
CMMC 2.0 Compliance Guide for DC Federal Contractors (2026)

CMMC 2.0 is now fully embedded in DoD contracts. If you're a Washington, DC federal contractor handling Controlled Unclassified Information (CUI), this guide explains exactly what's required, when, and how to get compliant without overspending.

January 2026 | 11 min read | By Thorium LLC

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD's framework for ensuring defense contractors adequately protect Controlled Unclassified Information (CUI). Version 2.0, finalized in late 2024 and now contractually required, streamlined the original 5-level model to 3 levels aligned with NIST SP 800-171.

CMMC replaces the honor system of self-attestation that allowed contractors to claim compliance without independent verification. Under CMMC 2.0, Level 2 and 3 contractors must pass third-party assessments from Certified Third-Party Assessment Organizations (C3PAOs) — not just check their own boxes.

The Three CMMC 2.0 Levels

Level 1 — Foundational
  Practices: 17 practices from FAR 52.204-21
  Assessment: Annual self-attestation
  Applies to: Contractors handling Federal Contract Information (FCI) but not CUI

Level 2 — Advanced
  Practices: 110 practices from NIST SP 800-171
  Assessment: Triennial C3PAO assessment (or annual self-assessment for non-prioritized programs)
  Applies to: Contractors handling Controlled Unclassified Information (CUI)

Level 3 — Expert
  Practices: 110+ practices (NIST 800-171 + NIST 800-172 subset)
  Assessment: Government-led assessment (DCSA)
  Applies to: Contractors on highest-priority, highest-risk DoD programs

Who Needs CMMC in the DC Area?

Any contractor that:

  • Holds or is pursuing a DoD contract or subcontract
  • Handles Controlled Unclassified Information (CUI) — this includes technical data, research, engineering drawings, and personally identifiable information (PII) on DoD personnel
  • Works as a subcontractor to a prime that handles CUI — CUI flows down
  • Provides IT, consulting, logistics, or support services to DoD agencies

In the DC metro area, this covers a significant portion of the contracting community — from small 8(a) firms to large Beltway contractors.

Timeline & Contract Deadlines

Late 2024: CMMC 2.0 final rule effective. CMMC requirements begin appearing in DoD solicitations.
2025: Phased implementation accelerates. Level 2 self-attestation contracts increasingly common.
2026 (Now): Full enforcement. C3PAO assessments required for Level 2 prioritized acquisitions. Contractors without CMMC status risk being excluded from bids.
2026–2027: Expected full rollout across all DoD contracts requiring CUI handling.

CMMC Level 2: The 14 Domain Areas

Level 2 requires 110 security practices across 14 domains from NIST SP 800-171. Here's an overview of each:

  • Access Control (AC): 22 practices
  • Awareness & Training (AT): 3 practices
  • Audit & Accountability (AU): 9 practices
  • Configuration Management (CM): 9 practices
  • Identification & Authentication (IA): 11 practices
  • Incident Response (IR): 3 practices
  • Maintenance (MA): 6 practices
  • Media Protection (MP): 9 practices
  • Personnel Security (PS): 2 practices
  • Physical Protection (PE): 6 practices
  • Risk Assessment (RA): 3 practices
  • Security Assessment (CA): 4 practices
  • System & Comm. Protection (SC): 16 practices
  • System & Info. Integrity (SI): 7 practices

How to Prepare for Your C3PAO Assessment

1. Conduct a gap assessment
   Map your current security practices against all 110 NIST 800-171 controls. Identify every gap. This is the foundation of your entire CMMC journey.

2. Create your System Security Plan (SSP)
   The SSP documents how you meet (or plan to meet) each requirement. It must cover every system, user, and process that touches CUI.

3. Build a Plan of Action & Milestones (POA&M)
   For every gap identified, document a specific remediation plan with timelines, resources, and responsible parties. The C3PAO will review this.

4. Remediate critical gaps
   Address the highest-risk gaps first — especially Access Control, Incident Response, and Audit & Accountability. Don't leave open vulnerabilities for the assessment.

5. Conduct an internal pre-assessment
   Simulate the C3PAO assessment internally. Identify any remaining gaps before money is on the line.

6. Select a C3PAO and schedule assessment
   Find a certified C3PAO through the CMMC-AB marketplace. Schedule 6–12 months in advance — wait times are long.
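Steps 1 through 4 above amount to a bookkeeping problem: every one of the 110 practices needs a recorded status, every open item needs an owner and a date, and the priority domains need to come first. The script below is an added example (not part of this guide and not Thorium LLC's tooling) that does that bookkeeping for a self-review. It assumes you record one result per practice keyed by its NIST SP 800-171 requirement id (e.g. "3.1.1"), uses the per-domain practice counts listed above to flag domains you have not fully assessed, and turns every partial or missing practice into a POA&M entry with a shorter deadline for the Access Control, Incident Response, and Audit & Accountability domains the guide singles out. The sample results and deadline windows are constructed for illustration.

```python
"""Gap-assessment tracker for a CMMC Level 2 / NIST SP 800-171 self-review.

Added example, not part of the original guide. Assumes a simple inventory
of assessment results, one entry per practice, keyed by NIST 800-171
requirement id (e.g. "3.1.1"). Domain practice counts are those the guide
lists; the sample results below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Practice counts per domain as listed in the guide (they sum to 110).
DOMAIN_PRACTICE_COUNTS = {
    "AC": 22, "AT": 3, "AU": 9, "CM": 9, "IA": 11, "IR": 3, "MA": 6,
    "MP": 9, "PS": 2, "PE": 6, "RA": 3, "CA": 4, "SC": 16, "SI": 7,
}

# NIST SP 800-171 requirement family number -> domain abbreviation.
FAMILY_TO_DOMAIN = {
    "1": "AC", "2": "AT", "3": "AU", "4": "CM", "5": "IA", "6": "IR", "7": "MA",
    "8": "MP", "9": "PS", "10": "PE", "11": "RA", "12": "CA", "13": "SC", "14": "SI",
}

# Domains the guide says to remediate first (shorter POA&M deadline).
PRIORITY_DOMAINS = ("AC", "IR", "AU")

VALID_STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}
OPEN_STATUSES = ("partial", "not_implemented")


@dataclass
class Result:
    practice_id: str      # e.g. "3.1.1"
    status: str           # one of VALID_STATUSES
    owner: str = ""       # responsible party; empty means nobody assigned yet


@dataclass
class PoamItem:
    practice_id: str
    domain: str
    status: str
    owner: str
    priority: int         # 1 = remediate first
    due: date


def domain_of(practice_id):
    """Derive the domain from the requirement id; raises on malformed ids."""
    parts = practice_id.split(".")
    if len(parts) != 3 or parts[0] != "3" or parts[1] not in FAMILY_TO_DOMAIN:
        raise ValueError(f"malformed NIST 800-171 requirement id {practice_id!r}")
    return FAMILY_TO_DOMAIN[parts[1]]


def check_coverage(results):
    """Return {domain: (assessed, expected)}; rejects bad statuses and duplicates."""
    seen = set()
    counts = {d: 0 for d in DOMAIN_PRACTICE_COUNTS}
    for r in results:
        if r.status not in VALID_STATUSES:
            raise ValueError(f"{r.practice_id}: unknown status {r.status!r}")
        if r.practice_id in seen:
            raise ValueError(f"duplicate entry for {r.practice_id}")
        seen.add(r.practice_id)
        counts[domain_of(r.practice_id)] += 1
    return {d: (counts[d], DOMAIN_PRACTICE_COUNTS[d]) for d in counts}


def missing_counts(results):
    """Domains with fewer assessed practices than the domain contains."""
    return {d: exp - got for d, (got, exp) in check_coverage(results).items() if got < exp}


def build_poam(results, start, priority_days=30, other_days=90):
    """Turn every open practice into a POA&M entry, priority domains first.

    `start` may be a date or an ISO date string. Deadline windows are
    constructed defaults, not figures from the guide.
    """
    if isinstance(start, str):
        start = date.fromisoformat(start)
    items = []
    for r in results:
        if r.status not in OPEN_STATUSES:
            continue
        domain = domain_of(r.practice_id)
        prio = 1 if domain in PRIORITY_DOMAINS else 2
        due = start + timedelta(days=priority_days if prio == 1 else other_days)
        items.append(PoamItem(r.practice_id, domain, r.status, r.owner or "UNASSIGNED", prio, due))
    items.sort(key=lambda i: (i.priority, i.domain, i.practice_id))
    return items


def unassigned(items):
    """POA&M entries that still lack a responsible party."""
    return [i.practice_id for i in items if i.owner == "UNASSIGNED"]


# Constructed sample inventory (a real one has one row per practice, 110 rows).
SAMPLE = [
    Result("3.1.1", "implemented", "IT lead"),
    Result("3.1.2", "partial", "IT lead"),
    Result("3.3.1", "not_implemented"),
    Result("3.6.1", "not_implemented", "Security lead"),
    Result("3.8.1", "partial", "IT lead"),
    Result("3.10.1", "not_applicable", "Facilities"),
]

if __name__ == "__main__":
    for d, (got, exp) in check_coverage(SAMPLE).items():
        print(f"{d}: {got}/{exp} practices assessed")
    for item in build_poam(SAMPLE, "2026-01-15"):
        print(item)
```

Run it against your own inventory and treat two outputs as blockers before step 5: any domain still reported as not fully assessed, and any POA&M entry marked UNASSIGNED, since the assessor will expect a named owner and a date for every open item.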

What CMMC Compliance Costs

Costs vary widely based on your current security maturity, size, and IT environment. Realistic ranges for DC contractors:

  • Gap assessment & SSP development: $8,000 – $25,000
  • Technical remediation (tools, configuration): $15,000 – $75,000
  • C3PAO assessment fee (Level 2): $20,000 – $50,000
  • Managed security services (ongoing): $2,000 – $8,000/month
  • Total first-year investment (typical Level 2): $50,000 – $150,000

These costs are an investment in contract eligibility. Contracts requiring CMMC are often worth millions — the compliance cost is a small fraction of contract value.

Get Expert CMMC Guidance

Our DC-based cybersecurity team has guided multiple contractors through CMMC Level 2 assessments. We offer gap assessments, SSP development, and remediation support.
