For most small DoD contractors the Firewalla Purple SE is the best firewall to start with — it segments, logs, and hands you the boundary evidence an assessor asks for, with no monthly fee. If you want total control over the rules, run pfSense/OPNsense on a Protectli Vault. If you're scaling past 10 seats, standardize on the UniFi Dream Machine Pro. None of these are FIPS-validated, and for most shops that's fine — more on that below.
Almost every small contractor I talk to asks the firewall question backwards. They want to know which box "makes them CMMC compliant." No box does. A firewall satisfies a specific set of controls — segmentation, boundary protection, logging — and those are real, gradeable controls. But the right way to shop is to match the firewall to the size of your shop and the boundary you're actually defending, then document what it does honestly. Do that and you skip the part where a consultant charges you $30,000 to pick a router.
I've stood up these boundaries for shops running 6 people and shops running 60. The firewall is where compliance gets physical — it's the thing that enforces the line between your Controlled Unclassified Information and everything else. Get it right and the rest of your assessment gets smaller, because a clean, segmented boundary is what lets you scope CUI down instead of hardening your whole company. That scoping move is the single biggest cost lever you have, and I break it down in The CUI Enclave Method.
Below: what a CMMC firewall actually has to do, the three boxes I deploy and who each one is for, the remote-access piece nobody sells you until it's too late, and the honest limit on all of it.
CMMC Level 2 rests on the 110 controls in NIST SP 800-171. A firewall doesn't touch all of them — it touches a handful, and it touches them hard. If you know which ones, you know what to buy.
The firewall's job lives mostly in two control families. The first is SC — System and Communications Protection: monitor and control communications at the boundary of your network, and separate the systems that handle CUI from the ones that don't. That's segmentation. The second is AU — Audit and Accountability: create and keep logs of what crosses that boundary, so you can show an assessor who talked to what and when. Your ISP's combo modem can't do either of those honestly. That's the whole reason a real firewall is the first box on the list.
So the buying criteria come down to three things: can it carve a separate VLAN or physical segment for your CUI machines, can it enforce rules on traffic in and out of that segment, and can it produce a log you can export and hand over. Every box below clears that bar. What separates them is how much control you want, how much you want to manage, and how many seats you're growing into.
For a 2 to 10 person shop standing up its first CUI boundary, this is the box I reach for. The reason is simple: it does the compliance-relevant work — VLAN segmentation, intrusion detection, exportable activity logs — without demanding that you become a network engineer to run it. You configure it from a phone app, wall off the machines that touch CUI onto their own segment, and export the logs when the assessor asks. No monthly subscription, no cloud dependency you have to explain.
The fastest route to a real, segmented, logged boundary for a small enclave. VLAN segmentation to isolate CUI machines, built-in IDS/IPS, and exportable logs that give you the SC (System & Communications Protection) and AU (Audit & Accountability) evidence an assessor expects — managed from an app, with no monthly fee. For most small contractors this is the single highest-leverage box on the page.
Where it fits: the shop that wants the control satisfied without a project. If your team is small and nobody wants to babysit firewall rules, the Purple SE gets you a defensible boundary in an afternoon. The trade-off is that you're working inside Firewalla's interface and feature set — which is plenty for a small enclave, but it isn't the bare-metal control some technical shops want. For them, the next box.
When you want zero black boxes in your boundary and someone on the team is comfortable in a firewall interface, you run open-source pfSense or OPNsense on a dedicated appliance. The Protectli Vault VP2410 is the fanless little box I put it on. You define every rule yourself, tag VLANs exactly how you want them, and keep logs as verbose as your assessor could ever want to see.
A fanless mini-appliance built to run open-source pfSense or OPNsense — full control over firewall rules, VLAN tagging, and logging, with nothing proprietary sitting in your boundary. The pick for a shop with someone technical who wants to write the enclave rules explicitly and keep detailed logs for the SC and AU control families. More setup than the Firewalla; far more control once it's dialed in.
Where it fits: the shop that already has an IT-minded person and wants to own the boundary end to end. The upside is total transparency — you can document exactly what every rule does because you wrote it. The cost is time and skill. If nobody on your team enjoys reading firewall logs, the Protectli will feel like homework and the Firewalla is the smarter buy. But for a technical two-person shop, pfSense on a Protectli is a genuinely excellent, cheap, auditable boundary.
Once you're past a handful of seats — say 10 to 50 people, multiple VLANs, your own switching to manage — you want one platform that ties it together. The UDM Pro puts firewall, network controller, and central logging in a single rack unit with a management console your team can actually run day to day. It's the platform bigger contractors standardize on precisely because it documents cleanly as the environment grows.
Firewall, network controller, and logging in one rack unit for a larger, multi-VLAN environment. As you add seats and switches, the UDM Pro keeps segmentation documented cleanly across the whole network from a single console — the reason growing contractors standardize on it. Gives you the same SC and AU boundary evidence, at a scale the app-managed boxes aren't built for.
Where it fits: the shop that's outgrowing a single-box setup and needs one console the whole team can manage. If you're still six people around a couple of laptops, this is more platform than you need and the Firewalla wins on simplicity. But if you're adding people, adding switches, and the network is starting to sprawl, the UDM Pro keeps the boundary organized and the logs centralized — which is exactly what makes the assessment go smoothly.
Here's the gap I watch shops fall into. They buy a good firewall, segment the office beautifully — and then someone opens a CUI file from a hotel, a job site, or their kitchen table, and the whole boundary they just built doesn't reach that connection. The firewall protects the enclave. It does nothing for the laptop three states away.
That off-network connection still has to satisfy the same ideas: encrypt CUI in transit (SC family again) and control who's allowed in (AC — Access Control). The clean way to do that for a small shop is a business VPN with zero-trust access — and the one I recommend is NordLayer.
Encrypts every connection off your network — hotels, job sites, home offices — and gates access by identity with zero-trust rules, so a remote user reaches CUI through a controlled, encrypted tunnel instead of the open internet. This is the transmission-protection and access-control layer for anyone touching controlled data away from the office. Dedicated IPs, centralized policy, and a rollout a small team can actually manage make it the practical ZTNA pick for a contractor without an enterprise network group. Genuinely the piece I'd add the day a firewall goes in for any shop with remote workers.
If your whole team works from one building and CUI never leaves it, you may not need this yet. But the moment one person works remotely — and in most small contracts, someone does — the firewall alone leaves a hole an assessor will ask about. NordLayer closes it without you standing up your own VPN infrastructure.
I'll be straight with you, because writing this wrong in your SSP is how you fail an assessment while thinking you passed.
The good news: a lot of small shops don't need a FIPS-validated firewall at all. Whether an assessor expects FIPS-validated cryptography depends on how you scope CUI and how you protect it — and it's often cheaper and cleaner to satisfy the encryption boundary with FIPS-validated software than to buy an enterprise firewall. That's a whole decision on its own, and I lay out the honest answer in Do You Need a FIPS-Validated Firewall for CMMC? — read it before you spend a dollar on a Fortinet you may not need.
Strip away the spec sheets and it's a three-line decision:
Then, if anyone works off-site, add NordLayer so the boundary follows them. And before you spend anything, get your baseline: the free SPRS score estimator shows where you stand against the 110 controls in about two minutes, so you buy the boundary you actually need — not the one a consultant wants to sell you.
Picking the box is the easy half. The half that passes the assessment is the paperwork: a System Security Plan that describes your boundary, the 20 required policies, a POA&M template, and the per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.
For most small DoD contractors the Firewalla Purple SE is the best starting firewall: it delivers VLAN segmentation, intrusion detection, and exportable logs with no monthly fee, which covers the boundary-protection and audit evidence an assessor looks for. Shops that want full control over rules run Protectli/pfSense, and shops scaling past 10 seats standardize on the UniFi Dream Machine Pro.
No. A firewall satisfies specific controls — network segmentation, boundary protection, and logging in the SC and AU families — but CMMC Level 2 requires meeting all 110 NIST 800-171 controls, documenting them in a System Security Plan, and passing an assessment. The firewall builds and enforces your boundary. It is one piece of the picture, not the whole thing.
Not necessarily. Firewalla, UniFi, and pfSense are not FIPS 140-2 or 140-3 validated cryptographic modules — that's Fortinet, SonicWall, and WatchGuard territory. Whether an assessor expects FIPS-validated crypto depends on how you scope and encrypt CUI, and many small shops handle the encryption boundary with FIPS-validated software instead of a FIPS firewall. Read the full answer in our FIPS firewall guide.
Off-network access to CUI needs encrypted transmission and controlled access, which is where a business VPN or ZTNA service like NordLayer comes in. It encrypts every connection from a hotel, job site, or home office and gates access by identity, supporting the transmission-protection and access-control controls. The on-site firewall protects the enclave; the VPN extends that protection to anyone working off it.
Yes. Running pfSense or OPNsense on an appliance like the Protectli Vault gives you full control over firewall rules, VLAN tagging, and verbose logging — everything you need to build and evidence a segmented CUI boundary. It requires more setup and someone comfortable in the interface, but it puts zero black boxes in your boundary and keeps the logs the SC and AU control families ask for.
November 10, 2026 starts Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and affirmation language is already appearing in solicitations now, so building your boundary and documentation should be underway well before that date.