CMMC Readiness for DoD Contractors
CMMC is now a contract requirement. If you handle Controlled Unclassified Information, you need to know where you stand before you bid.
We figure out what you actually have, what is missing, and how to close the gaps, without turning your IT environment upside down.
What CMMC Actually Requires
Three levels. Most contractors land at Level 2. That is where the real work is.
Level 1
- Annual self-attestation
- Based on FAR 52.204-21
- No third-party audit required
- Achievable with basic hygiene
Level 2
- NIST SP 800-171 alignment
- C3PAO or self-attestation per contract
- SSP and POA&M required
- SPRS score reported to DoD
- Where most contractors get stuck
Level 3
- Based on NIST SP 800-172
- Government-led assessment
- Reserved for highest-priority programs
- Most contractors will never need this
DFARS 252.204-7012: If you already hold a DoD contract, you likely have DFARS obligations today. Your SPRS score is visible to contracting officers before you bid. It matters.
Where Contractors Fail CMMC Audits
These are not edge cases. They show up in almost every engagement.
No System Security Plan
NIST 800-171 requires a documented SSP. It is the most common finding and signals to assessors that nothing else is going to go well either.
CUI Boundary Never Defined
You cannot protect what you have not scoped. Most contractors have CUI spread across email, shared drives, laptops, and cloud tools with no formal boundary.
MFA Gaps
MFA is required for privileged and remote access. Many contractors have carve-outs for specific users with no documented rationale or POA&M.
No Audit Logging
NIST 800-171 requires log generation, protection, and regular review. Most small contractors have no logging setup and scramble when it comes up.
No Incident Response Plan
You need a documented IR plan with evidence it has been tested. A template you downloaded and filed away does not cut it.
Patch and Config Drift
Unmanaged endpoints, vendor default configurations, and missing patches are among the first things assessors look for and also the easiest to fix.
How We Work Through This
Five steps, no surprises. You will know exactly where you stand at the end of each one.
Scoping and CUI Boundary
We define exactly what systems, people, and data touch CUI. Getting scope right is the most important decision you will make. A tighter scope means less work to get compliant.
Gap Assessment Against NIST SP 800-171
We go through all 110 practices together, domain by domain. For each one we call it: fully implemented, partially implemented, or not implemented. Scored honestly, not optimistically.
SSP and POA&M
We build your System Security Plan documenting what controls you have, how they work, and who owns them. Gaps become a Plan of Action and Milestones with real timelines.
Remediation
We prioritize gaps by risk and assessment timeline and work with your team or MSP to close them correctly, not just well enough to check a box.
Final Review Before Assessment
Before you bring in a C3PAO we do a full walkthrough of your evidence, SSP, and artifact quality. You should not be finding surprises during the real assessment.
What You Get
Everything an assessor will ask for, organized and ready.
CMMC Gap Assessment Report
Scored against every NIST SP 800-171 practice by domain. You will see exactly where you stand.
System Security Plan
A real SSP covering your CUI environment, system boundaries, and controls. Written to hold up under assessor scrutiny.
Plan of Action and Milestones
A POA&M with real owners and timelines for every open gap. Required for your SPRS submission and C3PAO assessment.
SPRS Score
Your accurate NIST 800-171 self-assessment score ready for SPRS submission. Know your number before a contracting officer pulls it.
Evidence Package
Organized policies, configurations, screenshots, and logs for assessor review. Not a pile of files, a structured package.
Remediation Roadmap
A prioritized list of what to fix and in what order based on risk and timeline. No guessing about where to start.
CUI Commander
CUI Commander helps organizations handling CUI see where they stand before an assessment.
It can check a computer, discover assets on your network, and generate reports and evidence files that help you find gaps and understand what needs to be fixed first.
It is a readiness tool, not a certification. It helps you identify gaps and document findings, but it does not replace your SSP, POA&M, legal review, or assessment.
* Not for consulting, MSSP, C3PAO, SaaS, or other third-party or client-facing use without a separate written license.
Who This Is For
Pursuing CMMC Level 2 certification
You have a DoD contract or are bidding on one that requires Level 2. You need to know where your gaps are and get a plan in place.
Small or mid-size contractors without an internal security team
Most DIB companies are small. They do not have a CISO or dedicated compliance person. You need someone who has done this without the cost of a full-time hire.
Contractors with an existing DFARS obligation
You submitted an SPRS score at some point. You want to know if it would survive scrutiny and what to do about the gaps before someone asks.
Companies getting CMMC added to an existing contract
You just received a contract modification or new solicitation with CMMC language. You need to understand what that means for your environment and timeline.
Know where you stand before your C3PAO does
A gap assessment is the starting point. Book a call and we will figure out where you are and what it takes to get ready.