Phase 03 / Maintain CMMC Continuous Compliance

Annual rhythm. Continuous evidence. Defensible affirmations.

Most managed-compliance offerings keep your environment running between assessments. Ours keeps your annual affirmation defensible — built around the senior official whose signature carries personal False Claims Act exposure. Evidence captured continuously, not retrospectively. Senior-only delivery. Not a managed-services bundle. Transferable on thirty days' notice.

UK government cleared engineering team · Cyber AB Registered Practitioner registration in progress · Refund-the-quarter guarantee written into every retainer SOW

Annual retainer: 12 months

Aligned to your CMMC affirmation cycle. Renews annually with no auto-extend.

Quarterly cycle: 4 per year

Senior consultant audit every quarter. SSP, evidence, POA&M tracking, MSP review.

Objectives kept current: 320

All NIST 800-171A assessment objectives evidence-backed continuously, not at year-end.

Seven DOJ cybersecurity-fraud settlements in 2025. The annual affirmation is where the personal exposure lives.

What you walk away with

Eight deliverables. One defensible affirmation a year.

Not "ongoing monitoring." Specific deliverables in specific months, structured for the documentation defence an affirming official needs before signing under 32 CFR 170.22.

01

SSP kept current

Quarterly · Version controlled

Quarterly SSP review for environment changes. Every modification documented and version-controlled. The SSP at affirmation time matches the environment at affirmation time — no drift, no surprises.

02

Continuous evidence repository

320 objectives · Indexed quarterly

Evidence captured every quarter across all 110 controls. Screenshots, logs, configurations, training records. Two evidence sources per control minimum, indexed and timestamped. Your next triennial samples directly from this pack.

03

POA&M closure tracking

180-day window · Active management

Active management of every POA&M item. Closure inside the 180-day window. No expired POA&M items inherited at affirmation time. Status reviewed quarterly with the affirming official.

04

Annual tabletop exercise

Scenario-based · Documented

Scenario-based exercise tailored to your environment. Tests incident response, evidence collection, and reporting workflows. Findings inform documentation updates before annual affirmation. Preparation, not check-the-box.

05

Pre-affirmation pack

30 days before signature

30 days before each annual affirmation: complete documentation summary, evidence index, SSP currency confirmation, POA&M closure status. Built so the affirming official has what they need to sign defensibly — not what we hope they'll accept.

06

MSP/MSSP alignment review

Quarterly · Drift detection

Quarterly review of your MSP/MSSP CMMC alignment. Flag any change in their certification status, ownership, service scope, or offshoring posture. You find out from us before the assessor finds out from them.

07

Customer Responsibility Matrix maintained

CSP boundary · Refreshed quarterly

Per cloud platform in scope (GCC High, Azure Government, AWS GovCloud). Refreshed quarterly. Documents zero CUI exposure on Ancitus systems and the boundary of your tenant. Recognised by every C3PAO we've worked with.

08

Year-end defensibility report

Annual · Affirming-official ready

Annual summary: what changed, what was evidenced, what was tracked. Built for the affirming official, the board, and any future inquiry. One document that explains every decision the senior official signed off on.

How we work

Twelve months. Four quarterly cycles.

A standard engagement runs as a 12-month annual retainer aligned to your CMMC affirmation cycle. Each quarter has fixed deliverables — SSP currency, evidence audit, POA&M tracking. The principal runs every quarterly review remotely from the UK — no junior handoffs, no account-manager-by-month-three.

Q1
Months 1–3

Onboarding & baseline

Initial environment review, current SSP audit, evidence repository setup, Customer Responsibility Matrix refresh per cloud platform. Affirming official briefing on continuous compliance posture.

Q2
Months 4–6

Evidence cycle & SSP refresh

Quarterly evidence collection across all 110 controls. Configuration baseline review. SSP refresh for environment changes. POA&M tracking with closure inside the 180-day window.

Q3
Months 7–9

Tabletop & MSP review

Annual scenario-based tabletop exercise built on your environment. MSP/MSSP CMMC alignment review. Pre-affirmation evidence collection. SSP delta documentation for any system changes since baseline.

Q4
Months 10–12

Affirmation & year-end review

Pre-affirmation pack: evidence summary, SSP currency confirmation, POA&M closure status. Affirming official briefing 30 days before signature deadline. SPRS submission support. Year-end report and renewal review.

After year one

The rhythm continues. Same cadence, same principal. Until your next triennial — when your three-year continuous evidence pack carries you through the C3PAO assessment as a sampling exercise, not a scramble. Renewal is opt-in, not auto.

What makes the difference

Three things most managed-compliance offerings miss.

Most managed-compliance offerings respond to events. We work to a calendar — and to the senior official whose name is on the affirmation.

01 / Personal exposure

The affirming official signs personally. We sign with them.

Under the rule governing CMMC affirmations (32 CFR 170.22), the senior official who signs your annual affirmation carries personal False Claims Act exposure for material misrepresentation. DOJ recovered $52M across seven cybersecurity-fraud settlements in 2025 — five of them initiated by whistleblowers inside the contractor's own organisation. We work with the affirming official directly, brief them every quarter, and hand them a defensibility pack they can show to legal, the board, or a future inquiry.

02 / Cadence

Annual rhythm with fixed cadence.

Most managed-compliance offerings respond to events: the assessor calls, the prime asks for proof, the SOC alert fires. We work to a calendar — quarterly evidence cycle, annual tabletop, annual affirmation pack thirty days before signature. You know what's happening when. No surprises at year-end.

03 / Delivery

Senior-only, every quarter. Every year.

The principal runs every quarterly review. Every brief to your affirming official is the same person who scoped the engagement. No junior handoffs after year one. No "account manager" handoff to someone you've never met. The team is small by design — we don't scale by adding juniors.

Where managed compliance fails

Six post-cert pitfalls. All preventable.

Patterns we see when contractors come to us mid-cycle, usually after their first managed-compliance arrangement quietly stopped working. Each is preventable, but only if someone is watching for it.

01 Cross-domain

Documentation drift between assessments.

Eighteen months since the C3PAO assessment. Three new SaaS tools, two team changes, one logging pipeline migration. The SSP describes the environment as it was certified — not as it is. The affirming official signs against a document that no longer matches reality.

02 AU.L2-3.3.5

Evidence pack one-and-done.

Evidence collected during the original assessment. Then nothing. By month nine, the contractor can't show evidence for any control change. The C3PAO at the next triennial finds twelve controls that weren't actively tracked. Pass becomes conditional.

03 CA.L2-3.12.2

POA&M closures missing the 180-day window.

Two POA&M items at certification. Both deferred for "next quarter." Quarter passes. Quarter passes. Suddenly it's day 181. Items still open. The affirmation now misrepresents your control posture — and the False Claims Act exposure is real.

04 Cross-domain

Cadence collapses or never starts.

The contractor signed up for "continuous monitoring" with their MSP. The MSP runs a SIEM and sends a monthly report. That isn't continuous compliance. By month seven, evidence collection has lapsed. By month ten, the SSP hasn't been touched. Affirmation deadline arrives with nothing prepared.

05 CRM · CSP boundary

MSP/MSSP changes that aren't re-scoped.

The MSP that handled identity at certification was acquired. The new owner offshored the NOC to an unfamiliar jurisdiction. Foreign-national access to systems handling CUI now exists. Nobody in the contractor's org knows. The CRM still describes the original architecture, with the original ownership, with no offshore exposure.

06 32 CFR 170.22

Senior official never briefed before sign-off.

The affirming official receives a one-page summary the day before the deadline. They sign because the deadline is tomorrow. They sign without understanding what changed in the environment, what evidence supports each control, or what's outstanding. The FCA standard is "knew or should have known" — signing without understanding doesn't escape liability. It establishes it.

"Most CMMC failures don't happen at the assessment. They happen on month seven, when the rhythm collapses and nobody notices." — Deepak Pal Singh, Founder & Principal

How we price

Annual retainer. Locked before SOW.

Continuous Compliance is an annual retainer, scoped on the Discovery Call, locked within one business day. Paid quarterly, monthly, or annually — your preference. Transferable on thirty days' notice.

Next step

A 30-minute Discovery Call.

No pitch. No slides. We review your current CMMC posture, scope the retainer, and give you a candid read on whether continuous compliance is right for you. Final retainer pricing within one business day of the call — before any SOW gets drafted.

Book a Discovery Call

  • Annual fee, locked before any work begins. The number on the SOW is the number you pay through to renewal review.
  • Paid quarterly, monthly, or annually. Your choice. Quarterly is the most common — aligns with the cycle.
  • Senior consultant on every quarterly review. Same person, year after year. No junior handoff after year one.
  • Transferable on thirty days' notice. No lock-in. Operating Handover Pack travels with you to your next provider — including your in-house team.

The refund-the-quarter guarantee

Every annual affirmation backed by continuous evidence — or we refund the quarter.

If your affirming official signs and within thirty days finds material evidence missing, we refund the most recent quarter's retainer fee. No questions, no clawback fight. Written into every Continuous Compliance SOW. The financial incentive runs the right way: it's cheaper for us to do the work right than to absorb a refund.

Honest answers

Ten questions. Honest answers.

In rough order of how often they come up on Discovery Calls. The top group covers the five questions that determine whether the conversation should even happen — including the one most consultancies hide.

The basics — Where contractors get stuck

Q01

How does this differ from a managed-services bundle?

Managed-services providers run your IT environment — patching, monitoring, ticketing. We don't. We run your CMMC compliance posture inside an environment you (or your MSP) operate.

We're the discipline layer, not the service desk. If you need both, we work alongside your existing MSP — and we watch them, including for the ownership-change or offshoring drift that often breaks compliance silently.

Q02

Who actually does the work — senior consultants or juniors?

Senior consultants. Same principal year after year. Every quarterly review, every affirming-official brief, every annual tabletop is run by the same person.

No "account manager" handoff to someone you've never met. The team is small by design — we don't scale by adding juniors.

Q03

You're based in the UK. Does that work for US defense contractors?

Yes for most contractors handling FCI or standard CUI — IT services, software, professional services, training, admin support, cyber, data services. We work inside your tenant under your access; nothing leaves your environment.

The exception is ITAR or EAR-controlled technical data. State Department rules treat foreign-national access to those systems as a "deemed export" — even if no data ever moves. The 2022 UK Open General License covers some categories without prior approval; others still need formal licensing.

We work through this on the Discovery Call. If your environment is genuinely incompatible with non-US delivery, we'll say so and refer you to a US-based RP we trust — rather than take a retainer that becomes useless to you at the next triennial.

Q04

What's the actual personal exposure if I sign and something is wrong?

Under the False Claims Act, the standard is "knew or should have known." If the affirming official signs a CMMC affirmation that turns out to be materially wrong, and a court finds they had reason to know — through documentation gaps, missing evidence, an unreviewed POA&M, an unflagged MSP change — that is personal civil exposure. Treble damages and per-claim penalties under 31 U.S.C. § 3729. The penalty per false claim resets every contract invoice, not once per affirmation.

The 2025 numbers: DOJ recovered $52M across seven cybersecurity-fraud settlements — five initiated by whistleblowers inside the contractor's own organisation. The MORSECORP settlement that year ($4.6M) involved a contractor whose real SPRS score had dropped to negative 142 against a self-reported positive number. The whistleblower was an employee. Under the FCA's qui tam provisions, that employee gets a share of the recovery — which is why these cases keep arising from inside the contractor.

Acquisition risk runs the same way. Acquirers inherit FCA exposure for predecessor affirmations — the diligence question "were the affirmations defensible?" is now a deal-stage filter. Holland & Knight, WilmerHale, and Fluet have all published client alerts in the last twelve months coining the phrase "CMMC Affirmation Trap" to describe the gap between what most contractors think they're signing and what their personal exposure actually is. The continuous-compliance discipline isn't theatre — it's the documentation defence the affirming official needs before signing, every year, for as long as the certification holds.

Q05

What if the affirming official isn't ready to sign?

Then they don't sign. We've designed the rhythm so that thirty days before the affirmation deadline, the official has a complete pre-affirmation pack — evidence summary, SSP currency confirmation, POA&M closure status — to review.

If they have questions, we answer them in writing. If something doesn't add up, we identify and close the gap before the deadline. The goal is informed consent, not deadline pressure. The False Claims Act exposure they take on personally deserves it.

The engagement — Cost, scope, and commitment

Q06

What does it cost?

Annual retainer, scoped on the Discovery Call, locked within one business day. Pricing depends on environment complexity, contractor headcount, number of locations, and whether you've come from our Implementation engagement (transition gets a price benefit). Paid quarterly, monthly, or annually.

No surprise invoices, no scope creep. The number on the SOW is the number you pay through to renewal review.

Q07

Do you need access to our CUI for this?

No. We work inside your environment using your authenticated access. Nothing gets copied to our systems. Same architecture as our Gap Assessment and Implementation engagements.

Customer Responsibility Matrix documents what we touch — and what stays untouched. If we get breached tomorrow, your CUI is unaffected.

Q08

Can you take over from another continuous-compliance provider?

Yes. We start with a brief audit of what's been done — what holds up, what's missing, what's been quietly skipped. Often we find that "continuous compliance" meant "a quarterly meeting plus a managed SIEM." Different thing.

We tell you what's salvageable and what needs rebuilding. Transition takes 30 to 60 days depending on the state of the existing program.

Q09

Do we have to start from your Implementation?

No. If your CMMC certification was achieved with another partner, we pick up from your current state. Q1 of the retainer becomes a baseline audit — what you have, what holds up, what needs work.

If your existing SSP, evidence pack, and POA&M are defensible, we work from them. If they're not, we'll tell you what needs rebuilding before the retainer makes financial sense. Sometimes the honest answer is to fix the foundation first.

Q10

What happens at the next triennial — do you handle the C3PAO assessment?

Yes. Continuous Compliance includes full C3PAO assessment support at your triennial — same principal, no separate engagement to scope, no separate fee. Built into the retainer.

The whole point of the retainer is that you arrive at your next assessment with three years of continuous evidence already indexed and ready. The assessment itself becomes a sampling exercise, not a scramble.

Discovery call

Let's see where you really stand.

Thirty minutes. No pitch. We'll review your current posture, scope the retainer, and give you a candid read on whether continuous compliance is the right next move — even if the answer is "not yet."

Book a Discovery Call

We respond within one business day · Annual retainer · Transferable on thirty days' notice