/year covers both your Level 1 and Level 2 self-assessments — full CMMC posture for a small contractor handling CUI. Compare that to a C3PAO third-party assessment, which runs $50,000 or more and is required if your program is not eligible for self-assessment at Level 2.

✓ The Math Is Straightforward

$5,990/year for complete FCI + CUI coverage through self-assessment. A C3PAO third-party assessment for Level 2 programs not eligible for self-assessment runs $50,000+ — and that doesn't include implementation support. For small contractors with programs eligible for self-assessment, the numbers make the decision easy.

A Brief Introduction to the CUI Enclave

When we talk about Level 2 applying to your CUI footprint, what does that actually mean in practice? The short answer: a CUI enclave.

A CUI enclave is a dedicated, isolated environment — separate from your general business systems — where all CUI is stored, processed, and transmitted. Think of it as a walled-off digital workspace that only handles CUI, running on separate devices or accounts that never touch your everyday business tools.

For a small contractor, this doesn't mean building an enterprise data center. It means setting up a focused, right-sized environment using a government-grade cloud platform — either Google Workspace for Government or Microsoft 365 GCC High — on dedicated devices (Windows laptops or Chromebooks). No Active Directory. No SIEM. No full-time IT staff required.

The Overwatch Tools L2 CUI Enclave Package is built specifically for this: 110 practices mapped to 182 defined artifacts, dedicated enclave configuration guides for both platforms, a pre-filled System Security Plan, and 12 bi-weekly consulting sessions — all implementable part-time, with time estimates on every task.

We cover the CUI enclave in much greater depth in Article 2 of this series: "What Is a CUI Enclave and Do You Need One?"

A Note on Self-Assessment Eligibility

Not every CMMC Level 2 program qualifies for self-assessment. Under the CMMC framework, some programs are designated as requiring a Certified Third-Party Assessment Organization (C3PAO) — a formal, expensive, multi-day assessment process. These programs cannot self-assess at Level 2.

However, many Level 2 programs — particularly those at smaller contractors with limited CUI scope — are eligible for annual self-assessment. This is the window the Overwatch Tools L2 CUI Enclave Package is built for.

⚠️ Self-Assessment Programs Only

The Overwatch Tools L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope for this package. Not sure which category your program falls into? A 30-minute scope review can clarify this quickly.

How do you know if your program qualifies for self-assessment? The short answer: check your contract and your program designation. Your contracting officer or the prime contractor above you in the supply chain can often confirm this. A consultation with a CMMC specialist is also a fast and reliable way to determine your assessment path.

We cover self-assessment eligibility, how to confirm your program status, and what happens if requirements change in Article 3 of this series: "CMMC Level 2 Self-Assessment: Who Qualifies and What's Required?"

Putting It All Together: Which Level Applies to You?

Here's a simple decision map based on what your contracts involve:

Your Situation	CMMC Level Required	Assessment Type
You perform DoD contract work — no CUI identified in your contracts	Level 1 only	Annual self-assessment
You handle CUI under an eligible self-assessment program	Level 1 + Level 2	Self-assessment for both levels
You handle CUI under a program designated for C3PAO assessment	Level 1 + Level 2	L1 self-assessment + L2 C3PAO
You're not sure which category applies to your contracts	Start with the free assessment tool	Book a free scope review to confirm

The Short Version

If you're a DoD contractor, you need Level 1 at minimum. If your contracts involve CUI — and many do, often without contractors fully realizing it — you need Level 2 as well, scoped to your CUI enclave. The two levels cover different things and work together, not in place of each other.

What's Next in This Series

This article established the foundation: FCI vs. CUI, and how each maps to a CMMC level. The rest of the C Series goes deeper on each piece:

Article 2: What Is a CUI Enclave and Do You Need One? — A practical guide to understanding and scoping a CUI enclave for a small contractor.
Article 3: CMMC Level 2 Self-Assessment: Who Qualifies and What's Required? — Eligibility, program designation, and what the self-assessment process actually looks like.
Article 4: Google Workspace for Government vs. Microsoft 365 GCC High for Your CUI Enclave — A platform comparison for small contractors making this decision.
Article 5: 110 Practices, 182 Artifacts: What CMMC Level 2 Self-Assessment Actually Requires — A ground-level look at the documentation and evidence requirements.
Article 6: Scoping Your CUI Enclave: How to Limit What Level 2 Applies To — Right-sizing your CUI footprint to reduce compliance burden without cutting corners.

Ready to Confirm Which Levels Apply to Your Business?

The free CMMC Assessment Tool evaluates all 15 Level 1 practices, generates an instant gap analysis, and flags whether Level 2 may apply to your contracts. No credit card required. Results in under 30 minutes.

If you'd rather talk it through, our 30-minute scope review is the fastest way to get a clear answer on exactly which levels apply and what the path looks like.

Start Your Free Assessment → Schedule a Free Scope Review

Investment Summary

L1 Turnkey Package $2,495 per year · CMMC Level 1
15 practices · 142 artifacts
Limited time: Save $500

L2 CUI Enclave Package $3,495 per year · CMMC Level 2
110 practices · 182 artifacts
Self-assessment only

Combined L1 + L2 $5,990 per year · Full coverage
FCI + CUI compliance
vs. $50K+ C3PAO

⚠️ L2 Self-Assessment Programs Only

The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Consult your contract documents or schedule a free scope review to confirm your program's assessment designation.

About Overwatch Tools

overwatchtools.com · info@overwatchtools.com

Remote Work Is Your Biggest CMMC Blind Spot

Adm1n — Wed, 18 Mar 2026 20:33:00 +0000

Remote Work Is Your Biggest CMMC Blind Spot | Overwatch Tools

CMMC Level 1: The Reality Check — Part 6 of 6

Remote Work Is Your Biggest CMMC Blind Spot

Home offices, personal devices, and the compliance gaps assessors find

By Overwatch Tools | CMMC Level 1 Compliance | March 2026

You've configured your office. You've set up your cloud platform. You've worked through the documentation requirements, maybe even started collecting evidence. You're feeling like you've got a handle on this.

Now: what happens when your team logs in from home?

For most small defense contractors, this is the question that breaks otherwise solid compliance work. Remote work is genuinely complicated territory under CMMC — not because the requirements are unfair, but because every home setup is different, the judgment calls are real, and most compliance guides skip this chapter entirely.

This guide won't skip it. We're going to walk through the specific gaps that appear most often in home office and remote work setups, explain what the CMMC framework expects, and be honest about where the right answer requires expert judgment rather than a generic checklist.

What We'll Cover

First: Is your home office even in scope?
Gap 1 — Home network security
Gap 2 — Personal device use (BYOD)
Gap 3 — Physical access and printed materials
Gap 4 — Screen lock and unattended device policies
Gap 5 — VPN: when you need it and when you don't
Gap 6 — Documentation: can you prove remote workers are compliant?
Platform-specific remote considerations: GWS vs. M365
What a complete remote work compliance picture looks like

First: Is Your Home Office Even In Scope?

Before we talk about gaps, we need to talk about scope — because this is where a lot of confusion starts.

CMMC compliance applies to systems that process, store, or transmit Federal Contract Information (FCI). So the first question isn't "how do I make my home office compliant?" — it's "does FCI flow through my home office at all?"

For many small contractors, the answer is yes. If your employee's home laptop is the device they use to access email containing contract details, open documents in your cloud platform, or communicate with your prime contractor — then that home setup is part of your CMMC boundary.

The Scoping Reality for Remote Teams

A well-scoped CMMC environment for a remote team typically includes:

The cloud platform your team uses for work (Microsoft 365 or Google Workspace)
The devices your employees use to access that platform
The networks those devices connect through — including home networks
Any physical locations where FCI might be stored or viewed (yes, including home offices)

This doesn't mean your employees' entire home life is in scope. It means the parts of their environment that touch FCI are in scope — and that line requires a thoughtful judgment call.

The good news: scoping your remote environment thoughtfully can significantly reduce the compliance burden. A consultant who helps you define scope carefully is giving you real value — not just telling you everything is in scope and handing you a 400-page policy binder.

The Six Remote Work Compliance Gaps

These are the gaps we encounter most often when working with small contractors whose teams work from home. They're not hypothetical — they come up in consultation sessions regularly, and they're the areas where DIY compliance tends to have the biggest holes.

⚠ Remote Risk #1

Home Network Security

The risk: A home network is a fundamentally different environment from a corporate network. There's typically no enterprise firewall, no IT-managed router, and no network monitoring. The same WiFi your employee uses to access contract work is often shared with family members, streaming devices, smart home gadgets, and sometimes neighbors if the router password hasn't been changed in years.

What compliant looks like: CMMC Level 1 physical protection requirements don't stay at the office door — they extend to wherever FCI is accessed. For home networks, this generally means ensuring the work device connects to a reasonably secured network: strong WiFi password, WPA2 or WPA3 encryption, and ideally guest network separation for IoT and personal devices.

The judgment call: There's no CMMC requirement that employees have enterprise-grade home networks. But there's also no free pass for networks that present obvious risk. Where that line falls — and how you document your position on it — is exactly the kind of question that benefits from expert input. "We use WPA2 with a strong password and IoT devices are on a separate guest network" lands very differently than "we're not sure what settings the router is on."

⚠ Remote Risk #2

Personal Device Use (BYOD)

The risk: Personal devices are one of the most common sources of compliance gaps in remote setups. If an employee accesses your Microsoft 365 or Google Workspace tenant from their personal laptop — a device that isn't managed, doesn't have compliant security settings, and may have software installed that you'd never approve on a work device — you have a problem that doesn't disappear because you didn't ask about it.

What compliant looks like: The cleanest CMMC position is company-owned, company-managed devices only. If that's not realistic for your team right now, BYOD under CMMC is possible — but it requires clear policies, device enrollment, and platform-specific enforcement (conditional access in M365, context-aware access in Google Workspace). "We asked employees not to use personal devices" is not a compliant BYOD policy.

The judgment call: Personal devices create real complexity. If an employee reads a work email with contract details on their personal iPhone, is that phone in scope? These questions don't have clean universal answers — they depend on your specific setup, what your policies say, and what you can actually enforce. Experienced guidance prevents you from either over-scoping (treating every device any employee owns as a compliance problem) or under-scoping (ignoring genuine risk because you didn't want to deal with it).

⚠ Remote Risk #3

Physical Access and Printed Materials

The risk: CMMC has explicit physical protection requirements. "Limit physical access to organizational systems" doesn't just apply to office buildings — it applies wherever your systems and FCI are located. In a home office, that means thinking about who else can access the physical space, whether documents get printed and left on a shared desk, and whether a guest or family member could view contract information on an unlocked screen.

What compliant looks like: At minimum, employees should understand that printed FCI materials are controlled documents — not items to leave on the kitchen counter. Home offices don't need to be physical vaults, but there should be documented awareness and expectations around physical handling of contract materials. If employees regularly print contract documents, that practice needs to be addressed in your policies.

The judgment call: Physical protection requirements for home offices are among the most variable in CMMC. An employee with a dedicated home office and a closed door is a very different situation from someone working at a shared kitchen table with three roommates. Your policies need to acknowledge this variability and establish appropriate expectations — which means you need to actually know what your employees' home setups look like.

⚠ Remote Risk #4

Screen Lock and Unattended Device Policies

The risk: CMMC requires session lock after inactivity. In an office, enforcing screen lock via group policy or MDM is straightforward. At home, the same technical controls should apply — but enforcement is harder to verify, and the risks are different. A laptop sitting open on a home desk with a work session active is a real exposure when others are in the space.

What compliant looks like: Screen lock settings need to be configured on every device that accesses FCI — whether it's in the office or at home. This is a technical control, not just a policy statement. You need evidence showing screen lock is configured to activate after an appropriate inactivity period on all managed devices. "We have a policy that employees should lock their screens" is not the same as "we have configuration evidence showing screen lock is enforced at 5 minutes of inactivity on all managed devices."

The judgment call: Screen lock is more straightforward than some remote work requirements — it's a technical control that can and should be enforced centrally. The gap isn't usually in knowing the requirement exists. It's in having documentation that proves it's implemented everywhere, including remote devices, and that addresses what happens when employees use personal devices.

⚠ Remote Risk #5

VPN Requirements — When You Need It and When You Don't

The risk: Whether remote workers need a VPN comes up constantly, and the answer is genuinely more nuanced than most guides acknowledge. If your FCI lives entirely in a properly secured cloud platform (Microsoft 365 or Google Workspace), a VPN may not be required — because FCI is protected at the application layer by the cloud platform itself. However, if you have any on-premises infrastructure, VPN becomes a different conversation entirely.

What compliant looks like: For cloud-only environments, the security question shifts to the platform itself. Is your Microsoft 365 or Google Workspace configured with appropriate conditional access policies, MFA, and session controls? If yes, remote access over a home network may have adequate security. If no, you have more fundamental problems to solve first.

The judgment call: VPN is a tool, not a magic compliance checkbox. Whether you need one, what type, and how it's configured depends heavily on your infrastructure. This is also an area where the wrong decision creates compliance problems that aren't obvious until an assessor asks about your remote access architecture. The right answer depends on your specific environment — and it's a question you need a clear, documented answer to.

⚠ Remote Risk #6

Documentation — Can You Prove Remote Workers Are Compliant?

The risk: This gap catches people off guard even when they've done everything else reasonably well. You may have thought through home networks, locked down device policies, and addressed BYOD. But can you show evidence of all of it? For remote workers specifically, assessors will want to know: How do you ensure remote worker compliance? What documentation covers home office setups? What training have remote workers received? What evidence shows their devices are configured correctly?

What compliant looks like: Remote work compliance documentation should include: a remote work or telework policy that addresses home office security requirements; device configuration evidence for all remote devices; employee acknowledgment records showing remote workers received and understood the policy; and evidence that platform-level controls (conditional access, MFA, device enrollment) are active and applied.

The judgment call: The depth of documentation required scales with your risk profile and setup specifics. But the baseline is clear: "we trust our employees to handle this" is not an assessable compliance position. You need artifacts that demonstrate the controls exist and are implemented — not just that you intended to implement them.

Remote Work Is Where We Find the Most Gaps

Home office configurations are the most variable element in CMMC compliance — and they're where we spend the most time in our consultation sessions. Every setup is different, which means generic checklists don't cut it here. Let's look at yours specifically.

Schedule Your Free 30-Minute Consultation Explore the Turnkey Package

Platform-Specific Remote Work Considerations

How you address remote work compliance depends significantly on whether your team runs on Google Workspace or Microsoft 365. The controls exist in both platforms — but they're configured differently, and the specific questions to answer are different.

Google Workspace

Key Remote Work Controls

Context-Aware Access — Restrict access to Workspace based on device security posture, network location, or both. Personal devices without endpoint verification can be blocked or limited.
Device Policies via Admin Console — Enforce screen lock, encryption, and OS version requirements on enrolled devices, including remote employee machines.
Mobile Device Management — Manage both company-owned and BYOD devices, with the ability to wipe access remotely if a device is lost or an employee departs.
Login Challenges — Additional verification when access is attempted from an unrecognized device or location.
2-Step Verification Enforcement — Mandatory MFA at the org level ensures remote employees can't bypass it.
Session Controls — Configure session duration limits to reduce risk from unattended sessions.

Microsoft 365

Key Remote Work Controls

Conditional Access Policies — Gate access to M365 resources based on device compliance status, location, and risk score. Home networks can trigger MFA challenges or block access from unmanaged devices.
Microsoft Intune — Enforce device configuration policies (screen lock, encryption, OS version) on enrolled devices, including remote machines. BYOD enrollment enables policy enforcement without full device management.
Azure AD Identity Protection — Risk-based controls that flag unusual sign-in behavior, including from unfamiliar locations.
Compliant Device Requirement — Conditional Access can require a device to pass Intune compliance checks before accessing M365 data.
MFA Enforcement — Security Defaults or Conditional Access policies ensure remote employees authenticate with MFA.
Session Timeout Policies — Configurable for inactive sessions in SharePoint, Teams, and other M365 services.

Key Point

Both platforms have the controls you need for remote worker compliance — but neither platform configures them for you by default. Out-of-the-box Google Workspace and Microsoft 365 do not enforce compliant remote work policies. These controls need to be intentionally configured, documented, and maintained. That's not a criticism of the platforms; it's the reality of enterprise software that serves a broad range of customers with different needs.

The Configuration Gap

The remote work conversation isn't just "does my platform support this?" — it does. The question is "have I configured it correctly, can I prove it, and does my documentation cover my remote employees specifically?" In our experience, the answer to the documentation question is most often no — even when the technical configuration is mostly right.

What a Complete Remote Work Compliance Picture Looks Like

A small contractor with remote workers who is genuinely CMMC Level 1 compliant for remote setups has addressed all of the following:

Policy and Documentation Layer

A remote work or telework policy covering home office security expectations
Scope documentation clearly defining what's in scope for remote workers and what's out
Employee acknowledgment records showing remote workers received and understood the policy
A BYOD policy — or a documented prohibition on BYOD (both are defensible, depending on your setup)
Physical media and print handling guidance for home office environments

Technical Controls Layer

MFA enforced at the platform level for all users, including remote employees
Screen lock enforced via device management — not just a policy request
Device enrollment for all devices that access FCI, including remote worker devices
Platform-level conditional access or context-aware access controls in place
Evidence that these configurations are active and applied to remote devices specifically

Evidence Layer

Screenshots or exports showing device policy enforcement is active
MFA enrollment records for all users
Device compliance reports from Intune or Google Admin Console
Signed policy acknowledgments from remote employees
Evidence of regular review (annual policy review, periodic device audits)

This is achievable. None of it requires enterprise IT infrastructure, a dedicated security team, or a six-month implementation timeline. But it does require knowing what to build, how to configure the controls in your specific platform, and how to organize the evidence in a way that holds up to scrutiny.

Why DIY Compliance Most Often Stalls Here

Remote work compliance is the area where self-directed implementation most commonly has gaps — not because the requirements are unusually complex, but because they require judgment. Every home setup is different. Whether a personal device is adequately secured isn't answered by a checkbox — it's answered by understanding what controls are available in your platform and what policies are enforceable given your team's actual situation.

Generic templates don't answer these questions. A remote work policy downloaded from the internet doesn't know whether your team uses Chromebooks or Windows laptops, whether you have BYOD or company-owned devices, or how your home networks are structured. You need documentation that reflects your actual environment.

That's the whole point of platform-specific consultation sessions: not to give you a template to fill out alone, but to work through your specific setup — who's working from home, what devices they're on, how your platform is configured — and build documentation that accurately reflects what you've actually implemented.

How the Turnkey Package Addresses Remote Work

The L1 Turnkey Package ($2,495/year, limited time — save $500) includes platform-specific guidance for both Google Workspace and Microsoft 365 remote configurations — not generic templates, but configuration guides and artifact templates built around the actual controls in your platform.

The 8 bi-weekly consultation sessions are where remote work specifics get addressed. You bring your setup — what devices your team uses, where they work, what your home office situations look like — and we work through the scope questions, configuration requirements, and documentation together. The 142 artifacts cover everything needed to document remote worker compliance: policies, procedures, configuration evidence templates, and employee acknowledgment forms.

Most clients complete their full Level 1 assessment in 2–4 weeks. Remote work doesn't have to be the part that slows you down.

The Honest Takeaway

Remote work compliance isn't impossibly complex. It's variable — and that variability is what makes it hard to do well without guidance. The gaps are real, they come up in assessments, and they're exactly where DIY compliance tends to leave the most holes.

The good news: if you've addressed the technical controls, the documentation is achievable. A thoughtful scope definition can significantly reduce your burden. And with a structured approach — platform-specific configuration guides, clear policy templates, and expert review of your specific setup — remote work compliance becomes the solved problem it should be, not the lingering uncertainty it often is.

Every home office is different. That's precisely why this one needs a conversation, not a checklist.

Let's Talk About Your Remote Setup Specifically

Remote and home office configurations are where we find the most gaps — and where we add the most value. Schedule a free 30-minute consultation and we'll work through your specific situation: what devices your team uses, how your platform is configured, and what documentation you need to cover remote workers in your self-assessment.

No sales pitch. Just an honest look at where you stand and what you need to do next.

Schedule Your Free Consultation Learn About the Turnkey Package

About Overwatch Tools

Overwatch Tools specializes in CMMC Level 1 and Level 2 self-assessment compliance solutions for small defense contractors. Founded by government contracting veterans with 25+ years of experience, we built the L1 Turnkey Package to give small contractors everything they need — platform-specific templates, configuration guides, expert consultation, and structured evidence collection — without enterprise bloat or $50K consultant fees.

Website: overwatchtools.com | Email: info@overwatchtools.com | Chesapeake, Virginia

Why DIY CMMC Compliance Stalls — And What Actually Works

Adm1n — Sun, 15 Mar 2026 19:12:40 +0000

Why DIY CMMC Compliance Stalls — And What Actually Works | Overwatch Tools

CMMC Level 1: The Reality Check — Part 5 of 6

Why DIY CMMC Compliance Stalls — And What Actually Works

The honest case for structure over willpower

Overwatch Tools · CMMC Compliance Specialists · March 2026

Most small contractors don't fail CMMC compliance because they didn't try. They stall — often more than once. They download the requirements, start a spreadsheet, bookmark the NIST 800-171 publication, and then... somewhere between "Limit system access to authorized users" and "Establish and document configuration settings," life happens. The effort goes on pause. Weeks pass. The spreadsheet gets reopened six months later.

This isn't a motivation problem. And it isn't a capability problem. The contractors I've watched stall are smart, capable business owners who managed DoD work for years. The issue is structural — and once you understand the architecture of why unguided compliance stalls, the solution becomes obvious.

Let's walk through it honestly. I'll also tell you where the free tools actually help, where they fall short, and why the Turnkey approach exists — not to do compliance for you, but to provide the structure that lets you actually finish.

Start Here: Free CMMC Assessment Tool

Before anything else, run the free CMMC Assessment Tool at overwatchtools.com. It evaluates all 15 CMMC Level 1 practices, generates an instant gap analysis report, and tells you in under 30 minutes where you stand. No credit card. No obligation. It's a legitimate first step — and if you come back after trying DIY and having questions, it gives us a concrete starting point for the consultation.

The Structural Reasons DIY CMMC Stalls

Reading NIST SP 800-171 is a reasonable starting point. Some contractors will work through it successfully on their own. But most don't — and when you look at why, the same patterns appear every time. These aren't motivation problems. They're architecture problems.

Stall Reason #1

Requirements Language Written for Auditors, Not Implementers

NIST SP 800-171 requirement 3.1.1 says: "Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)." That's a reasonable sentence. But what does it mean in a 5-person company that uses Google Workspace, has three people accessing shared files from home laptops, and occasionally has a subcontractor log in? The NIST language is precise enough for an assessor to evaluate — but it doesn't tell you what to actually configure, in what platform, at what setting. The gap between "understand the requirement" and "implement it correctly" is enormous, and it's filled with platform-specific research, interpretation, and trial-and-error that most small contractors don't have time for.

Stall Reason #2

Nobody Warns You About the 142-Artifact Problem

Most DIY efforts stall here. CMMC Level 1 has 15 practices. Fifteen sounds manageable. But those 15 practices map to 142 required artifacts — policies, procedures, configuration records, training logs, evidence screenshots, access control documentation, incident response records, and more. Most contractors don't discover this until they're well into implementation and realize that "write an access control policy" is actually "write the policy, implement the controls, document how they're configured, train users, and capture evidence that all of it actually happened." Without a defined artifact list, you're guessing — and guessing means rework.

Stall Reason #3

No Implementation Order Creates Rework

CMMC compliance has a logical sequence: configure your systems, then write policies that reflect how they're actually configured, then collect evidence that the configuration exists, then package it for assessment. DIY efforts frequently jump to policy-writing before configuring systems — which means the policies don't match reality and have to be rewritten later. Or they configure systems first without documenting anything, so there's no evidence trail when assessment time comes. Without a defined implementation order and someone to tell you what comes next, you can invest significant time and still end up with a partially complete package that doesn't hold up.

Stall Reason #4

No Accountability Structure Means "Finish Later" Becomes the Default

Compliance work is important but rarely urgent — right up until it is. In a small business, every day brings genuinely urgent priorities: a customer call, a contract deliverable, a hiring issue. CMMC work that has no external deadline or checkpoint gets pushed. Without scheduled sessions and someone expecting updates, most compliance efforts lose momentum after the first few weeks. The work doesn't disappear — it just keeps getting put off until a contract requirement forces the issue, usually at the worst possible time.

Stall Reason #5

Platform-Specific Configuration Is Non-Obvious

Configuring Google Workspace or Microsoft 365 for CMMC compliance isn't like configuring them for general business use. You need specific admin console settings, Conditional Access policies, audit log configurations, and more — and wrong configurations don't generate error messages. They just silently fail to meet requirements. Unless you've done this before in these specific platforms, you're researching from scratch, interpreting Google or Microsoft documentation through a CMMC lens, and hoping you haven't missed something that an assessor will flag.

Stall Reason #6

Evidence Collection Is the Final Boss

Most DIY efforts that make it this far produce reasonably good policies. What they can't produce is organized, dated, assessment-ready evidence that demonstrates the policies are actually being followed. Assessors don't just review documents — they verify that the controls work and that you can prove it. Screenshots without timestamps, policies without training records, and access control lists that haven't been reviewed in six months all create findings. Evidence collection is the most underestimated part of CMMC compliance, and it's rarely addressed in free online resources.

A Useful Self-Check

If you've nodded your head at two or more of the stall reasons above, you're describing a structural problem — not a personal failing. The question isn't whether you could eventually work through it. It's whether the time cost, the rework risk, and the quality of the final package are worth attempting unguided. For most small contractors, they aren't.

What the Turnkey Package Actually Provides

The Turnkey CMMC Level 1 Compliance Package isn't a service where Overwatch Tools does the work for you. It's a structured, guided process where you do the work — with expert support, defined deliverables, and the accountability structure that prevents stalling.

Here's how it addresses each of the structural stall points above:

True DIY (Unguided)

Interpret NIST language yourself
Guess at what "artifacts" are required
Determine your own implementation sequence
Set your own (easily missed) deadlines
Research platform configurations from scratch
Build evidence collection from nothing
No review before you submit

Turnkey Guided (L1 Package)

Platform-specific guides translate requirements
142 artifacts pre-defined — no guesswork
Structured sequence prevents rework
8 bi-weekly sessions create accountability
Step-by-step config guides for every device type
Evidence locker + templates included
Expert pre-assessment review in session 7

The bi-weekly session structure deserves particular mention. Having a scheduled call where someone is expecting your progress creates the external accountability that makes compliance work happen consistently rather than in occasional bursts. Most clients complete their Level 1 assessment in 2–4 weeks — timeline varies based on existing infrastructure and responsiveness, but the structured pace is what makes that speed achievable.

What's Inside the L1 Turnkey Package

8 bi-weekly expert consultation sessions (1 hour each)
All 15 CMMC Level 1 practices broken down to 142 required artifacts
Platform-specific templates for Microsoft 365 or Google Workspace
8 device & network configuration guides (Windows, Mac, iOS, Android, home/small office networks)
Implementation procedures and workflows — what to do and in what order
Evidence locker & SPRS report — packaged and date-stamped for assessment
Self-assessment documentation ready to submit
Free 30-minute kickoff consultation

$2,495/year — LIMITED TIME: Save $500 (Regular price $2,995)

The Math: What Compliance Is Actually Worth

Compliance conversations tend to focus on cost. That's the wrong frame. The right question is: what is a DoD contract worth to your business?

$50K–$500K+

Typical DoD contract value for small subcontractors

$2,495

L1 Turnkey Package (limited-time price)

$200–$400/hr

Traditional compliance consultant rate, no defined scope

A traditional compliance consultant charges $200–$400 per hour with no fixed deliverable list and no guarantee of what you'll have at the end. A single DoD subcontract lost to a competitor who got compliant first is worth multiples of the Turnkey Package. And a failed first CMMC assessment doesn't just cost money — it costs time, delays contracts, and raises questions with prime contractors about your operational readiness.

The Turnkey Package is $2,495/year. That's the fully loaded cost. No hourly billing, no surprise scope expansion, no "we need another 10 hours to finish the evidence review." What you see is what you pay.

Ready to Stop Stalling?

The free 30-minute consultation is where we figure out exactly where you are and what it takes to get you across the finish line — whether you're starting fresh or picking up a stalled effort.

Schedule Your Free 30-Minute Call
Start with the Free Assessment Tool

If Your Work Involves CUI: The Financial Reality of CMMC Level 2

This section is for contractors who handle Controlled Unclassified Information (CUI) — not just Federal Contract Information (FCI). If your contract involves CUI, CMMC Level 2 may apply, not Level 1. And if L2 applies, there's a financial planning argument for acting now that most small contractors have never run the numbers on.

Here's the situation: CMMC Level 2 programs that are eligible for self-assessment — meaning DoD has not designated them as requiring a C3PAO assessment — have a two-year self-assessment window. During that window, you can self-assess annually. After two years, you're required to use an accredited C3PAO assessor.

C3PAO assessments cost $40,000–$50,000 per assessment cycle. If you fail, you pay full price again for a follow-up assessment. Most small and medium contractors have not priced these costs into their existing contract structures — they're looking at a future obligation that isn't in their current budget.

Mock assessments (often positioned as preparation for C3PAO) run approximately $20,000 — and they typically provide limited remediation detail, because the assessor's business model is to be your C3PAO. You get a pass/fail outcome with high-level findings, not a detailed artifact-by-artifact gap analysis you can act on.

The Self-Assessment Window Is a Real Financial Opportunity

The smart move for eligible small contractors: use the 2-year self-assessment window to get fully compliant, validate your security posture, and know you'll pass before committing to $40,000–$50,000 in C3PAO assessment fees. Don't enter a formal C3PAO assessment underprepared. Use the window that exists specifically for organizations at your scale.

That's exactly what the L2 CUI Enclave Package is designed for. At $3,495/year, it's built around the self-assessment window — providing the 110 practices mapped to 182 defined artifacts, a dedicated CUI enclave configuration approach for Google Workspace for Government or Microsoft 365 GCC High, a pre-filled System Security Plan template, POAM framework, Risk Register, and 12 bi-weekly expert consulting sessions.

Importantly, this package is designed for contractors with limited CUI needs who don't have enterprise IT infrastructure. No Active Directory required. No SIEM required. No full-time security staff. The package includes dedicated Windows laptop or Chromebook configuration guides — you provide the hardware, we provide the templates and step-by-step implementation guides. You implement; we advise and review.

L1 + L2 Combined Investment vs. C3PAO Assessment Cost

L1 Turnkey Package: $2,495/year
L2 CUI Enclave Package: $3,495/year
Combined (full coverage): $5,990/year
Single C3PAO assessment: $40,000–$50,000 (fail = pay again)
Mock assessment: ~$20,000 (limited remediation detail)

For contractors handling both FCI and CUI: the combined L1 + L2 investment is roughly one-eighth the cost of a single C3PAO assessment cycle — and it gets you prepared to pass that assessment confidently when the time comes.

⚠️ Important — Self-Assessment Programs Only

The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Organizations required to use a C3PAO assessor are not in scope. Not sure which applies to your program? That's one of the things we clarify in the free 30-minute consultation.

So Which Path Is Right for You?

True DIY — working from free NIST resources, generic templates, and YouTube tutorials — is legitimate. Some contractors will get there on their own. But if you've attempted it and stalled, or if you're looking at the structural challenges above and recognizing that your business doesn't have the time to research and recover from each one, the Turnkey path exists specifically for that situation.

The Turnkey isn't for contractors who want compliance done for them. It's for contractors who are willing to do the work and want a defined structure, expert guidance, and a clear endpoint. The bi-weekly sessions, the 142 defined artifacts, the platform-specific guides, and the pre-assessment review are all designed to solve exactly the stall points outlined above.

For CUI handlers, the L2 package adds the dedicated enclave approach and the 182-artifact L2 framework — purpose-built for small businesses that want to use their self-assessment window wisely before C3PAO costs become the only option.

The free 30-minute consultation is the right next step if you have any uncertainty about which level applies, where you currently stand, or what it would realistically take to get you to a submitted SPRS score. We'll pick up wherever you are — fresh start, stalled effort, or "I have no idea where to begin."

Let's Pick Up Where You Left Off

Whether you're starting fresh, recovering a stalled effort, or figuring out whether L1 or L2 applies — the free 30-minute consultation is where we build your actual plan. No sales pressure. Just clarity.

Book Your Free Consultation
Run the Free CMMC Assessment First

L1 Turnkey Package: $2,495/year (save $500 limited time) · L2 CUI Enclave Package: $3,495/year · Free Assessment Tool: No credit card required

Overwatch Tools · CMMC Compliance Solutions · Chesapeake, Virginia

overwatchtools.com · info@overwatchtools.com

We just launched something for contractors who handle CUI

Adm1n — Thu, 12 Mar 2026 01:38:34 +0000

Introducing the L2 CUI Enclave Package | CMMC Level 2 Self-Assessment for Small Contractors | Overwatch Tools

CMMC Level 1: The Reality Check — Part 4 of 6

🚀 New Product Launch

Introducing the L2 CUI Enclave Package

CMMC Level 2 self-assessment — right-sized for small defense contractors. No enterprise IT. No C3PAO fees. Built on Google Workspace for Government or Microsoft 365 GCC High.

Overwatch Tools | CMMC Compliance Specialists · New for 2026

We Heard You. Level 2 Is Now in Scope.

Since launching the L1 Turnkey package, one question has come up more than any other: "We handle CUI. Does Overwatch Tools have something for Level 2?"

For a long time, the honest answer was: not yet. The L2 compliance space is dominated by enterprise-scale solutions built for large organizations with dedicated IT departments, full-time security staff, and budgets to match. Small contractors handling modest amounts of CUI — a few people, a focused scope, a DoD contract that doesn't justify a $50,000+ C3PAO engagement — were largely left to figure it out on their own.

That changes today.

We're launching the L2 CUI Enclave Package — a complete CMMC Level 2 self-assessment solution built specifically for small defense contractors with limited CUI needs. Same philosophy as the L1 Turnkey: every artifact defined, every session with a purpose, platform-specific rather than generic. Just built for the depth and scope that Level 2 requires.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Not sure which applies to you? The free 30-minute consultation is the right first step.

Ready to talk about Level 2?

Schedule a free 30-minute intro call. We'll look at your contract, your CUI scope, and your program eligibility — and give you a straight answer on which package fits.

Schedule Your Free 30-Minute Consultation →

Who the L2 CUI Enclave Package Is Built For

Before we get into what's included, it's worth being specific about who this is — and isn't — designed for. Level 2 is a bigger undertaking than Level 1, and the right-fit matters.

This package is right for you if:

Your DoD contract requires handling Controlled Unclassified Information (CUI)
Your program is eligible for annual self-assessment — not C3PAO-required
You have limited CUI needs — a defined, focused scope rather than organization-wide CUI handling
You're running Google Workspace for Government or Microsoft 365 GCC High (or ready to move to one)
You don't have — and don't want to build — enterprise IT infrastructure like Active Directory or a SIEM
You want expert consulting and defined artifacts, not a blank compliance framework to fill in yourself

This package is not right for you if:

✗ Your program requires a C3PAO assessment — self-assessment eligibility is a prerequisite for this package
✗ Your CUI handling is broad and organization-wide — this package is designed for a dedicated enclave scope
✗ You only handle FCI (Federal Contract Information) — in that case, Level 1 is what you need

Still not sure which level applies? That's more common than you'd think, and it's exactly what the free consultation is designed to sort out.

What Is a CUI Enclave — and Why Does It Matter?

A CUI enclave is a defined, isolated environment where all Controlled Unclassified Information is created, stored, processed, and transmitted. Instead of trying to apply CMMC Level 2 controls across your entire organization — every device, every user, every system — an enclave approach lets you draw a boundary around the CUI-handling environment and apply controls within that boundary.

For small contractors, this is the difference between a manageable compliance project and an enterprise-scale IT overhaul. You don't need to make every laptop, every phone, and every system in your business CMMC Level 2 compliant. You need to build and operate a secure, documented enclave where CUI lives — and keep everything else outside of it.

What the Enclave Looks Like in Practice

The L2 CUI Enclave Package is built around a dedicated CUI environment on either Google Workspace for Government or Microsoft 365 GCC High — your choice. CUI-only devices (dedicated Windows laptops or Chromebooks) access the enclave. Non-CUI work stays on separate systems. The enclave is configured, documented, and assessed as a defined scope. We provide the configuration guides — clients implement.

This is not a workaround or a shortcut. It's the correct approach for organizations with limited CUI needs, and it's how the DoD's own guidance expects small contractors to structure their compliance. The L2 CUI Enclave Package gives you every artifact, template, and configuration guide to build and document this enclave correctly.

What's Included in the L2 CUI Enclave Package

L2 CUI Enclave Package New

CMMC Level 2 — Enclave Self-Assessment

Google Workspace for Government or Microsoft 365 GCC High

$3,495/year

⚠️ Self-Assessment Programs Only. Scoped for CMMC Level 2 programs eligible for annual self-assessment. C3PAO-required programs are not in scope.

A complete, right-sized CUI Enclave compliance package for limited CUI needs. No Active Directory, no SIEM, no full-time IT staff required. You choose your platform; we provide the templates, configuration guides, and expert consulting to get you across the finish line.

12 bi-weekly expert consulting sessions — a deeper, structured program to match L2's expanded scope across 110 practices
Your choice of platform: Google Workspace for Government or Microsoft 365 GCC High — we specialize in both
110 practices → 182 defined artifacts — every CMMC Level 2 requirement mapped to a specific deliverable
Dedicated CUI enclave configuration guides — step-by-step setup for your chosen platform, built for the enclave scope
System Security Plan (SSP) — pre-filled template tailored to your enclave environment
POAM framework, Risk Register & evidence checklist — everything required for the self-assessment package
Time estimates for every task — the entire program is designed to be implementable part-time, without a full-time IT resource
SPRS scoring & self-assessment documentation — packaged, date-stamped, and ready for submission
Free 30-minute kickoff consultation — before you commit to anything

110 Practices. 182 Artifacts. What That Actually Means.

CMMC Level 2 is based on NIST SP 800-171 and covers 110 security practices across 14 domains: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.

That's a significant scope — and the reason most small contractors either avoid Level 2 entirely or hand it off to an expensive consultant who hands them back a stack of generic documents that don't reflect their actual environment.

The L2 CUI Enclave Package maps every one of those 110 practices to a specific, defined artifact — 182 total. Not "create a policy for this domain." A defined deliverable for each requirement: the specific policy, the specific configuration screenshot, the specific procedure document, the specific evidence item. You know exactly what you're building at every step.

The Difference Between Defined and Undefined Artifacts

Most compliance frameworks tell you what to satisfy. We tell you what to produce. For every one of the 182 artifacts in the L2 package, you get a template or configuration guide, a description of what it should contain, and a time estimate for completing it. No interpretation required.

Why Platform Specificity Matters at Level 2

CMMC Level 2 introduces requirements that go well beyond Level 1 — audit logging, configuration management, system protection controls, and more. The way you satisfy these requirements looks fundamentally different depending on whether your enclave runs on Google Workspace for Government or Microsoft 365 GCC High.

Generic compliance documents — the kind that say "configure your email platform to retain audit logs" without telling you which setting to click in which admin console — fail at Level 2. The requirements are too specific, and the verification too granular, for platform-agnostic guidance to hold up.

The L2 CUI Enclave Package is built around your chosen platform from the ground up. Configuration guides are written for the specific admin consoles, settings, and capabilities of Google Workspace for Government and M365 GCC High. You're not translating enterprise documentation into something that applies to your environment. It starts in your environment.

Consideration	Google Workspace for Government	Microsoft 365 GCC High
Best for	Teams already on Google, Chromebook-friendly workflows	Teams already on Microsoft, Windows-native workflows
CUI device	Dedicated Chromebook (CUI-only)	Dedicated Windows laptop (CUI-only)
Audit logging	Google Admin audit logs, Workspace alerts	Microsoft Purview, Defender for M365
Config management	Google Admin Console, Chrome Enterprise	Intune, Conditional Access, Defender
Included guides	✓ Google Workspace for Gov configuration guide	✓ M365 GCC High configuration guide

Not sure which platform is the right fit? We'll help you work through that in the kickoff consultation. Both are fully supported — the choice is yours.

No Enterprise IT Required. Seriously.

One of the most persistent myths about CMMC Level 2 is that you need enterprise IT infrastructure to comply. Active Directory. A SIEM. A full-time security engineer. A dedicated compliance team. For large defense contractors, that might be true. For small contractors with a defined CUI enclave, it's not.

The L2 CUI Enclave Package is explicitly designed for organizations without enterprise IT. Here's what that means in practice:

No Active Directory required — identity management through Google Workspace for Government or M365 GCC High admin consoles
No SIEM required — audit logging handled through platform-native tools (Google Admin audit logs or Microsoft Purview)
No full-time IT staff required — time estimates on every task are designed for a part-time IT point person
No enterprise hardware required — CUI-only dedicated laptops or Chromebooks; we provide the config guides, not the hardware
No security team required — the Owner/Manager, an IT point person, and your CUI users are the three roles the program is built around

This doesn't mean Level 2 is simple. It means it's achievable for small organizations with a focused CUI scope — which is exactly what the enclave approach is designed to enable.

How the 12-Session Program Works

The L2 CUI Enclave Package follows the same session-based structure as the L1 Turnkey — defined focus per session, clear deliverables, bi-weekly cadence — but expanded to 12 sessions to cover Level 2's broader scope.

Program Structure at a Glance

Sessions 1–2: Kickoff, gap assessment, CUI flow mapping, enclave scoping, action plan
Sessions 3–4: Access control, authentication, identity management, MFA, account policies
Sessions 5–6: Device configuration, CUI-only device setup, configuration management baselines
Sessions 7–8: Platform deep dive — GWS for Gov or M365 GCC High audit logging, enclave configuration, sharing controls
Sessions 9–10: SSP completion, POAM framework, Risk Register, policy and documentation review
Session 11: Evidence collection, Evidence Locker organization, pre-assessment dry run across all 110 practices
Session 12: SPRS scoring, submission documentation, affirmation prep, post-submission support

Sessions are 1 hour each, conducted virtually, every two weeks. Between sessions, you complete implementation work using the 182 defined artifacts, platform configuration guides, SSP template, and POAM framework. Email support is available throughout.

"The entire program is designed with time estimates on every task — so you know going in what you're committing to, and can plan implementation around your existing workload."

L1 Turnkey vs. L2 CUI Enclave: Which One Is Right for You?

If you're not sure which level applies to your situation, this comparison is a good starting point. The key question is whether your DoD contract involves CUI — and if so, whether your program is eligible for self-assessment.

Feature	L1 Turnkey Package	L2 CUI Enclave Package
CMMC Level	Level 1	Level 2
Information type	FCI (Federal Contract Information)	CUI (Controlled Unclassified Information)
Assessment type	Annual self-assessment	Annual self-assessment (eligible programs only)
Practices	15 practices	110 practices
Defined artifacts	142 artifacts	182 artifacts
Consulting sessions	8 bi-weekly sessions	12 bi-weekly sessions
Platform	Google Workspace or Microsoft 365	Google Workspace for Gov or M365 GCC High
SSP required	No	Yes — pre-filled template included
POAM / Risk Register	No	Yes — framework included
Enterprise IT needed	No	No
Price	$2,495/year (Save $500 limited time)	$3,495/year

Still not certain? The free consultation is built for this exact question. We'll review your contract requirements and your information environment and tell you directly which level applies and which package fits.

Our Full Product Lineup

L1 Turnkey Compliance Package

CMMC Level 1 — Self-Assessment · Most Popular

$2,495/year

$2,995 Save $500 (Limited Time)

8 bi-weekly expert consultation sessions (1 hour each)
All 15 CMMC L1 practices mapped to 142 required artifacts
Platform-specific templates for Microsoft 365 or Google Workspace
8 device & network configuration guides (Windows, Mac, iOS, Android, home/small-office)
Evidence Locker & SPRS report template
Self-assessment documentation package — assembled, packaged, date-stamped
Email support between sessions
Free 30-minute kickoff consultation

L2 CUI Enclave Package New

CMMC Level 2 — Enclave Self-Assessment

Google Workspace for Government or M365 GCC High

$3,495/year

⚠️ Self-Assessment Programs Only. Scoped for CMMC Level 2 programs eligible for annual self-assessment. C3PAO-required programs are not in scope.

12 bi-weekly expert consulting sessions
110 practices mapped to 182 defined artifacts
Your choice of platform: Google Workspace for Government or M365 GCC High
Dedicated CUI enclave configuration guides
System Security Plan (SSP) — pre-filled template
POAM framework, Risk Register & evidence checklist
Time estimates for every task — implementable part-time
SPRS scoring & self-assessment docs — packaged and date-stamped
Free 30-minute kickoff consultation

Not Sure Where You Stand? Start Here — Free

The Overwatch Tools CMMC Assessment Tool is free, takes under 30 minutes, and gives you an instant gap analysis across all 15 CMMC Level 1 practices — plus flags whether Level 2 may apply to your situation. No credit card, no obligation. Start your free assessment →

Ready to Figure Out Where You Stand?

Whether you're handling FCI at Level 1 or CUI at Level 2, the first step is the same — a free 30-minute consultation. We'll review your contract requirements, confirm which level applies, and give you a clear path forward. No pressure, no commitment.

Schedule Your Free 30-Minute Consultation →
Learn More at Overwatchtools.com

Overwatch Tools | CMMC Compliance Solutions

Making CMMC Compliance Achievable for Small Defense Contractors

Chesapeake, Virginia | overwatchtools.com | info@overwatchtools.com

Is your Microsoft 365 actually CMMC-ready?

Adm1n — Mon, 09 Mar 2026 00:54:28 +0000

CMMC Level 1: The Reality Check — Part 3 of 6

Is Your Microsoft 365 Actually CMMC-Ready?

A 12-Point Self-Audit for Defense Contractors

Microsoft 365 has more compliance-relevant settings than any other small business platform. That's its strength — and its risk.

By Overwatch Tools | CMMC Compliance Specialists | March 2026

If you run your business on Microsoft 365 and you're pursuing or maintaining defense contracts, you've probably told yourself at some point: "We have M365. We're probably fine."

Here's the reality: Microsoft 365 is one of the most capable platforms for CMMC Level 1 compliance — but only when it's configured correctly. And it has more compliance-relevant settings, more license-tier dependencies, and more places where a wrong answer quietly breaks your posture than any other small business platform on the market.

This isn't a criticism. It's an honest technical picture. M365's depth is precisely what makes it so powerful for compliance — but that same depth means there are a dozen places where "I think we have that turned on" isn't good enough.

The following 12-point audit is designed for Microsoft 365 users who want to know, with real confidence, where they actually stand. For each item, assess yourself against three statuses:

✅ Confirmed — You've verified this in the admin center and can document it.

⚠️ Unsure — You think it's configured, but haven't verified it recently or can't produce evidence.

❌ Not Done — This isn't configured, isn't applicable yet, or you're not sure where to find it.

Be honest. The whole point of this audit is to find the gaps before an assessor does.

⚠️ Note: This audit does not provide step-by-step fix instructions — that's the work we do together in consultation sessions. Its purpose is to help you accurately assess your current state and identify where you need professional review.

Part 1: The Foundation — Licensing and Account Type

Before you can configure anything correctly, you need to confirm you're working with the right version of Microsoft 365. This is the most frequently overlooked issue we encounter in M365 consultation sessions — and it's the one that makes everything else irrelevant if it's wrong.

Item 1 Licensing Tier — Are You on the Right Plan?

CMMC Level 1 compliance requires security features that are only available in specific M365 tiers. The critical capabilities — Microsoft Intune for device management, Conditional Access policies, and Microsoft Defender for Business — are included in Business Premium and above, but not in Business Basic or Business Standard.

Many defense contractors discover too late that they've been running on Business Standard, assuming it was "good enough." It isn't. If you're not on Business Premium (or a GCC variant), you literally cannot configure several of the controls CMMC Level 1 requires.

What to verify: Log into your Microsoft 365 admin center → Billing → Your products. Confirm your subscription tier.

Special note for CUI handlers: If you handle Controlled Unclassified Information and may be subject to CMMC Level 2, commercial M365 tiers are not sufficient — you will need Microsoft 365 GCC High. More on this at the end of this post.

✅ Confirmed ⚠️ Unsure ❌ Wrong Tier / Not Checked

Part 2: Core Security Configuration

Once you've confirmed you're on the right licensing tier, the next layer is configuration. This is where the real complexity lives — and where most organizations have gaps they don't know about.

Item 2 Conditional Access Policies ⚠ Common Gap

Multi-Factor Authentication is necessary but not sufficient. Per-user MFA (the basic version most small businesses enable) does not enforce policy-based access control. CMMC requires policy-enforced MFA — which means Conditional Access policies configured in Azure Active Directory / Entra ID.

The difference matters: per-user MFA can be bypassed in certain authentication flows. Conditional Access closes those gaps by applying rules at the policy level — requiring MFA based on user, device, location, and app conditions.

What to verify: Go to Microsoft Entra ID → Protection → Conditional Access. Are there active policies? Are they enforced (not just in report-only mode)?

✅ Policies Active & Enforced ⚠️ Report-Only Mode ❌ Per-User MFA Only

💬 Conditional Access is one we always review in the first two consultation sessions. If you're unsure, don't guess — schedule a free session to verify it together.

Item 3 Intune Device Enrollment and Management ⚠ Common Gap

Microsoft Intune is the device management backbone for CMMC-compliant M365 environments. But there's an important distinction: devices can be registered in Intune without being fully enrolled and managed. Registered devices don't receive the compliance policies, configuration profiles, or security baselines that CMMC requires.

Company-owned devices used for DoD work need to be fully enrolled in Intune, with compliance policies applied and actively monitored — not just registered for basic sync.

What to verify: In the Microsoft Intune admin center → Devices → Overview. Are company devices enrolled? Are compliance policies applied and returning "compliant" status?

✅ Enrolled & Managed ⚠️ Registered Only ❌ Not Configured

Item 4 Microsoft Defender for Business — Configured, Not Just Licensed

Microsoft Defender for Business is included with Business Premium — but included doesn't mean configured. Many small businesses have Defender sitting in their tenant, untouched, because the license was part of a bundle purchased for other reasons.

For CMMC, Defender needs to be actively deployed to devices, configured with security policies, and monitored. An endpoint protection tool that isn't deployed is the same as not having one.

What to verify: In the Microsoft Defender portal, check whether onboarded devices appear under Assets → Devices. Are alerts being generated and reviewed?

✅ Deployed & Monitored ⚠️ Licensed, Not Configured ❌ Not Set Up

Counting Your "Unsure" Answers?

If you've marked more than 2 items as Unsure or Not Done so far, a professional review is genuinely warranted — not as a criticism, but because the M365 admin environment is complex and these gaps are extremely common.

Schedule a Free 30-Minute Review

Part 3: Logging, Data Controls, and Access Management

Item 5 Audit Log Retention — Is It Even Enabled? ⚠ Common Gap

Unified audit logging in Microsoft Purview is the backbone of your ability to detect, investigate, and document security events. Here's what surprises many M365 users: it is not enabled by default in all tenants. Older tenants may have it disabled entirely.

If audit logging isn't enabled, you have no searchable record of user sign-ins, file access, admin changes, or security events — which means you cannot produce the evidence CMMC assessors look for.

What to verify: In the Microsoft Purview compliance portal → Audit → Search. If you can run a search, logging is enabled. If you see a setup screen or error, it's off.

✅ Enabled & Searchable ⚠️ Not Sure ❌ Disabled / Never Set Up

💬 Audit logging is one we always verify in the first two consultation sessions. It's silent when it's off — you won't know it's missing until you need it.

Item 6 External Sharing Policies in SharePoint and OneDrive

By default, Microsoft 365 is designed to make collaboration easy — which includes allowing users to share files externally with anyone who has a link. For defense contractors handling Federal Contract Information, this is a significant risk that directly violates CMMC access control requirements.

Your SharePoint and OneDrive sharing settings need to be configured to prevent FCI from being shared with unauthorized external parties. This includes tenant-level sharing settings and site-level policies.

What to verify: In the SharePoint admin center → Policies → Sharing. What is your tenant-level external sharing setting?

✅ Restricted — Internal / Specific Users Only ⚠️ Default / Unsure ❌ Open Sharing Enabled

Item 7 Admin Account Separation

Do your administrators perform admin tasks — adding users, changing security settings, managing licenses — using their regular day-to-day accounts? If so, this is a security gap. Privileged admin tasks should be performed from dedicated accounts separate from standard user accounts.

This reduces the blast radius if a standard account is compromised. A compromised regular account shouldn't also give an attacker global admin access to your M365 tenant.

What to verify: In Microsoft Entra ID → Users, check whether admin role assignments are on standard accounts or dedicated admin accounts.

✅ Dedicated Admin Accounts in Use ⚠️ Not Sure ❌ Admins Using Regular Accounts

Item 8 Legacy Authentication Blocking ⚠ Common Gap

Legacy authentication protocols — Basic Authentication, SMTP AUTH, POP3, IMAP — predate modern MFA. They cannot be protected by Conditional Access policies, which means any account that supports legacy authentication has a pathway to bypass your MFA entirely.

Microsoft has deprecated Basic Authentication in most M365 tenants, but SMTP AUTH and other legacy protocols may still be enabled. Attackers specifically target legacy auth because it sidesteps MFA controls.

What to verify: In Microsoft Entra ID → Monitoring → Sign-in logs, filter for "Legacy authentication client." Also check Conditional Access for a legacy auth block policy.

✅ Blocked via Conditional Access ⚠️ Partially Disabled ❌ Still Enabled / Unknown

💬 Legacy auth blocking is one we always review in the first two consultation sessions. It's the most common MFA bypass vector and the most frequently overlooked setting in small business M365 tenants.

Part 4: Process Controls and Assessment Evidence

Configuration gets you to the technical baseline. Process controls and documentation evidence are what turn a secure environment into a demonstrably compliant one. This is the layer most small contractors underinvest in.

Item 9 User Offboarding — Documented and Enforced

When an employee leaves, how quickly is their M365 access revoked? "As soon as we remember to" is not a CMMC-compliant answer. You need a documented, enforced offboarding process that includes immediate account disabling, revocation of active sessions, mailbox reassignment or archival, and removal from security groups.

CMMC requires that access is terminated promptly when it's no longer needed. Your offboarding procedure needs to be documented, and you need to be able to show evidence that you follow it.

What to verify: Do you have a written offboarding procedure that references your M365 environment? Can you show a recent log of a completed offboarding?

✅ Documented & Practiced ⚠️ Informal Process Only ❌ No Documented Process

Item 10 Microsoft Secure Score — Reviewed and Triaged

Microsoft Secure Score is a useful lens on your M365 security posture, but it requires interpretation. Not every recommendation is CMMC-relevant, and chasing a high Secure Score number isn't the same as being CMMC-compliant. The goal is to understand which items map to CMMC practices — and which don't.

Have you reviewed your Secure Score and categorized recommendations by compliance relevance? A score in isolation tells you very little — the triage is what matters.

What to verify: In the Microsoft Defender portal → Secure Score → Recommended actions. Have you reviewed and triaged these for CMMC relevance?

✅ Reviewed & Triaged for CMMC ⚠️ Looked, Not Triaged ❌ Never Reviewed

Item 11 Incident Response Documentation — M365 Specific

A generic incident response plan isn't sufficient for CMMC. Your IR documentation needs to reference your specific M365 environment — including your tenant name, admin contacts, the location of your audit logs, and steps specific to isolating or investigating a compromise within your M365 setup.

Assessors look for evidence that your IR plan is operational, not theoretical. A plan that could apply to any organization doesn't demonstrate that your team knows how to respond in your specific environment.

What to verify: Does your IR plan mention Microsoft 365 by name, include your tenant admin contacts, and reference Purview audit log access steps?

✅ M365-Specific & Current ⚠️ Generic Plan Exists ❌ No IR Documentation

Item 12 Annual Security Review Evidence

CMMC is not a one-time pass. It requires ongoing management and periodic review of your security posture. For your assessment, you need to demonstrate that you have reviewed your M365 security configuration within the past 12 months — not just set it up correctly once.

This means dated documentation showing a review was conducted, what was checked, what (if anything) was changed, and who performed the review.

What to verify: Can you produce documentation showing a security review of your M365 environment with a date within the last 12 months?

✅ Documented Within 12 Months ⚠️ Reviewed, Not Documented ❌ No Formal Review

Reading Your Results

Add up your responses. Here's what the distribution typically tells us:

Your Score Profile	What It Means
10–12 Confirmed	Strong baseline. Focus on evidence quality and documentation consistency for your assessment package.
5–9 Confirmed, rest Unsure	Common position for organizations that have made genuine security investments but haven't documented or verified them formally. Consultation sessions are exactly right for this profile.
3+ Gaps in Items 2, 3, 5, or 8	Technical gaps that need to be resolved before assessment. Configuration work is required alongside documentation.
Multiple Not Done in Items 1–4	Licensing or foundational configuration issues. These need to be resolved first — other items can't be addressed correctly until the foundation is right.

💡 Pro Tip: The four most commonly deficient items across all M365 reviews we conduct are Items 2, 3, 5, and 8 — Conditional Access, Intune enrollment, audit logging, and legacy auth blocking. If you're doing a focused spot-check before scheduling a consultation, start there.

A Note for Contractors Who Handle CUI

This audit covers CMMC Level 1 — the baseline requirement for all defense contractors handling Federal Contract Information. If your contract involves Controlled Unclassified Information (CUI), you may be subject to CMMC Level 2, which has significantly more extensive requirements.

The key platform distinction for Level 2: commercial Microsoft 365 tiers (including Business Premium) are not sufficient for CUI environments. CMMC Level 2 programs require Microsoft 365 GCC High, a government-community cloud variant with enhanced data residency and compliance controls.

⚠️ Self-Assessment Programs Only. The Overwatch Tools L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to engage a C3PAO for third-party assessment are not in scope. If you're unsure which category applies to your program, the free consultation is the right place to start.

How the Turnkey Package Addresses the M365 Gap

The Overwatch Tools Turnkey CMMC Level 1 Compliance Package is built around the practical reality that M365 compliance takes expertise — not because the controls are impossible, but because knowing which controls matter, where to find them, and how to document them correctly is what separates organizations that pass from organizations that scramble.

What's Included for M365 Users

M365-specific configuration guides — step-by-step instructions across the M365 admin center, Entra ID, Intune, Defender, Purview, and SharePoint. Not generic cloud guidance.

All 15 CMMC Level 1 practices mapped to 142 required artifacts — every policy, procedure, screenshot, and evidence document defined, with M365-specific templates for each.

8 bi-weekly expert consultation sessions — where we review your actual M365 configuration, not a generic checklist. Items 2, 5, and 8 are standard first-session agenda items.

Evidence locker and SPRS report — packaged and date-stamped, assessment-ready.

Device and network configuration guides — for Windows, Mac, iOS, Android, and home/small office networks.

Free 30-minute kickoff consultation — before work begins, so we understand your exact setup.

Most clients working from an existing M365 Business Premium environment complete their Level 1 assessment package in 2–4 weeks. Timeline varies based on your current configuration state and availability for consultation sessions.

Let's Look at Your M365 Tenant Together

Before your assessment does. A free 30-minute consultation review covers the configuration items most likely to create problems — and gives you a clear picture of what you need to address before moving forward.

Book Your Free 30-Minute Consultation See the Turnkey Package →

No obligation. No sales pressure. Just a professional review of where you actually stand.

Is Your Google Workspace Actually CMMC-Ready? Take the 12-Point Self-Audit

Adm1n — Wed, 04 Mar 2026 15:45:16 +0000

Google Workspace CMMC Level 1 Self-Audit: 12 Things Assessors Actually Check | Overwatch Tools

📋 CMMC Level 1: The Reality Check — Part 2 of 6

Is Your Google Workspace Actually CMMC-Ready? Take the 12-Point Self-Audit

A compliance diagnostic for GWS defense contractors — no guesswork, no jargon

Published by Overwatch Tools | CMMC Compliance Specialists | Chesapeake, Virginia

You've set up Google Workspace. You're using it every day for email, docs, and file sharing. You've even heard it can be configured for CMMC Level 1 compliance.

So you're good, right?

Maybe. But "using Google Workspace" and "having a CMMC-compliant Google Workspace configuration" are very different things — and the gap between them is exactly where small defense contractors fail self-assessments.

This audit isn't designed to scare you. It's designed to give you an honest picture of where you stand before an assessor, a prime contractor, or a DoD audit does. Go through each item and answer as truthfully as you can: ✅ Confirmed, ⚠️ Unsure, or ❌ Not Done.

How to Use This Checklist

For each of the 12 items below, assess your current Google Workspace configuration honestly. If you're not certain — if you'd have to go look, ask someone, or guess — mark it ⚠️ Unsure. Uncertainty counts the same as a gap when an assessor is in the room.

Track your results. We'll help you interpret your score at the end.

The 12-Point Google Workspace CMMC Self-Audit

Item 1

Admin Account Separation

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Your Google Workspace super admin account is a dedicated administrative account — separate from anyone's day-to-day email and productivity account. No one uses the admin account to read email or create documents.

Non-compliant commonly looks like: The owner or IT lead logs into their normal Google account to access the Admin Console, and that same account is their personal email, Drive, and Calendar. One account wearing all the hats.

Why it matters: Super admin accounts have the keys to your entire organization. If that account is compromised — through phishing, password reuse, or a device breach — everything is exposed. Separation limits blast radius and demonstrates access control hygiene that CMMC assessors look for.

Item 2

MFA Enforcement at the Organization Level

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: 2-Step Verification is enforced at the organization level in the Google Admin Console — meaning users cannot bypass it, cannot opt out, and will be locked out if they haven't enrolled. Enrollment is mandatory, not optional.

Non-compliant commonly looks like: 2SV is enabled or "allowed" in the Admin Console, and a policy document says users should use it, but it isn't actually enforced. Some users have it set up; others don't. There's no guarantee.

This is one of the most common configuration gaps we encounter. Having 2FA available is not the same as having it required. The distinction is made in the Admin Console under Security → 2-Step Verification → Enforcement. If you haven't confirmed the enforcement setting yourself recently, you may not know what it's actually set to.

Item 3

External Drive Sharing Settings

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Google Drive sharing is configured at the Admin Console level to restrict or prohibit external sharing of sensitive files. Users cannot share files with people outside your organization without deliberate admin-level exceptions, and those exceptions are documented.

Non-compliant commonly looks like: Default sharing settings are in place. Anyone in your organization can share a Drive file with anyone on the internet, including setting it to "Anyone with the link." This is Google's default behavior and most small orgs never change it.

⚠️ We find gaps here frequently. Default Google Workspace sharing settings are intentionally permissive for productivity — and intentionally problematic for CUI protection. This is one of the items we review directly in consultation sessions with Turnkey clients.

Item 4

Google Vault Configuration

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Google Vault is not just enabled — it is actively configured with retention rules that cover email and Drive data, and you have run at least one audit log review to verify it's capturing what it should. You know where to find audit logs and have reviewed them.

Non-compliant commonly looks like: Vault is included in your subscription (it comes with Business Plus and above) and you've seen it in the Admin Console, but you haven't set up any retention policies, exported any logs, or verified it's actually capturing anything useful. It's "on" but not configured.

⚠️ We find gaps here frequently. Vault is one of those features that gives a false sense of security. Many contractors assume that because it's included in their plan, it's working. Configuration and usage are two different things — and assessors want to see evidence of the latter.

Not sure if your Vault is actually configured? This is exactly what we review in Session 2 of the Turnkey program — and it takes less than an hour to get it right.

Schedule a free 30-minute consultation to talk through your setup →

Item 5

Device Management and Endpoint Policies

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Company devices — laptops, phones — are enrolled in Google Workspace's endpoint management. Policies are actively enforced: screen lock is required, disk encryption is verified, and you have a way to remotely wipe a device if it's lost or stolen.

Non-compliant commonly looks like: Devices are not formally enrolled. Employees access company email and Drive from personal devices with no centralized policy enforcement. Or device management is set up for mobile but not for laptops. Or enrollment is in place but no policies are actually applied.

Device management becomes especially important for remote and hybrid workers — which describes most small defense contractors today. If an employee's laptop is stolen at a coffee shop and you have no way to wipe it or verify it was encrypted, that's a significant CMMC gap.

Item 6

Third-Party App Access Control

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: You have reviewed which third-party apps and integrations have access to your Google Workspace data. You have a process for approving or blocking connected apps, and you've removed any apps that don't have a clear business justification.

Non-compliant commonly looks like: Employees have connected various tools — project management apps, browser extensions, productivity add-ons — to their Google accounts, and none of this has been reviewed at the admin level. Some apps may have broad data access permissions that were granted years ago.

Google Workspace allows granular control over which apps can access organizational data. If you haven't reviewed this in the Admin Console → Security → API controls section, you may have more data exposure than you realize.

Item 7

User Offboarding Process

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: You have a written, documented procedure for revoking access when an employee leaves — covering Google account suspension, Drive access transfer, removal from groups, and device wipe. You've tested this process. You can show evidence it's been followed for past departures.

Non-compliant commonly looks like: When someone leaves, you remember to change their password or suspend their account — eventually. There's no checklist. The process varies by person and urgency. Former employees may still have access to shared Drives they were added to via a link.

⚠️ We find gaps here frequently. Offboarding documentation is one of the highest-impact, easiest-to-fix CMMC gaps — and one of the most commonly missing. Assessors will ask to see it. "We handle it when it comes up" is not an acceptable answer.

Item 8

Audit Log Review Practice

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Someone in your organization reviews Google Workspace audit logs on a regular, documented schedule — looking for unusual sign-in activity, external sharing events, admin changes, and other anomalies. That review is logged, even informally.

Non-compliant commonly looks like: Audit logs exist — you know they're in the Admin Console somewhere — but no one reviews them proactively. You'd only go looking if something went obviously wrong. There's no scheduled review, no documentation of past reviews.

⚠️ We find gaps here frequently. Having logs is the baseline. Actually reviewing them is what demonstrates ongoing security awareness — and what CMMC requires. This is reviewed in the Turnkey program's consultation sessions, along with what to look for and how often.

Unsure what to look for in your audit logs — or how often you should be reviewing them? Session 2 of the Turnkey program covers this directly, including a review of your actual Admin Console configuration.

Talk to a compliance expert — free, 30 minutes →

Item 9

Password Policy Enforcement

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: Your password strength requirements are set and enforced in the Google Admin Console — minimum length, complexity, and reuse restrictions are applied at the organizational level, not just described in a policy document that people may or may not have read.

Non-compliant commonly looks like: You have a written password policy in a handbook or security document, but the Admin Console password settings are at Google's defaults. There's no technical enforcement — it's honor system.

Policy documents are necessary but not sufficient. CMMC requires that controls be implemented — meaning technically enforced, not just written down and hoped for. Admin Console password settings and policy documentation need to align and reinforce each other.

Item 10

Google Workspace Edition Verification

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: You are running Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, or a comparable edition that includes Google Vault, advanced endpoint management, and enhanced security controls. You have verified this in the Admin Console.

Non-compliant commonly looks like: You're running Business Starter or Business Standard — common for small companies that signed up years ago — and don't have access to Vault or advanced endpoint management. Or you're unsure what edition you have.

Edition matters more than most small contractors realize. Lower tiers of Google Workspace lack security features that are not optional for CMMC Level 1. We've covered this in detail in our Google Workspace edition guide for defense contractors — worth reviewing if you're not 100% certain what you're running.

Item 11

Incident Response Documentation

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: You have a written incident response plan that references your Google Workspace environment specifically — who gets notified if there's a breach or suspicious activity, what steps are taken, how the incident is documented, and when/how you notify the DoD.

Non-compliant commonly looks like: You have a general idea of what you'd do if something went wrong, but it isn't written down. Or you have a generic incident response template that doesn't mention Google Workspace, specific contacts, or the 72-hour DoD reporting requirement.

⚠️ We find gaps here frequently. Incident response plans that actually reference your specific environment — your tools, your contacts, your escalation path — are rare. Generic templates don't satisfy assessors, and more importantly, they don't help you when something actually goes wrong. The Turnkey program includes GWS-specific IR procedures.

Your incident response plan needs to reference Google Workspace specifically — not just be a generic template. This is one of the documents we help customize in the Turnkey program's consultation sessions.

Schedule a free consultation to see what's in the Turnkey IR package →

Item 12

Annual Security Review Evidence

✅ Confirmed ⚠️ Unsure ❌ Not Done

Compliant looks like: You have documented evidence — a log, a dated report, meeting notes, a compliance review record — showing that your Google Workspace security settings were reviewed within the past 12 months. Someone signed off on it. It's findable.

Non-compliant commonly looks like: You've reviewed your settings informally, or you set them up when you first configured Workspace and haven't formally revisited them since. There's no dated record of a security review. "We check it when something seems off" doesn't count.

CMMC isn't a one-time event — it's ongoing. Annual reviews with documented evidence demonstrate that compliance is maintained, not just achieved once and forgotten. This is something many contractors only realize they need after their first assessment cycle.

How Many "Unsure" Answers Did You Get?

Be honest with yourself. Each "Unsure" is a gap in your compliance posture — not because you're doing something wrong, but because you don't have confirmed evidence that you're doing it right. In a self-assessment, unconfirmed controls don't count.

0–1 Unsure

Strong

You likely have solid fundamentals. Consider a consultation to confirm before your formal assessment.

2–4 Unsure

At Risk

You have real gaps that need to be addressed. A consultation will help you prioritize and fix them efficiently.

5+ Unsure

Exposed

Your configuration hasn't been verified against CMMC requirements. Starting with expert guidance will save significant time and risk.

If you marked more than 2 items as "Unsure" or "Not Done," a consultation is worth your time — not because you've failed anything, but because you now know exactly where to focus.

What the Turnkey Program's GWS Consultation Sessions Actually Cover

The Overwatch Tools Turnkey CMMC Level 1 Compliance Package includes 8 bi-weekly expert consultation sessions, and for Google Workspace users, several of those sessions are dedicated directly to the items in this checklist.

Here's what that looks like in practice:

        GWS-Specific Consultation Coverage
        Admin Console walkthrough: We review your actual settings — MFA enforcement, sharing controls, password policies, app access — not hypothetically but in your specific configuration.
Vault setup and verification: We confirm retention policies are configured correctly and that audit logs are being captured and accessible.
Device management review: We assess your endpoint enrollment and policy settings, including the common gaps for organizations with mixed personal/company devices.
Offboarding documentation: We build a GWS-specific offboarding checklist that becomes part of your evidence library.
Incident response plan: We customize your IR procedures to reference your Google Workspace environment, your contacts, and DoD notification requirements specifically.
Annual review evidence: We document your review sessions so you have dated, signed-off records from day one.

    

The Turnkey program also includes the complete GWS configuration guide — step-by-step instructions for configuring each of the 12 areas above in your Admin Console. We don't just tell you what needs to be done; we show you exactly how to do it for your specific workspace.

⚠️ A Note on Edition Requirements

Several of the controls above — including Google Vault and advanced endpoint management — are only available in Business Plus or Enterprise editions. If you're running a lower tier, your configuration gaps may be subscription-level, not just settings-level. Our edition guide covers exactly which features are required and which plans include them.

Most Turnkey clients with Google Workspace complete their Level 1 assessment preparation in 2–4 weeks. The primary factors that determine timeline are your existing infrastructure, your edition level, and how quickly you can implement the configuration changes from your consultation sessions.

What Comes Next

This checklist gives you a clear picture of where your Google Workspace stands against CMMC Level 1 requirements. But knowing the gaps is only the first step — closing them is what actually moves the needle.

If you marked any items "Unsure" or "Not Done," you have two paths forward:

Self-guided with the Turnkey Toolkit: Use the GWS configuration guide and 400+ templates to work through each item systematically, with 8 expert sessions to keep you on track.
Start with a free consultation: Talk through your specific configuration and get a prioritized action list before committing to anything.

The consultation is free, it's 30 minutes, and you'll leave with a clearer sense of what your actual compliance posture looks like — not what you hope it is.

Get a GWS Compliance Expert on the Phone

We've helped dozens of small defense contractors close exactly the gaps in this checklist. In 30 minutes, we can tell you where you stand and what needs to happen before your assessment.

No sales pressure. No obligation. Just a straight answer about your compliance posture.

Book Your Free 30-Minute Consultation Explore the Turnkey Program

Turnkey CMMC Level 1 Package — $2,495/year · Includes GWS configuration guides, 8 consultation sessions, and 400+ templates

About This Series

This post is Part 2 of 6 in the "CMMC Level 1: The Reality Check" series — a diagnostic series designed to help small defense contractors identify their actual compliance posture, not their assumed one.

Part 1: The Most Common CMMC Level 1 Mistakes
Part 2: Google Workspace Self-Audit (this post)
Part 3: Microsoft 365 Self-Audit
Part 4: Evidence Collection — The Task Nobody Warns You About
Part 5: SPRS Scoring — What It Means and How to Avoid Getting It Wrong
Part 6: Maintaining Compliance After Your Assessment

Overwatch Tools | CMMC Compliance Specialists | Chesapeake, Virginia
info@overwatchtools.com | overwatchtools.com

Overwatch Tools

Certify Your Whole Company or Just Create a CUI Enclave?

Certify Your Whole Company or Just Create a CUI Enclave?

Not Sure Which Approach Fits Your Situation?

What "Scope" Actually Means in CMMC

The Key Principle

The Two Approaches: Side by Side

The Enclave Approach

The Full-Company L2 Approach

What the Enclave Approach Actually Looks Like

What a Small-Contractor CUI Enclave Looks Like

When Does Full-Company L2 Apply? (Probably Not Your Situation)

⚠️ Signs You Might Need Full-Company L2 (Rare for Small Contractors)

Decision Framework: Is the Enclave Approach Right for You?

📋 Enclave Approach Fit Checklist

A Note on Platform Choice for the Enclave

Not Sure Which Platform to Choose?

The Math: Enclave Approach vs. Full-Scope L2

The Two-Package Approach

Let's Figure Out the Right Scope for Your Business

The Bottom Line

✅ What the Two-Package Approach Gives You

110 Practices. 182 Artifacts.Here’s What CMMC Level 2 Actually Requires.

110 Practices. 182 Artifacts.Here's What CMMC Level 2 Actually Requires.

The Scope Is Smaller Than You Think

What "Enclave Scoped" Means in Practice

The 14 CMMC Level 2 Domains — What Each One Covers

Want to See the Full Artifact Breakdown for Your Platform?

What "182 Artifacts" Actually Means

Who Does What: The Three Roles in L2 Compliance

L1 + L2 Side-by-Side: The Complete Compliance Stack

Covers Your Main Business

Covers Your CUI Enclave

Combined Stack: $5,990/year

Platform Variants: Google Workspace for Government vs. M365 GCC High

Every Practice Mapped. No Guesswork on What Counts as Evidence.

What "Every Artifact Defined" Looks Like

Ready to Walk Through What This Looks Like for Your Business?

The Bottom Line

You might qualify for CMMC L2 self-assessment

CMMC Level 2 Self-Assessment:Who Qualifies and What's Required?

The Misconception That's Costing Contractors

What "Self-Assessment" Means at CMMC Level 2

Who Qualifies for L2 Self-Assessment?

Programs Likely Eligible for Self-Assessment

Programs Likely Requiring a C3PAO

How Do You Know Which Applies to You?

The 2-Year Window: What It Is, What It Enables

⚠️ What Happens When the Window Closes?

The C3PAO Cost Reality: $50,000 Per Cycle

What Happens If You Fail?

Fail a C3PAO Assessment = Pay Full Price Again

The Budget Gap Nobody's Talking About

Self-Assessment Window vs. C3PAO Path: Side by Side

L2 Doesn't Replace L1 — It Builds On It

What the L2 CUI Enclave Package Delivers

L2 CUI Enclave Package — $3,495/year

✓ The Smart Play: $5,990/Year During the Window

How Implementation Works

The Path Through the Self-Assessment Window

A Note on SPRS Submission

The Window Is Open. The Question Is Whether You Use It.

Bottom Line

What is a CUI enclave? (And do you need one?)

What Is a CUI Enclave?(And Do You Need One?)

The Simplest Way to Understand a CUI Enclave

Inside vs. Outside the Enclave

Why Isolation Is the Key Compliance Strategy

Scope Containment in Practice

What's Actually Inside a CUI Enclave

Dedicated Devices

A Government-Tier Platform

Restricted, Documented Access

Documented Procedures

No Enterprise IT Required

How the Enclave Sits on Top of Your L1 Compliance

The Full Compliance Picture

Is the Enclave Approach Right for You?

What the L2 CUI Enclave Package Provides

A Realistic Day-in-the-Life of the Enclave

110 Practices. 182 Artifacts.
Here's What CMMC Level 2 Actually Requires.

CMMC Level 2 Self-Assessment:
Who Qualifies and What's Required?

What Is a CUI Enclave?
(And Do You Need One?)