Written by Jacqui Magnes, CEO of CISPOINT and COMSO, Inc. 

The Complete CMMC 2.0 Guide for Defense Contractors in 2026

Quick Answer

CMMC 2.0 (Cybersecurity Maturity Model Certification) is a mandatory cybersecurity framework that defense contractors must achieve to bid on and maintain Department of Defense (DoD) contracts. As of 2026, CMMC requirements are actively being enforced in DoD solicitations and contracts, making compliance essential for any organization in the Defense Industrial Base (DIB).

Key Points:

  • Three levels of certification (Level 1, 2, and 3)
  • 300,000+ organizations in the DIB supply chain must comply
  • Certification is mandatory for new DoD contracts starting November 2025
  • Certification is valid for 3 years (Levels 2-3); Level 1 requires an annual self-assessment
  • Non-compliance means contract disqualification and potential loss of existing contracts

Table of Contents

  1. What is CMMC 2.0?
  2. Why CMMC 2.0 Exists
  3. Who Needs CMMC Compliance?
  4. The Three CMMC Levels Explained
  5. CMMC 2.0 vs CMMC 1.0: What Changed?
  6. Understanding CUI and FCI
  7. CMMC Assessment Types
  8. The CMMC Compliance Process
  9. How Long Does CMMC Compliance Take?
  10. CMMC Implementation Timeline 2026
  11. What Happens If You're Not Compliant?
  12. Getting Started with CMMC Compliance
  13. CMMC Resources and Support

What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification 2.0) is a cybersecurity framework developed by the Department of Defense to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base supply chain.

The CMMC program was established to address the increasing cyber threats targeting defense contractors and ensure that all organizations handling sensitive government information implement appropriate cybersecurity measures.

Key Components of CMMC 2.0:

Standardized Requirements: CMMC 2.0 aligns with established cybersecurity standards, particularly NIST SP 800-171 and NIST SP 800-172.

Verified Compliance: Unlike previous self-certification approaches, CMMC requires independent third-party assessments for most Level 2 organizations and government-led assessments for Level 3.

Three-Tiered Model: Simplified from the original five-level model to three levels based on the type and sensitivity of information handled.

Mandatory Requirement: CMMC certification is a contractual requirement specified in DoD solicitations and contracts through DFARS clause 252.204-7021.

Why CMMC 2.0 Exists

The Department of Defense created CMMC 2.0 in response to significant cybersecurity challenges in the defense supply chain.

The Problem:

$600 billion annually: Estimated loss to the U.S. economy from intellectual property theft and cyber espionage.

Defense contractors as targets: Small and medium-sized businesses in the DIB are increasingly targeted because they often have weaker cybersecurity measures than prime contractors.

Self-certification gaps: The previous self-certification model under DFARS 7012 lacked verification, allowing organizations to attest compliance without actual implementation.

Supply chain vulnerabilities: Adversaries exploit weaknesses in subcontractors to gain access to sensitive DoD information.

The Solution:

CMMC 2.0 addresses these challenges by:

  • Requiring independent verification of cybersecurity practices
  • Establishing clear, measurable standards
  • Creating accountability throughout the supply chain
  • Ensuring consistent implementation across all DIB organizations

Who Needs CMMC Compliance?

CMMC compliance is required for all organizations within the Defense Industrial Base that handle Federal Contract Information or Controlled Unclassified Information.

You Need CMMC If:

You are a prime contractor working directly with the DoD

You are a subcontractor at any tier supporting DoD contracts

You handle FCI (Federal Contract Information) - requires Level 1

You handle CUI (Controlled Unclassified Information) - requires Level 2 or 3

You provide services or products to organizations that meet the above criteria

CMMC Applies To:

  • Defense manufacturers
  • IT service providers supporting defense contracts
  • Software developers creating systems for DoD
  • Professional services firms (engineering, consulting, etc.)
  • Research and development organizations
  • Logistics and supply chain providers
  • Any organization storing, processing, or transmitting FCI or CUI

Exemptions:

There are very few exemptions to CMMC. Even small businesses and organizations providing commercial off-the-shelf products may need CMMC certification if they handle FCI or CUI.

Note for Maryland, Virginia, and DMV-area contractors: The concentration of defense contractors in the National Capital Region means CMMC compliance is critical for maintaining your competitive position in government contracting.

The Three CMMC Levels Explained

CMMC 2.0 simplified the original five-level model into three levels based on information sensitivity and threat sophistication.

CMMC Level 1: Foundational

Purpose: Protects Federal Contract Information (FCI)

Requirements: 17 basic cybersecurity practices derived from FAR 52.204-21

Assessment Type: Annual self-assessment

Who Needs It: Organizations that handle only FCI, not CUI

Example Practices:

  • Use of antivirus software
  • Basic access controls
  • Physical security for computing resources
  • Regular system updates

Estimated Organizations: Over 60% of the DIB (approximately 180,000+ organizations)

CMMC Level 2: Advanced

Purpose: Protects Controlled Unclassified Information (CUI)

Requirements: 110 security requirements from NIST SP 800-171 Rev 2

Assessment Type:

  • Triennial third-party assessment by a C3PAO (most common)
  • Annual self-assessment for select programs (DoD discretion)

Who Needs It: Organizations that store, process, or transmit CUI

Example Practices:

  • Multi-factor authentication (MFA)
  • Encryption of CUI at rest and in transit
  • Security incident monitoring and response
  • Comprehensive access control policies
  • Security awareness training

Estimated Organizations: Approximately 35% of the DIB (105,000+ organizations)

CMMC Level 3: Expert

Purpose: Protects CUI related to the highest-priority DoD programs against Advanced Persistent Threats (APTs)

Requirements: 110 NIST SP 800-171 requirements PLUS 24 additional practices from NIST SP 800-172

Assessment Type: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

Who Needs It: Organizations supporting DoD's most critical and sensitive programs

Example Additional Practices:

  • Advanced threat hunting
  • Multi-factor authentication using hardware tokens
  • Sophisticated anomaly detection
  • Enhanced system monitoring

Estimated Organizations: Less than 5% of the DIB

CMMC 2.0 vs CMMC 1.0: What Changed?

The DoD significantly revised the CMMC program based on industry feedback. Here are the major changes:

Structural Changes:

CMMC 1.0                   | CMMC 2.0
5 levels                   | 3 levels
171 practices              | Level 1: 17 practices; Level 2: 110 practices; Level 3: 134 practices
All levels required C3PAO  | Level 1: Self-assessment; Level 2: Mostly C3PAO; Level 3: Government assessment
Unique CMMC practices      | Aligned with NIST standards
All assessments triennial  | Level 1: Annual; Levels 2-3: Triennial

Key Improvements:

Alignment with Standards: CMMC 2.0 fully aligns with NIST SP 800-171 and 800-172, eliminating unique CMMC practices that created confusion.

Cost Reduction: The simplified model significantly reduces compliance costs, particularly for smaller organizations.

Self-Assessment Option: Level 1 organizations can self-assess annually rather than requiring third-party assessment.

Clearer Requirements: The three-level model makes it easier to determine which level applies to your organization.

Plan of Action and Milestones (POA&M): Organizations can receive certification while addressing up to 20% of security requirements through a POA&M with specific timelines.

Understanding CUI and FCI

Determining whether you handle CUI or FCI is critical to knowing which CMMC level applies to your organization.

Federal Contract Information (FCI)

Definition: Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service.

Examples of FCI:

  • Contract terms and conditions
  • Delivery schedules
  • Contract pricing information
  • Contract performance information
  • Vendor information
  • Technical specifications not marked as CUI

Protection Requirement: CMMC Level 1

Key Point: FCI is generally less sensitive than CUI and requires basic cybersecurity hygiene.

Controlled Unclassified Information (CUI)

Definition: Information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies.

Examples of CUI:

  • Technical drawings and specifications
  • Export-controlled technical data (ITAR/EAR)
  • Critical infrastructure information
  • Proprietary business information
  • Sensitive but unclassified defense information
  • Information marked with CUI banners or portion markings

Protection Requirement: CMMC Level 2 or Level 3

Key Point: If information is marked with CUI indicators (banners, portion markings), it must be protected according to NIST SP 800-171 requirements.

How to Identify CUI in Your Environment:

  1. Check for CUI markings: Look for "CUI" banners on documents, emails, or files
  2. Review your contracts: DoD contracts will specify if you'll receive CUI
  3. Consult the CUI Registry: Visit https://www.archives.gov/cui for official categories
  4. Ask your contracting officer: When in doubt, confirm with the DoD contracting officer
  5. Conduct a data inventory: Map all information flows in your organization

Common Mistake: Many organizations underestimate the amount of CUI they handle. Email threads discussing technical details, meeting notes about programs, and even internal schedules can contain CUI if they relate to DoD programs.

CMMC Assessment Types

CMMC 2.0 uses different assessment approaches depending on the level.

Level 1 Assessment: Annual Self-Assessment

Process:

  1. Organization completes self-assessment against 17 basic practices
  2. Senior official attests to compliance in writing
  3. Results entered into Supplier Performance Risk System (SPRS)
  4. Must be renewed annually

Cost: Minimal (internal time only)

Timeline: Can be completed in days to weeks

Level 2 Assessment: Third-Party Assessment (C3PAO)

Most Common Scenario:

Process:

  1. Organization prepares documentation and implements controls
  2. Certified Third-Party Assessor Organization (C3PAO) conducts assessment
  3. C3PAO verifies implementation of all 110 NIST SP 800-171 requirements
  4. Results submitted to CMMC Accreditation Body and SPRS
  5. Certification valid for 3 years

Cost: $30,000-$150,000+ depending on organization size and complexity

Timeline: 6-18 months for preparation, 1-2 weeks for assessment

Alternative Scenario - Level 2 Self-Assessment:

The DoD may designate certain Level 2 programs for annual self-assessment rather than C3PAO assessment. This is determined on a program-by-program basis.

Level 3 Assessment: Government Assessment

Process:

  1. Organization implements NIST SP 800-171 + 800-172 requirements
  2. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts assessment
  3. Government assessors perform comprehensive evaluation
  4. Certification valid for 3 years

Cost: Assessment cost covered by government, but preparation costs are substantial

Timeline: 12-24+ months for preparation

The CMMC Compliance Process

Achieving CMMC compliance follows a structured process regardless of your target level.

Step 1: Determine Your CMMC Level

Actions:

  • Review current and anticipated DoD contracts
  • Identify if you handle FCI only or CUI
  • Consult DoD solicitations for specified CMMC level
  • Document your determination

Timeline: 1-2 weeks

Step 2: Conduct a Gap Assessment

Actions:

  • Inventory current security controls
  • Compare existing practices against CMMC requirements
  • Identify gaps and deficiencies
  • Prioritize remediation efforts
  • Estimate costs and timeline

Who Can Help: CMMC Registered Practitioner Organizations (RPOs), such as those in Columbia, Maryland, can conduct professional gap assessments

Timeline: 2-4 weeks

Typical Findings:

  • 40-60% of controls partially implemented
  • 20-30% of controls not implemented
  • Documentation gaps even where controls exist
  • Unclear scope boundary

Step 3: Define Your Assessment Boundary

Actions:

  • Identify all systems that process, store, or transmit CUI
  • Create network diagrams showing CUI flow
  • Establish an "enclave" if appropriate to limit scope
  • Document what's in-scope vs. out-of-scope

Key Concept - The Enclave Approach:

You don't need to make your entire network CMMC compliant. Many organizations create a separate "enclave" - an isolated network segment where CUI is processed. This significantly reduces compliance scope and cost.

Timeline: 2-4 weeks

Step 4: Develop Required Documentation

Required Documents:

  • System Security Plan (SSP)
  • Policies and Procedures for each NIST control family
  • Network diagrams and data flow diagrams
  • Asset inventory
  • Incident Response Plan
  • Contingency/Backup Plan
  • Configuration management documentation
  • Access control lists and user management procedures

Timeline: 4-8 weeks

Step 5: Implement Technical Controls

Actions:

  • Deploy required security technologies
  • Configure systems according to NIST requirements
  • Implement access controls and MFA
  • Enable logging and monitoring
  • Encrypt CUI at rest and in transit
  • Establish backup and recovery capabilities

Common Technology Needs:

  • Endpoint Detection and Response (EDR)
  • Security Information and Event Management (SIEM)
  • Privileged Access Management (PAM)
  • FedRAMP-authorized cloud services (if using cloud)
  • Email encryption
  • Multi-factor authentication system

Timeline: 8-16 weeks

Step 6: Implement Administrative Controls

Actions:

  • Conduct security awareness training
  • Implement personnel screening procedures
  • Establish change management processes
  • Create security incident response procedures
  • Document system maintenance activities
  • Perform regular security assessments

Timeline: 4-8 weeks

Step 7: Conduct Internal Assessment

Actions:

  • Test all implemented controls
  • Identify any remaining gaps
  • Remediate findings
  • Update documentation
  • Practice incident response procedures

Timeline: 2-4 weeks

Step 8: Prepare for Formal Assessment

Actions:

  • Gather all evidence and documentation
  • Brief personnel on assessment process
  • Schedule with C3PAO (Level 2) or DIBCAC (Level 3)
  • Confirm all systems are ready
  • Ensure 3-6 months of evidence for maturity demonstration

Timeline: 2-4 weeks

Step 9: Undergo Formal Assessment

Process:

  • Assessor reviews documentation
  • Technical testing of controls
  • Interviews with personnel
  • Observation of processes
  • Evidence collection and validation

Timeline: 1-2 weeks for assessment itself

Step 10: Address Findings and Achieve Certification

Actions:

  • Review assessment findings
  • Address any deficiencies
  • Submit Plan of Action & Milestones (POA&M) if needed
  • Receive certification
  • Enter results in SPRS

Timeline: 2-8 weeks depending on findings

How Long Does CMMC Compliance Take?

The timeline for achieving CMMC compliance varies significantly based on multiple factors.

Typical Timeframes:

CMMC Level 1:

  • Fast track: 1-2 months (well-prepared organizations)
  • Standard: 3-4 months (most organizations)
  • Extended: 6 months (organizations with significant gaps)

CMMC Level 2:

  • Fast track: 6-9 months (mature security posture, good documentation)
  • Standard: 12-18 months (typical starting point for most organizations)
  • Extended: 18-24 months (significant remediation needed, complex environments)

CMMC Level 3:

  • Minimum: 18-24 months
  • Typical: 24-36 months

Factors Affecting Timeline:

Current Security Maturity:

  • Organizations with existing NIST SP 800-171 implementation: 6-12 months
  • Organizations starting from scratch: 12-18+ months

Organization Size and Complexity:

  • Small businesses (<50 employees): Generally faster
  • Medium businesses (50-500 employees): Standard timelines
  • Large enterprises (500+ employees): May need extended timelines

Resource Availability:

  • Dedicated compliance team: Faster progress
  • Part-time attention: Extends timeline by 50-100%
  • External consultants: Can accelerate by 30-50%

Technical Environment Complexity:

  • Simple IT environment: Faster implementation
  • Legacy systems: Require more time for remediation
  • Multiple locations: Adds complexity and time
  • Cloud migration: May add 3-6 months

Documentation State:

  • Good existing documentation: Saves 2-4 months
  • Minimal documentation: Standard timeline
  • No documentation: Adds 2-4 months

Columbia, Maryland Advantage:

Organizations in the DMV region, including Columbia, Maryland, benefit from proximity to numerous CMMC consultants, assessors, and technology providers, which can help accelerate compliance timelines through better access to expertise and resources.

CMMC Implementation Timeline 2026

Understanding the official DoD rollout is critical for planning.

Official Implementation Schedule:

November 10, 2025: CMMC final rule (48 CFR 252.204-7021) became effective

Current State (January 2026): CMMC requirements are actively being included in new DoD solicitations and contracts

Rollout Phases:

Phase 1 (Current - Ongoing):

  • New DoD solicitations include CMMC requirements
  • Contracts specify required CMMC level (1, 2, or 3)
  • Organizations must meet requirements before contract award
  • Prime contractors flow down requirements to subcontractors

Phase 2 (12 months after Phase 1):

  • Increased inclusion of CMMC in solicitations
  • More contracts require demonstrated certification
  • Enforcement mechanisms fully operational

Phase 3 (24 months after Phase 1):

  • Widespread inclusion across DoD acquisition programs
  • Option periods on existing contracts may require CMMC

Phase 4 (36 months after Phase 1):

  • Full implementation
  • All applicable DoD solicitations include CMMC requirements
  • Option periods on existing contracts include CMMC requirements

What This Means for You:

If you're bidding on new contracts: CMMC compliance is required NOW for contract award

If you have existing contracts: Monitor contract modifications and option periods - CMMC may be required for renewal

If you're a subcontractor: Prime contractors are flowing down CMMC requirements immediately

Planning recommendation: Don't wait. Start your compliance journey now to avoid losing contract opportunities.

What Happens If You're Not Compliant?

The consequences of CMMC non-compliance are significant and far-reaching.

Immediate Consequences:

Contract Disqualification:

  • Cannot bid on new DoD contracts requiring CMMC
  • Immediate competitive disadvantage
  • Loss of significant revenue opportunities

Existing Contract Risk:

  • May lose contracts upon option period renewal
  • Could face contract termination
  • Prime contractors may replace non-compliant subcontractors

Supply Chain Exclusion:

  • Prime contractors must use CMMC-compliant subcontractors
  • Non-compliant organizations removed from approved vendor lists
  • Long-term relationships may end

Financial Impact:

Direct Costs:

  • Lost contract revenue (potentially millions)
  • Missed bid opportunities
  • Emergency compliance efforts cost 2-3x normal implementation

Indirect Costs:

  • Damaged reputation in defense industry
  • Loss of competitive position
  • Staff layoffs if contracts lost
  • Potential business closure for DoD-dependent firms

Legal and Regulatory Consequences:

False Claims Act Risk:

  • Misrepresenting CMMC compliance status could trigger False Claims Act liability
  • Potential for treble damages and penalties

Breach Response Costs:

  • If a breach occurs due to non-compliance: $200,000+ average cost
  • Forensic investigation requirements
  • Notification obligations
  • Potential litigation

Regulatory Scrutiny:

  • Increased oversight from DoD
  • Potential audits of other compliance areas
  • Reputational damage

Real-World Example:

A Maryland-based defense subcontractor with $5M in annual DoD revenue delayed CMMC compliance, believing they had more time. When their prime contractor flowed down CMMC Level 2 requirements in Q4 2025, they had only 90 days to comply or lose the contract. Unable to achieve compliance in time, they lost the contract, which represented 40% of their revenue. Emergency compliance efforts cost them $180,000 vs. the estimated $80,000 if they had planned properly.

The Bottom Line: Non-compliance is not an option for organizations serious about defense contracting.

Getting Started with CMMC Compliance

Ready to begin your CMMC compliance journey? Follow this action plan.

Immediate Actions (This Week):

  1. Assess your situation:
    • Review current and pipeline DoD contracts
    • Identify CMMC level requirements
    • Determine if you handle FCI or CUI
  2. Secure leadership buy-in:
    • Present compliance requirements to executives
    • Obtain budget authorization
    • Assign a compliance project lead
  3. Document your starting point:
    • List current security measures
    • Inventory IT systems and assets
    • Identify obvious gaps

Short-Term Actions (This Month):

  1. Conduct a gap assessment:
    • Hire a CMMC Registered Practitioner Organization (RPO)
    • Get a professional evaluation of your readiness
    • Receive a prioritized remediation roadmap
  2. Create your compliance plan:
    • Establish timeline and milestones
    • Identify resource needs (budget, personnel, technology)
    • Define assessment boundary/scope
  3. Begin documentation:
    • Start your System Security Plan (SSP)
    • Draft initial policies and procedures
    • Create network diagrams

Medium-Term Actions (Next 3-6 Months):

  1. Implement quick wins:
    • Deploy MFA across all systems
    • Enable audit logging
    • Conduct employee security awareness training
    • Update antivirus/anti-malware
  2. Address infrastructure needs:
    • Evaluate and procure required security tools
    • Migrate to FedRAMP-authorized cloud services if needed
    • Establish backup and recovery capabilities
  3. Build your documentation library:
    • Complete all required policies and procedures
    • Finalize System Security Plan
    • Document all technical configurations

Long-Term Actions (6-18 Months):

  1. Complete implementation:
    • Deploy all required security controls
    • Finalize technical and administrative measures
    • Conduct internal testing and validation
  2. Prepare for assessment:
    • Gather evidence of control implementation
    • Train staff on assessment procedures
    • Conduct mock assessments
  3. Schedule formal assessment:
    • Engage a C3PAO (for Level 2)
    • Complete assessment
    • Address any findings
    • Achieve certification

Ongoing Actions:

  • Continuous monitoring: Maintain security controls
  • Regular training: Keep employees updated on security practices
  • Documentation updates: Keep SSP and procedures current
  • Re-assessment planning: Prepare for certification renewal

CMMC Resources and Support

You don't have to navigate CMMC compliance alone. Numerous resources are available.

Official Resources:

CMMC Accreditation Body (Cyber-AB):

  • Website: https://cyberab.org
  • Provides official CMMC information
  • Maintains lists of certified assessors and practitioners

DoD CMMC Program:

NIST SP 800-171:

CUI Registry:

  • Website: https://www.archives.gov/cui

Professional Support:

CMMC Registered Practitioner Organizations (RPOs):

  • Provide gap assessments and readiness support
  • Cannot perform your C3PAO assessment (conflict of interest)
  • Help with implementation and preparation

CMMC Third-Party Assessor Organizations (C3PAOs):

  • Conduct official CMMC Level 2 assessments
  • Must be authorized by Cyber-AB
  • Cannot provide implementation services to assessment clients

Managed Security Service Providers (MSSPs):

  • Provide ongoing security monitoring and management
  • Help maintain compliance after certification
  • Offer co-managed or fully managed services

Finding Help in Your Area:

Maryland/DMV Region Resources:

The National Capital Region, including Columbia, Maryland, has a high concentration of CMMC expertise due to the large defense contractor presence. Benefits include:

  • Access to multiple RPOs and C3PAOs
  • Established MSSP providers with CMMC experience
  • Active CMMC user communities and networking events
  • Proximity to DoD contracting offices for questions
  • Local technology providers familiar with compliance requirements

Huntsville, Alabama:

  • Strong defense contractor community supporting Army aviation and missile programs
  • Multiple RPOs and technology providers
  • Active CMMC focus due to Redstone Arsenal presence

Other Regions:

  • Kentucky: Growing defense contractor presence with expanding CMMC support
  • Florida: Multiple military installations drive CMMC expertise, particularly in Central and Northwest Florida

Selecting a CMMC Partner:

Questions to Ask:

  1. Are you a Cyber-AB Registered Practitioner Organization?
  2. How many CMMC assessments/implementations have you supported?
  3. Do you have experience in my industry/with my technology stack?
  4. Can you provide references from similar organizations?
  5. What is your timeline and cost estimate?
  6. Do you offer ongoing support after certification?
  7. What is your approach to documentation?
  8. How do you handle the assessment boundary/scoping?

Red Flags:

  • Promises of "quick" Level 2 certification (under 6 months)
  • Guaranteed passing of assessment
  • Offering both implementation AND assessment services
  • Lack of specific CMMC experience
  • Unable to provide references
  • Vague or incomplete cost estimates

Conclusion: Your CMMC Compliance Journey Starts Now

CMMC 2.0 is no longer a future requirement—it's the current reality for defense contractors. With enforcement active as of November 2025, organizations that delay compliance risk losing contracts, revenue, and their place in the Defense Industrial Base supply chain.

Key Takeaways:

CMMC is mandatory for new DoD contracts and will affect existing contracts at renewal

Three levels exist based on information sensitivity (FCI requires Level 1, CUI requires Level 2 or 3)

Timeline matters - expect 6-18 months for Level 2 compliance from start to finish

Professional help accelerates success - RPOs, MSSPs, and technology providers can guide your journey

Don't wait - Start your compliance efforts immediately to avoid contract disqualification

Your Next Steps:

  1. Schedule a CMMC readiness assessment to understand your current state
  2. Review your contracts to determine required CMMC levels
  3. Secure budget and resources for your compliance program
  4. Engage expert support to guide implementation and avoid costly mistakes

Ready to Begin?

Get Your Free CMMC Readiness Assessment

Our team of CMMC experts in Columbia, Maryland specializes in helping defense contractors throughout the DMV region, Huntsville, and beyond achieve CMMC compliance efficiently and cost-effectively. As a Cyber-AB Registered Practitioner Organization (RPO), we provide:

  • Comprehensive gap assessments
  • Roadmap and implementation planning
  • Technical implementation support
  • Documentation development
  • Assessment preparation
  • Ongoing compliance management

Contact us today to discuss your CMMC compliance needs:

  • Phone: 443.213.0108
  • Email: cmmc@cispoint.com

Serving defense contractors in:

  • Columbia, Maryland
  • Baltimore-Washington DC Metro Area
  • Northern Virginia
  • Huntsville, Alabama
  • Kentucky
  • Florida
  • Nationwide remote support

Frequently Asked Questions (FAQ)

How much does CMMC compliance cost?

CMMC compliance costs vary based on your organization size, current security maturity, and target level. Typical costs:

  • Level 1: $5,000-$15,000 (mostly internal time)
  • Level 2: $75,000-$300,000 (including assessment fees of $30,000-$150,000)
  • Level 3: $500,000+ (due to advanced requirements)

Factors affecting cost include: organization size, number of systems in scope, current security controls, documentation state, and whether you use external consultants.

Can I do CMMC compliance myself?

Level 1 is designed for self-assessment, so yes, you can achieve Level 1 independently. However, Level 2 requires a third-party C3PAO assessment, and the preparation process is complex. Most organizations benefit from hiring a CMMC Registered Practitioner Organization (RPO) to guide implementation and preparation, even though you must use a separate C3PAO for the actual assessment.

How long is CMMC certification valid?

  • Level 1: Annual self-assessment required
  • Level 2: Valid for 3 years, then requires re-assessment
  • Level 3: Valid for 3 years, then requires re-assessment

Between triennial assessments, Level 2 and 3 organizations must complete annual self-assessments.

What's the difference between CMMC and NIST SP 800-171?

NIST SP 800-171 is a set of security requirements for protecting CUI. CMMC Level 2 is based on NIST SP 800-171 but adds an assessment and certification component. Under previous rules (DFARS 7012), contractors self-certified compliance with NIST SP 800-171. CMMC adds independent verification through third-party assessors.

Do subcontractors need CMMC?

Yes. CMMC requirements flow down to subcontractors at all tiers if they will handle FCI or CUI. Prime contractors must ensure their subcontractors have the appropriate CMMC level before awarding subcontracts.

What happens if I fail the CMMC assessment?

If you don't pass the initial assessment, you have a 90-day remediation period to fix deficiencies. The C3PAO must agree that issues can be remediated within 90 days. You then undergo a focused re-assessment. If you cannot remediate within 90 days, you must wait and restart the assessment process.

Can I use commercial Office 365 for CMMC?

No. If you handle CUI and need CMMC Level 2, you must use Microsoft 365 Government Cloud (GCC High), which is FedRAMP authorized at the Moderate level. Commercial Office 365 does not meet CMMC requirements for CUI protection. However, you can use commercial Office 365 for non-CUI business functions if properly segregated.

What is a Plan of Action and Milestones (POA&M)?

A POA&M allows you to achieve CMMC certification while still having up to 20% of security requirements not fully implemented, provided you have a formal plan with timelines to address them. POA&Ms can cover up to 22 out of 110 requirements for Level 2. Items in a POA&M must be addressed within 180 days of assessment.

How do I know if I handle CUI?

Check your DoD contracts for CUI clauses, look for CUI markings on documents (headers/footers), review the official CUI Registry at archives.gov/cui, and when in doubt, ask your DoD contracting officer. Common CUI types in defense contracting include technical data, export-controlled information, and proprietary business information related to DoD programs.

What is the CMMC enclave approach?

An enclave is a segregated portion of your network where CUI is processed, stored, and transmitted. By creating an enclave, you limit your CMMC compliance scope to only those systems that handle CUI, reducing the number of systems requiring compliance and lowering costs. The enclave must be properly isolated with controlled access points and documented boundaries.