Cybersecurity Maturity Model Certification 2.0

DoD certification required for all prime and sub-contractors handling CUI. Level 2 maps to NIST 800-171. Hardware controls are a key differentiator in assessments.

US defense industrial base, DoD prime and sub-contractors

14

control domains mapped

32

products applicable

6

other frameworks cross-mapped

Official doc

Cybersecurity Maturity Model Certification 2.0

IA.L2-3.5.3 Use of multi-factor authentication for local and network access

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

SC.L2-3.13.3 Separate user functionality from system management functionality

VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach another (e.g. keys, vault). No other consumer laptop provides this by default.

SC.L2-3.13.1 Monitor, control, and protect communications at external boundaries

Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.

Products that satisfy this control:

CM.L2-3.4.6 Employ the principle of least functionality

Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.

PE.L1-3.10.1 Limit physical access to CUI to authorized individuals

Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.

MP.L2-3.8.1 Physically control and securely store media containing CUI

UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).

Products that satisfy this control:

IR.L2-3.6.1 Establish an operational incident-handling capability

Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.

Products that satisfy this control:

PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites

MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.

Products that satisfy this control:

SC.L2-3.13.8 Implement cryptographic mechanisms to prevent disclosure during transmission

Verified boot ensures the TLS stack is unmodified before communication. VPN gateway encrypts all remote access traffic. Hardware-backed keys prevent interception even if endpoints are observed.