CMMC Level 1 and Level 2 network compliance for Ohio defense contractors. CUI segmentation, access control, MFA, audit logging, and encrypted communications. Free gap assessment from Buckeye Telecom.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now being phased into DoD contracts. If your Ohio company handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) — or works as a subcontractor to someone who does — you need to understand your compliance obligations before your next contract is at risk.
Ohio's defense industrial base is concentrated in the Dayton area (Wright-Patterson AFB), Columbus, and Northeast Ohio — but CMMC requirements apply to any company in the DoD supply chain, regardless of location or contract size. The common mistake: assuming that because you're a subcontractor to a prime, the prime's CMMC certification covers you. It doesn't. Each company in the supply chain that handles CUI must be independently compliant.
The network and communications infrastructure requirements — access control, audit logging, system and communications protection, and configuration management — are where most small defense contractors have gaps. These are exactly the controls we implement and manage for Ohio defense industrial base companies.
CMMC 2.0 is now flowing into DoD contracts across the supply chain. If your Ohio company handles CUI — as a prime or subcontractor — you need the network controls to match. We implement them.
CMMC 2.0 — What Ohio Defense Contractors Need to Know
Basic cyber hygiene required for all DoD contractors. Self-assessment allowed. Covers access control, identification, media protection, physical protection, and systems and communications protection basics.
Required for contractors handling CUI. Based on NIST SP 800-171. Third-party assessment required for prioritized acquisitions. Annual self-assessment for non-prioritized. This is where most Ohio defense contractors need to focus.
Required for highest-priority DoD programs. Based on NIST SP 800-172. Government-led assessment. Applicable to a relatively small number of contractors working on the most sensitive programs.
CMMC Level 2 includes 110 practices across 14 domains. Our focus is the network infrastructure, communications, and access control practices — the technical foundation that everything else sits on.
We design and implement network segmentation that creates a distinct CUI boundary — isolating systems that process, store, or transmit Controlled Unclassified Information from corporate IT and external networks.
Role-based access controls limiting CUI access to authorized personnel, session termination policies, remote access controls, and wireless access restrictions — covering all 22 AC domain practices in NIST 800-171.
Comprehensive audit logging of all access to CUI systems, log integrity protection, log retention, and alert configuration — the documentation your assessor needs to verify compliance.
Encrypted communications for all CUI transmission (TLS 1.2+, FIPS-validated cryptography where required), network boundary protection, session authenticity, and denial-of-service protection.
Multi-factor authentication for all access to organizational systems and CUI — including remote access, privileged accounts, and non-local maintenance connections. MFA is one of the most-assessed CMMC practices.
Baseline configurations for network devices and systems, documented configuration change control, and security configuration settings documented for your SSP (System Security Plan).
Domains covered — we focus on the 6 network & communications domains
Active in Dayton, Columbus, Cleveland, and surrounding areas
We handle the network and communications infrastructure piece of CMMC readiness — the technical foundation that supports your broader compliance program.
We review your current network architecture, access controls, audit logging, and communications security against the 110 practices in NIST SP 800-171. You get a written gap report scored against each practice — the same format your C3PAO assessor will use.
We define and document your CUI boundary — the systems, networks, and users that are in scope for CMMC. This is the foundation of your System Security Plan (SSP) and the starting point for all other technical controls.
We implement the network segmentation, access controls, MFA, audit logging, and communications encryption required for CMMC Level 2. We work with your existing IT team and provide all implementation documentation for your SSP.
We maintain your Plan of Action and Milestones (POA&M), provide ongoing monitoring of your CUI environment, and keep your documentation current — so you're assessment-ready on any given day, not just at renewal time.
Yes, if you handle CUI or FCI. CMMC requirements flow down through the supply chain — your prime contractor's certification does not cover your systems. If you receive, store, process, or transmit CUI in connection with a DoD contract, you must be independently compliant at the appropriate CMMC level. This is one of the most common misunderstandings among Ohio subcontractors.
Level 1 has 17 basic practices — essentially fundamental access control, identification, and media protection. Level 2 adds 93 more practices from NIST 800-171, including comprehensive audit and accountability requirements, configuration management, incident response, and much more rigorous system and communications protection requirements. Most Ohio defense contractors handling CUI need Level 2.
The self-assessment path is available for CMMC Level 1 and some Level 2 scenarios, but the documentation burden is significant — you need an SSP, a POA&M, and documented evidence for each practice. Most small contractors lack the internal resources to build and maintain this. We provide the technical implementation and documentation support that makes self-assessment achievable, or prepare you for a third-party C3PAO assessment.
VoIP and communication systems that process or transmit CUI must meet CMMC communications protection requirements — encrypted transport, access logging, and network segmentation from non-CUI systems. If your phone system isn't currently segmented and encrypted, it's a likely gap in your CMMC assessment. We configure VoIP systems specifically for CMMC compliance.
We contribute the network infrastructure and communications security documentation to your SSP — the technical architecture diagrams, control implementation descriptions, and evidence documentation for the practices we implement and manage. Your CMMC consultant or GRC team typically handles the full SSP compilation, but we provide the technical sections that cover our scope.
Whether you own the P&L, the technology roadmap, or the day-to-day tickets — you get a partner aligned with you, not a product line.
We don’t carry products or take product margin. We compare 100+ carriers and recommend only what fits — the advice is yours, not a vendor’s.
Jonathan has led Buckeye for 23 years and is personally involved in every engagement. You’re never handed to a junior rep after you sign.
We design, source, and manage voice, internet, security, and IT for your locations as one standardized system — not a patchwork.
Talk to the Buckeye team — the owner is involved in every engagement, and there’s no advisory fee.
Prefer to talk now? Call or text 614-224-2003.