Establishment of a Domestic CMMC Level 2 Compliance Support System
okicom Corporation and Ryukyu Cyber Initiative, LLC (RCI) have formed a business alliance to jointly provide support services for compliance with the US Department of War's cybersecurity standard, "CMMC Level 2," starting in May 2026. The partnership offers end-to-end support from consulting to operations entirely within Japan.
📋 Article Processing Timeline
- 📰 Published: May 19, 2026 at 01:25
- 🔍 Collected: May 18, 2026 at 17:01
- 🤖 AI Analyzed: May 18, 2026 at 17:04 (2 min after Collected)
okicom Corporation (Headquarters: Ginowan City, Okinawa / Representative Director: Kai Odo / hereafter "okicom") has concluded a business alliance agreement with Ryukyu Cyber Initiative, LLC (Headquarters: Yomitan Village, Nakagami District, Okinawa / Representative: Dr. Aaron M. Ramey / hereafter "RCI") to jointly provide support services for Level 2 compliance with the "Cybersecurity Maturity Model Certification (CMMC)," a cybersecurity procurement standard set by the US Department of War (DoW), starting in May 2026.
okicom will act as the customer contact and lead consultant for domestic businesses, collaborating with RCI, a Registered Practitioner Organization (RPO) registered with the US Cyber AB. The service will incorporate the specialized knowledge of Dr. Ramey, who holds a CCA (Certified CMMC Assessor) qualification, through architectural advice, SSP (System Security Plan) creation support, mock assessments, and knowledge transfer. This establishes a system to provide comprehensive support entirely within Japan, from consulting to the implementation of the security environment and continuous operation after acquiring certification.
■ Background
On November 10, 2025, an amendment to the US DFARS implemented CMMC as a formal procurement requirement for contracts with the DoW. In Phase 2, starting November 10, 2026, CMMC requirement levels will be raised in stages, and it is expected that DoW contracts requiring Level 2 compliance will expand. Preparation takes about 6 to 12 months depending on the scale and type of business, making early system development a realistic challenge for domestic businesses involved in US military-related procurement.
On the other hand, the standard documents (DFARS 252.204-7012 / NIST SP 800-171 Rev.2) are in English, and there is a limited number of CCAs and Certified Third-Party Assessor Organization (C3PAO) personnel in Japan who are intimately familiar with the CMMC assessment criteria. Until now, a system capable of completing everything from consulting to technical implementation and subsequent continuous operation domestically has not been sufficiently established. okicom and RCI will jointly provide this service to bridge this structural gap.
■ About CCA (Certified CMMC Assessor)
CCA is an individual qualification accredited by the US Cyber AB (CMMC Accreditation Body), representing the position to evaluate Level 2 controls as a member of a C3PAO assessment team in official CMMC assessments. They are the personnel closest to practical operations and most familiar with the assessment criteria within the CMMC ecosystem.
The number of CCAs registered in Japan remains limited at present, and one of them is Dr. Aaron M. Ramey, Representative of RCI (Qualifications held: CCA / CCP / CISSP / CompTIA Security+ / CMMC RPA / RP, PhD in Cybersecurity Management).
Quick Reference Guide for CMMC-related Terms
- Level 1: 15 requirements of FAR 52.204-21, annual self-assessment
- Level 2: 110 requirements of DFARS 252.204-7012, NIST SP 800-171 Rev.2, third-party assessment by C3PAO in principle
- C3PAO: Certified Third-Party Assessor Organization that conducts official CMMC evaluations
- CCA: Individual qualification to conduct Level 2 assessments as a member of a C3PAO assessment team
- CUI: Controlled Unclassified Information
- RPO: Organization registered with Cyber AB that provides advice and support regarding CMMC compliance, or services as an MSP, in the defense supply chain
okicom will act as the customer contact and lead consultant for domestic businesses, collaborating with RCI, a Registered Practitioner Organization (RPO) registered with the US Cyber AB. The service will incorporate the specialized knowledge of Dr. Ramey, who holds a CCA (Certified CMMC Assessor) qualification, through architectural advice, SSP (System Security Plan) creation support, mock assessments, and knowledge transfer. This establishes a system to provide comprehensive support entirely within Japan, from consulting to the implementation of the security environment and continuous operation after acquiring certification.
■ Background
On November 10, 2025, an amendment to the US DFARS implemented CMMC as a formal procurement requirement for contracts with the DoW. In Phase 2, starting November 10, 2026, CMMC requirement levels will be raised in stages, and it is expected that DoW contracts requiring Level 2 compliance will expand. Preparation takes about 6 to 12 months depending on the scale and type of business, making early system development a realistic challenge for domestic businesses involved in US military-related procurement.
On the other hand, the standard documents (DFARS 252.204-7012 / NIST SP 800-171 Rev.2) are in English, and there is a limited number of CCAs and Certified Third-Party Assessor Organization (C3PAO) personnel in Japan who are intimately familiar with the CMMC assessment criteria. Until now, a system capable of completing everything from consulting to technical implementation and subsequent continuous operation domestically has not been sufficiently established. okicom and RCI will jointly provide this service to bridge this structural gap.
■ About CCA (Certified CMMC Assessor)
CCA is an individual qualification accredited by the US Cyber AB (CMMC Accreditation Body), representing the position to evaluate Level 2 controls as a member of a C3PAO assessment team in official CMMC assessments. They are the personnel closest to practical operations and most familiar with the assessment criteria within the CMMC ecosystem.
The number of CCAs registered in Japan remains limited at present, and one of them is Dr. Aaron M. Ramey, Representative of RCI (Qualifications held: CCA / CCP / CISSP / CompTIA Security+ / CMMC RPA / RP, PhD in Cybersecurity Management).
Quick Reference Guide for CMMC-related Terms
- Level 1: 15 requirements of FAR 52.204-21, annual self-assessment
- Level 2: 110 requirements of DFARS 252.204-7012, NIST SP 800-171 Rev.2, third-party assessment by C3PAO in principle
- C3PAO: Certified Third-Party Assessor Organization that conducts official CMMC evaluations
- CCA: Individual qualification to conduct Level 2 assessments as a member of a C3PAO assessment team
- CUI: Controlled Unclassified Information
- RPO: Organization registered with Cyber AB that provides advice and support regarding CMMC compliance, or services as an MSP, in the defense supply chain
FAQ
What is the strength of okicom's CMMC support?
The ability to provide end-to-end support in Japan, from consulting to implementation in Japanese, through a partnership with RCI, which has a rare CCA-qualified expert.
How long does it take to prepare for CMMC Level 2?
While it depends on the size and type of business, it generally takes about 6 to 12 months.
By when is CMMC compliance required?
Early preparation is necessary in anticipation of Phase 2 starting on November 10, 2026, when requirements will be raised.