CMMC compliance for the Pacific defense
supply chain.

Yes — and this is the most important thing a prime contractor needs to understand. Under the False Claims Act (FCA), submitting a contract invoice while a known compliance requirement is unmet can constitute a false claim. You don't have to know about the non-compliance to be at risk — the standard is what you reasonably should have known. Prime contractors who fail to verify subcontractor compliance are exposed to treble damages, contract termination, and potential debarment. The FCA has no cap on liability, and DoD is actively pursuing cases. Your sub's compliance is your problem.

The white-label program gives you everything you need to run CMMC Level 1 compliance across your entire sub supply chain — without hiring a consultant for each sub. It includes: a plain-English sub onboarding packet (cover letter, self-assessment workbook, SPRS submission guide, policy templates, and a 5 quick habits reference card), a Sub Compliance Tracker spreadsheet to monitor status across all subs, a Prime Rollout Playbook with a 60-day timeline and communication templates, and the Sub Compliance Confirmation Form that subs return to you as evidence. Everything is branded to PCC and ready to distribute the day you close.

Unlimited. The PCC program is a flat-fee deployment — there is no per-sub charge and no cap on the number of subs you can onboard. Whether you have 5 subs or 50, the program cost is the same. This is a fundamental difference from CMMC consultants, who typically charge $3,000–$8,000 per subcontractor assessment. A prime with 20 subs using a consultant could spend $60,000–$160,000. The PCC program covers all 20 at a flat rate.

The PCC program creates a documented compliance record — the Sub Compliance Confirmation Form and the evidence gathered during the assessment. This documentation demonstrates that you, as the prime, exercised reasonable oversight of your supply chain. A documented compliance effort with identified gaps and a remediation plan is a materially different legal position than no compliance effort at all. We are not lawyers and this is not legal advice — if you have specific FCA exposure concerns, consult a federal contracts attorney. What we can tell you is that documented oversight is the foundation of any defensible compliance posture.

Almost certainly yes — but your level depends on the type of information you handle. If you handle Federal Contract Information (FCI) only, you need Level 1 (15 practices, annual self-assessment). If you handle Controlled Unclassified Information (CUI), you need Level 2 (110 practices, third-party assessment through a C3PAO). Most prime contractors on military construction projects handle CUI — plans, specifications, and site information frequently carry CUI markings. PCC focuses on Level 1 compliance for trade subcontractors. If you need Level 2 assistance, we can refer you to the appropriate resources in the Pacific region.

If you work on any DoD-funded project — directly or through a prime contractor — and you receive, process, or store any Federal Contract Information, yes. This includes most trade work on military construction projects: electrical, HVAC, roofing, welding, fencing, mechanical, and similar trades. The requirement comes from FAR 52.204-21, which applies to any contract that involves FCI. Your prime contractor is required to flow this down to you. If you're unsure whether your work triggers the requirement, the FCI Scope Map tool on this site can help you assess it in about 10 minutes.

Level 1 covers 15 basic cybersecurity practices from FAR 52.204-21. Most of them are things a small business should already be doing: using strong passwords, limiting who has access to contract-related files, keeping software updated, and not sharing login credentials. You don't need specialized IT equipment or a dedicated security team. The CMMCComply assessment tool walks you through all 15 practices in plain English, generates your System Security Plan (SSP) automatically, and tells you exactly what you need to fix before submitting your score to the SPRS database.

Most small businesses complete the CMMCComply self-assessment in 60–90 minutes on the first pass. If you identify gaps that require remediation — a software update, a password policy, removing a shared login — fixing those items before submitting your SPRS score may take additional time depending on what needs to change. The assessment itself is not the hard part. The hard part is actually making the changes. Our sub onboarding packet includes a plain-English action plan that walks you through each gap step by step, written for a business owner without IT staff.

Yes. Pacific Cyber Compliance provides compliance programs to prime contractors, who then distribute them to their subcontractors. If your prime sent you a PCC onboarding packet, they are using the PCC program to manage supply chain compliance across their sub base. You should complete the assessment using the CMMCComply tool referenced in the packet, return the Sub Compliance Confirmation Form to your prime, and keep a copy of your completed SSP for your own records. If you have questions about the process, you can contact PCC directly at matt@pacificcybercompliance.com.

Level 1 applies to contractors handling Federal Contract Information (FCI) — basic contract data, project files, invoices. It requires 15 practices from FAR 52.204-21 and an annual self-assessment. No third-party auditor is required.

Level 2 applies to contractors handling Controlled Unclassified Information (CUI) — sensitive technical data, specifications, and information that requires protection under federal law. It requires 110 practices from NIST SP 800-171 and, in most cases, a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). Level 2 is significantly more complex and expensive than Level 1.

Most trade subcontractors on military construction projects qualify for Level 1. PCC specializes in Level 1 compliance for the Pacific defense supply chain.

SPRS (Supplier Performance Risk System) is the DoD database where contractors self-report their CMMC Level 1 compliance score. Your score ranges from -203 to +110. A score of +110 means all 15 practices are fully implemented. Negative scores reflect unimplemented practices. Prime contractors and contracting officers can look up your SPRS score as part of their vendor vetting process. A missing or negative score can disqualify you from contract awards. Submitting your score requires a SAM.gov registration, a CAGE code, and access to the PIEE portal — the PCC SPRS Submission Guide walks you through each step.

CMMC 2.0 was codified in 32 C.F.R. Part 170, which became effective December 16, 2024. CMMC clauses began appearing in DoD solicitations in early 2025 and will be required across all applicable contracts in a phased rollout: Phase 1 (now through October 2025) for new contracts, Phase 2 (November 2025–October 2026) for contract renewals, Phase 3 (November 2026–October 2027) for remaining contracts. If you are bidding on any DoD-funded work or renewing an existing contract, CMMC requirements may already apply to you. Waiting until your next contract renewal to start is not a safe strategy — the self-assessment process and SPRS submission take time, and your prime may require proof of compliance before award.

Yes. Level 1 requires an annual self-assessment and affirmation. You must re-assess your practices every 12 months and resubmit your SPRS score. Your score can change — if you've made improvements, your score goes up; if practices have lapsed, it goes down. The PCC annual re-assessment package (included in all prime programs) is distributed to subs at month 10–11 of their compliance cycle, so they're renewed before their anniversary date. Missing your annual renewal creates a compliance gap that your prime contractor is responsible for catching — which is exactly why the PCC tracker includes automatic renewal calendar alerts.

Yes. CMMC requirements apply to all DoD contracts regardless of location. Contractors working on NAVFAC Marianas, USACE Pacific Ocean Division, and Joint Region Marianas projects in Guam and throughout the Pacific Islands are subject to the same FAR and DFARS requirements as Hawaii or mainland contractors. The compliance requirement doesn't change because you're in a remote Pacific location — but the support available to help you meet it has historically been nonexistent. PCC is the only CMMC compliance program with an active presence in Hawaii, Guam, and the Pacific Islands.

There are several cybersecurity firms in Hawaii with CMMC credentials, including CyberAB-listed practitioners. Most of them focus on IT-managed services bundled with compliance consulting — their solution typically requires an ongoing IT relationship at MSP pricing. None of them operate a prime-mediated white-label compliance program designed specifically for trade subcontractors. PCC is not a managed IT provider — it is a compliance program operator. A trade subcontractor using PCC does not need to change their IT setup or hire a consultant. They complete a self-assessment, implement any required fixes, and submit their SPRS score — all without outside help.

This is one of the most common misconceptions. CMMC Level 1 is not about protecting classified information — it's about protecting Federal Contract Information, which includes contract numbers, project names, schedules, bid documents, invoices, and any other information provided by or generated for a federal agency under a contract. If your company receives a purchase order from a prime contractor on a military project, stores a PDF of the contract, or sends an invoice for work on a DoD facility — you have FCI. The 15 Level 1 practices are designed to protect exactly this kind of everyday business information, not classified data. Most of them are basic digital hygiene practices your business should have regardless of CMMC.