About · Ancitus LLC

Built around one constraint.

Senior judgment on every meeting. No juniors learning on client systems, ever. Every other decision flows from that.

Twenty years in regulated environments — financial services, energy, telecoms. Compliance under scrutiny is what we've done our whole careers. CMMC is the latest framework, not the first one.

Why Ancitus exists

Twenty years of compliance theater.

I've seen the same pattern in every regulated environment I've worked in. A program gets built to pass an audit. The audit passes. Then the program decays — slowly at first, then all at once — because nobody architected it to survive the people who built it.

Big bank programs built around point-in-time controls drifting within months. Government programs documented by consultants who never came back. Energy and telco compliance teams running parallel realities — what the documentation said, versus what the systems actually did. Most of those programs eventually got rebuilt, away from public scrutiny. Internally embarrassing. Externally invisible.

The cost of rebuilding compliance is always higher than the cost of building it right.

CMMC changes the math. The annual affirmation under 32 CFR 170.22 makes the rebuild visible — every year, the senior official who signs has to attest to continuous compliance under penalty of law. The gap between the program that was certified and the program that exists today becomes a personal liability. That's new. That's why Ancitus exists.

Twenty years, four regulated industries

The work that shaped this consultancy.

Ancitus has been operating since 2023. The CMMC pivot — and the positioning around senior-only delivery, zero CUI on Ancitus systems, and the affirming-official frame — followed the program going live in November 2025. What twenty years of regulated work taught me is the operating discipline. The framework changes. The discipline doesn't.

  • 20: Years across regulated work
  • 13: Engagements across regulated industries
  • 4: Regulated industries
  • 3 clouds: Production-scale (AWS · Azure · GCP)
  • Financial Services: PCI-DSS, regulator-supervised environments
  • Energy: Critical infrastructure
  • Telecommunications: Telco-grade scale

Cloud security, infrastructure architecture, and compliance documentation across financial services, energy, and telecoms. The frameworks differ — PCI-DSS, energy-sector regulatory, financial-conduct supervisory — but the operating discipline is the same. Version-controlled documentation, continuous evidence, calendared reviews, senior accountability. CMMC formalizes a discipline we've been running for two decades.

Technical depth

The work that maps directly onto CMMC.

Most CMMC consultants started doing CMMC in 2024. The technical work it requires has been our full-time work for twenty years.

Frameworks
Frameworks & standards
  • NIST Cybersecurity Framework — implementation across AWS, Azure, GCP
  • NIST 800-171 — control framework underlying CMMC; equivalent regimes implemented across global financial services and regulated industries
  • PCI-DSS — global financial services environments
Authored
Compliance documentation
  • Big Data Security Standards — tier-1 financial services (the standards a global bank's data infrastructure was built against)
  • Cloud Security Roadmap — greenfield fintech
  • Reference architectures — multiple regulated environments, version-controlled and operationally maintained
  • System Security Plans, evidence packs, runbooks — twenty years
Control families
CMMC L2 control families
  • Access Control, Identification and Authentication: IAM, CyberArk, Active Directory at scale
  • Audit and Accountability: Splunk, ELK, continuous monitoring at production scale across regulated environments
  • Configuration Management: Terraform, Ansible, version-controlled infrastructure
  • System and Communications Protection, System and Information Integrity: container security, DLP, vulnerability management, SCA/SAST/DAST
Platforms
Cloud infrastructure
  • AWS — Landing Zones, EKS, Security Hub, GuardDuty, IAM, encryption
  • Azure — AKS, Sentinel, Defender, Active Directory, Key Vault (maps onto GCC High)
  • Google Cloud — DevSecOps and security implementation
  • Kubernetes / OpenShift / Docker — production at scale

Competitor consultancies sell team scale or C3PAO authorization. What actually gets a CMMC engagement done is senior practitioners with named control-family work and operational evidence from regulated environments.

Credential in progress

Cyber AB Registered Practitioner application submitted.

Fees are paid and the international background check is underway, expected to complete during 2026. The Registered Practitioner is the formal credential the Cyber AB recognizes for CMMC practitioners. We're going through the standard process, not claiming it before it's awarded.

How we work

Three operating principles.

These aren't marketing lines. They're how we built Ancitus — the things we'd want from a CMMC consultancy if we were the senior official who had to sign the affirmation. If a client engagement compromises any of the three, we don't take it.

01 / Delivery

Senior-only, every meeting.

Three senior delivery engineers — that's the firm. Each is SC-cleared with substantial regulated-industry experience. No junior consultants learning on your systems. Every kickoff, every assessor walkthrough, every discovery call runs with senior people. Most consulting firms scale by adding juniors. The DIB needs the opposite.

02 / Methodology

Documentation as operating system.

Every artifact under version control. Every policy tied to the SSP via cross-reference. The handover is operable from day one. Annual affirmations write themselves because the documentation is current — not because someone reconstructs it under deadline. Compliance done well isn't a project. It's a permanent operating discipline.

03 / Boundary

Zero CUI on Ancitus systems.

We work inside your tenant under your access. CUI never leaves your environment, never touches Ancitus systems. The Customer Responsibility Matrix documents this explicitly. Your assessor doesn't need to assess us — we're not in your boundary. Every C3PAO we've worked with recognizes this as the strongest model for consultancy boundary management.

Negative space

What we don't do.

The shape of the firm comes from what's intentionally excluded. Each of the four below is a deliberate constraint.

  • We don't run C3PAO assessments. Our role is the Registered Practitioner's: advising and preparing, never assessing. That boundary keeps us honest about your readiness.
  • We don't scale by adding juniors. Three seniors is the firm. Capacity caps mean some quarters we're full.
  • We don't take CUI on our systems. Documented in every Customer Responsibility Matrix we author.
  • We don't sell unlimited-scope engagements. Fixed-fee, fixed-scope. If it grows, we re-scope. Honestly.

Frequently asked

Four questions. Honest answers.

The objections that come up in discovery calls, surfaced here so you don't have to ask.

The basics — Who we are, who we work with

Q01

Are you taking on new clients?

Yes, with structural limits. Senior-only delivery caps the firm at roughly twelve active engagements at a time across three senior engineers. Discovery calls don't commit either side; they're how we both check whether there's a fit and capacity in your timeline. If there isn't capacity in your window, we'll tell you what the queue looks like — and we'll point you to other senior practitioners we trust.

The engagement — Cost, timing, and fit

Q02

What does this actually cost?

Engagements scale by complexity, not user count. A small contractor with simple infrastructure costs significantly less than a mid-tier contractor with complex hybrid environments and inherited compliance debt. After the discovery call, you get a fixed-fee proposal — not time-and-materials, no surprise invoices.

If the proposal exceeds your budget, we'll tell you why and what could be descoped to fit. Sometimes the right answer is a smaller engagement now plus a larger one later. Sometimes the right answer is a different consultancy. Both are more honest than a stretched proposal.

Q03

What if we already have a CMMC consultant who isn't working out?

Common situation. The first engagement is usually a triage — what's been done, what's documented, what's salvageable, what needs to be redone. Rebuilding selectively is almost always cheaper than starting over, but sometimes starting over is the right call.

The triage itself is fixed-fee and short — typically two weeks. You walk away with a clear read on where you actually are and what the path forward looks like, regardless of whether we're the ones building it.

Q04

What's the typical engagement length?

Gap Assessment is 4–6 weeks. Implementation is 4–6 months depending on scope. Continuous Compliance is an annual retainer with quarterly cadence and the annual affirmation cycle.

The total path from "we should probably look at CMMC" to "certified, affirmed, evidence stack documented" is typically 6–9 months for contractors who've already been thinking about it, longer for those starting cold. Phase 2 begins November 10, 2026, when Level 2 certification by a C3PAO can become a condition of award in applicable new solicitations. Contractors starting now are inside the realistic timeline; contractors starting in mid-2026 likely aren't.

Discovery call

If this sounds like the kind of firm you want to work with.

Thirty minutes. No pitch. We'll review your situation, give you a candid read on the work involved, and recommend a path — even if that path isn't us.

Book a Discovery Call

We respond within one business day · Senior-only delivery · No CUI on Ancitus systems