The contract you just bid on with a US prime, worth £2.7 million over three years, depends on a single certification your UK firm does not hold. That certification is CMMC 2.0, and the Department of Defense (DoD) has already begun phasing it into contracts. If your software, cloud infrastructure, or engineering data touches Controlled Unclassified Information (CUI) for a US defence contractor, you must hold the certification status the solicitation names at the time of award, not after. UK firms that ignore this reality are leaving bids on the table. Worse, they are exposing themselves to liability when CUI flows across borders without the required cybersecurity baseline.
This is not a US-only problem. The DoD's Cybersecurity Maturity Model Certification (CMMC) 2.0 programme rule, 32 CFR Part 170, was published in October 2024 and took effect on 16 December 2024. It applies to any contractor or subcontractor, domestic or foreign, whose systems process, store, or transmit FCI or CUI. UK businesses in the F-35 supply chain, naval software, or advanced manufacturing for US defence primes must comply. No UK scheme is accepted as equivalent: neither Cyber Essentials nor an ISO 27001 certificate substitutes for a CMMC assessment, and UK GDPR addresses a different problem entirely. We have seen UK firms lose contracts worth over £500,000 because they could not show a current SPRS entry. This is the reality in 2026.
Why CMMC 2.0 Matters for UK Firms Now
CMMC 2.0 replaces the five-level pilot programme with three certification levels. Each level maps to the sensitivity of the data your firm handles. Level 1 applies to Federal Contract Information (FCI) only, the routine information generated under a contract. Level 2 covers CUI and requires all 110 security requirements of NIST SP 800-171 Revision 2. (Revision 3, published in May 2024, consolidates these into 97 requirements, but the CMMC rule still incorporates Revision 2; do not assess against Rev 3 unless your contract says so.) Level 3 addresses the most sensitive CUI and adds 24 selected requirements from NIST SP 800-172. Whether a UK company self-assesses or undergoes a third-party assessment organisation (C3PAO) assessment depends on the level the solicitation specifies, not on contract value.
The programme rule is already in force, and the companion DFARS acquisition rule (48 CFR) that puts CMMC clauses into solicitations took effect in November 2025 with a three-year phase-in. Many primes had already added CMMC 2.0 requirements to subcontracts before then. We are advising UK firms whose US customers demand proof of certification within 90 days. This is not a future compliance exercise. It is a current contract requirement.
Mapping the 3 CMMC 2.0 Certification Levels
Level 1: Foundational (Self-Assessment)
Level 1 requires the 15 basic safeguarding requirements from FAR Clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These are not complex: limit system access to authorised users, identify and authenticate users, protect the network boundary, patch promptly, and run malware protection. UK firms that only handle FCI, for example quoting on a contract without touching technical drawings or engineering data, self-assess annually and record the result and an affirmation in the Supplier Performance Risk System (SPRS). Cost is minimal. Risk of failure is low. But many UK SMEs underinvest here and lose bids because their SPRS entry is missing or out of date.
Level 2: Advanced (C3PAO Assessment)
Level 2 is the most common requirement for UK firms handling CUI. It demands all 110 security requirements from NIST SP 800-171 Revision 2. This includes multi-factor authentication, audit logging and review, vulnerability scanning, FIPS-validated cryptography for CUI, and a documented incident response capability. There is no dollar threshold: the solicitation states either Level 2 (Self) or Level 2 (C3PAO). A self-assessment must be repeated every three years with an annual affirmation in SPRS; a C3PAO certification also lasts three years with annual affirmation. The DoD expects most Level 2 requirements to be the C3PAO variant, and primes often ask for a C3PAO assessment even where the solicitation allows self-assessment.
This is where most UK firms stumble. Requirement 3.1.3 (control the flow of CUI) and the System Security Plan (3.12.4) require you to know where CUI is stored and every path it takes between systems, people, and suppliers; assessors expect a CUI data-flow diagram that matches the real network. Cloud is the usual gap. DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline or an equivalent body of evidence, and a provider's FedRAMP authorisation covers specific regions and services. A workload in AWS London or Azure UK South is not covered merely because the provider holds a FedRAMP authorisation for its US regions; check the authorisation boundary before you rely on it. Our CloudAuditX platform is designed to map these data flows across multi-cloud environments and flag gaps before an assessment.
Level 3: Expert (Government-Led Assessment)
Level 3 applies to firms handling CUI in the DoD's highest-priority programmes. It adds 24 selected requirements from NIST SP 800-172 (February 2021) on top of a Level 2 C3PAO certification, which is a prerequisite. The assessment is conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This is not a self-assessment. It is a government-led deep dive into your architecture, supply chain security, and advanced persistent threat (APT) defences. Few UK firms reach this level, but those in the highest-value supply chains should plan for a 6-12 month preparation cycle.
NIST SP 800-171 Alignment: The Critical Path for UK Firms
Alignment with NIST SP 800-171 Revision 2 is the single most important step for UK businesses targeting CMMC 2.0 Level 2. The 110 requirements fall into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. (Supply chain risk management appears as a family only in Revision 3.) Each requirement is assessed individually and weighted at 1, 3, or 5 points. A single unmet 5-point requirement, such as missing multi-factor authentication, can push you below the score needed for even conditional certification.
For UK firms, the overlap with ISO 27001 is significant but not complete. ISO 27001 certifies that your Information Security Management System (ISMS) exists and is operated; the auditor checks the management system, and you choose which Annex A controls apply. NIST SP 800-171 is a fixed list of 110 requirements that must each be implemented and evidenced as written. In our experience an ISO 27001-certified firm starts somewhere around 60-70% of the way there, but gaps are typical in FIPS-validated cryptography, audit log review, incident response documentation, and in the requirement (3.12.2) to maintain a Plan of Action and Milestones (POA&M) for every requirement not yet implemented. Our ISO 27001 services at Pyralink Innovation Ltd include specific NIST mapping tasks to close this gap.
Practical action: Start by running a self-assessment against NIST SP 800-171 Revision 2 using the NIST SP 800-171 DoD Assessment Methodology and the CMMC Level 2 Assessment Guide, both published by the DoD CIO. Or use our free compliance scanner to identify immediate gaps. Do not wait for a prime to demand proof: score yourself, write the SSP and POA&M, and enter the score in SPRS now.
Common Mistakes UK Firms Make (And How to Avoid Them)
Mistake 1: Assuming UK GDPR covers CMMC 2.0. UK GDPR addresses personal data. CUI is a US government designation for information that requires safeguarding under law, regulation, or policy; in defence work it is mostly technical data, and it may or may not contain personal data. Your DPA 2018 compliance does not equal NIST SP 800-171 alignment. Run the two programmes separately, and scope your CUI systems explicitly.
Mistake 2: Ignoring the cloud provider requirement. If your CUI sits in AWS London or Azure UK South, or in any SaaS tool, verify that the service is FedRAMP Moderate authorised for the region and services you actually use, or that the vendor can produce FedRAMP Moderate equivalency evidence assessed by a third party. Many UK cloud and SaaS providers have neither. We have seen assessments delayed by six months because a SaaS vendor could not produce the evidence, and the only alternative at that point is to move the CUI out of that tool.
Mistake 3: Self-attesting without technical evidence. Where the solicitation specifies Level 2 (C3PAO), a self-assessment does not count, whatever the contract value. Even a Level 2 self-assessment is an affirmation signed by a senior official, so it carries its own liability. In either case the requirements are tested as implemented: if you cannot produce evidence (configuration exports, logs, monitoring alerts, incident records, training records), the requirement is scored as not met.
Mistake 4: Neglecting the POA&M. NIST SP 800-171 requirement 3.12.2 requires a Plan of Action and Milestones for every requirement not yet implemented, and 32 CFR 170.21 sets the terms on which open items may remain at certification: the assessment score must be at least 88 out of 110, only 1-point requirements may be left open (plus CUI encryption where non-FIPS-validated encryption is already in place), five specific 1-point requirements may never be deferred, and every item must be closed and verified within 180 days or the conditional status lapses. UK firms often produce vague documents. Submit a POA&M with an owner, a dated milestone, the resource committed, and evidence of progress for each line.
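The two steps above, scoring a self-assessment for SPRS and deciding which open findings can legitimately sit on a POA&M, are mechanical enough to encode. The following is an added example written for this page; it is not part of the original article and not Pyralink's tooling. It applies the DoD Assessment Methodology's 110-point scale (5, 3, or 1 points deducted per unmet requirement, with the two partial-credit cases) and the 32 CFR 170.21 conditions for conditional Level 2 status. The WEIGHTS table is a constructed excerpt of a few requirements whose point values are taken from Annex A of the methodology; the full 110-row table must be loaded from the published document before a score is relied on. The sample findings are constructed for illustration.

```python
"""
Added example: score a NIST SP 800-171 Rev 2 self-assessment the way the
DoD Assessment Methodology does, then check whether the open findings could
be carried on a POA&M for conditional CMMC Level 2 status (32 CFR 170.21).
Not from the original article. WEIGHTS is a constructed excerpt of Annex A,
not the full table.
"""
from enum import Enum

MAX_SCORE = 110              # 110 requirements; all met scores 110
MIN_CONDITIONAL_SCORE = 88   # 32 CFR 170.21: score / 110 must be >= 0.8


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"      # defined by the methodology only for 3.5.3 and 3.13.11


# Constructed excerpt of Annex A (requirement id -> point value). Load the
# full table for real use; unknown ids deliberately raise KeyError below.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorised users
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multi-factor authentication
    "3.10.3": 1,   # escort and monitor visitors
    "3.13.8": 3,   # encrypt CUI in transit
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # flaw remediation
}

# Partial credit: deduct 3 instead of 5 when MFA covers remote and privileged
# access but not all users (3.5.3), or encryption is in place but not
# FIPS-validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR 170.21: these 1-point requirements may never be left on a POA&M.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def sprs_score(findings):
    """findings: {requirement_id: Status} for every requirement that is not
    fully met; ids absent from the dict are treated as met. Returns the
    score that would be entered in SPRS."""
    score = MAX_SCORE
    for req, status in findings.items():
        if req not in WEIGHTS:
            raise KeyError(f"{req} not in weights table; load the full Annex A")
        if status is Status.NOT_MET:
            score -= WEIGHTS[req]
        elif status is Status.PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"partial credit is not defined for {req}")
            score -= PARTIAL_DEDUCTION[req]
    return score


def poam_eligible(req, status):
    """May this open finding sit on a POA&M at certification? Only 1-point
    requirements (minus NEVER_POAM), plus 3.13.11 when scored partial.
    Every open item must still be closed and verified within 180 days."""
    if status is Status.MET or req in NEVER_POAM:
        return False
    if req == "3.13.11" and status is Status.PARTIAL:
        return True
    return status is Status.NOT_MET and WEIGHTS[req] == 1


def conditional_level2(findings):
    """Returns (eligible, score, reasons). 'eligible' means the open findings
    satisfy the POA&M rules for conditional status; it says nothing about
    whether an assessor accepts your evidence for the items marked met."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the minimum {MIN_CONDITIONAL_SCORE}")
    for req, status in findings.items():
        if status is not Status.MET and not poam_eligible(req, status):
            reasons.append(f"{req} ({status.value}) cannot be placed on a POA&M")
    return (not reasons, score, reasons)


if __name__ == "__main__":
    # Constructed findings: one gap set a POA&M can carry, one it cannot.
    fixable = {"3.1.8": Status.NOT_MET, "3.13.11": Status.PARTIAL}
    blocking = {"3.1.20": Status.NOT_MET, "3.5.3": Status.PARTIAL,
                "3.14.1": Status.NOT_MET}
    for name, f in (("fixable", fixable), ("blocking", blocking)):
        ok, score, why = conditional_level2(f)
        print(f"{name}: score {score}, " + ("eligible" if ok else "; ".join(why)))
```

The point of the second sample is the one UK firms miss: a score of 101 is comfortably above 88, yet none of its three open items can be deferred, so the firm would fail rather than receive conditional status. Weighting and eligibility are separate tests and both must pass.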
Worked Example: A UK Engineering Firm Winning a US Defence Contract
A UK engineering firm, designing components for a US armoured vehicle, received a subcontract from a US prime. The contract value was £1.8 million over three years. The prime demanded CMMC 2.0 Level 2 (C3PAO) certification within 120 days. The firm had ISO 27001 but no NIST SP 800-171 alignment.
Week 1: We conducted a gap assessment using our CloudAuditX platform. Results showed 42 gaps out of 110 requirements, primarily in audit and accountability (AU family) and incident response (IR family).
Week 2-6: Our consultants (via fractional vCISO) developed a remediation plan. We updated incident response procedures, deployed continuous monitoring across their Azure tenant, and documented all cloud data flows. The POA&M for remaining gaps was created.
Week 7-10: We engaged a Cyber AB-accredited C3PAO. The assessment took three days onsite and two days remotely. The firm received conditional Level 2 status with one open POA&M item (a minor media protection gap on removable media). Under 32 CFR 170.21 that item had to be closed and verified within 180 days for the status to become final.
Week 11: Certification status recorded in SPRS. Contract awarded.
This is achievable for any UK firm with a focused, structured approach. Without it, that £1.8 million contract would have gone to a competitor.
How Pyralink Supports Your CMMC 2.0 Journey
Pyralink Innovation Ltd is a UK-based cybersecurity firm, led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). We hold £5 million professional indemnity insurance. Our team has implemented CMMC 2.0 readiness for UK defence contractors across multiple sectors — aerospace, maritime, and advanced manufacturing.
We offer three specific services for UK firms targeting US defence contracts:
- CloudAuditX: Our multi-cloud auditing platform maps data flows to NIST SP 800-171 controls. It supports continuous compliance monitoring for AWS, Azure, and GCP environments. Free trial available. Run a free CloudAuditX scan →
- Fractional vCISO: From £497 per month, you get a dedicated CISO who leads your CMMC 2.0 programme, builds POA&Ms, and interfaces with primes. No permanent hire required. Learn more about our fractional vCISO service →
- ISO 27001 to NIST SP 800-171 bridging: If you have ISO 27001, we map your ISMS to NIST SP 800-171r3 and prepare the documentation for C3PAO assessment. Our ISO 27001 certification services →
We also provide a free compliance scanner to identify your NIST alignment gaps in under 10 minutes.
Your Next Steps
The DoD is not extending deadlines. UK firms that want US defence contracts must act now. Start with a self-assessment. Map your cloud data flows. Close the gaps between ISO 27001 and NIST SP 800-171. The cost of preparation is tiny compared to the revenue lost when a prime moves on to the next vendor.
We help UK firms win these contracts. Book a free security review → to discuss your CMMC 2.0 readiness. No pressure. Just a practical conversation about where you are and what your target contract requires.
Run a free CloudAuditX scan today: https://cloudauditx.pyralink.co.uk/signup/free →
Book a free security review: https://pyralink.co.uk/book/ →
Pyralink Innovation Ltd. Protecting your data. Winning your contracts.