By ProTelesis Corporation  |  ProTelesis Blog

Davis County, Utah is the operational backyard of Hill Air Force Base — and that proximity sets a higher bar for IT. The contractor base supporting Hill AFB’s F-35 sustainment, intercontinental ballistic missile programs, depot operations, and Air Logistics Complex doesn’t just need fast networks and reliable email. It needs CMMC-aligned cybersecurity, CUI-grade network segmentation, audit-ready managed IT, and a local partner that understands the difference between a commercial environment and a federally-adjacent one.

ProTelesis serves Davis County companies across Layton, Bountiful, Farmington, Clearfield, Syracuse, and Kaysville with a portfolio purpose-built for organizations whose buyers, auditors, or contracts ultimately trace back to the Department of Defense. Below is a regional view of how the work breaks down — and how to get ready for the compliance deadlines reshaping defense contracting through 2028.

Why Davis County’s IT Stakes Are Higher Than Most

Hill Air Force Base sits at the geographic and economic center of Davis County. It is home to the 75th Air Base Wing and the Ogden Air Logistics Complex (OO-ALC), one of three Air Logistics Complexes in the U.S. Air Force Materiel Command. Hill performs depot maintenance and sustainment for the F-35 Lightning II, F-22 Raptor, A-10 Thunderbolt II, and the U.S. ICBM force (Minuteman III, transitioning to the LGM-35A Sentinel). It employs more than 25,000 military, civilian, and contractor personnel, and is consistently ranked among Utah’s largest single-site employers.

That anchor pulls a dense ecosystem of defense primes, subcontractors, and aerospace suppliers into Davis County’s industrial corridors — Falcon Hill National Aerospace Research Park inside the base footprint, Freeport Center and the TechRidge office park in Clearfield, the I-15 industrial spine from Layton through Farmington, and the rapidly expanding manufacturing belt in Syracuse and West Layton.

For a non-defense business, “good IT” means uptime, decent backups, and a help desk. For a Hill AFB contractor — or any business in that supply chain — “good IT” includes:

• Demonstrable compliance with CMMC 2.0, NIST SP 800-171, and DFARS 252.204-7012
• Controlled Unclassified Information (CUI) handling and segmentation across endpoints, file shares, email, and collaboration tools
• Hardened identity, logging, and incident response capable of producing audit artifacts on demand
• Network architectures that segment defense work from commercial work, often across multiple buildings and field sites
• A managed-services partner that won’t disappear when a 72-hour cyber-incident reporting window starts ticking

The Compliance Frameworks Driving Local IT Investment

If you contract — directly or indirectly — for the DoD, three acronyms now drive the majority of IT budget conversations in Davis County.

CMMC 2.0 (Cybersecurity Maturity Model Certification)

CMMC 2.0 was codified in the DoD’s final rule at 32 CFR Part 170, which took effect on December 16, 2024. It establishes three certification levels:

• Level 1 (Foundational) — 17 basic safeguarding practices, annual self-assessment. Applies to contractors who only handle Federal Contract Information (FCI).
• Level 2 (Advanced) — Implementation of all 110 NIST SP 800-171 Rev 2 practices. Most CUI-handling contractors land here. Triennial third-party assessment by a C3PAO for prioritized programs; annual self-assessment for select others.
• Level 3 (Expert) — All Level 2 practices plus a subset of NIST SP 800-172 enhanced controls. Triennial government-led assessment. Reserved for the highest-priority programs.

The companion DFARS rule (48 CFR) phases CMMC requirements into new and existing contracts across roughly three years, with Level 2 self-assessment requirements appearing first and third-party certifications ramping through 2028. Translation: if your shop has any CUI on its network today, the clock is already running.

NIST SP 800-171

NIST SP 800-171 is the underlying control framework that defines how non-federal organizations must protect CUI. Revision 2 (110 controls) is the version mapped into CMMC Level 2. Revision 3, published May 14, 2024, restructured the catalog and added explicit organization-defined parameters — assessments are migrating to it on a phased timeline. ProTelesis architects environments against the version your contract specifies, not just the latest publication.

DFARS 252.204-7012 and 7019/7020/7021

DFARS 252.204-7012 is the contract clause that has required NIST 800-171 implementation since 2017, along with a 72-hour cyber-incident reporting obligation. The 7019 and 7020 clauses added Supplier Performance Risk System (SPRS) self-assessment scoring; 7021 implements the CMMC certification requirement itself. Most Davis County subcontractors first see compliance language flow down from a prime — not from the DoD directly.

Adjacent frameworks also routinely show up depending on the contract: ITAR for export-controlled technical data, FedRAMP Moderate for cloud services touching CUI, and FIPS 140-3-validated encryption for data at rest and in transit.

How ProTelesis Maps Services to the Mission

ProTelesis is a managed services provider, systems integrator, and carrier-class voice + network specialist. For defense-adjacent organizations in Davis County, our portfolio aligns to the threats, controls, and audit obligations that come with the work.

Managed Cybersecurity (24×7 SOC, MDR, SIEM)

The mandate: NIST 800-171 families AC, AU, IR, SI — Access Control, Audit & Accountability, Incident Response, System & Information Integrity. CMMC Level 2 explicitly requires continuous monitoring and documented incident-response.

What we deliver:

• 24×7 Managed Detection & Response (MDR) with EDR coverage across endpoints, servers, and identity
• SIEM ingestion + log retention to satisfy AU.3.045 and AU.3.046 control evidence
• Incident-response playbooks aligned to the 72-hour DoD Cyber Crime Center (DC3) reporting window
• Vulnerability management and continuous monitoring against NIST 800-171 control families RA and CA
• User awareness training and phishing simulations (AT family) — practical and audit-documented

Network Engineering for CUI Environments

The mandate: Logical and physical separation between CUI and non-CUI environments, hardened boundary protection (SC family), and FIPS-validated cryptography wherever CUI moves.

What we deliver:

• Segmented LAN/VLAN architectures isolating defense-program workstations, file shares, and printers from commercial traffic
• Next-generation firewalls with deep packet inspection, IDS/IPS, and DNS-layer filtering at every site
• SD-WAN with FIPS 140-3 validated tunnels between Layton HQs, Clearfield manufacturing floors, Syracuse warehousing, and remote field offices
• Zero Trust Network Access (ZTNA) for engineers and contractors connecting from outside the trusted enclave
• Wireless segmentation with WPA3-Enterprise and certificate-based device authentication

Compliance-Ready Managed IT

The mandate: A System Security Plan (SSP) and Plan of Action & Milestones (POA&M) that an assessor can actually trace to your environment — not a binder of policies that don’t match reality.

What we deliver:

• Managed Microsoft 365 GCC / GCC High deployments with conditional access, MFA enforcement, and DLP for CUI
• Hardened endpoint baselines (CIS Benchmarks, Microsoft Security Baselines) with documented configuration management
• Patch management, asset inventory, and configuration drift detection (CM and SI families)
• SSP authoring and ongoing POA&M maintenance — the documents your prime, your auditor, and your contracting officer will all ask for
• SPRS score advisory and assessment readiness coaching ahead of C3PAO engagements

Secure Communications & Collaboration

The mandate: Voice, video, and messaging that can carry sensitive program discussion without leaking it through consumer apps or unsecured carriers.

What we deliver:

• Hosted UC and SIP trunking with carrier diversity and survivability for mission-critical voice
• Teams / Webex deployments aligned to GCC High where CUI is in scope
• Conference room AV (Crestron + Shure) with AES-256 Dante audio, 802.1x authentication, and audit-friendly device management — see our deep-dive on enterprise AV for security-conscious environments
• E911 + emergency notification compliant with Kari’s Law and RAY BAUM’s Act, with location accuracy across multi-floor and multi-building campuses

Structured Cabling, Infrastructure & Field Services

The mandate: The physical layer that’s still the most common single point of failure on a manufacturing or depot-adjacent site.

What we deliver:

• BICSI-aligned Cat 6A / fiber backbone design, install, and certification
• Industrial wireless and DAS for high-bay manufacturing in Clearfield and Syracuse
• Physical security network design — IP video surveillance, access control, and intrusion — that doesn’t compromise the data network it sits on
• Pre-construction consulting and IT scoping for build-outs across the Falcon Hill, Freeport Center, and Station Park corridors

Built Around Davis County’s Six Cities

The defense ecosystem in Davis County isn’t monolithic. Each city carries a different concentration of work, and our delivery teams plan engagements accordingly.

Layton — The Closest Contractor Cluster

Layton borders Hill AFB on the south and hosts the highest density of defense-adjacent engineering, software, and systems integration firms in the county. Most of our Layton engagements involve CUI-segmented Microsoft 365 GCC High migrations, hardened endpoint baselines for engineering laptops, and SD-WAN that connects Layton offices to remote depot, manufacturing, or test sites.

Clearfield — Falcon Hill, Freeport Center & TechRidge

Clearfield’s industrial footprint is built around Freeport Center (one of the largest industrial parks in the western U.S.) and the TechRidge aerospace office park, with additional tenants spilling out of Hill’s Falcon Hill EUL. Our Clearfield work tends toward industrial wireless, manufacturing-floor network segmentation, and physical security integration on top of CMMC-aligned IT.

Syracuse — Rapid Expansion Along the West Side

Syracuse is one of the fastest-growing cities in the county, with new manufacturing and logistics builds along the west I-15 corridor. ProTelesis is regularly engaged at the pre-construction phase for these sites — scoping cabling, wireless, and security infrastructure before slabs are poured — so CMMC-ready architectures are baked in rather than retrofitted.

Kaysville — Mid-Market Professional & Subcontractor Density

Kaysville hosts a deep bench of professional services firms, second- and third-tier subcontractors, and family-owned suppliers feeding the larger contractor base. Engagements here often start with a SPRS self-assessment readiness review and grow into managed cybersecurity + compliance documentation as flow-down language tightens.

Farmington — County Seat & Government Adjacencies

As the Davis County seat, Farmington combines government IT requirements (county agencies, courts, public safety) with a healthy retail and hospitality base around Station Park. Our Farmington engagements span government-grade network and surveillance, audit-ready managed services, and unified communications across multi-site campuses.

Bountiful — Healthcare, Education & Small-Business Density

Bountiful’s mix skews toward healthcare networks, K-12 systems, and small-to-mid business density — many of which serve Hill AFB personnel and their families. Cybersecurity engagements here often blend HIPAA and NIST 800-171 requirements when a clinic or supplier also has a defense customer, plus K-12 cybersecurity work aligned to CISA’s K-12 guidance.

What “Cyber-Ready” Looks Like Six Months In

Use-case spotlight — a representative Davis County engagement.

The challenge: A 75-person engineering subcontractor in Layton receives a flow-down from a prime requiring CMMC Level 2 self-assessment by end of fiscal year, with a third-party C3PAO assessment expected within 24 months. Current state: a flat network, Microsoft 365 Business Standard, no documented SSP, no SIEM, no 24×7 monitoring, and a part-time IT person who is great at desktop support but has never touched 800-171.

The first 90 days: Asset inventory and CUI data-flow mapping. Migration to Microsoft 365 GCC High. Endpoint hardening to CIS Level 1 baseline, with EDR deployed to every device. Network re-architecture into segmented enclaves with a next-generation firewall and IDS/IPS at the perimeter. MFA enforcement everywhere, with conditional access blocking legacy authentication.

By month six: 24×7 MDR live with SIEM log retention exceeding the 90-day NIST minimum. SSP authored against all 110 NIST 800-171 controls, with POA&M tracking the open items. SPRS score posted. Tabletop incident-response exercise completed and documented. The client walks into the prime’s vendor review with artifacts in hand — not promises.

The outcome: The contract isn’t lost to the prime’s “trusted supplier” preference, and the subcontractor is positioned to bid on additional CUI-handling work without scrambling.

Why Local Matters for Federal-Adjacent Work

Defense work runs on relationships, response time, and the ability to be on-site when something breaks. ProTelesis maintains regional engineering and field-services presence covering Davis, Weber, and Salt Lake counties, with response windows measured in hours — not next-business-day. Our teams are familiar with the building rosters at Falcon Hill, the dock schedules at Freeport Center, and the badge requirements that come with depot-adjacent engagements.

For the parts of the work that need to be off-site — 24×7 SOC monitoring, after-hours patching, weekend cutover work — we operate the platforms ourselves rather than reselling someone else’s NOC. That matters when a 72-hour incident report is on the line.

Schedule a CMMC Readiness Conversation

If you’re a Davis County contractor — in Layton, Clearfield, Syracuse, Kaysville, Farmington, or Bountiful — and the flow-down language in your latest contract has you reaching for a definition of CUI, this is exactly the conversation we have every week.Schedule a Consultation

ProTelesis is a managed services provider, systems integrator, and carrier-class communications partner serving organizations across California, Arizona, Utah, and the broader western United States. Our Utah team supports the Hill Air Force Base defense contractor base and the broader Davis County industrial and government economy with managed cybersecurity, network engineering, structured cabling, unified communications, and compliance-ready managed IT.

---

Frequently Asked Questions: IT & Cybersecurity for Hill AFB Contractors in Davis County

What is CMMC 2.0 and which Hill AFB contractors need it?

CMMC 2.0 (Cybersecurity Maturity Model Certification, version 2.0) is the U.S. Department of Defense’s framework for verifying that contractors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It was codified in DoD’s final rule at 32 CFR Part 170, effective December 16, 2024, with companion DFARS contract clauses phasing in over roughly three years. Any contractor or subcontractor at Hill Air Force Base that handles CUI — whether they support F-35 sustainment, the Sentinel ICBM program, depot maintenance, or any program flow-down — will be required to meet at least CMMC Level 2 once it appears in their contract. ProTelesis helps Davis County contractors map their environment to the 110 NIST SP 800-171 controls underpinning Level 2.

What is the difference between CMMC Level 1, Level 2, and Level 3?

CMMC 2.0 has three certification levels. Level 1 (Foundational) requires 17 basic safeguarding practices and is verified by annual self-assessment — it applies to contractors that only handle Federal Contract Information. Level 2 (Advanced) requires implementation of all 110 practices in NIST SP 800-171 Rev 2, with most CUI-handling contractors needing a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). Level 3 (Expert) requires Level 2 plus a subset of NIST SP 800-172 enhanced controls, assessed triennially by the DoD itself, and is reserved for the highest-priority programs. ProTelesis scopes engagements to the level your contract actually requires.

What IT and cybersecurity services do Hill AFB defense contractors typically need?

Defense contractors supporting Hill Air Force Base typically need a layered IT and cybersecurity portfolio that satisfies NIST SP 800-171 and CMMC 2.0 requirements. This includes 24×7 Managed Detection & Response (MDR) with endpoint detection, SIEM log retention for audit evidence, segmented network architectures isolating CUI environments, FIPS 140-3 validated encryption for data in transit and at rest, multi-factor authentication and conditional access on all identities, documented System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms), and incident-response playbooks aligned to DoD’s 72-hour reporting window. ProTelesis delivers these as a single managed-services portfolio across Davis County, Utah.

What is NIST SP 800-171 and how does it relate to defense contracts?

NIST SP 800-171 is the U.S. National Institute of Standards and Technology publication that defines the security controls non-federal organizations must implement to protect Controlled Unclassified Information (CUI). Revision 2 contains 110 controls across 14 control families and is the basis for CMMC 2.0 Level 2. Revision 3, published May 14, 2024, restructured the control catalog and added explicit organization-defined parameters. NIST 800-171 has been required of DoD contractors handling CUI since 2017 via DFARS 252.204-7012, but CMMC 2.0 adds independent assessment and certification to verify implementation. ProTelesis architects environments to whichever revision your contract specifies.

What is DFARS 252.204-7012 and what does it require?

DFARS 252.204-7012, the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clause, is the U.S. Defense Federal Acquisition Regulation Supplement clause that has required DoD contractors handling Covered Defense Information to implement NIST SP 800-171 since 2017. It also obligates contractors to report any cyber incident affecting that information to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. Companion clauses DFARS 252.204-7019 and 7020 added SPRS self-assessment scoring, and 7021 implements the CMMC certification requirement. ProTelesis builds incident-response capabilities specifically tuned to the 72-hour DC3 reporting window.

Does ProTelesis serve businesses in Layton, Clearfield, Syracuse, Kaysville, Farmington, and Bountiful?

Yes. ProTelesis serves businesses across all six Davis County, Utah cities — Layton, Clearfield, Syracuse, Kaysville, Farmington, and Bountiful — with managed IT, cybersecurity, network engineering, structured cabling, and unified communications. Engagements span Hill Air Force Base defense contractors and subcontractors, county and municipal government, healthcare networks, K-12 and higher-education institutions, multi-site retail, and manufacturing across the Freeport Center, Falcon Hill, TechRidge, and Station Park corridors. Regional engineering and field-services teams maintain response windows measured in hours.

When does CMMC become mandatory in DoD contracts?

The CMMC program rule (32 CFR Part 170) took effect December 16, 2024, and the companion DFARS rule phases the contract requirements in over roughly three years. Phase 1 begins when the DFARS rule appears in new contracts and initially requires Level 1 or Level 2 self-assessment in applicable solicitations. Phases 2 through 4 introduce third-party Level 2 certifications, Level 3 government-led assessments, and full coverage of all applicable contracts. Most Hill AFB-related contractors are seeing CMMC language flow down from their primes well ahead of the contract requirement, which means many Davis County companies are effectively on a 12-to-24-month preparation runway today. ProTelesis sequences engagements to align with both your prime’s timeline and the DFARS phase-in.

What is Controlled Unclassified Information (CUI), and why does it matter for Hill AFB contractors?

Controlled Unclassified Information (CUI) is information the U.S. Government creates or owns that is not classified but still requires safeguarding under law, regulation, or government-wide policy. Examples relevant to Hill Air Force Base contractors include technical data on weapon-system components, depot procedures, specifications, drawings, and program-management documents. CUI handling is the trigger for most NIST SP 800-171 and CMMC Level 2 requirements — once CUI lands on a contractor’s network, that network is in scope. ProTelesis begins most Davis County defense engagements with a CUI data-flow assessment to determine exactly which systems, users, and locations are in scope.

What is a managed cybersecurity provider, and why do defense contractors hire one?

A managed cybersecurity provider operates the people, processes, and platforms required to detect, respond to, and document cyber threats on a client’s behalf — including 24×7 Managed Detection & Response (MDR), SIEM log collection and retention, vulnerability management, identity and access governance, and incident-response playbooks. Defense contractors hire one because NIST SP 800-171 and CMMC 2.0 require continuous monitoring, audit-grade logging, and rapid incident response — capabilities that are operationally expensive for a small or mid-sized contractor to build internally. ProTelesis delivers managed cybersecurity as part of a single regional portfolio for Davis County, Utah businesses.

How does Hill Air Force Base influence the IT economy in Davis County, Utah?

Hill Air Force Base is the economic anchor of Davis County, Utah, employing more than 25,000 military, civilian, and contractor personnel and driving billions of dollars in regional economic activity each year. It hosts the 75th Air Base Wing and the Ogden Air Logistics Complex (OO-ALC), which performs depot maintenance and sustainment for the F-35, F-22, A-10, and ICBM programs. That mission pulls a dense ecosystem of defense primes, subcontractors, and aerospace suppliers into Layton, Clearfield, Syracuse, Kaysville, Farmington, and Bountiful — creating regional demand for compliance-grade managed IT, cybersecurity, network engineering, and secure communications that is materially different from a typical commercial market. ProTelesis serves that demand directly.