CMMC Consulting

CMMC Readiness for DoD Contractors

CMMC is now a contractual requirement for DoD contractors that handle Controlled Unclassified Information: the CMMC program rule (32 CFR Part 170) is in effect and the DFARS clause that puts it in contracts (252.204-7021) is being phased into solicitations. If you are in the Defense Industrial Base or trying to get there, you need to know where you stand before you bid on a contract.

We help you figure out what you actually have, what is missing, and how to close the gaps without turning your IT environment upside down.

What CMMC Actually Requires

CMMC 2.0 has three levels. Most contractors land at Level 2 and that is where the real work is.

CMMC Level 1 (15 practices)

Basic cyber hygiene for contractors handling Federal Contract Information. The 15 practices are the basic safeguarding requirements of FAR 52.204-21. You self-assess every year and a senior company official affirms the result in SPRS. Straightforward for most companies that are paying any attention to security.

CMMC Level 2 (110 practices)

The 110 security requirements of NIST SP 800-171 Revision 2 for contractors that handle CUI. Depending on the contract, you will need either a certification assessment by a C3PAO or a self-assessment; both are valid for three years with an annual affirmation in SPRS. This is where most contractors get stuck and where we spend most of our time.

CMMC Level 3 (110 plus 24 practices)

Reserved for contractors on the most sensitive DoD programs. Adds 24 requirements selected from NIST SP 800-172 on top of a Level 2 certification, assessed by the government (DCMA DIBCAC) rather than a C3PAO. Most contractors will never need this.

DFARS 252.204-7012 and Your SPRS Score

If you already hold a DoD contract with DFARS 252.204-7012 in it, you have obligations right now: implement NIST SP 800-171 and, under 252.204-7019 and 7020, post a current self-assessment score in the Supplier Performance Risk System. The score comes from the DoD Assessment Methodology: you start at 110 and lose 1, 3 or 5 points for every requirement that is not fully implemented, so the range runs from 110 down to -203, and a POA&M entry does not earn the points back. Contracting officers pull this score before award. It matters.

Where Contractors Fail CMMC Audits

These are not edge cases. They show up in almost every engagement.

No System Security Plan

NIST SP 800-171 requires a documented SSP (3.12.4). It is the most common finding in assessments, and it signals to assessors that nothing else is likely to go well either. Under the DoD Assessment Methodology, no SSP means the assessment cannot produce a score at all.

CUI Boundary Never Defined

You cannot protect what you have not scoped. The CMMC Level 2 Scoping Guide expects every asset to be categorized (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out of scope) and the boundary to be documented in the SSP. Most small contractors have CUI spread across email, shared drives, laptops, and cloud tools with no formal boundary anywhere.

MFA Gaps

NIST SP 800-171 3.5.3 requires MFA for local and network access to privileged accounts and for network access to all other accounts, not just for admins and VPN users. Many contractors have it partially deployed or have carve-outs for specific users with no documented rationale. MFA is a 5-point practice that cannot sit on a POA&M at Level 2, so an undocumented carve-out is a failed practice, not an open item.

No Audit Logging

NIST SP 800-171 (3.3.1 through 3.3.9) requires that you generate audit records, protect them from tampering and deletion, and actually review them on a defined schedule. Most small contractors have no central logging at all and scramble when it comes up in an assessment.

No Incident Response Plan

You need a documented IR plan (3.6.1), a reporting process that meets the DFARS 252.204-7012 requirement to report cyber incidents to DoD within 72 hours (3.6.2), and real evidence the capability has been tested (3.6.3). A template you downloaded and filed away does not cut it.

Patch and Config Management

Unmanaged endpoints, vendor default configurations, and missing patches (3.4.1, 3.4.2, 3.14.1) are some of the first things assessors look at. They are also some of the easiest to fix.

How We Work Through This Together

Scoping and CUI Boundary

We start by defining exactly which systems, people, and data touch CUI and where the boundary around them is enforced. Getting scope right is the most important thing you can do: it determines everything else, and a tighter boundary (a segmented CUI enclave rather than the whole company network) means less work to get compliant.

Gap Assessment Against NIST SP 800-171

We go through all 110 requirements together, domain by domain. For each one we call it fully implemented, partially implemented, or not implemented, noting which NIST SP 800-171A assessment objectives fail. We score it honestly, not optimistically: for the SPRS score, partial counts as not implemented except for the two practices (MFA and FIPS-validated encryption) where the methodology gives partial credit.

SSP and POA&M

We build out your System Security Plan documenting what controls you have, how they work, and who owns them. For anything not yet in place, we build a Plan of Action and Milestones with real timelines.

Remediation

We prioritize gaps by risk and how close your assessment timeline is. We work with your internal team or your MSP to close them correctly, not just well enough to check a box.

Final Review Before Assessment

Before you bring in a C3PAO we do a full walkthrough of your evidence against the NIST SP 800-171A assessment objectives, your SSP, and your artifact quality. You should not be finding surprises during the real assessment.

What You Get

CMMC Gap Assessment Report

Scored against every NIST SP 800-171 practice by domain. You will see exactly where you stand and what needs to happen before an assessment.

System Security Plan

A real SSP covering your CUI environment, system boundaries, and implemented controls. Written to hold up under assessor scrutiny.

Plan of Action and Milestones

A POA&M with real owners and real timelines for every open gap. Your SPRS entry needs the date by which all 110 requirements will be implemented, which comes from this document, and at a Level 2 assessment only 1-point items (plus FIPS-validated encryption at 3 points) may stay open on a POA&M, with 180 days to close them out.

SPRS Score

Your NIST SP 800-171 self-assessment score ready for SPRS submission, together with the assessment date, scope, and SSP date the entry requires. You should know your number before a contracting officer pulls it.
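The scoring rules behind the SPRS number, the gap-assessment statuses above, and the POA&M limits at a Level 2 assessment are mechanical enough to put in code. The calculator below is an added example, not the page's own tool and not a DoD-published one. It encodes the DoD Assessment Methodology rules as described (start at 110, subtract 1/3/5 per unimplemented requirement, partial credit only for 3.5.3 and 3.13.11, no score without an SSP) and the 32 CFR 170.21 conditions for a conditional Level 2 status. The weight table is a subset I transcribed for illustration; practices not listed get a placeholder weight of 1, so fill in the full Annex A table from the methodology before using it for a real submission. The SAMPLE_GAPS statuses are constructed to mirror the failure modes listed earlier on this page.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility calculator (illustrative example).

Rules encoded:
  * Score = 110 minus the weight (1, 3 or 5) of every requirement that is not
    fully implemented. The floor of the real methodology is -203.
  * Partially implemented counts as not implemented, except 3.5.3 (MFA only for
    privileged/remote users) and 3.13.11 (encryption present but not
    FIPS-validated), which each lose 3 points instead of 5.
  * No System Security Plan (3.12.4) means the assessment cannot be scored.
  * A POA&M entry never restores points.
  * Conditional Level 2 (32 CFR 170.21): score >= 88 (80% of 110), no open item
    worth more than 1 point except 3.13.11 at 3, and none of 3.1.20, 3.1.22,
    3.10.3, 3.10.4, 3.10.5 open.
"""
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"


MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88  # 0.8 * 110, rounded up

# ASSUMPTION: a subset of the methodology's weight table, transcribed for this
# example. Unlisted practices default to 1 below; replace with the full table.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.3": 1, "3.4.1": 5, "3.5.3": 5, "3.5.7": 1,
    "3.6.1": 5, "3.6.3": 1, "3.8.3": 5, "3.12.4": 5, "3.13.11": 5, "3.14.1": 5,
}
# Only these two practices get reduced deductions for partial implementation.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# Practices that may never be left open on a Level 2 POA&M regardless of weight.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(practice: str, status: Status) -> int:
    """Points lost for one practice given its gap-assessment status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and practice in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[practice]
    return WEIGHTS.get(practice, 1)  # placeholder weight for unlisted practices


def can_be_scored(statuses: dict) -> bool:
    """The methodology refuses to score an assessment with no SSP (3.12.4)."""
    return statuses.get("3.12.4", Status.IMPLEMENTED) is Status.IMPLEMENTED


def sprs_score(statuses: dict) -> int:
    """statuses maps practice id -> Status. Practices not present are treated as
    implemented, so an empty dict scores a perfect 110."""
    if not can_be_scored(statuses):
        raise ValueError("3.12.4: no System Security Plan; assessment cannot be scored")
    return MAX_SCORE - sum(deduction(p, s) for p, s in statuses.items())


def poam_blockers(statuses: dict) -> list:
    """Open items that disqualify a conditional Level 2 status, sorted."""
    blockers = []
    for practice, status in statuses.items():
        lost = deduction(practice, status)
        if lost == 0:
            continue
        fips_exception = practice == "3.13.11" and lost == 3
        if practice in NEVER_POAM or (lost > 1 and not fips_exception):
            blockers.append(practice)
    return sorted(blockers)


def conditional_level2_eligible(statuses: dict) -> tuple:
    """Returns (eligible, score, blockers) per the 32 CFR 170.21 conditions."""
    score = sprs_score(statuses)
    blockers = poam_blockers(statuses)
    return (score >= CONDITIONAL_MIN_SCORE and not blockers, score, blockers)


# Constructed sample mirroring the common findings on this page.
SAMPLE_GAPS = {
    "3.12.4": Status.IMPLEMENTED,       # SSP exists, so scoring is possible
    "3.3.1": Status.NOT_IMPLEMENTED,    # no audit logging at all
    "3.3.3": Status.NOT_IMPLEMENTED,    # logged events never reviewed/updated
    "3.5.3": Status.PARTIAL,            # MFA for admins and VPN only
    "3.13.11": Status.PARTIAL,          # TLS everywhere, modules not FIPS-validated
    "3.6.3": Status.NOT_IMPLEMENTED,    # IR plan never tested
}

if __name__ == "__main__":
    ok, score, blockers = conditional_level2_eligible(SAMPLE_GAPS)
    print(f"SPRS score: {score}")  # 97: looks healthy, but...
    print(f"Conditional Level 2 eligible: {ok}; blockers: {blockers}")
```

The sample scores 97, which most contracting officers would read as healthy, yet it cannot receive even a conditional Level 2 status: the missing audit logging (5 points) and the MFA carve-out (3 points, and not the FIPS exception) both have to be closed before the assessment, not placed on a POA&M. Run `sprs_score` on a dictionary with 3.12.4 marked not implemented and it refuses to produce a number, which is exactly what an assessor will do.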

Evidence Package

Organized policies, configurations, screenshots, and logs ready for assessor review. Not a pile of files but a structured package.

Remediation Roadmap

A prioritized list of what to fix and in what order based on risk and timeline. No guessing about where to start.

Who This Is For

Contractors pursuing CMMC Level 2 certification

You have a DoD contract or you are bidding on one that requires Level 2. You need to know where your gaps are and get a plan in place.

Small and mid size contractors with no internal security team

Most DIB companies are small. They do not have a CISO or a dedicated compliance person. You need someone who has done this before without the cost of a full time hire.

Contractors who already have a DFARS obligation

You submitted an SPRS score at some point. You want to know if it would actually survive scrutiny and what to do about the gaps before someone asks.

Companies getting CMMC added to existing contracts

You just got a contract modification or a new solicitation with CMMC language in it. You need to understand what that actually means for your environment and how long it will take to get there.

Know where you stand before your C3PAO does

A gap assessment is the starting point. Book a call and we will figure out where you are and what it takes to get ready.