For Defense Contractors

The CMMC requirement is real. The deadline is real.
The path forward doesn't have to be a mystery.

We do CMMC implementation for the businesses that need it but aren't compliance shops — small and mid-sized defense contractors and subs whose prime sent them a clause and a calendar.

Built for: L1, L2, L3
Output: C3PAO-ready posture
Included: SPRS submission support
Where most contractors are

Three places we usually find people.

If one of these sounds familiar, you're not behind. You're somewhere along the path most defense contractors are walking right now.

01

Your prime sent you the requirement. You have a year, maybe less.

A flow-down clause showed up in your last contract. The prime is asking when you'll be ready. You've read enough to know it's a real thing — and that "compliant" isn't a checkbox. You don't need to be sold on it. You need to know what to do Monday.

02

You started the self-assessment and got buried in 110 controls.

A spreadsheet from someone's cousin. A consultant who left. A POA&M with 47 items on it that hasn't been touched in six months. You know it's not done. You're not sure what "done" even looks like.

03

Your SPRS score isn't what you thought it was.

Maybe a partner ran the math. Maybe an auditor walked through. Either way, the number you reported isn't the number that holds up. You need to fix it before it becomes a False Claims Act problem, and the path is a lot less dramatic than it sounds.

What we actually do

Six concrete pieces of work. Done in plain language.

Compliance vendors love acronyms. Auditors love evidence. We translate between the two.

Boundary scoping.

What's actually in your CUI environment? Most subs scope wrong, and the wrong scope is the most expensive mistake in the program. We map it tight: which assets process, store or transmit CUI, which assets protect them, which are specialized or contractor-risk-managed, and which are genuinely out of scope. We defend that boundary clearly and shrink the assessment surface to the work that matters.

System Security Plan (SSP).

The document the auditor reads first. Get it right or pay for it later. Our SSPs are written by people who've watched assessors read them — they're specific, defensible, and don't read like a template someone forgot to fill in.

POA&M and remediation plan.

What's broken, what you'll fix, in what order, by when. Defensible to an assessor. Followable by your team. Not a 47-item spreadsheet that's been stale for six months.

GCC High decision.

Most don't need it. Some absolutely do. We'll tell you which one you are before you spend the money — and if you do need it, we'll handle the migration without losing six months of productivity.

SPRS submission support.

The score that determines whether you can bid. We help you submit a number you can defend, not a number you wish were true — and rebuild it cleanly if your last submission won't survive scrutiny.
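The "number you can defend" is not a judgment call; it is arithmetic defined by the NIST SP 800-171 DoD Assessment Methodology. The following is an added example (not the firm's tooling and not from the original page) that works the calculation through: start at 110, subtract each unimplemented requirement's weight (1, 3 or 5), floor at -203, give the two partial-credit requirements (3.5.3 MFA and 3.13.11 FIPS-validated cryptography) their reduced deduction of 3, and refuse to score at all when 3.12.4 (the SSP) is not met, because without an SSP no assessment can be performed. The weight table is an illustrative excerpt and is an assumption; the status vocabulary and the sample findings are constructed. Confirm every weight against Annex A of the methodology before relying on a result.

```python
"""Worked SPRS score calculation (added example, not the page's own tooling).

Arithmetic of the NIST SP 800-171 DoD Assessment Methodology: start at 110,
subtract the weight of every requirement that is not implemented, floor at -203.
"""
from dataclasses import dataclass
from typing import Iterable

MAX_SCORE = 110
MIN_SCORE = -203

# Illustrative excerpt of Annex A weights (ASSUMPTION: verify against Annex A).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.8.3": 5, "3.13.11": 5, "3.14.2": 5,
}

# The only two requirements with partial credit: "partial" still costs 3 points
# (MFA only for remote/privileged users; encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

SSP_REQUIREMENT = "3.12.4"  # no SSP means the assessment cannot be performed

STATUSES = ("implemented", "partial", "not_implemented")  # constructed vocabulary


@dataclass(frozen=True)
class Finding:
    control: str
    status: str


class NoSSPError(ValueError):
    """Raised when 3.12.4 is not met: there is no score to report."""


def deduction(finding: Finding) -> int:
    """Points subtracted for one requirement."""
    if finding.status not in STATUSES:
        raise ValueError(f"unknown status {finding.status!r} for {finding.control}")
    if finding.status == "implemented":
        return 0
    if finding.control not in WEIGHTS:
        raise KeyError(f"{finding.control}: weight not in table, look it up in Annex A")
    if finding.status == "partial":
        # Every requirement other than 3.5.3 and 3.13.11 is all-or-nothing:
        # "partially implemented" is scored as not implemented.
        return PARTIAL_CREDIT.get(finding.control, WEIGHTS[finding.control])
    return WEIGHTS[finding.control]


def sprs_score(findings: Iterable[Finding]) -> int:
    """Compute the SPRS score for a set of assessment findings."""
    findings = list(findings)
    ssp = [f for f in findings if f.control == SSP_REQUIREMENT]
    if ssp and ssp[0].status != "implemented":
        raise NoSSPError("3.12.4 not met: without an SSP no assessment can be performed")
    total = sum(deduction(f) for f in findings if f.control != SSP_REQUIREMENT)
    return max(MIN_SCORE, MAX_SCORE - total)


def score_gap(reported: int, findings: Iterable[Finding]) -> int:
    """How far the number in SPRS sits above what the evidence supports (0 if it holds)."""
    return max(0, reported - sprs_score(findings))


# Constructed sample findings: everything not listed is treated as implemented.
SAMPLE_FINDINGS = [
    Finding("3.12.4", "implemented"),       # SSP exists, so scoring is possible
    Finding("3.5.3", "partial"),            # MFA for admins and VPN only: -3
    Finding("3.13.11", "not_implemented"),  # no FIPS-validated crypto at all: -5
    Finding("3.1.3", "not_implemented"),    # no CUI flow control: -1
    Finding("3.3.1", "implemented"),        # audit logging in place: 0
]

if __name__ == "__main__":
    score = sprs_score(SAMPLE_FINDINGS)
    print(f"defensible score: {score}")                 # 110 - 9 = 101
    print(f"overstated by: {score_gap(110, SAMPLE_FINDINGS)} points")
```

The two checks a practitioner wants are built in: a POA&M item is still a deduction (the methodology gives no credit for planned work), and a "partially implemented" entry on anything other than 3.5.3 or 3.13.11 is scored as not implemented, which is where most self-reported scores drift upward.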

Pre-assessment audit.

The mock C3PAO before the real C3PAO. Find the gaps when they're cheap to fix, not when an assessor is on the clock. You don't fail an audit you've already taken.

How we work

Three things you won't get from a checkbox vendor.

01

We've built the SSPs that auditors approve.

Not templates someone forgot to fill in. Not 80-page Word documents written for the auditor's eye but useless to your operations team. Real System Security Plans, written by people who've watched assessors read them line by line, asked the questions, and watched the answers hold up.

02

We bid against the right scope, not your last invoice.

Most CMMC budgets are wrong because the scope is wrong. We size to the work, not the wallet — which sometimes means we tell you it's bigger than your last vendor said, and sometimes means we tell you it's smaller. Either way, you get a number you can actually plan against.

03

We sit in the C3PAO calls with you.

The assessment isn't an interrogation when your partner is in the room with the answers ready. We've defended controls in real assessments. We know which questions get asked. We know which evidence the assessor wants to see, and we know how to translate "we have backups" into what they're actually looking for: the backup policy, the schedule, where the copies live and how they're protected, and the date of the last tested restore.

Questions we get every week

The questions defense contractors actually ask us.

Bring better questions to the readiness call and we'll go further. These are the starters.

Do I really need GCC High?
Most subs don't, despite what their primes sometimes claim. GCC High is required when you handle ITAR-controlled CUI or other export-controlled data. For garden-variety CUI under DFARS 252.204-7012, a properly configured Microsoft 365 GCC tenant can be enough, provided the cloud service meets the clause's FedRAMP Moderate (or equivalent) requirement and you document the shared responsibility in your SSP. The real question is what kind of CUI you actually handle, and most subs are surprised to find their primes can't tell them. We figure that out before you spend $50–200k on a migration you may not need.
What's the difference between Level 1 and Level 2?
Level 1 covers basic safeguarding of FCI (Federal Contract Information): the 15 requirements of FAR 52.204-21, self-assessed and affirmed annually. Level 2 covers protection of CUI (Controlled Unclassified Information): the 110 requirements of NIST SP 800-171, assessed every three years with an annual affirmation in between. Some Level 2 contracts allow a self-assessment, but if your prime expects a certification you should plan for a C3PAO assessment. If your contract has DFARS 252.204-7012 or any clause referencing CUI, you're L2. Most subcontractors discover they're L2 the moment they actually read the clauses in their existing contracts.
Can I prep for the audit myself?
You can. We don't recommend it for L2. A 110-control assessment is a 6–12 month internal project that pulls your senior IT and operations people away from revenue-generating work. The math rarely favors it for businesses under 500 employees: by the time you've spent the internal hours, you've spent more than the engagement would've cost, and you still have to hire a C3PAO. For an L1 self-assessment, sure, you can run it yourself. We can help you make it defensible.
What's the realistic timeline?
For L2: six to eighteen months from a standing start to assessment-ready. The variance is mostly remediation, not documentation. If your environment is mostly cloud-based and reasonably well-managed, six months is real. If you've never properly tackled identity management, MDM, backup, or logging, plan on twelve to eighteen. Add another two to four months if you decide to migrate to GCC High mid-stream.
What does this actually cost?
Implementation typically runs $50–300k for L2 in a small or mid-sized environment, including remediation. The C3PAO assessment itself runs $30–100k depending on scope. Annual maintenance after certification is usually $20–80k/year. Migrating to GCC High adds $50–200k+ on top, which is why the GCC High decision matters so much. We quote our piece on the call so you have real numbers before committing.
What happens if I just don't comply?
You lose the contract, eventually. The phased rollout means you might have a year before a specific contract requires a clean assessment. But the moment a DFARS 252.204-7021 (or its successor) clause is in your contract, you've committed to be assessed. Non-compliance is a contract violation, and increasingly a False Claims Act exposure if your SPRS score doesn't match reality. This isn't an audit you can fail and try again next year. It's a bid you lose.