CMMC Readiness
Control auditing and evidence gathering for defense contractors preparing for CMMC Level 2 certification against NIST SP 800-171.
Overview
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that contractors in the Defense Industrial Base (DIB) adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Revision 2. The difference between Level 2 and what most organizations currently have is not usually the controls themselves. It is the documentation, the evidence, and the ability to demonstrate compliance to an independent assessor.
We conduct a structured audit of your controls against each of the 110 NIST 800-171 requirements, identify gaps, and build the evidence package a C3PAO assessor will expect. If you are heading toward a CMMC assessment and want to know exactly where you stand before the assessor does, this engagement is the right starting point.
A defense subcontractor came to us eight months before their prime contractor required CMMC documentation. They had been operating under DFARS 7012 self-attestation for years and assumed they were close. The gap inventory revealed 23 open findings across access control, audit and accountability, and configuration management. Eight months was enough time. Three months would not have been.
NIST 800-171 Control Audit
We assess your current implementation of all 110 NIST SP 800-171 requirements across all 14 control families. Each requirement is evaluated against documented policy, observed practice, and available evidence. You receive a scored gap inventory that identifies what is fully implemented, partially implemented, and not implemented.
Evidence Gathering & Organization
Knowing that a control is in place is not the same as being able to prove it. We identify, collect, and organize the evidence artifacts that demonstrate each implemented control: configuration exports, access control lists, audit logs, vulnerability scan results, training records, and system documentation. Evidence is organized by control family in a format assessors can work through efficiently.
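The following is an added illustration of the organizing step described above, not tooling from the page or the firm: it maps evidence artifacts to NIST SP 800-171 Rev 2 requirement IDs, groups them by control family, records a SHA-256 digest for each artifact so the package can be shown unmodified at assessment time, rejects requirement IDs that do not exist, and reports which of the 110 requirements still lack evidence. The artifact names and contents are constructed placeholders; the per-family requirement counts are those of Rev 2.

```python
"""Evidence manifest and coverage check for a NIST SP 800-171 Rev 2 evidence package.

Added example (not the page's own tooling). Artifact contents are constructed
placeholders, not real exports.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# NIST SP 800-171 Rev 2 families and the number of requirements in each (sums to 110).
FAMILIES = {
    "3.1": ("Access Control", 22),
    "3.2": ("Awareness and Training", 3),
    "3.3": ("Audit and Accountability", 9),
    "3.4": ("Configuration Management", 9),
    "3.5": ("Identification and Authentication", 11),
    "3.6": ("Incident Response", 3),
    "3.7": ("Maintenance", 6),
    "3.8": ("Media Protection", 9),
    "3.9": ("Personnel Security", 2),
    "3.10": ("Physical Protection", 6),
    "3.11": ("Risk Assessment", 3),
    "3.12": ("Security Assessment", 4),
    "3.13": ("System and Communications Protection", 16),
    "3.14": ("System and Information Integrity", 7),
}

ALL_REQUIREMENTS = frozenset(
    f"{fam}.{n}" for fam, (_, count) in FAMILIES.items() for n in range(1, count + 1)
)
assert len(ALL_REQUIREMENTS) == 110

REQ_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")


def family_of(req_id: str) -> str:
    """Return the family prefix ('3.1' .. '3.14') of a requirement ID, or raise."""
    m = REQ_ID.match(req_id)
    if not m or req_id not in ALL_REQUIREMENTS:
        raise ValueError(f"not a NIST SP 800-171 Rev 2 requirement: {req_id}")
    return f"3.{m.group(1)}"


def build_manifest(artifacts):
    """artifacts: iterable of (filename, bytes, [requirement IDs]).

    Returns (manifest, errors). manifest is keyed by family prefix; each row
    carries the artifact's SHA-256 so an assessor can verify it is the same
    file that was collected. Unknown requirement IDs are reported, not dropped.
    """
    manifest = defaultdict(list)
    errors = []
    collected = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for name, data, req_ids in artifacts:
        digest = hashlib.sha256(data).hexdigest()
        for req in req_ids:
            try:
                fam = family_of(req)
            except ValueError as exc:
                errors.append(f"{name}: {exc}")
                continue
            manifest[fam].append(
                {"requirement": req, "file": name, "sha256": digest, "collected": collected}
            )
    return dict(manifest), errors


def coverage_gaps(manifest):
    """Requirements (of the 110) that have no artifact mapped to them, in numeric order."""
    covered = {row["requirement"] for rows in manifest.values() for row in rows}
    return sorted(ALL_REQUIREMENTS - covered, key=lambda r: tuple(map(int, r.split("."))))


# Constructed sample artifacts (placeholder contents, not real exports).
SAMPLE_ARTIFACTS = [
    ("ad_group_membership_2025-03.csv", b"group,member\nCUI-Users,alice\n", ["3.1.1", "3.1.2"]),
    ("siem_retention_policy.pdf", b"%PDF-1.4 retention 1 year", ["3.3.1", "3.3.8"]),
    ("baseline_config_export.json", b'{"hardening":"cis-l1"}', ["3.4.1", "3.4.2"]),
    ("vuln_scan_q1.csv", b"host,cve,status\n", ["3.11.2", "3.11.3"]),
    ("training_completion.csv", b"user,completed\n", ["3.2.1", "3.2.2", "3.2.3"]),
    ("old_mapping.xlsx", b"", ["3.1.23"]),  # 3.1.23 does not exist in Rev 2; must be flagged
]

if __name__ == "__main__":
    manifest, errors = build_manifest(SAMPLE_ARTIFACTS)
    for fam in sorted(manifest, key=lambda f: int(f.split(".")[1])):
        print(f"{fam} {FAMILIES[fam][0]}: {len(manifest[fam])} evidence mappings")
    for err in errors:
        print("ERROR", err)
    gaps = coverage_gaps(manifest)
    print(f"{len(gaps)} of 110 requirements have no evidence yet")
```

The coverage report is the useful output: an artifact folder that looks full can still leave most of a family unsupported, and a stale mapping to a requirement ID that does not exist is exactly the kind of inconsistency an assessor will notice before you do.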
SSP & POA&M Development
We produce or review your System Security Plan (SSP), which documents your system boundary, CUI flows, and control implementation for each requirement. For gaps, we build a Plan of Action and Milestones (POA&M) with realistic timelines and remediation owners. Both documents are written to hold up under C3PAO scrutiny.
Assessment Preparation
We prepare your team for the assessor interview process, walk through likely lines of questioning for each control domain, and conduct a pre-assessment dry run against the evidence package. Organizations that arrive at CMMC assessments prepared consistently encounter fewer findings and shorter remediation timelines.
CMMC requirements are being phased into DoD contracts starting in 2025. If you are a defense contractor or subcontractor that handles CUI, your prime contractor's timeline is not the only one that matters. Your assessor's availability is often the binding constraint.
What You Can Expect
- Full audit of all 110 NIST SP 800-171 requirements across 14 control families
- Scored gap inventory with findings categorized by severity and control family
- Evidence collection and organization aligned to C3PAO assessment expectations
- System Security Plan (SSP) development or review
- Plan of Action and Milestones (POA&M) with remediation timelines
- Pre-assessment dry run and team preparation
- Executive summary suitable for contract officer and leadership reporting
Need the policy foundation first? Our Policy & Procedure Development service builds the governance documentation (policies, procedures, and plans) that many NIST 800-171 requirements presuppose; an SSP cannot be accurately completed until that foundation exists.
Engagement Fee
Engagement fees are based on the size of your organization, the complexity of your CUI environment, and the current state of your existing documentation. Contact us for a scoped quote.*
* Following initial discovery call, agreement, and deposit.
Who This Is For
- Defense contractors and subcontractors that handle Controlled Unclassified Information (CUI) and are required to demonstrate CMMC Level 2 compliance
- Organizations currently operating under DFARS 252.204-7012 self-attestation that need to prepare for C3PAO assessment
- Prime contractors who need to verify that subcontractors in their supply chain meet CMMC requirements
- Organizations that completed a NIST 800-171 self-assessment but have never stress-tested their evidence package against what an assessor actually expects
- Companies with an upcoming CMMC assessment date and insufficient time to close every gap without a prioritized, structured approach
Common Questions
What is CMMC and who needs to comply?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD requirement for defense contractors and subcontractors in the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 has three levels:
- Level 1: Organizations handling FCI. Annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21.
- Level 2: Organizations handling CUI. Assessment against all 110 NIST SP 800-171 requirements, either as an annual self-assessment or as a triennial C3PAO assessment, depending on what the contract specifies; both carry an annual affirmation.
- Level 3: Organizations on the highest-priority DoD programs. A Level 2 C3PAO certification plus a government-led (DIBCAC) assessment against 24 selected requirements from NIST SP 800-172.
If your organization is party to a DoD contract or subcontract involving CUI, CMMC requirements will eventually apply to you. The phase-in began with new contracts in 2025.
What is the relationship between CMMC and NIST SP 800-171?
CMMC Level 2 is built entirely on NIST SP 800-171, which defines 110 security requirements across 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
CMMC adds the certification layer. Instead of self-attesting to NIST 800-171 implementation (as DFARS 252.204-7012 required, with a self-assessed score reported to SPRS under DFARS 252.204-7019 and 7020), many contracts now require a C3PAO to independently verify it. If you can demonstrate full implementation of all 110 requirements and produce the evidence to support that claim, you are positioned for Level 2 certification.
What is a System Security Plan and why does it matter for CMMC?
A System Security Plan (SSP) is a required artifact under NIST SP 800-171 that documents how your organization implements each of the 110 security requirements. It describes your system boundary, the CUI that flows through it, the controls in place, and where gaps exist. The SSP is the primary document a C3PAO assessor will use to evaluate your compliance posture.
A missing, incomplete, or inconsistent SSP is one of the most common reasons organizations fail or score poorly in CMMC assessments. The SSP is not a checkbox document. It needs to be accurate, current, and defensible against the evidence you can produce.
What does a C3PAO assessor actually look at during a CMMC Level 2 assessment?
A C3PAO assessor will review your System Security Plan, your POA&M for any open gaps, and the evidence artifacts that demonstrate each of the 110 controls is implemented. Evidence artifacts typically include:
- Configuration screenshots and exported settings
- Access control lists and role assignments
- Audit log samples and retention documentation
- Vulnerability scan results with remediation tracking
- Security awareness training completion records
- Incident response plan and exercise documentation
- Media handling, disposal, and sanitization records
The assessor also conducts interviews with key personnel and may request live demonstrations of specific controls. Organizations without organized, current evidence consistently encounter more findings and longer remediation timelines.
What is a POA&M and when is it acceptable under CMMC?
A Plan of Action and Milestones (POA&M) documents requirements that are not yet fully implemented, along with the timeline and resources committed to closing each gap. Under CMMC 2.0, a limited POA&M is acceptable at the time of a Level 2 assessment, but only within DoD's constraints: the assessment score must be at least 88 of 110 under the NIST SP 800-171 DoD Assessment Methodology, and only requirements DoD has designated as POA&M-eligible (broadly, those weighted at one point in that methodology, minus a handful DoD excludes outright) may remain open. Everything else must be fully implemented before a conditional certification can be issued.
POA&M items must have realistic milestones and must be closed, and verified by a POA&M closeout assessment, within 180 days of a conditional certification; otherwise the conditional status expires. A POA&M is a mechanism for handling minor, residual gaps with a credible remediation plan. It is not a strategy for deferring significant control gaps.