Keekco
Cyber & Compliance

CMMC Level 2 readiness for UK suppliers

The US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) reaches UK manufacturers through the defence supply chain. If you handle information that originates from a US defence programme, you can be required to hold CMMC certification to keep the work, even though you are a UK business. Keekco prepares you for that assessment: we map your scope, close the gaps against NIST 800-171, and get you assessment-ready before the formal C3PAO step.

What CMMC Level 2 actually requires

Level 2 is built on the 110 security controls of NIST SP 800-171, the standard for protecting Controlled Unclassified Information. To certify at Level 2 you need those controls implemented and evidenced, a System Security Plan that documents them, a Plan of Action and Milestones for anything outstanding, a score recorded in the US Supplier Performance Risk System (SPRS), and, for most contracts, a passing assessment by an accredited third party known as a C3PAO.

Does it apply to a UK business?

Often, yes. The DFARS contract clause that brings these obligations applies based on the data you handle, not the country you operate in. If a US-origin defence programme flows information down to you through a prime such as BAE Systems or Lockheed Martin, the requirement can reach you. The first task of any engagement is to establish definitively whether CMMC applies and at what level, because the answer shapes everything that follows.

Why starting early matters more than usual

CMMC introduces a hard constraint that ordinary compliance projects do not: the number of accredited assessors is small relative to the number of suppliers who need them. Readiness work, remediation and the assessment itself all take time, and you cannot compress the assessor’s availability. Suppliers who begin early protect both their certification and the contracts that depend on it. Those who wait risk a queue at the worst possible moment.

How Keekco prepares you

Scope

We define the boundary: which systems, people and data are in scope for CMMC, so you protect what must be protected without re-engineering your whole estate. A tight scope is the single biggest lever on cost.

Gap assessment

We baseline you against all 110 controls, produce the System Security Plan, and build the Plan of Action and Milestones that prioritises the work.

Remediation

We lead the implementation: multi-factor authentication and access control, endpoint detection and response, centralised logging, network segmentation or an enclave for in-scope systems, secure handling of customer technical data, the policy set, incident response and staff training. Where the controls point to a compliant cloud platform, we guide that decision rather than assume it.

Mock assessment

Before the formal step we run a mock C3PAO assessment so there are no surprises on the day.

A readiness partner, not your assessor

Certification has to come from an accredited C3PAO, never from the people who prepared you. We stay on your side of that line on purpose: our role is to get you ready and to keep our advice impartial. We hold the methodology and the programme; your team keeps ownership of the systems they run day to day.

Work with Keekco

Book a discovery call to confirm whether CMMC applies to you and what readiness would involve.

Frequently asked questions

What is CMMC Level 2?

CMMC Level 2 is the US Department of Defense certification level for suppliers handling Controlled Unclassified Information. It requires the 110 controls of NIST 800-171, supporting documentation, and, for most contracts, a passing assessment by an accredited third party (a C3PAO).

Do UK companies need CMMC?

They can. The requirement follows the data, not the geography. If you handle information originating from a US defence programme, including through a UK prime, CMMC can apply to you regardless of where you do the work.

What is the difference between NIST 800-171 and CMMC?

NIST 800-171 is the control standard, the 110 requirements themselves. CMMC is the certification programme that verifies you have implemented them, including the third-party assessment.

Can Keekco certify our CMMC?

No. Certification must come from an accredited C3PAO. We prepare you to pass, which keeps our role independent of the assessment.

How long does CMMC readiness take?

It depends on your scope and starting maturity, but expect several months from gap assessment to assessment-ready, plus assessor lead time. The earlier you start, the more of that timeline is within your control.

What does it cost?

It varies with scope, your current maturity and the tooling you already have. A short discovery phase gives you a firm range before you commit to the larger programme.