our services

“We take clients from zero to 110.”™

CMMC Readiness Assessments

Readiness assessments (also known as gap assessments or pre-assessments) identify your weaknesses before you subject your company to the unforgiving CMMC assessment process. When your bottom line rests on compliance, “maybe” does not suffice. We take your “maybes” to “mets.”

CMMC Level 2 assessments require strict compliance with the 110 controls set forth in NIST SP 800-171. A passing score is a perfect score. Is your company already at 110? Would you bet your government contracts on it? Allow our CMMC-trained experts to guide you there.

Unlike our competition, our readiness assessments don’t stop at “here are your problems.” We give you guidance on every control that could be deemed deficient, and we give you a path forward via a Plan of Action & Milestones (POAM).

Finally, we treat your compliance as if it were ours. We discuss all of your options, and we don’t coincidentally “sell the solution.” We are unbiased professionals, offering simply the best advice your company can retain.

CMMC Preparation and Remediation

On your path from zero to 110, our CMMC professionals help you convert every CMMC control from “maybe” to “met.” Our team of CMMC experts guides you there with our Remediation and Preparation services.

Not only do we go through every control, we log and categorize evidence of every aspect of your compliance, so your future assessment is smooth sailing. We also leave you with the most important item you could offer your future C3PAO assessor: a complete Compliance Package filled with the evidential artifacts your assessor will need. Created by an assessor, for an assessor. 

SPRS Scores

Supplier Performance Risk System (SPRS) scores are already required under DFARS 252.204-7019 and under many existing contracts with the DoD. They also happen to be closely aligned with the CMMC framework. We can guide you in your SPRS score submissions. 

Strategy

Not only do we perform assessments of government contractors, we have been company executives and government contractors ourselves. We know your challenges. Engage us to strategize your pursuit of business before the government. 

top questions

CMMC is an acronym for the Cybersecurity Maturity Model Certification framework that the Department of Defense has implemented for all contractors. The intention of the CMMC framework is to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that may be possessed by contractors in performance of their work for the DoD.

More information can be found at the DoD site: https://dodcio.defense.gov/CMMC/ 

A Defense Industrial Base contractor that handles CUI will most likely require a Level 2 certification. In order to pass a Level 2 certification, a contractor must demonstrate that it is compliant with 110 controls that are laid out in NIST Special Publication (SP) 800-171. 

All 110 controls need to be “Met” — or considered Not Applicable — to receive a CMMC Level 2 Certification. However, under the current framework (CMMC 2.0), a Plan of Action & Milestones (POAM) is permitted for certain controls, allowing companies an additional 180 days to achieve compliance IF they met at least 80% of the controls at the time of the assessment.

CUI stands for Controlled Unclassified Information — information that requires safeguarding or dissemination controls by law, regulations, and government-wide policies. CUI is not classified information, but is considered sensitive and therefore needing protection. An example of CUI could be an engineering drawing or the specifications for a portion of a warplane. 

More information on CUI can be found at the National Archives and Records Administration, which was designated as the Executive Agent of CUI by Executive Order 13556.

Each control under the CMMC framework has at least one objective. An objective is the specific requirement that is to be achieved by the contractor being assessed. A total of 320 objectives are found throughout the 110 controls in a Level 2 Assessment.

For example, one of the six objectives found in AC.L1-3.1.1 – Authorized Access Control is “Determine if authorized users are identified.” An assessor must confirm that a contractor satisfies this objective in order to pass a CMMC Level 2 assessment.

This is one of the most frequently asked questions, and the answer is a firm “it depends.” The national average is currently 12-18 months. However, we know that we can do our part far faster, and we work with some extremely competent partners that can speed up compliance to just a few months. Let’s discuss your unique situation and see how fast we can get you there.