Federal & Cybersecurity
Securing the defense supply chain through CMMC compliance.
Why CMMC Matters
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base. As a DoD contractor and SDVOSB, MeND treats cybersecurity as a core operational requirement — not a checkbox.
Our federal cybersecurity program is built around NIST SP 800-171 Rev. 2, with controls implemented across 14 security domains and continuously monitored.
CMMC enforcement begins November 2026 and reaches full implementation by 2028. MeND is aligning ahead of the rollout so contracting officers, partners, and subcontractors can rely on us through every phase.
CMMC Level 2 Certification — Underway
MeND is actively pursuing CMMC Level 2 certification, the standard required for any DoD contractor handling Controlled Unclassified Information. Implementation of all 110 NIST SP 800-171 controls is in progress, with formal third-party assessment scheduled upon completion.
This investment ensures our customers, partners, and subcontractors can confidently share sensitive program data with us — today and as the DoD enforces CMMC across all new contracts.
CMMC Level 2 Progress Log
Transparency matters. Below is a public log of every milestone in our path to CMMC Level 2 — what's done, what's in motion, and what's next.
Secureframe Consultation & Onboarding
Completed initial consultation with Secureframe, established our organizational account, and gained access to the Secureframe compliance dashboard. This gives MeND a centralized platform for managing every NIST SP 800-171 control, evidence, and policy required for CMMC Level 2.
Dedicated Federal Google Workspace
Stood up a separate Google Workspace tenant on federal.mendsourcing.com to isolate Controlled Unclassified Information (CUI) from our commercial environment. DNS, MX, SPF, DKIM, and DMARC are live; identity, device, and data-loss-prevention policies are being configured.
Policy Implementation & Evidence Collection
Rolling out the full set of Secureframe-managed policies, mapping each to NIST SP 800-171 controls, and connecting Secureframe to our infrastructure for automated, continuous evidence collection.
Internal Readiness Assessment
Self-assessment against all 110 NIST SP 800-171 controls, gap remediation, and documentation of our System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
C3PAO Third-Party Assessment
Engagement with a Certified Third-Party Assessor Organization (C3PAO) to formally validate compliance and award MeND its CMMC Level 2 certification.
What you Need to Know
As a DLA contractor, MeND is preparing for the agency's phased rollout of CMMC requirements. Below is what suppliers, subcontractors, and customers need to know.
Governing DFARS Provisions
DFARS provision 252.204-7025(b)(1) and DFARS clause 252.204-7021(d)(1)(i) together state the CMMC level required for a specific solicitation or contract.
Sets the CMMC level required by the solicitation. The level (or higher) is required prior to award for each contractor information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during contract performance.
Requires the contractor to have and maintain the specified CMMC level (or higher) for the duration of the contract on all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit FCI or CUI.
DLA Phased Implementation Timeline
DLA is implementing CMMC using a three-year phased approach beginning November 10, 2025. After November 10, 2028, suppliers must have a completed CMMC Level 2 Self-Assessment uploaded to SPRS to be eligible for contract award.
Begins at 48 CFR Rule Effective Date. When applicable, solicitations and contracts will require Level 1 (FCI) or Level 2 Self-Assessment (CUI/CDI).
12 months after Phase 1. When applicable, solicitations and contracts will require Level 2 C3PAO Assessment (CUI/CDI).
24 months after Phase 1. When applicable, solicitations and contracts will require Level 3 DIBCAC Assessment (CUI/CDI).
36 months after Phase 1. All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award.
DLA Procurement Notes & Standard Text Objectives
Suppliers will see DLA Procurement Notes (PN) and/or Standard Text Objectives (STO) in contracts indicating a current or future CMMC requirement.
| CMMC Level | Procurement Note | STO | Description |
|---|---|---|---|
| Level 1 Self-Assessment | L39 | None | CMMC Level 1 Self-Assessment Requirement for Federal Contracting Information (FCI) |
| Level 2 Self-Assessment | L40 | RD004 | CMMC Level 2 Self-Assessment Requirement (Phase In: Nov 10, 2025 – Nov 10, 2028) |
| Level 2 C3PAO | L41 | RD005 | CMMC Level 2 Certified Third-Party Assessment Organization (C3PAO) Requirement (Phase In: Nov 10, 2025 – Nov 10, 2028) |
| Level 3 DIBCAC | L42 | None | CMMC Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessment Requirement |
Self-Assessment Resources
Official resources for Level 1 and Level 2 self-assessments and for finding C3PAO third-party assessors:
14 Security Domains
Every CMMC Level 2 control maps to one of the 14 NIST SP 800-171 security families. Our policies, procedures, and tooling cover each one.
Powered by Secureframe
MeND has partnered with Secureframe to automate and accelerate our CMMC Level 2 readiness. Secureframe's platform handles continuous control monitoring, evidence collection, policy management, and audit preparation across the full NIST SP 800-171 control set.
Looking to start your own CMMC journey?If you're considering Secureframe for your organization, reach out to us first — we can connect you with our contacts to secure better pricing than going direct.
Get Secureframe Referral Pricing →Talk to Our Federal Team
Questions on CMMC, our compliance posture, or Secureframe referrals? Reach out directly to tristan@federal.mendsourcing.com or use the form below.