CMMC 2.0 · DEFENSE INDUSTRIAL BASE

CMMC 2.0 Compliance
Defence Industrial Base Security

CMMC 2.0 is mandatory for US Department of Defense contractors handling Controlled Unclassified Information (CUI). Canadian companies in the US/Canada defence supply chain - including NORAD, NATO, and DND contractors - increasingly face CMMC requirements. ThreeShield delivers CMMC gap assessments backed by government audit experience.

CMMC 2.0 Level Structure

Level 1 - Foundational (15 practices)

Basic cyber hygiene. Annual self-assessment with an annual affirmation of compliance. Covers Federal Contract Information (FCI) only. The 15 practices are the basic safeguarding requirements of FAR 52.204-21, which correspond to a subset of the NIST SP 800-171 controls.

Level 2 - Advanced (110 practices)

Aligns to NIST SP 800-171 in full. Required for contracts involving CUI. Depending on the program, the contract calls for either a triennial certification assessment by a C3PAO or a triennial self-assessment; both carry an annual affirmation of continued compliance.

Level 3 - Expert (110 practices plus 24 from NIST SP 800-172)

Adds 24 selected NIST SP 800-172 requirements for the highest-value DoD programs. A Level 2 C3PAO certification is a prerequisite; the Level 3 assessment itself is government-led, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under DCMA. For organizations protecting the most sensitive DoD programs.

CUI Scoping

The most critical step in CMMC compliance is defining what CUI you handle and where it lives. Overly broad scoping pulls systems into the assessment boundary that never touch CUI and creates unnecessary compliance burden; too narrow leaves systems that store, process, or transmit CUI outside the boundary and risks a failed assessment. The output of scoping is an asset inventory and a defined assessment boundary: which assets handle CUI, which provide security for those assets, and which are out of scope. ThreeShield delivers formal CUI scoping exercises.

System Security Plan (SSP)

CMMC Level 2 requires a documented SSP describing how each NIST SP 800-171 control is implemented. The SSP is the primary document the C3PAO assessor reviews. ThreeShield develops SSPs grounded in your actual technical environment, not templates.

POAM Management

Plan of Action and Milestones (POAM) documents known gaps and remediation timelines. A well-managed POAM demonstrates compliance maturity while remaining controls are being implemented, but CMMC limits its use: a Level 2 assessment may close with open POAM items only if the minimum score is met, certain higher-weighted requirements are never eligible for a POAM, and open items must be closed within 180 days for the conditional status to become a final certification. ThreeShield maintains POAM tracking continuously.

CMMC as a Contract Requirement

CMMC Level 2 and Level 3 assessments are a condition of contract award for affected DoD contracts. Level 1 allows annual self-attestation, which ThreeShield delivers directly. For Level 2, a formal assessment by a DoD-authorized C3PAO is required unless the contract permits self-assessment; Level 3 requires a Level 2 C3PAO certification before the government-led DIBCAC assessment. ThreeShield delivers all readiness work and coordinates the C3PAO engagement as part of one integrated contract. Organizations that haven't completed the required assessment tier will lose eligibility for affected defense contracts.

Who this is for:

  • US DoD Prime Contractors
  • DoD Subcontractors
  • Canadian NORAD / NATO Contractors
  • DND Supply Chain
  • Aerospace & Defence Manufacturers
  • Defence Software Providers

ITAR-Affected Environments — ThreeShield Has Been There

Many CMMC-required contractors also operate under ITAR (International Traffic in Arms Regulations) obligations. ITAR doesn't just restrict exports — it shapes every aspect of how technical data is accessed, stored, assessed, and documented. Vulnerability assessments in ITAR environments require assessors who understand these constraints, not just NIST 800-171.

ThreeShield's principal has conducted cybersecurity and vulnerability assessments in ITAR-regulated environments for US military contractors including Pratt & Whitney, Sikorsky, UTC, and Hamilton Sundstrand. This includes direct experience with: the foreign national access restrictions that apply to systems containing ITAR technical data (under ITAR, releasing technical data to a foreign person is itself an export); the enclave boundary requirements that segregate regulated data; the documentation controls governing how assessment findings may be handled and transmitted; and the interaction between ITAR Part 120–122 obligations and CMMC/NIST 800-171 CUI protection requirements.

If your CMMC readiness engagement involves systems that also carry ITAR obligations — or if you're unsure whether ITAR applies to your environment — ThreeShield can scope the assessment accordingly. This experience is not common in the CMMC readiness market and it matters for accurate scope definition.

Frequently Asked Questions

Does CMMC apply to Canadian companies?

Yes, if you're in the US Department of Defense supply chain - either as a prime contractor with US government contracts, or as a subcontractor to a US prime. Canadian companies building components for US defence programs (aerospace parts, software, services) increasingly face CMMC requirements passed down through their prime contractor's flow-down clauses. NORAD and NATO involvement can also trigger requirements.

Can we still self-attest, or do we need a third-party assessment?

It depends on your contract category. Level 1 still allows annual self-assessment. Level 2 for most programs now requires a third-party assessment (C3PAO) on a triennial basis. The self-attestation model that was common under DFARS 252.204-7012 is being replaced by formal CMMC assessment requirements. ThreeShield delivers Level 1 self-attestation support directly. For Level 2 and Level 3, ThreeShield delivers all readiness work and the formal assessment is performed by a C3PAO (CMMC Third-Party Assessment Organization) partner - one contract, one project manager. We help you understand which level applies and prepare you thoroughly for the C3PAO assessment.

How does CMMC relate to ITAR and EAR?

CMMC governs cybersecurity controls for protecting CUI (Controlled Unclassified Information). ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) govern the export and handling of defense-related technology, technical data, and defense articles - including many items that don't obviously look like weapons. They're separate regulatory regimes, but they frequently apply simultaneously to the same defense contractor environments.

Does ThreeShield have experience assessing ITAR-controlled environments?

ThreeShield has direct, significant experience conducting vulnerability assessments and cybersecurity evaluations in environments subject to ITAR controls. This includes work for US military contractors handling ITAR-regulated technical data - environments where the security requirements are shaped not just by CMMC but by ITAR's access control obligations, the prohibition on unauthorized foreign national disclosure, and the system boundary requirements that flow from those restrictions. Our principal's background includes ITAR-controlled military environments at organizations including Pratt & Whitney, Sikorsky, UTC, and Hamilton Sundstrand, as well as ITAR-adjacent work where the regulated technical data shaped what could be scanned, how findings were documented, and who could review the results.

In practice, this means ThreeShield's vulnerability assessments in ITAR-affected environments account for: the foreign national access restrictions that define who may access systems containing ITAR technical data; the enclave boundary requirements that keep regulated data segregated; the documentation controls that govern how assessment findings are handled, stored, and transmitted; and the interaction between ITAR Part 120/121/122 obligations and the CUI handling requirements CMMC is designed to enforce. If your CMMC readiness engagement involves systems that also carry ITAR obligations, that experience is directly relevant and ThreeShield can factor it into the assessment scope.

Three Ways to Engage - DIY to Done-for-You

ThreeShield meets you at your current security maturity. Every level includes Lavawall®.

Self-Serve

DIY via Lavawall®

For lean IT teams and cost-conscious organizations with internal security capacity

  • Lavawall® GRC with CMMC control mapping
  • Continuous automated evidence collection
  • Live compliance dashboard and score
  • Policy template library
  • AI-generated compliance status reports
Start with Lavawall®
Recommended for MSPs & Lean IT

Supported

Expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity

  • Everything in DIY tier
  • CISSP/CISA gap assessment
  • Prioritized remediation roadmap
  • Policy and procedure development
  • Quarterly compliance review calls
  • MSP white-label available
Get Supported Engagement
Fully Managed

Done-for-You

Full compliance delivery - ThreeShield manages the entire program end to end

  • Everything in Supported tier
  • Full compliance program management
  • CISSP/CISA-executed formal readiness assessment
  • Findings methodology (typically 200+ findings)
  • Complete documentation package
  • Annual reassessment included
Book Done-for-You

Ready to Get Compliant?

Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.

Book a Scoping Call

DIY · Supported · Done-for-You · Available globally