CMMC & NIST 800-171 Readiness Self-Check | Dicar Networks

Free readiness self-check for Bay Area manufacturers

Check your own CMMC gaps, before a prime contractor checks them for you.

Use this plain-English self-check to answer focused readiness questions, spot priority gaps, and understand what deserves attention first. No login, no pressure, and no sales call required.

  • Check on your own: Work through the readiness questions privately before a contractor, prime, or assessor asks.
  • Stay in control: See the areas that may need attention without booking a call or speaking with sales first.
  • The next move: Decide whether to self-review, gather evidence, or ask for help only when it makes sense.
No spam. No surprise sales calls. Plain-English guidance.
Dicar Networks

Serving South Bay manufacturers and businesses with practical IT, cybersecurity, and compliance readiness support.

Local: San Jose, Morgan Hill, Gilroy, Hollister, and Northern California
Practical: Built for owners and operators, not only technical teams
Focused: Cybersecurity readiness tied to uptime, contracts, and risk

How the self-check works

A clearer flow from readiness questions to the next move.

The page explains the visitor journey up front: answer a few focused questions, review the areas that matter, see whether anything needs attention, and leave with a practical place to start.

Simple transition: Questions first, results second, next steps third. Similar to a blood pressure reading, the self-check gives a quick signal so the business knows where to look first.
Start

Answer readiness questions

Begin with practical questions around defense work, aerospace work, government contracts, FCI, and CUI responsibilities.

Review

Review readiness across 14 areas

Move through the security areas commonly tied to access control, training, audit logs, configuration, incident response, backups, and system protection.

Prioritize

See priority gaps

Separate what may already be handled from the items that could create contract risk, evidence issues, or remediation work later.

Practice

Practice the next steps

Use the result to think through documentation, evidence, policies, procedures, and the areas that may deserve attention first.

Decide

Decide the next move

Continue reviewing internally, prepare evidence, plan remediation, or speak with Dicar Networks only when you want help.

The Self-Check

A practical readiness worksheet for knowing where to start.

A few focused questions, a quick read on the areas that matter, and a clear picture of where to start. No jargon, no pressure.

What the questions cover (about 15 minutes)

Contract exposure

Defense work, aerospace work, government contracts, FCI, and CUI indicators.

Current safeguards

Access control, devices, backups, training, incident response, and everyday security practices.

Evidence readiness

Policies, procedures, records, and proof that may matter when someone asks for documentation.

Priority areas

The areas most worth reviewing first, based on your answers and business situation.

Why this matters right now

The calmest path is to understand readiness before the requirement feels urgent.

CMMC Level 2 timeline

CMMC Level 2 requirements begin appearing broadly in Department of Defense contracts on November 10, 2026. Readiness can take months, and your real clock is whenever the next contract you want to bid lands, which can be sooner.

“We’re too small for this to matter.”

If you touch defense or aerospace work at any tier, size alone does not remove the need to understand your responsibilities. The self-check helps you start clearly.

“Compliance sounds expensive.”

Many readiness items are good security practices you may already have in place. The self-check helps separate what is handled from what needs attention.

“There’s still plenty of time.”

November 10, 2026 gives shops a clear date to work backward from. Readiness work is easier when it is calm, planned, and started before a contract requires proof.

Built for Northern California manufacturers

Designed for owners who want clarity before a contract conversation gets complicated.

The page is focused on the businesses most likely to need a practical CMMC and NIST 800-171 readiness starting point.

Manufacturers with 5 to 100 employees

Especially shops in San Jose, Morgan Hill, Gilroy, Hollister, and across Northern California.

Defense, aerospace, or government suppliers

For businesses that already supply, or want to supply, work connected to regulated contracts.

Operators who want to get ahead

For owners who would rather understand gaps early than scramble when a contract is on the line.

We won’t blow up your inbox. Run the self-check on your own, and reach out only if you’d like a hand making sense of your results.

If your company processes, stores, or transmits federal contract information (FCI) or controlled unclassified information (CUI) under any DoD contract or subcontract, then yes. Company size doesn’t exempt you; the majority of the defense industrial base is small businesses. The level you need depends on the information you handle, not your headcount.

FCI is non-public information provided or generated under a contract to deliver a product or service to the government. CUI is more sensitive government information that requires safeguarding; think technical drawings, specifications, and controlled technical data. Handling only FCI points to Level 1; handling CUI points to Level 2.

You become ineligible to be awarded, or to keep, contracts that require your CMMC level. There is no partial eligibility: no valid status means no contract. Phase 2 (November 10, 2026) is when third-party Level 2 certification becomes mandatory for most CUI work, so your practical deadline is before the solicitations you want to bid on.

Level 1 is always a self-assessment. Some Level 2 contracts allow a self-assessment, but many, and increasingly so from Phase 2 onward, require a certified third-party assessment by a C3PAO. The contract language tells you which path applies, so confirm it early.

Commonly a year or more from an initial gap assessment to audit-ready, depending on your current security posture. Assessor capacity is limited and demand is rising, so both booking and preparation take time. Starting now is the single best way to protect your eligibility.

For a small business: Level 1 typically runs $5K to $20K; Level 2 commonly runs $50K to $130K+ for the first cycle, plus roughly $17K to $50K+ per year to maintain. Notably, the C3PAO assessment itself is only about a quarter of the total; most of the cost is remediation and documentation. Figures are illustrative and vary with scope and starting posture; West Coast assessments often run 10 to 25% above national averages.

Technology alone doesn’t equal compliance. Many of the 110 controls require written policies, repeatable procedures, documented evidence, and even physical and personnel safeguards, not just tools. Be cautious of “compliance-in-a-box” claims; an assessor checks whether each requirement is implemented, documented, and provable.

A Plan of Action & Milestones lets you defer a limited set of lower-point gaps to earn a conditional status, but the rules are strict. You must score at least 88 of 110, close the items within 180 days, and certain controls can never be placed on a POA&M. It’s a short, accountable runway, not a “fix it later” loophole.

A senior company official affirms your compliance annually in SPRS, the government’s reporting system. That affirmation carries legal exposure under the False Claims Act, so it should be backed by real evidence, not optimism. It places genuine accountability on leadership.

Ongoing. Certification lasts three years, but it’s sustained by continuous monitoring, living documentation, and an annual senior-official affirmation, then a full reassessment every three years. It’s best budgeted as a recurring operating cost, much like insurance.

Yes. CMMC requirements flow down the supply chain. If you handle FCI or CUI as a subcontractor, your prime contractor must verify your CMMC status before relying on you.

CMMC is currently locked to NIST SP 800-171 Revision 2, the 110 controls and 320 assessment objectives referenced throughout. Although Revision 3 has been published, C3PAOs assess against Revision 2 today.

Start before it becomes urgent

Don’t let a compliance gap cost you a contract.

Start with the free self-check, understand where the business stands before CMMC becomes urgent, and decide whether Dicar Networks should help turn the result into a practical roadmap.

© Copyright 2026. Dicar Networks. All Rights Reserved.
