
What Is CMMC Compliance and What Louisiana Businesses Does It Affect?

  • reece6550
  • 5 hours ago
  • 10 min read

A Complete Guide for Defense Contractors, Subcontractors, and Suppliers Across Louisiana



Introduction: Why CMMC Matters for Louisiana Businesses


If your business works with the Department of Defense in any capacity—whether as a prime contractor, subcontractor, or supplier—CMMC compliance is no longer optional. The Cybersecurity Maturity Model Certification (CMMC) program officially went into enforcement on November 10, 2025, and it fundamentally changes how the DoD evaluates the cybersecurity readiness of the companies it does business with.


For Louisiana, a state with a $17 billion military economic impact and over 4,500 defense contractors operating across all 64 parishes, the stakes are enormous. From Bollinger Shipyards in Lockport to aerospace operations at the Michoud Assembly Facility in New Orleans, from IT service providers supporting Barksdale Air Force Base in Bossier City to engineering firms working near Fort Johnson in Vernon Parish—Louisiana businesses across every region of the state need to understand what CMMC requires and whether it applies to them.


This guide breaks down exactly what CMMC is, who it affects in Louisiana, and what your business needs to do to remain eligible for DoD contracts.


What Is CMMC (Cybersecurity Maturity Model Certification)?


CMMC stands for Cybersecurity Maturity Model Certification. It is a unified cybersecurity framework created by the U.S. Department of Defense to assess and verify that defense contractors and subcontractors have adequate cybersecurity protections in place to safeguard sensitive government information.


Before CMMC, defense contractors were expected to self-attest their compliance with cybersecurity standards outlined in NIST SP 800-171. The problem was that many companies claimed compliance without actually implementing the required security controls—leaving critical defense information vulnerable to cyberattacks and data theft. CMMC 2.0 replaces this self-attestation model with a structured, verified assessment process.


CMMC protects two categories of sensitive government information:


  • Federal Contract Information (FCI): Information that is not intended for public release but is provided by or generated for the government under a contract.

  • Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls under federal law. CUI includes things like technical drawings, engineering data, operational plans, and personally identifiable information related to defense work.


The Three Levels of CMMC 2.0


CMMC 2.0 organizes cybersecurity requirements into three certification levels. The level your business needs depends on the type of information your systems process, store, or transmit.

| CMMC Level | Who It's For | Requirements | Assessment Type |
|---|---|---|---|
| Level 1 | Businesses handling FCI only | 15 security requirements from FAR 52.204-21 | Annual self-assessment + SPRS submission |
| Level 2 | Businesses handling CUI | 110 security requirements from NIST SP 800-171 Rev 2 | Self-assessment OR C3PAO third-party assessment |
| Level 3 | Businesses handling critical national security information | 110 NIST 800-171 controls + 24 enhanced requirements from NIST SP 800-172 | Government-led DIBCAC assessment |

Most Louisiana businesses in the defense supply chain will need either Level 1 or Level 2 certification. Level 2 is the most common requirement for companies that handle CUI—which includes the majority of defense manufacturing, engineering, IT, and professional services contractors.


CMMC Enforcement Timeline: Key Dates You Need to Know


CMMC is being implemented in four phases over three years. Understanding this timeline is critical for Louisiana businesses that want to maintain their eligibility for DoD work.


| Phase | Effective Date | What Happens |
|---|---|---|
| Phase 1 | November 10, 2025 (ACTIVE) | Level 1 and Level 2 self-assessments required in new DoD solicitations and contracts |
| Phase 2 | November 10, 2026 | Level 2 C3PAO (third-party) assessments begin appearing in solicitations |
| Phase 3 | November 10, 2027 | Level 2 C3PAO required for all applicable contracts; Level 3 requirements begin |
| Phase 4 | November 10, 2028 | Full implementation—all DoD contracts require CMMC compliance at the appropriate level |

The bottom line: CMMC requirements are already live in DoD contracts as of November 2025. If your Louisiana business works with the DoD and you haven’t started your compliance journey, you are already at risk of losing contract eligibility.


Which Louisiana Businesses Are Affected by CMMC?


Louisiana has one of the most significant military and defense economies in the Gulf South. With five major military installations, billions of dollars in annual defense spending, and a diverse defense industrial base spanning shipbuilding, aerospace, IT, engineering, and logistics, CMMC has far-reaching implications across the state.


Shipbuilding and Maritime Defense (South Louisiana)


Louisiana is a major hub for military shipbuilding and maritime defense. Companies like Bollinger Shipyards, which was recently awarded a major U.S. Navy contract for Arctic Security Cutters at its Lockport facilities, are prime examples of businesses that handle CUI and will need CMMC Level 2 certification. Subcontractors and suppliers that provide parts, materials, or engineering services to these shipyards are also affected—CMMC requirements flow down to every tier of the supply chain.


Aerospace and Space Manufacturing (Greater New Orleans)


NASA’s Michoud Assembly Facility in eastern New Orleans is home to major aerospace contractors including Boeing, Lockheed Martin, and Northrop Grumman. These companies and their extensive networks of Louisiana-based subcontractors and suppliers work on programs like the Space Launch System and the Orion Crew Capsule. Any business in this supply chain that processes, stores, or transmits FCI or CUI must achieve CMMC certification.


Military Base Support Services (Statewide)


Louisiana is home to multiple major military installations, each of which generates significant contracting opportunities for local businesses:

  • Barksdale Air Force Base (Bossier City): Home to the 2nd Bomb Wing and B-52 operations. Local IT providers, maintenance contractors, and engineering firms supporting base operations will need CMMC compliance. VRC Metal Systems recently invested in a new maintenance facility here for B-52 repair capabilities.

  • Fort Johnson (Vernon Parish): Home to the Joint Readiness Training Center (JRTC). Fort Johnson contracts with private industry for approximately $441 million annually for services and construction. Local contractors in the Leesville, DeRidder, and Alexandria areas supporting these operations are directly affected.

  • Naval Air Station Joint Reserve Base New Orleans (Belle Chasse): Contractors providing support services, IT infrastructure, and logistics to this installation must meet applicable CMMC levels.

  • U.S. Army Corps of Engineers – New Orleans District: Engineering firms, environmental consultants, and construction companies working on Corps projects that involve FCI or CUI need CMMC certification.


IT and Managed Service Providers (MSPs) Across Louisiana


This is a critical category that many businesses overlook. If your IT company or MSP provides services to a defense contractor—managing their networks, hosting their email, handling their backups, or providing cybersecurity monitoring—your business may be within the CMMC compliance boundary. MSPs in Baton Rouge, Shreveport, New Orleans, Lafayette, Lake Charles, and other Louisiana cities that serve defense contractors need to evaluate whether they handle FCI or CUI as part of their service delivery.


Manufacturing and Industrial Suppliers


Louisiana’s manufacturing sector—particularly companies that produce components, materials, or specialized equipment for defense applications—is directly affected. This includes machine shops, fabrication companies, chemical suppliers, and electronics manufacturers throughout the state. Even if your company isn’t a prime contractor, if you’re part of the defense supply chain and handle FCI or CUI, CMMC applies to you.


Professional Services and Consulting Firms


Engineering firms, cybersecurity consultants, legal professionals, accountants, and other professional service providers that work under DoD contracts or support DoD contractors may need CMMC certification. Louisiana’s professional services sector, particularly in the Baton Rouge, New Orleans, and Shreveport metro areas, includes many firms that serve defense clients.


Who Is Exempt from CMMC?


Not every business that sells something to the DoD needs CMMC certification. Companies that exclusively sell Commercial Off-The-Shelf (COTS) products—such as standard office furniture, commercially available hardware, or basic consumables—are currently exempt from CMMC requirements. However, if your COTS sales involve any customization, technical data exchange, or handling of FCI/CUI, the exemption likely does not apply.


What Does CMMC Compliance Actually Require?


Achieving CMMC compliance is not a one-time checklist—it’s an ongoing operational commitment. Here is what Louisiana businesses should expect:


For Level 1 (FCI Only)


Level 1 requires implementing 15 basic cybersecurity practices derived from FAR 52.204-21. These cover fundamental security hygiene like access controls, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Your business must conduct an annual self-assessment and submit the results to the Supplier Performance Risk System (SPRS). An affirming official at your company must annually certify continuous compliance.


For Level 2 (CUI)


Level 2 is significantly more rigorous. It requires implementing all 110 security controls from NIST SP 800-171 Revision 2, covering 14 domains including access control, audit and accountability, configuration management, incident response, risk assessment, and more. Depending on the sensitivity of the contract, your business will need either a self-assessment or a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). You must achieve a minimum score of 88 out of 110 to qualify for conditional certification, and you’ll need a Plan of Action and Milestones (POA&M) documenting how you’ll close any remaining gaps.


Key Documentation Requirements

  • System Security Plan (SSP): A comprehensive document describing your assessment scope, system components, and how each security control is implemented.

  • Plan of Action and Milestones (POA&M): A roadmap for addressing any security controls that are not yet fully implemented.

  • SPRS Score Submission: Your self-assessment or C3PAO assessment scores must be posted in the Supplier Performance Risk System to remain eligible for contract awards.


How Long Does CMMC Compliance Take and What Does It Cost?


For most small and mid-sized Louisiana businesses, achieving CMMC Level 2 compliance takes between 6 and 18 months, depending on your current cybersecurity posture. Companies that are already aligned with NIST 800-171 will have a shorter path, while those starting from scratch should plan for the longer end of that range.


Costs vary significantly based on company size, IT complexity, and the level of certification required. Expenses typically include gap assessments, technology upgrades (such as endpoint detection and response, multi-factor authentication, encrypted communications, and SIEM solutions), policy and documentation development, employee training, and the C3PAO assessment itself for Level 2.


Working with an experienced Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) that specializes in CMMC compliance can help Louisiana businesses streamline the process, reduce costs, and avoid common pitfalls.


How a Louisiana MSP Can Help Your Business Achieve CMMC Compliance


Many small and mid-sized defense contractors in Louisiana don’t have the in-house IT expertise to navigate CMMC on their own. That’s where a qualified Managed Service Provider comes in. A Louisiana-based MSP that understands CMMC can help your business in several critical ways:

  • Gap Analysis and Readiness Assessment: Evaluate your current cybersecurity posture against CMMC requirements and identify exactly what needs to change.

  • CUI Scoping and Enclave Design: Help you define and potentially limit your CMMC compliance boundary by isolating CUI into a secure enclave, which can significantly reduce the cost and complexity of compliance.

  • Security Control Implementation: Deploy and configure the technical safeguards required by NIST 800-171, including access controls, encryption, monitoring, and incident response capabilities.

  • Documentation and Policy Development: Create your System Security Plan, POA&M, incident response plan, and other required documentation.

  • Ongoing Compliance Monitoring: Provide continuous monitoring and managed security services to ensure your business maintains compliance between assessments.

  • C3PAO Assessment Preparation: Guide your team through pre-assessment readiness activities to maximize your chances of a successful certification assessment.


What Happens If Your Louisiana Business Doesn’t Comply?


The consequences of non-compliance are straightforward and severe: without CMMC certification at the required level, your business cannot bid on, win, or maintain DoD contracts. Given that CMMC requirements are already appearing in solicitations as of November 2025, businesses that delay their compliance efforts risk being shut out of the defense contracting market entirely.


Additionally, the Department of Justice’s Civil Cyber Fraud Initiative is actively pursuing enforcement actions against contractors that falsely claim cybersecurity compliance.


Making inaccurate representations about your CMMC status can expose your business to significant legal liability under the False Claims Act.


Take Action Now: CMMC Compliance for Louisiana Businesses


Whether your business is a prime defense contractor in New Orleans, a machine shop in Lake Charles that supplies components to Northrop Grumman, an IT company in Baton Rouge that manages networks for defense clients, or a professional services firm in Shreveport supporting Barksdale Air Force Base operations—CMMC compliance is not something you can afford to put off.


Here’s what you should do today:

  • Determine your required CMMC level by reviewing your DoD contracts for references to FCI and CUI handling requirements.

  • Conduct a gap analysis to understand where your current cybersecurity posture falls short of CMMC requirements.

  • Engage a qualified MSP or MSSP with CMMC expertise to develop your compliance roadmap and begin implementing required controls.

  • Budget for compliance costs and factor CMMC into your business planning for 2026 and beyond.

  • Start training your workforce on cybersecurity awareness and the specific practices required by your CMMC level.


Louisiana’s defense economy is growing—military spending in the state has increased 77% and now generates a $17 billion economic impact. For businesses that are prepared, CMMC compliance is not just a requirement—it’s a competitive advantage that positions you to capture more of this expanding market. The companies that get certified first will have a significant edge over competitors who are still scrambling to comply.


Frequently Asked Questions About CMMC Compliance in Louisiana


Q: Does CMMC apply to subcontractors, or only prime contractors?

A: CMMC applies to both prime contractors and subcontractors at every tier of the defense supply chain. Prime contractors are required to flow down CMMC requirements to their subcontractors, so even small Louisiana businesses deep in the supply chain may need certification.


Q: My company only provides IT services to a defense contractor. Do I need CMMC?

A: Potentially, yes. If your IT systems process, store, or transmit FCI or CUI on behalf of a defense contractor, your services may fall within the CMMC compliance boundary. This is especially relevant for MSPs and MSSPs in Louisiana that manage IT infrastructure for defense clients.


Q: What is the difference between CMMC and NIST 800-171?

A: NIST 800-171 defines the 110 security controls that form the basis of CMMC Level 2. The key difference is that CMMC adds a verified assessment and certification process on top of those controls. Previously, contractors only had to self-attest to NIST 800-171 compliance. CMMC introduces accountability through third-party assessments and formal certification.


Q: How much does CMMC compliance cost for a small Louisiana business?

A: Costs vary widely depending on your current security posture, company size, and required CMMC level. Small businesses pursuing Level 2 should budget for gap assessments, technology implementations, documentation, training, and the C3PAO assessment. Working with an experienced local MSP can help optimize these costs and avoid unnecessary spending.


Q: Is there a grace period for CMMC compliance?

A: There is no formal grace period. CMMC requirements are already appearing in DoD solicitations and contracts as of November 2025. If a contract requires CMMC certification, you must have it at the time of contract award. The phased rollout means requirements will progressively expand through 2028, but waiting is risky.


Need help navigating CMMC compliance for your Louisiana business? Contact us today for a free CMMC readiness consultation and find out exactly where your business stands and what steps you need to take to protect your DoD contract eligibility. Need IT support? Let us take care of your tech, so you can do what you do best!



S1 Technology is a Managed Service Provider (MSP) that provides a security-first approach to a full range of managed IT services and support for small to mid-sized businesses.

 
 