Phase 1 Active — CMMC 2.0 Implementation Underway

CMMC Compliance, Simplified.

CMMC Companion is an end-to-end compliance management platform built by IT administrators for IT administrators — the people who carry the actual burden of implementing controls and producing the authorization evidence that gets you certified.

Veteran-Owned · Herndon, VA · 20+ Years DoD & IC Experience
3 CMMC Levels Covered
134 Max Requirements Tracked
20+ Years DoD & IC Experience
2025 Phase 1 Implementation Active

The Compliance Imperative

The DoD's Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now being phased into all defense contracts. Every contractor and subcontractor in the Defense Industrial Base that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve CMMC certification as a condition of contract award.

With up to 134 security requirements spanning access control, incident response, risk management, configuration management, and supply chain security, achieving and maintaining compliance is complex, time-consuming, and directly tied to contract eligibility.

Implementation is underway. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in applicable solicitations. Level 2 C3PAO certification requirements begin in Phase 2 (November 2026). Full implementation completes by November 2028.

Implementation Timeline
Phase 1 (Active Now): Initial Implementation

Nov 2025 – Nov 2026. Level 1 and Level 2 self-assessments required in applicable solicitations. Annual affirmations submitted to SPRS.

Phase 2: Level 2 Certification

Begins Nov 2026. Level 2 C3PAO certification assessments required. Organizations must engage an authorized third-party assessor.

Phase 3: Level 3 Certification

Begins Nov 2027. Level 3 DIBCAC assessments required for programs handling the most sensitive CUI against advanced persistent threats.

Phase 4: Full Implementation

Begins Nov 2028. All CMMC requirements fully enforced across the Defense Industrial Base with no phased exceptions.

Level 1: 15 Requirements

Basic Safeguarding of FCI

Annual self-assessment aligned with FAR clause 52.204-21. Protects Federal Contract Information through foundational access, identification, and system protection controls.

Level 2: 110 Requirements

Broad Protection of CUI

Aligned with NIST SP 800-171 Revision 2. Requires annual self-assessment or triennial certification by an authorized C3PAO, plus annual affirmation submitted to SPRS.

Level 3: 134 Requirements

Advanced Protection Against APTs

Incorporates 24 additional requirements from NIST SP 800-172. Requires DIBCAC assessment every three years. Addresses Advanced Persistent Threats targeting high-value CUI.

One Platform. Every Requirement.

CMMC Companion was built by IT administrators who know exactly what it takes to implement 110+ security controls, configure every system, and produce the evidence an assessor will review. Not another policy template — a real operational tool.

Compliance Gap Analysis

Automatically map your current security controls against all CMMC Level 1, 2, and 3 requirements to surface and prioritize gaps before your assessment window.

Remediation Roadmap

Prioritized, actionable remediation steps organized by domain, practice, and risk level. Work efficiently toward compliance with clear milestones and progress tracking.

Evidence Management

Centralized, structured repository for all compliance artifacts, policies, procedures, and audit documentation. Organized for rapid review by C3PAO assessors and DIBCAC.

POA&M Tracking

Manage Plans of Action & Milestones with automated deadline tracking, 180-day closeout monitoring, and SPRS-ready reporting to meet CMMC post-assessment requirements.

Assessment Readiness

Structured preparation tools and domain-level readiness scorecards for C3PAO certification and DIBCAC reviews. Know your compliance posture before the assessor does.

Continuous Monitoring

Ongoing visibility into your compliance posture across all CMMC domains and practices, with real-time alerts when controls drift or require annual affirmation renewal.

Starting Greenfield? Build It Compliant.

Standing up a net-new defense environment? Learn how to deploy Microsoft Azure GCC-High and Windows 365 Government from day one with CMMC compliance built in — not bolted on afterward. Every step mapped to the controls your assessor will verify.

Azure GCC-High: FedRAMP High · CUI authorized
Windows 365 Government: Cloud PC · GCC-High tenant
Entra ID & Intune: Identity · Device management
Microsoft Defender XDR: Endpoint · SIEM · SOC

Built by IT Admins Who Know the Burden

TYIN is a veteran-owned small business headquartered in Herndon, Virginia. Our founders are IT administrators and engineers with over 20 years of hands-on experience in the U.S. Intelligence Community and Department of Defense. They are not consultants; they are people who have actually configured the systems, pulled the audit logs, and written the SSP narratives.

We built CMMC Companion because the IT administrator carries the bulk of the compliance burden: implementing every control, documenting every configuration, and producing every piece of authorization evidence an assessor will ever touch. We have lived that work. CMMC Companion is the tool we wished we had.

Veteran-Owned Small Business · US Intelligence Community · Department of Defense · Federal Civilian Agencies · NIST SP 800-171 & 800-172 · Herndon, Virginia

20+ Years in DoD & Intelligence Community
VOSB: Verified Veteran-Owned Small Business
DIB: Defense Industrial Base Specialists
NIST SP 800-171 & SP 800-172 Expertise

Start Your CMMC Journey

Whether you are just beginning to map your CMMC requirements or preparing for an imminent C3PAO assessment, we are here to help. Reach out for a no-obligation conversation.

info@tyinllc.com
Herndon, Virginia 20170
Veteran-Owned Small Business · CMMC Focused