CMMC Readiness for Tacoma & Pacific Northwest Defense Contractors

Only 1% of defense contractors are fully prepared for a CMMC Level 2 assessment — and the Level 1 picture isn't much better. That is not a projection — it is the headline finding of CyberSheath's 2025 State of the Defense Industrial Base report, published by Merrill Research based on a survey of the defense industrial base. Level 2 contractors (handling Controlled Unclassified Information) need 110 NIST SP 800-171 controls; Level 1 contractors (handling Federal Contract Information under FAR 52.204-21) need 17 basic controls and annual self-assessment. Sixty-nine percent of contractors claim DFARS compliance, but just thirty percent have actually completed the medium or high assessments that validate their cybersecurity posture. With Phase 1 (Level 1 and Level 2 self-assessment with senior official affirmation) live since November 10, 2025, Phase 2 — Level 2 C3PAO third-party assessment — going live November 10, 2026 — and Phase 3 expanding CMMC across all applicable solicitations (including Level 3 DIBCAC assessment for the highest-risk programs) following November 10, 2027 — the gap between perception and reality is no longer hypothetical. It is a contracting eligibility problem playing out across the Pacific Northwest.

What makes the readiness gap especially dangerous is that most contractors do not know they have one. For Level 2 contractors specifically, SSE, a Registered Practitioner Organization that has performed 60+ gap assessments across small and mid-sized defense suppliers, published a number every Pierce County contractor should sit with: the average delta between self-assessed SPRS scores and evidence-based post-assessment scores is negative 133 points. Companies walk in believing they are close to the required 110. They are not. They are missing controls, missing evidence, and misunderstanding scope. Meanwhile, the Department of Justice is no longer waiting — nine cyber-related False Claims Act settlements totaled 52 million dollars in FY2025, including one payout triggered by an internal whistleblower whose own employer fabricated an SPRS score. For Level 1 contractors, the gap is different but equally dangerous: many don't realize their contracts include FCI handling, lack a repeatable annual self-assessment process, or can't produce the senior official affirmation when a prime asks.

For over twenty years, Spyderweb Communications has helped defense contractors and JBLM-adjacent businesses across Tacoma, the South Sound, and the broader Pacific Northwest build cybersecurity programs that actually withstand assessment. A CMMC Readiness Assessment is the starting point — a structured evaluation tailored to your level: the 17 FAR 52.204-21 controls for Level 1, or NIST SP 800-171's 110 controls (and 320 associated assessment objectives) for Level 2, designed to tell you exactly where you stand, what you need to fix, and how long it will take. Whether you are a manufacturer in Lakewood, a logistics provider serving Joint Base Lewis-McChord, or a subcontractor anywhere in the regional defense supply chain, the readiness assessment is how we replace guesswork with a concrete remediation plan.

The first thing any CMMC readiness assessment determines is which level applies to your contracts. Most Pierce County small businesses fall into one of two categories — and the readiness work, the timeline, and the cost differ meaningfully between them.

How to tell which one applies to you: Look at your contract clauses. Level 1 typically references FAR 52.204-21 or Federal Contract Information. Level 2 references Controlled Unclassified Information (CUI), DFARS 252.204-7012, DFARS 252.204-7021, or CUI marking and handling requirements. If you're uncertain, the free 30-minute readiness call clarifies your contract scope and identifies which level your readiness work needs to target. For Level 3 (Expert) — assessed by the government's DIBCAC for the most sensitive DoD programs — see our CMMC services page for full details.

CMMC readiness is not the same as CMMC compliance, and it is not the same as a self-assessment. A self-assessment is the contractor's own opinion of where they stand against NIST SP 800-171 — which, as SSE's data shows, is on average 133 points more generous than reality. CMMC compliance is the certified end state, achieved when an authorized C3PAO assessor signs off on a complete implementation of all 110 controls and the underlying 320 assessment objectives. Readiness sits between the two: an honest, evidence-based evaluation of your environment, scoped to your contracts and CUI footprint, designed to predict what a real assessment would find.

A proper readiness assessment evaluates four dimensions that self-assessments routinely miss: scope (where does in-scope data actually live — FCI for Level 1, CUI for Level 2?), control implementation (are the required controls deployed — 17 for Level 1, 110 for Level 2 — or just on the policy shelf?), evidence (can you prove continuous enforcement when an assessor or affirming official asks?), and documentation (does your System Security Plan match what your systems actually do?). CMMC currently defers to NIST SP 800-171 Revision 2 per the DoD Final Rule (32 CFR Part 170; published September 10, 2025; effective November 10, 2025), with Revision 3 transition timing under DoD review. The output is not a pass/fail grade. It is a forward-looking remediation roadmap that tells you what to fix, in what order, and how long it will take. For organizations without CMMC obligations, our broader IT risk assessment covers the same dimensions across HIPAA, PCI DSS, and general security frameworks.

• 1. Free 30-Minute Readiness Call. We start with a no-obligation discovery call to understand your contracts, your CUI footprint, and your timeline. By the end of the call, you'll know whether a paid readiness assessment is the right next step — or whether you're closer to ready than you thought.
• 2. FCI / CUI Scope Discovery (Week 1). We map the people, systems, processes, and data flows that touch your in-scope data — FCI for Level 1, CUI for Level 2. This is where most assessments succeed or fail before any control work begins.
• 3. Control Inventory (Weeks 1-2). A structured walk-through of the controls that apply to your level — 17 FAR 52.204-21 controls for Level 1, or all 110 NIST SP 800-171 controls and 320 assessment objectives for Level 2. We score every control on deployment status, evidence quality, and gap severity.
• 4. SPRS Validation & POA&M Drafting (Week 2). We validate your SPRS score against the evidence inventory and draft a prioritized Plan of Action and Milestones. Every gap gets an owner, a target date, and a closure criterion.
• 5. Remediation Roadmap Delivery (Week 3). Final deliverable: a phased remediation plan (typically 2-4 months for Level 1, 6-12 months for Level 2), a fixed-fee quote for the full CMMC certification engagement, and a recommendation on whether GCC High migration is required (Level 2 / CUI handling).

• DoD contractors with CMMC clauses already in their contracts. If DFARS 252.204-7012 or the new DFARS 252.204-7021 (CMMC compliance requirements) is in your contract language, the assessment clock has already started.
• Subcontractors near Joint Base Lewis-McChord (JBLM) — including Lakewood, Lacey, and the Pierce-Thurston-King corridor. Even tier-3 and tier-4 subs are seeing flow-down requirements from primes ahead of the November 2026 deadline.
• Pacific Northwest manufacturers, machine shops, and engineering firms — including Tacoma Tideflats and Frederickson industrial-zone shops. Manufacturing has been the most-targeted industry for cyberattacks four years running, and CMMC codifies the floor.
• Tacoma and South Sound defense logistics, professional services, and IT vendors. If you provide services to a prime contractor and any of those services touch CUI, you're in scope — and most companies in this position have never been told.
• Small manufacturers and service providers handling Federal Contract Information (Level 1) but uncertain of compliance status. If your contracts reference FAR 52.204-21 or FCI handling, you need annual evidence of the 17 basic controls — and most small shops don't have a documented self-assessment workflow or current senior official affirmation on file.
• Contractors whose self-assessed SPRS score is "around 80-100." That's the single most dangerous zone in the DIB right now. SSE's -133 point delta data says you're almost certainly not where you think you are.

• A real first conversation, not a sales call. Most national consultants want a paid engagement on day one. We do not. The 30-minute readiness call is a discovery conversation — you walk away knowing where you stand whether or not you continue with Spyderweb.
• Pacific Northwest dispatch without Eastside-premium pricing. We serve Tacoma, JBLM, and the broader Pacific Northwest from a Fircrest headquarters — without the Eastside MSP markup that other regional providers charge.
• Full-stack, not advisory-only. Boutique vCISOs hand you a report and walk away. Spyderweb implements the controls, deploys the tooling, and stays through the C3PAO assessment.
• 20+ years in the Pacific Northwest defense ecosystem. We have been managing IT for Pierce County manufacturers and government suppliers since 2003. The institutional memory matters when a C3PAO asks you to explain a fifteen-year-old system.
• Fixed-fee remediation, scoped after the readiness assessment. CMMC remediation work is scoped to your environment after the readiness assessment so you know the price before you commit — no scope creep, no surprise change orders.