In partnership with Defense Cyber Solutions 248·848·8500  ·  info@pilotsi.com
CMMC Level 2 Compliance

Defense contracts now require cybersecurity certification.
We get you there.

Beginning November 10, 2026, every contractor in the Defense Industrial Base handling Controlled Unclassified Information must achieve CMMC Level 2 certification. Pilot Systems, in partnership with Defense Cyber Solutions, guides you from gap analysis to certification-ready in a fraction of the time it takes most firms to figure it out alone.

Why Now

The compliance window is closing.

CMMC 2.0 is being phased into DoD contracts on a published schedule. For most prime contractors and subcontractors handling Controlled Unclassified Information, certification will be a contract award requirement rather than a recommendation.

Nov 10, 2026
Phase 2 begins

CMMC Level 2 certification by an authorized C3PAO becomes a condition of contract award for solicitations involving CUI.

2027 — 2028
Phases 3 & 4

Requirement expands to all applicable DoD solicitations and contract options. By the end of phase-in, certification is universally required across affected programs.

Today
Time is the constraint

Most assessments take 6 to 12 months from kickoff to certification. Companies that wait are running out of runway.

Why Pilot Systems

Forty years of regulatory compliance.
CMMC is the newest discipline.

Pilot Systems has guided automotive OEMs, Tier 1 suppliers, and startups through some of the most demanding compliance regimes on earth — EPA emissions certification, CARB approval, NHTSA safety standards, ISO 26262 functional safety, and ISO/SAE 21434 automotive cybersecurity.

CMMC is a different acronym, but the discipline is the same: interpret a complex government framework, gap-analyze your current state, build the documentation, execute remediation, and survive a third-party audit. We have done this for forty years in the automotive sector. Through our partnership with Defense Cyber Solutions, we now bring that same approach to the Defense Industrial Base.

  • A regulatory mindset, not a checklist mindset. We have spent four decades reading between the lines of federal regulation. CMMC's 110 NIST 800-171 practices reward that experience.
  • Defense Cyber Solutions has worked with NIST 800-171 since before CMMC was mandated by the DoD. They bring the technical cybersecurity depth; Pilot brings the program management and audit-readiness rigor.
  • A team that knows how to translate engineering reality into regulatory documentation — and how to negotiate with auditors when the framework's intent collides with your operational reality.

40 years guiding manufacturers through federal compliance regimes
10+ years of CMMC-related cybersecurity compliance work
110 NIST SP 800-171 practices across 14 security domains

Our Process

Five steps to CMMC 2.0 certification.

Every CMMC Level 2 engagement follows the same arc. Pilot performs the first four; the final step is, by federal mandate, an independent third-party audit. We prepare you so thoroughly that the C3PAO assessment is a confirmation, not a discovery.

1. Scope Assessment (Pilot)

We identify every system, process, and person handling Controlled Unclassified Information. The scope determines everything that follows. Get this wrong and you either over-certify (expensive) or under-certify (audit failure).

2. Gap Analysis (Pilot)

We evaluate your current state against all 110 NIST SP 800-171 practices across 14 security domains. You receive a detailed report showing which practices are met, which are partial, and which require remediation — with specific evidence for each finding.

3. Remediation Plan (Pilot)

We build a Plan of Action & Milestones (POA&M) that turns every gap into a specific task with an owner, a deadline, and a priority. Pilot can execute the remediation directly, work alongside your IT team, or hand off the plan for in-house execution — whichever fits your structure.

4. Documentation (Pilot)

We produce the System Security Plan, evidence package, and supporting artifacts a C3PAO will demand on audit day. This is the deliverable that determines whether you pass or fail. Our automotive regulatory background shows here.

5. C3PAO Assessment (Third Party)

An independent Certified Third-Party Assessment Organization conducts the formal certification audit. By federal mandate, this step cannot be performed by your preparation team. Pilot stays engaged through the assessment to support evidence requests and respond to assessor questions.

Who We Work With

If you bid on DoD contracts,
this applies to you.

CMMC Level 2 affects approximately 80,000 companies in the Defense Industrial Base. Pilot's CMMC service is built for three audiences in particular.

Tier 1 & Tier 2 DoD Suppliers

If you handle CUI as part of a prime contractor relationship, your prime is already asking when you will be certified. We have decades of experience working alongside Tier 1 and Tier 2 organizations and understand how compliance work fits into a busy supplier operation.

Automotive Suppliers Pivoting Into Defense

Many of our long-standing automotive clients are exploring or actively bidding on DoD contracts as defense electrification, ground vehicle modernization, and autonomous systems programs expand. We can guide companies we have known for years through this new regulatory regime.

Mid-Sized Engineering & Manufacturing

Companies with 50 to 500 employees often have the technical capability to comply but lack the dedicated compliance staff to execute. We provide that staff for the duration of your CMMC project — and only for the duration of your CMMC project.

Our Partnership

Pilot Systems
+ Defense Cyber Solutions

Pilot's CMMC practice is delivered in partnership with Defense Cyber Solutions, a cybersecurity firm focused on the Defense Industrial Base. The partnership combines Pilot's forty years of regulatory program management with Defense Cyber Solutions' deep NIST 800-171 expertise. You work with one engagement team. We coordinate the rest.

Frequently Asked

Common questions.

How long does a typical CMMC Level 2 engagement take?
Six to twelve months from kickoff to a passed C3PAO assessment, depending on your starting security posture. Companies with mature IT security programs and existing NIST 800-171 alignment can move faster. Companies starting from scratch should plan on the full twelve months.

What does it cost?
CMMC Level 2 engagements vary based on company size, system complexity, and remediation scope. Engagements typically range from $40,000 to $250,000 in consulting fees, separate from the cost of the C3PAO assessment itself. We provide a fixed-fee scope after the initial scoping conversation, so you know what you are committing to before signing anything.

Can Pilot perform the certification audit?
No — by federal mandate, certification audits must be performed by an independent Certified Third-Party Assessment Organization (C3PAO). We prepare you for that audit. We can recommend C3PAOs we have worked with successfully and stay engaged through the audit itself to support evidence requests.

What happens if we fail the assessment?
We work to ensure that does not happen. Our process is built around preparing you so thoroughly that the C3PAO audit is a confirmation, not a discovery. If a finding does emerge during assessment, we help you build a corrective action plan and retest. With proper preparation, this is rare.

We aren't currently bidding on DoD contracts. Should we still pursue CMMC?
If there is any possibility your business may bid on DoD contracts in the next three years — directly or as a subcontractor to a prime — the answer is almost certainly yes. CMMC certification takes months, not weeks, and most companies discover the certification requirement too late to act on it before a specific bid window. Companies that get certified early have the optionality to pursue defense work without rushing.

Let's Talk

The sooner we start,
the more time you have.

A 30-minute scoping call is the fastest way to understand where your organization stands against CMMC Level 2 and what the path to certification looks like. There is no charge for the scoping conversation, and no commitment beyond the call itself.

Schedule a Scoping Call
Or contact Roger D. Berry directly:
rberry@pilotsi.com  ·  248·848·8500