Rio Router on a workbench in a small manufacturing shop.

CMMC Level 2 certification becomes mandatory in 155 days.
Are you ready?

Rio is a $249 cybersecurity router that addresses the network-layer controls in NIST 800-171. No IT staff required. No Chinese components. Deploys in under an hour.

Get Rio See the NIST 800-171 control mapping

Designed in USA. Manufactured in Taiwan. No Chinese backdoor risk.

“Having the Rio Cybersecurity Router has reduced the workload of complying with the many differing cybersecurity requirements I must meet as a government subcontractor. I thank you for the commitment to cybersecurity, and keeping the pricing within a small business’s budget.”

Defense Subcontractor Government Prime Supplier
CMMC enforcement timeline: Phase 1 active Nov 10 2025, Phase 2 third-party cert required Nov 10 2026, Phase 3 and 4 follow.

The deadline isn't coming. It's already here.

  • Phase 1 is active now. CMMC clauses are appearing in new DoD solicitations as of November 10, 2025.
  • Phase 2 lands November 10, 2026. Third-party Level 2 certification becomes mandatory for most CUI contracts.
  • C3PAO assessments take 6-12 months. Contractors who wait until 2026 to start will not be ready.
  • In scope: Anyone handling CUI (drawings, specs, contract data, supplier details). Including subs on a prime's network.
See how Rio maps to NIST 800-171 →

CMMC was not written for small shops.

NIST 800-171 has 110 controls across 14 families. The guidance assumes you have an IT team, a SIEM, and a six-figure compliance budget. Most small DIB contractors have none of those things.

$50,000 - $400,000
Industry estimate: full Level 2 certification cost for a small business
$249
Rio

A significant portion of certification cost is network infrastructure.
Rio handles that layer for $249.

Get Rio
Defense supply chain pyramid: Prime contractor at top, Tier 1 subcontractor in the middle, Tier 2 subcontractor at the base — CMMC requirements flow down to every tier.

"My prime handles it" is not a strategy.

Under 32 CFR 170.23, primes must flow down CMMC requirements to every subcontractor tier that handles FCI or CUI. Primes are legally responsible for verifying sub compliance before sharing covered data.

No marketing fluff

What Rio actually covers.

CMMC Level 2 has 110 controls. A router can only address the network-layer ones. Here are the controls Rio addresses, what they typically cost to satisfy without Rio, and how Rio handles each. The full mapping is downloadable below.

NIST 800-171 Control What it requires Typical cost / effort How Rio handles it
3.13.1
Boundary protection		 Monitor and control communications at the network boundary. $5K-$15K firewall + integrator Stateful firewall configured out of the box.
3.13.5
Subnet segmentation		 Separate publicly accessible systems from internal CUI networks. Managed switch + VLAN engineer SecureRoom creates up to 16 isolated VLANs.
3.13.6
Deny by default		 Network traffic denied by default, allowed only by exception. Manual firewall ruleset by consultant Zero-Trust allowlisting enabled by default.
3.13.7
No split tunneling		 Remote devices can't bypass the protected network path. Enterprise VPN + endpoint config Always-on VPN routes 100% of traffic.
3.1.14
Managed access point		 Remote access routed through a single managed gateway. SD-WAN appliance + managed service Rio is the single managed access control point.
3.1.16
Wireless authorization		 Authorize wireless access before allowing connection. Enterprise Wi-Fi controller + RADIUS Admin approves every device in the app.
3.1.17
Wireless encryption + auth		 Protect wireless via authentication and encryption. Enterprise AP refresh ($2K+/AP) WPA3 + allowlisting + always-on VPN.
3.1.18
Mobile device control		 Control connection of mobile devices. MDM seat licenses ($5-$10/user/mo) Phones and laptops blocked until approved.
3.1.20
External connections		 Verify and control connections to external systems. Outbound proxy + monitoring service Deny-by-default + monitored VPN egress.

Rio addresses 9 of the 110 NIST 800-171 controls — the network-layer ones. You still need policy, training, endpoint, identity, and physical controls for the rest. We tell you exactly which controls remain so you don't get blindsided in an audit. Download the full mapping below.

Download full control mapping (PDF) See pricing

Rio is the network layer of your CMMC plan.

Rio is a cybersecurity router built for small businesses that cannot afford an enterprise security stack. It ships with the controls turned on.

Smartphone showing Rio VPN status: all 14 devices tunneled, beside a Rio Router on a desk.

Always-on VPN

Every device tunneled by default. Supports encryption-in-transit requirements without per-device config.

Rio admin app showing a new unrecognized device requesting access, with approve and deny options.

Zero-Trust Isolation

Each device treated as untrusted until verified. Supports access control and system integrity requirements.

Workshop with network segmented into CUI zone, office zone, and guest zone, centered on a Rio Router.

SecureRoom Segmentation

Separate CUI-handling machines from the office printer and guest wifi. No managed switches required.

$249 per unit.
Get Rio
Before and after network topology: a flat consumer-router network with CUI exposed beside guest devices, versus a Rio network with isolated CUI, office, and guest segments.

From a flat network to a segmented one.

  • Rio replaces your existing router. It sits behind your ISP's modem in the same spot.
  • Your existing devices keep working. Printers, phones, tablets, wifi: no rewiring.
  • Segmentation is automatic. SecureRoom handles it. No VLAN setup, no managed switches.
  • One Rio per site for typical small-business deployments. Multi-site uses one per location.
  • Setup under an hour. You or your MSP can install it. Free setup support available for contractor orders.
Rio configuration dashboard annotated with mapped NIST 800-171 controls.

Rio produces the artifacts your C3PAO will ask for.

A CMMC assessor asks for evidence that controls are implemented. Rio outputs configuration reports and network segmentation documentation you hand directly to your assessor. The public control mapping shows which artifacts Rio produces for each control.

A product that addresses a control but can't produce evidence of it will still cost you time during the audit. Rio is designed so your assessor can verify the network layer from documentation alone.

Why not a Meraki or a Ubiquiti?

Enterprise mesh systems are capable products. If you have a network engineer on staff and budget for licensed controllers, they're reasonable choices. Most small DIB contractors don't.

Consumer Router Enterprise Mesh Rio
CMMC controls pre-configured No Requires setup Yes
Network engineer required Not capable Required Not required
Recurring license cost None Yes None
Verifiable supply chain Often Chinese-owned Varies US company, Taiwan manufacturing
Cost $50 - $300 $1,000s + licensing $249

If you already have enterprise gear and a team to configure it, you may not need Rio. If you don't, Rio is the shorter path.

Supply chain comparison: Rio path (US Company → Taiwan manufacturing → Your shop, no PRC risk) versus typical consumer router path (Chinese parent subject to PRC Intelligence Law → China manufacturing → Your shop, supply chain risk).

Made where it matters.

  • Rio is a US company. Hardware manufactured in Taiwan. No Chinese entity in ownership, supply chain, or firmware.
  • This is structural, not marketing. Chinese-headquartered companies are subject to the PRC National Intelligence Law. US companies are not.
  • If your CUI touches a Chinese-owned router, you have supply chain risk. Most consumer and small-business routers cannot make Rio's claim.
Why this matters for CMMC

The PRC National Intelligence Law (2017) requires any Chinese citizen or organization to support, assist, and cooperate with national intelligence work. For a Chinese-headquartered electronics company, this creates a legal obligation that cannot be contracted around. A router made by a Chinese-owned company cannot guarantee the absence of state-directed access, because the guarantee itself would violate PRC law. For a DIB contractor handling CUI, this is not a marketing comparison. It's a supply chain risk that Rio's corporate and manufacturing structure avoids by design.

John Hui, Founder and CEO of Rio Router.

John Hui, Founder & CEO

Former CSO, Foxconn. Former CEO, eMachines and Packard-Bell. Rio was built because the small-business router market was delivering enterprise risks on consumer hardware.

Learn more about Rio →

FROM THE FIELD

Already running in defense supply chains.

Short reports from early Rio deployments. Identities withheld until named case studies are approved for release.

Aerospace Tier 2 machining shop with Rio Router on steel worktable, CNC mill and CMM in background.
Case 01

Aerospace Tier 2 subcontractor

Kept a prime contract they were about to lose.

Prime's compliance team flagged their flat network as a Level 2 blocker. They deployed Rio the same week. CUI machines moved into a dedicated SecureRoom. Network documentation handed to the C3PAO at pre-assessment.

DoD Tier 2 . CMMC Level 2 scope

Precision finishing operation with QC checklist monitor and Rio Router near a plating line.
Case 02

Precision finishing operation

Solved encryption-in-transit in one afternoon.

They needed SC-8 handled before their C3PAO visit. Rio's always-on VPN became the baseline control in their System Security Plan. No per-device agents, no MSP engagement required.

CMMC Level 2 . single-site SMB

Compliance consultant's home office with laptop, NIST 800-171 document, and Rio Router on bookshelf.
Case 03

Former federal cybersecurity professional

Deploys Rio for every DIB client she takes on.

Career federal cybersecurity professional turned compliance consultant. Won't recommend infrastructure she hasn't verified. Runs Rio in her own practice and installs it as the network baseline for every small-DIB client.

Independent practitioner . Multi-client deployments

Named case studies in development. Contact us to speak directly with a current customer about their deployment.

Is Rio right for your role?

Small machine-shop owner in Carhartt jacket at his workbench with a Rio Router on the bench.

Small manufacturer or subcontractor

You run a shop. A DoD prime is one of your customers. You've been getting CMMC emails for two years. Rio handles the network layer. One purchase, one setup, one documented line item in your compliance file.

IT staffer at a multi-monitor workstation in a defense manufacturing facility with a Rio Router on her shelf.

IT-responsible staff at mid-size DIB

Rio deploys per-site without a controller, segments networks without layered VLANs, and gives you a consistent baseline across locations you can't always visit. Control mapping shows your assessor exactly what Rio covers.

MSP technician at a service van with a rugged laptop and a row of Rio Routers ready for client installs.

MSPs and IT service providers

Your manufacturing clients are asking about CMMC. Rio is a product you can deploy, bill for, and support. Not a service line you have to staff. MSP partner pricing available.

Compliance consultant in a client meeting with a Rio Router on the credenza as a reference unit.

Compliance consultants and RPOs

Rio is a product your clients can purchase as part of their network infrastructure. The public control mapping makes assessment scoping easier. Designed to remove the "what router should we buy" question from your engagements.

Frequently asked questions

Is Rio CMMC certified?

Products don't get CMMC certified. Organizations do. Rio addresses specific NIST 800-171 controls your organization will be assessed against. The control mapping shows which ones.

Does Rio replace my MSP or my compliance consultant?

No. Rio is network infrastructure. You still need policy, documentation, training, and an assessor. Rio makes the network section of your NIST 800-171 work straightforward.

Will Rio replace my existing router?

Yes. Rio sits behind your ISP's modem in the same spot your current router occupies. Your existing devices continue to work.

How many Rios do I need?

One per site for most small-business deployments. Contact us if your location is unusually large or has specific network requirements.

What if my assessor rejects Rio?

If your C3PAO assessor determines that Rio, properly configured, does not address the controls we've mapped in the NIST 800-171 control mapping document, contact us within 90 days of your assessment with the assessor's written finding. We'll work with you and your assessor to resolve the gap, and if we can't, we'll refund your purchase.

What if I already have a router?

If your current router is from a Chinese-owned company, it's a supply chain risk regardless of its features. If it's from a US or allied-country company but doesn't support segmentation, always-on VPN, or device-level isolation, you will likely need to upgrade to meet Level 2 requirements.

What about FedRAMP, FIPS 140-2, or other certifications?

Ask us directly. Requirements vary by contract and the type of CUI you handle. We will tell you honestly whether Rio fits.

Start with the network.

Rio is $249. Ships in days. Deploys in under an hour. One line item off a workload of dozens.

Get Rio Download the control mapping