If your company touches a Department of Defense contract — directly as a prime or somewhere down the supply chain as a sub — the rules just changed under your feet. The Cybersecurity Maturity Model Certification program, known as CMMC 2.0, has moved out of “proposed rule” limbo and into the contracts themselves. For California’s dense ecosystem of aerospace, hardware, software, and engineering firms serving the defense sector, this is no longer a future compliance project. It is a present-day requirement, and the assessment clock is already running.
This guide breaks down what California defense contractors actually need to do about CMMC 2.0 right now: what changed, which level applies to you, what an assessment looks like, and how to close the gaps before they cost you an award.
What CMMC 2.0 Actually Is (and Why It’s Different This Time)
CMMC is the DoD’s mechanism for verifying that contractors actually protect the sensitive information they handle. For years, the standard was self-attestation: you signed a form promising you met the 110 security controls in NIST SP 800-171, and everyone moved on. The problem was obvious — a signature is not a safeguard, and adversaries were walking out the door with Controlled Unclassified Information (CUI) from contractors who had checked “compliant” without doing the work.
CMMC 2.0 replaces the honor system with verification. It streamlines the original five-level model down to three, aligns each level to existing NIST standards, and — critically — requires third-party assessment for most companies handling CUI. The framework is now baked into the DFARS rule and is appearing as a condition of award in new solicitations. In short: no certification at the required level, no contract. This is the core of modern defense contractor cybersecurity, and it is enforceable.
The Three Levels — and How to Know Which One Applies to You
Your required level is driven by the type of information you handle, and it will be specified in the contract. Here is the practical breakdown of the CMMC compliance requirements by level:
- Level 1 (Foundational): For contractors handling only Federal Contract Information (FCI). Requires the 17 basic safeguarding practices from FAR 52.204-21. Assessment is an annual self-assessment with an executive affirmation.
- Level 2 (Advanced): For contractors handling CUI. Requires all 110 controls from NIST SP 800-171. Most companies at this level will need a third-party assessment by a certified C3PAO every three years, with annual affirmations in between.
- Level 3 (Expert): For the highest-priority programs and the most sensitive CUI. Builds on Level 2 with a subset of NIST SP 800-172 controls and a government-led assessment.
The mistake we see most often in California’s supply chain is firms assuming they are “just a subcontractor” and therefore exempt. They are not. Flow-down clauses push CMMC requirements to every tier that touches CUI. If a prime needs Level 2, the small machine shop or software vendor they rely on very likely needs it too.
Why California Contractors Are in the Crosshairs
California is one of the largest defense economies in the country — Southern California aerospace, the Bay Area’s defense-adjacent tech, San Diego’s naval and unmanned-systems cluster, and a long tail of specialized suppliers across Orange County and the Inland Empire. That density is exactly why the state’s contractors face concentrated risk. Adversaries map the supply chain and attack the softest link, which is almost never the prime — it is the under-resourced supplier with a flat network and no formal security program.
California firms also carry extra weight: alongside federal rules, you are operating under the CPRA and a maturing set of state data-protection expectations. A well-built CMMC program does double duty here, hardening you for the DoD while strengthening your posture against the breach-notification and privacy obligations that already apply to you at home.
What a CMMC Assessment Looks Like
For Level 2, a cybersecurity audit against the 110 NIST SP 800-171 controls is the heart of it. An assessor doesn’t just want to hear that you have multi-factor authentication or encryption — they want evidence: configuration screenshots, policy documents, access logs, and proof that what you wrote down is what you actually do. Two artifacts carry enormous weight:
- System Security Plan (SSP): the master document describing your environment, where CUI lives, and how each control is implemented. No SSP, no credible assessment.
- Plan of Action & Milestones (POA&M): your documented roadmap for closing any gaps, with owners and dates. CMMC 2.0 allows limited POA&Ms for certain controls, but they must be closed within 180 days — they are a short bridge, not a permanent excuse.
You’ll also be scored. The DoD uses a 110-point SPRS methodology where certain unimplemented controls subtract more than one point. Many contractors who believe they are “mostly there” are shocked to discover a negative score once an honest assessment is applied. Knowing your real number before a C3PAO walks in is the difference between a clean certification and a failed one.
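To make the scoring concrete, here is an added example (not code from the article or from GRYHAT) that applies the SPRS arithmetic to a gap list. It assumes the DoD Assessment Methodology rules: start at 110 and subtract each unimplemented control's weight (1, 3 or 5 points), with partial credit only for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The weight table is a hand-entered sample of a few controls and should be checked against the published methodology before any real use; the status dictionary is a constructed gap list, not a real assessment.

```python
"""SPRS score calculator for NIST SP 800-171 gap results.

Added example, not part of the original article and not GRYHAT's tooling.
Assumed rules (DoD Assessment Methodology): score = 110 minus the weight of
every control that is not fully implemented. Two controls allow partial credit.
"""

MAX_SCORE = 110

# Sample control weights (requirement ID -> points lost if unimplemented).
# Hand-entered for this example; verify against the current DoD table.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.20": 1,   # verify/control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multi-factor authentication
    "3.8.9": 1,    # protect backup CUI at storage locations
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Controls where a partial implementation costs 3 instead of the full 5:
# 3.5.3 (MFA on remote/privileged access but not general users) and
# 3.13.11 (encryption in place but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATES = {"implemented", "partial", "not_implemented"}


def deductions(status, weights=WEIGHTS):
    """Return [(control_id, points_lost)] for every control not fully met.

    A "partial" status only earns partial credit for the two controls the
    methodology allows; for any other control it is scored as unimplemented.
    """
    lost = []
    for control, state in status.items():
        if control not in weights:
            raise KeyError(f"unknown control id {control!r}")
        if state not in VALID_STATES:
            raise ValueError(f"bad status {state!r} for {control}")
        if state == "implemented":
            continue
        points = weights[control]
        if state == "partial" and control in PARTIAL_CREDIT:
            points = PARTIAL_CREDIT[control]
        lost.append((control, points))
    return lost


def sprs_score(status, weights=WEIGHTS):
    """Compute the SPRS score: 110 minus all weighted deductions.

    The result can be negative; with every control in the full 110-item
    table unimplemented the methodology bottoms out at -203.
    """
    return MAX_SCORE - sum(points for _, points in deductions(status, weights))


def remediation_order(status, weights=WEIGHTS):
    """Gaps sorted so the highest-weight (5-point) findings come first."""
    return sorted(deductions(status, weights), key=lambda item: (-item[1], item[0]))


# Constructed gap list for a hypothetical supplier (not a real assessment).
SAMPLE_STATUS = {
    "3.1.1": "implemented",
    "3.1.2": "not_implemented",
    "3.1.20": "not_implemented",
    "3.3.1": "not_implemented",      # no centralized logging
    "3.5.3": "partial",              # MFA on VPN and admins only
    "3.8.9": "implemented",
    "3.13.11": "not_implemented",    # non-FIPS encryption
    "3.14.1": "not_implemented",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_STATUS))
    for control, points in remediation_order(SAMPLE_STATUS):
        print(f"  fix {control}: recovers {points} point(s)")
```

Running the sample gives a score of 86 for only six gaps across eight sampled controls, which is why "mostly there" programs with dozens of open items across the real 110 routinely land below zero; the remediation order puts the 5-point controls (logging, FIPS cryptography, access control, flaw remediation) ahead of 1-point items, matching the "high-impact gaps first" advice.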
The Gaps That Sink Contractors Most Often
Across the assessments and remediation projects our team runs, the same handful of failures repeat:
- No defined CUI boundary. CUI is scattered across email, file shares, and personal devices with no enclave, which makes the entire environment in-scope and the assessment exponentially harder.
- Weak or partial MFA. Multi-factor on email but not on the VPN, remote admin, or cloud consoles is a guaranteed finding.
- Unmanaged endpoints and mobile devices. Laptops and phones that touch CUI without enforced encryption, logging, and remote-wipe capability. Mobile is a particular blind spot — a single unmanaged phone can undo an otherwise solid program. (For locking down the mobile layer specifically, see how Citadel handles mobile and Wi-Fi security.)
- Missing logging and monitoring. You can’t prove control effectiveness — or detect an incident — without centralized logs you actually review.
- Policies that don’t match reality. Templated documents pulled off the internet that describe a company you aren’t. Assessors spot this immediately.
What to Do Right Now
The contractors who win in this environment are the ones who treat CMMC as a head start rather than a fire drill. Here’s the sequence we recommend:
- Confirm your required level by reviewing current and upcoming contracts and the flow-down clauses from your primes.
- Scope your CUI. Identify exactly where it lives and draw a defensible boundary around it to shrink your assessment footprint.
- Run an honest gap assessment against all 110 controls and calculate your real SPRS score — no grade inflation.
- Build the SSP and POA&M as living documents, then remediate the high-impact gaps first.
- Operationalize, then certify. Live in the controls for a few months so your evidence is genuine before a C3PAO arrives.
This is exactly the work our GRYHAT cybersecurity and compliance services are built for — virtual CISO leadership, gap assessments, remediation, and SSP/POA&M development tailored to defense contractors. We translate the framework into a concrete plan and stay in the trenches until you’re certifiable, not just hopeful.
Don’t Wait for the Solicitation to Force Your Hand
CMMC 2.0 is not a paperwork exercise you can knock out the week before a bid is due. A Level 2 program typically takes months to stand up and mature. The contractors who start now will have certification as a competitive advantage; the ones who wait will watch awards go to better-prepared rivals — or lose existing work when their primes demand proof they can’t yet provide.
If you’re a California defense contractor and you’re not certain where you stand, the smartest first move is also the cheapest: find out. Schedule a free initial cybersecurity audit with GRYHAT, and we’ll give you a clear, honest read on your current posture, your real SPRS score, and the fastest defensible path to the CMMC level your contracts require — before it shows up as a condition of award.
