CMMC 2.0 done by people with actual defense industrial base experience
We run end-to-end CMMC 2.0 readiness for defense contractors and subs — Level 1 self-attestation, Level 2 C3PAO assessment readiness, and the SSP / POA&M / SPRS scoring machinery that contracting officers actually look at. NIST 800-171 aligned, scoped tightly to keep the budget defensible, and built to survive the assessor walk-through.
For the framework overview, see our blog: CMMC 2.0 Explained — what defense contractors need to know.
Who we work with
- Prime contractors with direct DoD contracts requiring CMMC Level 2 or 3.
- Sub-contractors with flowdown obligations from primes — often at Level 2 with a 110-control NIST 800-171 footprint.
- Manufacturing and aerospace SMBs handling CUI for the first time and trying not to scope their entire IT estate into the assessment.
- Software and engineering firms serving the defense industrial base who need CMMC alongside ITAR and DFARS obligations.
- MSPs and IT consultancies who refer or sub-contract CMMC work for their DIB clients.
What we deliver
- Scoping workshop. The single most expensive mistake at CMMC is over-scoping. We map where CUI actually lives, where it could leak, and what enclave architecture reduces the assessment footprint by 60-90%.
- Gap analysis against NIST 800-171. 110 controls, current implementation status, evidence inventory, and a documented remediation roadmap with cost estimates.
- System Security Plan (SSP). Not a template — your actual systems, your actual control implementations, written so an assessor reading it understands your environment within an hour. The SSP is the document.
- Plan of Action & Milestones (POA&M). Every gap, with a realistic remediation plan, owner, and target date. Under CMMC 2.0 only certain POA&M items are allowed at assessment time and must be closed within 180 days — we know which.
- SPRS scoring submission. Calculated against the 110-control deduction model, posted with a credible POA&M attached. Negative scores are a discriminator, not a disqualifier — but only with the right context.
- Control implementation. We don't just write the SSP — we stand up the actual controls. Access management, audit logging, configuration management, incident response, FIPS-validated cryptography where required.
- Pre-assessment dry-run. Internal walkthrough before a C3PAO walks in. We rehearse the assessment, identify weak evidence, and shore it up before the formal engagement.
- C3PAO coordination. We have working relationships with C3PAOs across price points. We help you select, schedule, and run the assessment day-of.
The three levels — who needs which
- Level 1 (Foundational). 17 basic safeguards from FAR 52.204-21. For contractors handling only FCI. Self-attested annually by a senior company official. The attestation carries personal liability.
- Level 2 (Advanced). 110 controls from NIST 800-171. For contractors handling CUI. Most contracts require triennial C3PAO assessment.
- Level 3 (Expert). Level 2 + a subset of NIST 800-172. For the highest-priority CUI. Triennial DIBCAC assessment.
Where contractors burn cash unnecessarily
- Scoping too broadly. If CUI is processed in one segmented enclave, assess the enclave — not your entire IT estate. Scope discipline cuts budget more than any other lever.
- Buying "CMMC-in-a-box" SaaS. Tools help; tools do not produce a working SSP, a credible POA&M, or assessor-ready evidence. The work is the work.
- Confusing FCI scope with CUI scope. Level 1 covers a much larger footprint with much cheaper controls. Level 2 covers a tightly scoped enclave with expensive controls. Mixing them blows up the budget.
- Skipping the dry-run. The first time a C3PAO walks in should not be the first time anyone outside the company has audited the SSP.
- FIPS-validated crypto. "We use AES-256" is not the same as "we use FIPS 140-2/3 validated AES-256." Assessors check.
Engagement structures
- Level 2 readiness, full build-out. 16-26 weeks. Scoping, gap analysis, SSP, POA&M, control implementation, dry-run, C3PAO coordination. Fee: $80K–$280K depending on starting maturity and enclave architecture.
- Level 1 self-attestation prep. 4-6 weeks. SSP, evidence binder, attestation guidance. Fee: $15K–$35K.
- Annual SPRS refresh + POA&M management. Monthly retainer keeping your score current and POA&M items moving toward closure.
- Pre-assessment dry-run only. 3-4 weeks. For contractors who built their program internally and want a third-party walkthrough before the C3PAO. Fee: $25K–$55K.
- Sub-flowdown advisory. When your prime is asking for evidence of your CMMC posture and you need to respond credibly without overcommitting.
What we will not do
- Help you scope around CUI you actually have
- Sell you "CMMC tooling" as a substitute for the work
- Write an SSP that does not describe your actual environment
- Sign attestation language as a senior official — that's yours
Available as referral or white-label
We deliver CMMC programs directly to defense contractors, sub-contract for IT service providers and MSPs whose clients have flowdown obligations, and partner with defense-focused law firms on contract review and remediation. Compensation negotiable per relationship; non-circumvention language standard.
Related
- NIST 800-171 Compliance — the foundation under CMMC L2
- ITAR Compliance — defense contractor companion obligation
- Defense Industrial Base Cyber Advisory — strategic DIB program development
- CMMC 2.0 Explained (blog)