The notification arrives on a Friday: you won the contract. The celebration lasts through the weekend. By Monday morning the contract clauses are under review and someone on the team — usually the CTO — is realizing that the compliance obligations start immediately, not after some grace period. The IT environment the team has been running on since the seed round is commercial AWS, personal Macs, Google Workspace, Slack. None of it is CUI-compliant. The contract performance begins in thirty days.
This is one of the most common situations we see in IT & Security Buildout engagements. The first defense contract is often the moment a venture-backed startup realizes their commercial-grade IT stack is incompatible with their new customer category. Most of the build decisions that shape the compliance posture get made in the first 30–60 days after contract award — and those decisions echo for years.
This article is the practitioner’s checklist. It is organized by priority phase, not by technical domain, because sequencing matters more than completeness in the first 90 days. If you are staring at a newly signed contract and wondering what to do first, the sections below are ordered the way we would attack it.
For background on a specific decision that usually comes up early, see AWS GovCloud vs Azure GCC High. For the deeper architectural question of what a CUI enclave looks like, see seven CUI enclave architectural mistakes.
Phase 0 — Week 1: Contract and compliance decoding
Before any IT work, read the contract. The compliance path depends on specific clauses and the program’s CUI handling requirements.
What to confirm in the contract:
- Which DFARS clauses apply? 252.204-7012 (safeguarding covered defense information and cyber incident reporting) is the baseline. 252.204-7019 and 7020 add the NIST SP 800-171 DoD Assessment requirement, so a current self-assessment score must be posted in SPRS before award. 252.204-7021 is the CMMC clause: it states the CMMC level required and whether it must be held at award or by a specified date.
- What CUI categories are covered? CUI Basic vs CUI Specified, and the specific categories if the contract names them (for defense work the usual one is Controlled Technical Information, marked CUI//SP-CTI). The category drives marking, dissemination limits, and any category-specific handling requirements layered on the baseline controls.
- What CMMC level is required? Level 2 for almost all CUI contracts; Level 3, which adds a subset of NIST SP 800-172, only for a small set of high-priority programs; Level 1 for contracts that involve FCI but no CUI.
- Where does the contract sit in the CMMC phase-in? Under the 48 CFR rule, Phase 1 began November 10, 2025 and lets Level 2 be met by self-assessment where the solicitation allows it; contracts awarded on or after November 10, 2026 fall under Phase 2, where Level 2 certification by a C3PAO can be required. Confirm which applies, and check whether the requirement also attaches at option exercise.
- What is the performance start date? Compliance requirements typically align with the performance date, not the award date.
- What flow-down exists? If you are a subcontractor, the prime’s requirements may exceed the DoD minimum. Get the prime’s specific requirement in writing.
This review usually takes 2–5 days with a security-literate lawyer or consultant. The output is a clear compliance target — what must be true by what date, what specific clauses drive it. Everything downstream flows from this document.
Phase 1 — Weeks 1–3: Foundation decisions
Decisions made in this window set the architecture for years. Move deliberately.
Cloud platform. Choose AWS GovCloud (US), Azure GCC High, or both. This is the dominant decision — see GovCloud vs GCC High. Most teams end up with both eventually; start with the one that matches your team’s culture and the workload you most urgently need to migrate.
Identity provider. Microsoft Entra ID (in the GCC High tenant) or another identity system that lives inside the government-cloud boundary. If your current commercial stack is Google Workspace, plan a separate government identity: the identity provider that gates access to CUI is itself inside the assessment boundary, so federating a commercial Google tenant into GCC High drags commercial Workspace into scope instead of keeping it out.
Productivity suite. Microsoft 365 in GCC High for teams that will handle CUI in daily communications. Commercial Google Workspace or commercial Microsoft 365 for teams whose work is adjacent to but not directly CUI-bearing.
Endpoint platform. Microsoft Intune for Windows, Jamf for Mac, both configured to enforce the CUI-handling posture (full-disk encryption, EDR, application control, OS hardening). This runs alongside (not replacing) any existing commercial MDM. A device is either enrolled in the managed program or it does not touch CUI; there is no middle state an assessor will accept.
Initial scope definition. Who handles CUI? Which systems? Which data? A scope document with specific CUI-handling roles and systems is the reference document for every future compliance decision. Err on the side of narrow scope — more CUI-handling people means more compliance overhead.
Security officer. Designate a named individual who owns the security program and is the interface with the program security officer on the customer side. If the contract (or one you expect next) involves classified work and a facility clearance, that person is a Facility Security Officer (FSO), a role the NISPOM requires; a CUI-only contract does not require an FSO, but it still needs this owner. In most startups this is the CTO or Head of Security for the first year; hire a dedicated security officer as team size grows.
Point of contact for compliance. Named individual responsible for the CMMC / NIST 800-171 program, including the SSP and the SPRS submission. Usually the same person as the security officer at small scale.
Phase 2 — Weeks 2–6: Cloud tenant provisioning
Cloud tenants take time to provision. Start this in parallel with Phase 1.
AWS GovCloud (US) account. Opened from an existing commercial AWS account; sign-up requires a US-based entity and an attestation that the account will be administered by US persons, and AWS screens the request before enabling the region. Provisioning is usually faster than GCC High (days to a few weeks), but the commercial parent account stays linked for billing, so lock it down with the same rigor as the GovCloud account it controls.
Azure GCC High tenant. Available only after Microsoft validates eligibility (a US-based entity in the defense industrial base or similar) and usually licensed through an authorized partner. Typically 4–8 weeks, sometimes longer for smaller organizations. Start this immediately; provisioning is the long-tail dependency for everything in Phase 3.
Network architecture. CUI-segmented VLANs, firewall rules, VPN access. If you have physical office space, low-voltage cabling might be needed. If you are fully remote, the VPN and network segmentation are the full network story.
Data migration plan. What data moves from commercial to GovCloud / GCC High? When? How is it cleaned up in the commercial environment after migration? This is the easy-to-overlook piece that causes compliance findings later — stale CUI data in commercial Slack or commercial SharePoint.
Phase 3 — Weeks 4–10: Identity, endpoints, productivity
With tenants provisioning in Phase 2, the identity and endpoint work begins.
Identity configuration. Conditional access policies, MFA enforcement, privileged access workflows, role-based access control for systems in scope. The identity infrastructure is the single most important technical control category for CMMC Level 2.
Endpoint deployment. Issuing and configuring devices for personnel who will handle CUI. Each endpoint gets Intune or Jamf enrollment, EDR, full-disk encryption, OS STIG hardening, and approved-application allowlisting, and the inventory of those devices becomes a standing piece of evidence. Budget one engineer for every 30–50 endpoints during the initial rollout.
Productivity tenant configuration. Microsoft 365 GCC High configured for CUI handling: SharePoint libraries with access controls, Teams channels with appropriate permissions, Outlook with encryption policies, OneDrive with retention and sharing controls. The default configuration is not CUI-ready; deliberate hardening is required.
Email migration. Existing email accounts migrate to GCC High Outlook. Legacy accounts in commercial Microsoft 365 or Google Workspace close. Email archiving and retention policies enforced.
Collaboration tool migration. Slack or Teams in commercial → Teams in GCC High for CUI-handling discussions. This is culturally disruptive — team members are accustomed to the commercial tool — and needs change management alongside the technical cutover.
Phase 4 — Weeks 6–12: Evidence pipeline and policies
Compliance is evidence. Evidence comes from operations. Operations need policies that define them.
Policy library. NIST SP 800-171 Rev 2 baseline policies (CMMC Level 2 is assessed against Rev 2, not the 2024 Rev 3), one per family: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity. Each gets a document scoped to your organization’s reality, not a template dump.
System Security Plan (SSP) first draft. The central compliance document describing how each of the 110 controls is implemented. Written as technical operations happen, not after. Expect 3–6 weeks of focused drafting for first version.
Centralized logging (SIEM). Cloud-native (AWS CloudWatch in the GovCloud region, Microsoft Sentinel in the Azure Government tenant) or third-party (Splunk deployed inside the boundary, or a SaaS with a FedRAMP-authorized environment such as Datadog’s). The SIEM must sit inside the CUI boundary; shipping logs to a commercial SaaS reopens the gap you just closed. NIST 800-171 does not fix a retention period, so set one in policy (a common pattern is 90 days hot, one year warm, three years archive) and be able to show it is enforced. Alerting rules configured for high-severity events: privileged role activation, sign-ins from unmanaged devices, repeated MFA failures, EDR detections.
Vulnerability management. Scanning cadence defined (monthly minimum), tool selected (Tenable, Qualys, or cloud-native), remediation workflow established.
Backup and disaster recovery. CUI data backed up to a CUI-compliant destination with documented recovery procedures and periodic recovery tests.
Incident response plan. DFARS 252.204-7012 requires cyber incidents affecting covered defense information to be reported to DoD through DIBNet within 72 hours of discovery, which needs a DoD-approved medium assurance certificate obtained before any incident happens, plus preservation of affected images and logs for at least 90 days and cooperation with any DoD forensic request; see the DFARS 252.204-7012 reporting gap. The plan defines detection, escalation, reporting paths, evidence preservation, and documentation requirements, and names who holds the certificate.
Evidence pipeline. For each control, the operation that produces evidence and where the evidence lives. Access reviews generate a report; configuration baselines are documented in Infrastructure as Code; change approvals are captured in Git or a ticketing system. This is the evidence-as-byproduct discipline.
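As an added example (not code from the article or from the buildout practice it describes), the script below shows the evidence-as-byproduct idea applied to the endpoint and identity controls from Phase 3. It joins the scope list, a managed-device inventory, and a slice of sign-in logs, all constructed here with simplified field names modelled loosely on Entra ID sign-in logs and an Intune/Jamf export rather than any vendor schema, and emits findings keyed to NIST SP 800-171 Rev 2 requirement numbers; that control mapping is this example’s assumption. The same run catches the unmanaged-device and out-of-scope-user cases described later under what commonly goes wrong.

```python
"""Evidence-as-byproduct check for CUI-scoped identity and endpoint controls.

Added example, not from the original article. Field names are simplified
assumptions modelled loosely on Entra ID sign-in logs and an Intune/Jamf
inventory export; they are not a vendor schema. Requirement numbers refer
to NIST SP 800-171 Rev 2 and the mapping is this example's assumption.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data ---------------------------------------------------
# Phase 1 scope document: users authorized to handle CUI.
CUI_SCOPE_USERS = {"alice@example-gov.us", "bob@example-gov.us"}
# GCC High workloads whose successful sign-ins count as CUI access.
IN_SCOPE_APPS = {"SharePoint Online", "Microsoft Teams", "Exchange Online"}
# Managed-endpoint inventory export (constructed).
MANAGED_DEVICES = [
    {"deviceId": "d-100", "owner": "alice@example-gov.us", "encrypted": True,
     "edr": True, "mdmEnrolled": True},
    {"deviceId": "d-101", "owner": "bob@example-gov.us", "encrypted": False,
     "edr": True, "mdmEnrolled": True},          # FileVault never turned on
    {"deviceId": "d-102", "owner": "carol@example-gov.us", "encrypted": True,
     "edr": False, "mdmEnrolled": False},        # carol is outside CUI scope
]
# Sign-in log slice (constructed). errorCode 0 means the sign-in succeeded.
SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example-gov.us", "appDisplayName": "SharePoint Online",
     "createdDateTime": "2025-03-03T14:02:11Z", "deviceId": "d-100",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "bob@example-gov.us", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2025-03-03T15:40:09Z", "deviceId": "personal-mbp",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "bob@example-gov.us", "appDisplayName": "Exchange Online",
     "createdDateTime": "2025-03-04T08:12:45Z", "deviceId": "d-101",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "carol@example-gov.us", "appDisplayName": "SharePoint Online",
     "createdDateTime": "2025-03-04T09:00:00Z", "deviceId": "d-102",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "alice@example-gov.us", "appDisplayName": "Exchange Online",
     "createdDateTime": "2025-03-04T10:00:00Z", "deviceId": "",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 50126},
]


def endpoint_findings(devices, scope_users):
    """Every device owned by a CUI-scoped user must carry the full posture."""
    findings = []
    for d in devices:
        if d["owner"] not in scope_users:
            continue
        if not d["mdmEnrolled"]:
            findings.append(("3.4.1", d["deviceId"], "not enrolled in MDM"))
        if not d["encrypted"]:
            findings.append(("3.13.16", d["deviceId"], "full-disk encryption off"))
        if not d["edr"]:
            findings.append(("3.14.2", d["deviceId"], "EDR agent missing"))
    return findings


def successful_inscope_signins(logs, in_scope_apps):
    """Only successful sign-ins to in-scope apps represent CUI access."""
    return [e for e in logs
            if e["errorCode"] == 0 and e["appDisplayName"] in in_scope_apps]


def signin_findings(logs, devices, scope_users, in_scope_apps):
    """Flag out-of-scope users, unmanaged devices and single-factor sign-ins."""
    managed = {d["deviceId"] for d in devices if d["mdmEnrolled"]}
    findings = []
    for e in successful_inscope_signins(logs, in_scope_apps):
        user, app = e["userPrincipalName"], e["appDisplayName"]
        if user not in scope_users:
            findings.append(("3.1.1", user, f"user outside CUI scope accessed {app}"))
            continue
        if e["deviceId"] not in managed:
            findings.append(("3.1.20", user,
                             f"{app} from unmanaged device {e['deviceId'] or '<none>'}"))
        if e["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append(("3.5.3", user, f"single-factor sign-in to {app}"))
    return findings


def build_evidence_record(devices, logs, scope_users, in_scope_apps, now=None):
    """Assemble one dated, self-describing artifact for the evidence repository."""
    now = now or datetime.now(timezone.utc)
    findings = (endpoint_findings(devices, scope_users)
                + signin_findings(logs, devices, scope_users, in_scope_apps))
    return {
        "generatedAt": now.isoformat(timespec="seconds"),
        "scope": {"users": sorted(scope_users), "apps": sorted(in_scope_apps)},
        "coverage": {
            "scopedDevicesChecked": sum(d["owner"] in scope_users for d in devices),
            "signInsReviewed": len(successful_inscope_signins(logs, in_scope_apps)),
        },
        "findings": [{"control": c, "subject": s, "detail": d} for c, s, d in findings],
        "byControl": dict(Counter(c for c, _, _ in findings)),
    }


def run_sample():
    """Run the checks over the constructed data above; returns the record."""
    return build_evidence_record(MANAGED_DEVICES, SIGNIN_LOGS, CUI_SCOPE_USERS, IN_SCOPE_APPS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run it on a schedule from the same job that exports the real inventory and sign-in data, commit the JSON it produces to the evidence repository, and the report becomes the recurring artifact for these controls. A run with an empty findings list is evidence too; what an assessor will not accept is a policy that says the check happens with no artifact showing that it did.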
Phase 5 — Weeks 8–12: Personnel and training
Compliance requires trained people operating the controls.
Personnel security. Background investigations for personnel with CUI access, U.S. citizenship verification where required, documented role-based access. For most first-contract CMMC Level 2 engagements, this is standard corporate background checks plus a documented citizenship verification at onboarding.
Initial security training. All personnel handling CUI receive initial training covering the organization’s policies, their specific responsibilities, CUI handling procedures, and incident reporting. Training completion documented.
Specialized training. Privileged operators receive additional training on privileged access procedures, logging review, and audit trail integrity. Incident response team members receive tabletop training on the IR plan.
Onboarding and offboarding procedures. Updated to reflect CUI-handling processes. Onboarding captures background-check and US-person documentation and initial training completion before CUI access is granted; offboarding ensures all CUI access is revoked, devices are returned and wiped, and data is removed.
Annual refresher training program. Scheduled, documented, tracked. Auditors review completion rates; incomplete training is a common finding.
Phase 6 — Weeks 10–13: Physical security (if applicable)
If your organization has physical office space that will handle CUI:
Access control. Badge or PIN-based access to CUI-handling areas. Logs retained.
Visitor control. Documented visitor procedures, escort requirements, sign-in logs.
Environmental controls. Fire suppression, HVAC redundancy where systems are rack-mounted.
Secure storage. Lockable storage for physical media containing CUI (hard drives, removable media, printed documents).
Surveillance. CCTV on entry/exit points, retention of recordings per policy.
Clean desk policy. Documented and enforced. CUI documents locked when work area unattended.
For fully remote organizations, the physical security requirements are simpler — they apply primarily to personnel residences and the handling of any physical media. The policy should still exist; its scope is just narrower.
Phase 7 — Weeks 12–16: Readiness review and assessment planning
With the infrastructure in place, the focus shifts to validating readiness.
Internal assessment against NIST 800-171 Rev 2. Walk through every control with the implementer and confirm (a) the control is implemented, (b) evidence exists, (c) the evidence is discoverable. Findings are remediated.
C3PAO or self-assessment scheduling. If the contract requires CMMC Level 2 certification, engage a C3PAO at this stage; book 4–8 weeks or more ahead of the desired assessment window, since C3PAO capacity is limited. If the contract allows self-assessment, schedule the internal assessment and plan the SPRS score submission and the senior-official affirmation that goes with it; see CMMC self-assessment vs C3PAO.
Pre-assessment dry run. Walk through the full evidence package end-to-end with someone who was not part of the implementation. Treat every gap as a real finding. This is the single highest-impact investment in the 90-day window.
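As an added example (not the article’s or the practice’s own tooling), here is the shape of that dry run in code. A constructed evidence manifest maps a handful of NIST SP 800-171 requirements to the artifact that proves each one and the cadence at which that artifact must be regenerated; the script confirms every artifact exists and is current, and computes a score in the style of the NIST SP 800-171 DoD Assessment Methodology (110 minus the weight of each requirement that is not met). The manifest, the evidence paths and the per-requirement weights are all assumptions for the example; take the real 1-, 3- and 5-point values from the methodology’s annex. It builds a throwaway evidence directory so it runs offline.

```python
"""Evidence-manifest readiness check for the pre-assessment dry run.

Added example, not from the original article. Everything below is
constructed: the manifest, the evidence paths and the per-requirement
weights. The scoring rule (110 minus the weight of each NOT MET
requirement) follows the NIST SP 800-171 DoD Assessment Methodology;
the real weights come from its annex, not from this table.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Requirement id -> status per the SSP, evidence path relative to the
# evidence repository, how often that evidence must be regenerated, and an
# assumed assessment weight.
MANIFEST = {
    "3.1.1":  {"status": "implemented", "evidence": "access/entra-users.json",
               "cadence_days": 30, "weight": 5},
    "3.1.2":  {"status": "implemented", "evidence": "access/quarterly-review.md",
               "cadence_days": 90, "weight": 5},
    "3.5.3":  {"status": "implemented", "evidence": "identity/ca-policies.json",
               "cadence_days": 30, "weight": 5},
    "3.4.1":  {"status": "implemented", "evidence": "config/intune-baseline.json",
               "cadence_days": 30, "weight": 1},
    "3.11.2": {"status": "planned", "evidence": "vuln/scan-report.pdf",
               "cadence_days": 30, "weight": 5},
}

MAX_SCORE = 110


def _write(root, rel_path, mtime):
    """Create a placeholder artifact and backdate its modification time."""
    path = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("constructed artifact\n")
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))


def build_sample_repo(now):
    """Throwaway evidence directory reproducing three typical dry-run gaps."""
    root = tempfile.mkdtemp(prefix="evidence-")
    fresh = now - timedelta(days=3)
    stale = now - timedelta(days=120)          # past a 90-day review cadence
    _write(root, "access/entra-users.json", fresh)
    _write(root, "access/quarterly-review.md", stale)
    _write(root, "identity/ca-policies.json", fresh)
    # config/intune-baseline.json is deliberately absent: the baseline lives
    # in IaC but nobody ever exported it, so it is not discoverable.
    # vuln/scan-report.pdf is absent because 3.11.2 is still only planned.
    return root


def assess(manifest, root, now):
    """Check implemented + evidence exists + evidence current; score NOT MET items."""
    gaps, deducted = [], 0
    for cid, entry in manifest.items():
        path = os.path.join(root, entry["evidence"])
        if entry["status"] != "implemented":
            gaps.append({"control": cid, "reason": "not implemented", "scored": True})
            deducted += entry["weight"]
            continue
        if not os.path.exists(path):
            # An assessor treats a requirement with no evidence as NOT MET.
            gaps.append({"control": cid, "scored": True,
                         "reason": f"evidence missing: {entry['evidence']}"})
            deducted += entry["weight"]
            continue
        modified = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        age_days = (now - modified).days
        if age_days > entry["cadence_days"]:
            # Stale evidence is a gap to close before the assessor sees it, but
            # the control may still be operating, so it is flagged, not deducted.
            gaps.append({"control": cid, "scored": False,
                         "reason": f"evidence stale: {age_days} days old, "
                                   f"cadence {entry['cadence_days']}"})
    return {"max_score": MAX_SCORE, "score": MAX_SCORE - deducted, "gaps": gaps}


def run_sample():
    """Build the sample repository and assess it; returns the result dict."""
    now = datetime.now(timezone.utc)
    return assess(MANIFEST, build_sample_repo(now), now)


if __name__ == "__main__":
    result = run_sample()
    print(f"score {result['score']}/{result['max_score']}")
    for gap in result["gaps"]:
        label = "NOT MET" if gap["scored"] else "WARN   "
        print(f"  {gap['control']:<7} {label} {gap['reason']}")
```

Point the manifest at the real evidence repository and run it in CI on every merge: a missing or stale artifact then fails the build weeks before the dry run, which is the cheapest time to find it. The score it prints is only as honest as the manifest’s status column, which is exactly why the dry run should be walked by someone who did not write the SSP.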
Customer stakeholder briefing. Brief the customer’s security officer on the program status — what is implemented, what is still being built, what the assessment schedule looks like. Proactive communication preserves trust if anything slips.
What commonly goes wrong
Three recurring failure patterns in first-contract IT buildouts:
Commercial cloud legacy remains in scope. A startup migrates core workloads to GovCloud / GCC High but keeps some tools or processes in commercial cloud “for now.” Six months later the assessor finds CUI in commercial Slack and the assessment fails. The migration must be complete, and the commercial copies must be found and sanitized, not merely abandoned.
Endpoint deployment is incomplete. Remote team members work on personal devices during the transition and never fully onboard to the managed-endpoint program. Every non-managed device with CUI access is an audit finding.
Policies are templates without operational backing. The policy library looks complete, but the operations referenced in the policies do not actually happen. Auditors recognize this pattern instantly. Policies must describe what the organization actually does.
Timeline optimism. “We can get this done in 30 days” is almost never true for a first-time CUI-handling buildout. Realistic is 90–180 days from contract award to compliance posture ready for assessment. Building in buffer avoids crisis mode near the performance start date.
Cost and effort budget
For a venture-backed startup with 15–50 people, first-contract IT buildout typically budgets:
- Cloud licensing and services: $50,000–$150,000 first year (GovCloud or GCC High + M365 GCC High + associated services)
- Security tooling: $30,000–$100,000 first year (SIEM, EDR, vulnerability scanning, IAM, backup)
- Consulting and advisory: $100,000–$400,000 depending on scope (end-to-end buildout through assessment readiness)
- C3PAO assessment: $30,000–$80,000 (typical range for first assessment)
- Internal engineering time: 3–6 months of 1.5–3 engineers’ time (cloud, infrastructure, identity, security)
- FSO and compliance personnel: typically one dedicated FTE added within the first year
Total first-year investment: roughly $200,000 at the low end, $1,000,000+ at the high end for larger teams with more complex architecture.
This is significant capital for an early-stage company but is the foundation the contract revenue is built on. Undercapitalizing the first buildout consistently costs more than properly capitalizing it, because the rework cycle is expensive.
When to engage
The moment that pays back the most for outside IT advisory is the first two weeks after contract award. The foundational decisions — cloud platform, identity provider, scope boundaries, policy structure — are made in this window and cascade through the entire buildout. A scoping conversation during contract review is earlier still and can clarify compliance requirements before commitments are made.
Our IT & Security Buildout practice is built around this moment. We engage at contract review, design the stack for your specific workload and culture, build it with cleared practitioners, and hand off to your internal team or continue as a managed retainer. For CMMC Level 2 certification readiness alongside the buildout, the programs run in parallel — the same evidence pipeline serves both.
Related reading: AWS GovCloud vs Azure GCC High · seven CUI enclave architectural mistakes · CMMC Level 2 timeline · DFARS 252.204-7012 reporting gap