Phase 02 / Build CMMC Implementation

From SPRS gap to clean C3PAO pass. Twelve to eighteen weeks.

CMMC Implementation runs twelve to eighteen weeks from kickoff to your C3PAO assessment day. Senior-only execution, fixed fee, milestone-billed (40 / 30 / 30). Every artifact delivered under version control. Your CUI never leaves your environment. We don't stop until your C3PAO signs off.

UK government cleared engineering team · Cyber AB Registered Practitioner registration in progress · Pass guarantee written into every Implementation SOW

Engagement length 12–18wks

Kickoff to C3PAO assessment day. Senior-only execution from week one.

Controls remediated 110

All 110 NIST 800-171 controls implemented in your environment, not on paper.

Assessment objectives 320

Every NIST 800-171A objective documented and evidence-backed before week eighteen.

Major C3PAOs are sequencing 2026 capacity now. The companies that start now get assessed. The rest wait.

What you walk away with

Eight deliverables. Engineered for assessment day.

Not a deliverables list. Each artifact is structured around what the C3PAO will actually examine — and what your team needs to operate the program after we hand over.

01

System Security Plan

SSP · 110 controls

Complete SSP covering all 110 controls and 320 assessment objectives. The document the C3PAO reads first. Maintained as a living artifact through the engagement, not a one-time deliverable. Every other deliverable references it.

02

Plan of Action & Milestones

POA&M · Closure plan

POA&M for any deferred items, scoped to specific assessment objectives for assessor sign-off. Closure timelines that fit the 180-day conditional window. No critical controls deferred.

03

Technical Control Implementation

14 domains · Configured

Identity, access control, MFA, encryption, logging, endpoint hardening — configured in your tenant, against the 320 assessment objectives. Built defensibly from week one, not retrofitted at week eighteen.

04

Evidence Artifact Pack

320 objectives · Indexed

Per-objective evidence captured as work happens, not collected at the end. Screenshots, logs, configurations, change records, training records. Two evidence sources per control minimum, indexed by assessment objective so the C3PAO samples directly.

05

Policy & Procedure Suite

14 families · Drafted to environment

Every policy required by the 14 control families. Drafted to match your environment, not copy-pasted from a template library. Reviewed against assessment objectives, not just against control text. Signed, versioned, and tied back to the SSP.

06

Customer Responsibility Matrix

CSP boundary · Inherited & shared

Per cloud platform in your scope (GCC High, Azure Government, AWS GovCloud). Documents which controls inherit from your CSP, which are shared, and which are entirely on you. Documents zero CUI exposure on Ancitus systems — recognized by every C3PAO we've worked with.

07

Mock Assessment Report

Lead CCA · Pre-C3PAO

Full dry-run findings document, evidence-by-evidence, against the C3PAO methodology. Run by a senior practitioner in week 14 — leaving a clear two-week window to close anything before the real assessor walks in. You enter assessment day having already passed once.

08

Operating Handover Package

Post-cert · Maintenance ready

Runbooks, change-management procedures, ongoing affirmation plan, and the artifacts your team needs to maintain the program post-certification. Built for transfer, not lock-in — whether you continue with us, hand to your in-house team, or move to another consultancy.

How we work

Five phases. Twelve to eighteen weeks.

Sprint methodology — fixed scope, fixed timeline, fixed fee. Standard engagements run twelve to fifteen weeks. Multi-site or hybrid-cloud environments use the full eighteen. The principal runs every meeting remotely from the UK — no junior handoffs after SOW signature, no travel charges anywhere in the pricing.

01
2 weeks

Foundations

CUI scoping refinement, asset inventory by category, baseline SSP framework. Working inside your tenant under your access from day one.

02
5–7 weeks

Technical Implementation

Identity, access control, MFA, encryption, logging, endpoint hardening. All 14 NIST 800-171 domains configured against the 320 assessment objectives — not the 110 controls.

03
2–3 weeks

Documentation

Complete SSP, prioritized POA&M with closure timelines, evidence artifacts captured per objective. Every document version-controlled and transferable.

04
2–3 weeks

Mock Assessment

End-to-end mock against the C3PAO methodology. Lead CCA partner runs the rehearsal. Evidence challenge. Issues identified and closed before assessment day.

05
1–2 weeks

C3PAO Coordination

Principal runs the full C3PAO assessment alongside your team — remotely, as we have from week one. Evidence presentation, interview support, real-time clarification. Through to certification day.

After certification

Operating Handover Package transfers everything to your team. Optional Continuous Compliance retainer keeps your evidence current through annual affirmations and your next triennial. No lock-in.

What makes the difference

Three things most implementations miss.

Most CMMC implementations fail at the same three points. We engineer each of them away from the start — not at week sixteen when the C3PAO finds them.

01 / Methodology

Working in your tenant. Not on a checklist.

Most CMMC consultancies hand you a remediation list and walk away. We're inside your tenant configuring identity, encryption, network policies, endpoint hardening — under your access, on your tools. Configuration happens for real, not on paper.

02 / Depth

Built for 320 objectives. Not 110 controls.

The C3PAO assesses at the 320-objective level. NIST 800-171A — the assessment companion — examines, interviews, and tests each objective separately. We bake that discipline in from week one. Most implementations realize this at week 16, when the assessor finds the gap.

03 / Delivery

Pass guarantee written into the SOW.

If we miss the first assessment, we keep working at no extra charge. That's not a marketing promise — it's a structural commitment. Written into every Implementation SOW. The financial incentive: we'd rather over-deliver in week 14 than absorb the cost of a second engagement at week 22.

Where implementations fail

Six implementation-stage pitfalls. All preventable.

Patterns we see when contractors come to us mid-stream — usually after their first implementation partner has missed something foundational. Each is preventable, but only if someone on your team knows what to watch for.

01 Cross-domain

Documentation lagging implementation.

Technical controls go in early week 4. Documentation gets pushed to weeks 13–17. By the time the SSP is finalized, the assessor finds three controls the SSP describes differently than how they're actually configured. Pass becomes conditional.

02 AU.L2-3.3.5

Evidence created at the end, not as work happens.

Twelve weeks of work, three weeks of frantic screenshot collection at the end. Assessor finds gaps where the timestamps don't match the implementation dates. The integrity of the entire evidence pack collapses.
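The two evidence problems described above (deliverable 04's "two sources per control, indexed by objective" rule, and this pitfall's timestamps that don't line up with implementation dates) are both mechanical enough to check automatically. The script below is an added example for this page, not the consultancy's own tooling. It walks an evidence index and reports objectives with no artifact, controls backed by fewer than two evidence types, and artifacts captured before the control was implemented or long after it. Control and objective identifiers follow the NIST SP 800-171 / 800-171A naming pattern, but the objective letters, dates, file paths and the 14-day lag threshold are constructed sample values, not a complete objective list.

```python
"""Evidence-pack index checker.

Constructed example for this page, not the consultancy's own tooling.
Control and objective identifiers follow the NIST SP 800-171 / 800-171A
naming pattern, but the objective letters, dates and file paths below are
invented sample data and are not a complete objective list.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control: str                 # 800-171 requirement id, e.g. "3.1.1"
    objectives: tuple[str, ...]  # 800-171A objective letters in scope, e.g. ("a", "b")
    implemented: date            # date the change record implementing the control closed


@dataclass(frozen=True)
class Evidence:
    objective: str   # 800-171A objective id, e.g. "3.1.1[a]"
    source: str      # evidence type: screenshot, config-export, log-export, change-record ...
    path: str        # location inside the customer's evidence repository
    captured: date   # date the artifact was captured


def control_of(objective_id: str) -> str:
    """'3.1.1[a]' -> '3.1.1'."""
    return objective_id.split("[", 1)[0]


def check_evidence_pack(controls, evidence, max_lag_days=14, min_sources=2):
    """Return (id, problem) findings for an evidence index.

    Three checks mirror what an assessor samples for:
      1. every in-scope objective has at least one artifact;
      2. each control is backed by at least `min_sources` distinct evidence
         types (the page's rule: two sources per control minimum);
      3. artifacts are captured close to the implementation date; a capture
         dated before implementation, or long after it, undermines the
         timeline the evidence is supposed to prove.
    """
    findings = []
    by_objective = defaultdict(list)
    for item in evidence:
        by_objective[item.objective].append(item)

    in_scope = {c.control for c in controls}
    for c in controls:
        sources = set()
        for letter in c.objectives:
            oid = f"{c.control}[{letter}]"
            items = by_objective.get(oid, [])
            if not items:
                findings.append((oid, "no evidence indexed"))
            for item in items:
                sources.add(item.source)
                lag = (item.captured - c.implemented).days
                if lag < 0:
                    findings.append((oid, f"captured {-lag} days before implementation: {item.path}"))
                elif lag > max_lag_days:
                    findings.append((oid, f"captured {lag} days after implementation: {item.path}"))
        if len(sources) < min_sources:
            findings.append((c.control, f"only {len(sources)} evidence source type(s), need {min_sources}"))

    # Evidence filed against an objective the SSP does not scope is a sign of
    # scope drift (pitfall 04) and is reported rather than silently ignored.
    for oid in by_objective:
        if control_of(oid) not in in_scope:
            findings.append((oid, "evidence references an objective outside SSP scope"))
    return findings


# Constructed sample data (hypothetical dates, paths and objective subsets).
SAMPLE_CONTROLS = (
    Control("3.1.1", ("a", "b", "c"), date(2025, 3, 10)),
    Control("3.5.3", ("a", "b"), date(2025, 4, 1)),
)
SAMPLE_EVIDENCE = (
    Evidence("3.1.1[a]", "screenshot", "evidence/3.1.1/a-entra-users.png", date(2025, 3, 11)),
    Evidence("3.1.1[a]", "config-export", "evidence/3.1.1/a-users.json", date(2025, 3, 12)),
    Evidence("3.1.1[b]", "screenshot", "evidence/3.1.1/b-groups.png", date(2025, 3, 11)),
    # 3.1.1[c]: nothing captured -> finding
    # 3.5.3: configured 1 April, screenshots taken in the end-of-engagement scramble
    Evidence("3.5.3[a]", "screenshot", "evidence/3.5.3/a-ca-policy.png", date(2025, 6, 20)),
    Evidence("3.5.3[b]", "screenshot", "evidence/3.5.3/b-mfa-report.png", date(2025, 6, 20)),
    # objective for a control that is not in the SSP scope list
    Evidence("3.13.11[a]", "config-export", "evidence/3.13.11/a-tls.json", date(2025, 4, 2)),
)


def sample_findings():
    return check_evidence_pack(SAMPLE_CONTROLS, SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for ident, problem in sample_findings():
        print(f"{ident:12} {problem}")
```

Run against the sample data it reports five findings: the missing 3.1.1[c] artifact, two 3.5.3 screenshots captured 80 days after the control went in, 3.5.3 backed by a single evidence type, and an artifact filed against a control outside the SSP scope. The lag threshold is the tunable part: a control whose evidence is all dated inside the last three weeks of an engagement tells the assessor exactly when the evidence was made, whatever the SSP claims.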

03 Cross-domain

Template policies copied from a library.

Generic policy templates that don't match the actual environment. Incident response plans referencing systems the contractor doesn't have. Assessor reads it and asks one operator to walk through the actual workflow. The mismatch is immediate.

04 CRM · CSP boundary

Cloud responsibility unclear or work happens outside it.

The contractor assumed inheritance for controls the CSP doesn't actually cover. Or the team performs work in shadow tools outside the documented CUI boundary. Either way, scope drifts and the SSP stops matching reality.

05 Cross-domain

SSP that lives but isn't maintained.

The SSP describes the environment from week 4. The environment changes in weeks 7–12 (new SaaS tool, new IAM provider, new logging pipeline). The SSP doesn't update. When the C3PAO walks in at week 18, the SSP describes a system that no longer exists.

06 Pre-C3PAO

Mock assessment too late to fix anything.

Mock scheduled at week 17 — same week as the C3PAO arrival. Real findings surface in mock. Zero time to fix before the actual assessor walks in. Mock becomes a check-the-box exercise, not a fix-things one.

"Implementation fails because someone documented at week 6 what should have been documented at week 2." — Deepak Pal Singh, Founder & Principal

How we price

Fixed fee. Milestone billed.

Every CMMC Implementation is fixed-fee, scoped on the Discovery Call, locked within one business day. Milestone-billed at 40 / 30 / 30 — kickoff, mid-point checkpoint, certification day. No hourly billing, no scope creep.

Next step

A 30-minute Discovery Call.

No pitch. No slides. We review your situation, scope the engagement, and give you a candid read on the work involved. Final pricing within one business day of the call — before any SOW gets drafted.

Book a Discovery Call

  • Fixed fee, locked before any work begins. The number on the SOW is the number you pay through to certification day.
  • Milestone-billed: 40 / 30 / 30. 40% at kickoff, 30% at mid-point checkpoint, 30% at certification day. Aligns our cash flow with your delivery milestones.
  • Discovery Call is free. If we're not the right fit, we'll tell you on the call and recommend a path that is.

The pass guarantee

If we miss the first C3PAO assessment, we keep working until you pass.

No second invoice. No re-scoped engagement. We agreed a fixed fee at kickoff. If you miss the first attempt, we're absorbing the cost of going back in — written into every Implementation SOW. The financial incentive runs the right way: we'd rather over-deliver in week 14 than rebuild a failed assessment at week 22.

Honest answers

Nine questions. Honest answers.

In rough order of how often they come up on Discovery Calls. The top group covers the four questions that determine whether an engagement is even possible — including the one most consultancies hide.

The basics — Where contractors get stuck

Q01

How long will this actually take?

Twelve to eighteen weeks from kickoff to your C3PAO assessment day. Most engagements land between fourteen and sixteen weeks. Multi-site or hybrid-cloud environments use the full eighteen.

Industry average is six to twelve months. Senior-only execution removes the junior-handoff drag that adds three to four months in traditional consulting models. The fee is fixed; the timeline isn't padded.

Q02

Who actually does the work — senior consultants or juniors?

Senior consultants. Zero juniors. Principal runs every kickoff, every interview, every walkthrough. Senior engineers with active UK government clearance handle every technical evaluation and every configuration in your tenant.

This is the core economic argument for our pricing. UK senior cybersecurity consultants run roughly 40 to 50 percent of US senior rates fully loaded — which makes senior-only delivery economically possible without a 50% premium.

Q03

You're based in the UK. Does that work for US defense contractors?

Yes for most contractors handling FCI or standard CUI — IT services, software, professional services, training, admin support, cyber, data services. We work inside your tenant under your access; nothing leaves your environment.

The exception is ITAR- or EAR-controlled technical data. Both regimes treat giving a foreign person access to the systems holding that data as an export of the data itself (the EAR calls this a "deemed export"), so it counts even if no data ever moves. The 2022 UK Open General License covers some categories without prior approval; others still need formal licensing.

We work through this on the Discovery Call. If your environment is genuinely incompatible with non-US delivery, we'll say so and refer you to a US-based RP we trust — rather than build an engagement that collapses on an export-control finding.

Q04

What if you miss the first C3PAO attempt?

We keep working. No second invoice. We agreed a fixed fee at kickoff. If you miss the first attempt, we're absorbing the cost of going back in — written into every Implementation SOW.

That's the structural commitment. The financial incentive runs the right way: it's cheaper for us to over-deliver in weeks 13–14 than rebuild a failed assessment at week 22. We'd rather take the financial hit on a missed first attempt than build a business that survives by selling rework.

The engagement — Cost, scope, and commitment

Q05

What does it cost?

Fixed fee, scoped on the Discovery Call, locked within one business day. Pricing depends on environment complexity, contractor headcount, number of locations, and whether you've already done a Gap Assessment. Milestone-billed at 40 / 30 / 30.

Every engagement we've quoted has come in within the scoped fee — no surprise invoices, no scope creep. We don't bill by the hour and we don't have a "discovery" phase that quietly extends.

Q06

Do you need access to our CUI to do the work?

No. We work inside your environment using your authenticated access to your tools. Nothing gets copied to our laptops, our SharePoint, or our email. Our Customer Responsibility Matrix documents exactly what we touch — and what stays on your side, untouched.

Implementation work is configuration and policy authoring inside your tenant. None of it requires us to read or extract your CUI. The accounts we work from are issued by you, in your tenant, and are yours to disable at any point. If we get breached tomorrow, your CUI is unaffected.

Q07

What if we already started CMMC work elsewhere — can you pick up mid-stream?

Common situation. We start with a brief audit of what's been done — what holds up against the assessment objectives, what doesn't, and what's missing. Often 30 to 50 percent of the existing work is reusable. We tell you what to keep, what to redo, and what to add. The remaining engagement gets scoped accordingly.

If your prior partner produced documentation that won't survive the C3PAO, we'll tell you why — specifically. Then you decide whether to rebuild from existing assets or start clean.

Q08

Do we have to start with your gap assessment first?

No. If you have a recent, defensible Gap Assessment from another partner — or your in-house team — we work from that. We'll review it on the Discovery Call. If the gaps and SPRS scoring hold up to a quick sanity check, we go straight into Implementation.

If your existing gap assessment is a checklist exercise rather than an objective-level evaluation, we'll tell you on the call. Implementation built on a weak gap assessment doesn't pass. In that case, the cleanest path is starting with our Gap Assessment first.

Q09

Can you handle our environment if it's unusual — multi-site, foreign-owned, or hybrid cloud?

Yes. Multi-site uses the full eighteen weeks and a coordinated remediation pattern across locations. Foreign-owned (FOCI) adds a CFIUS-aware boundary review to scoping; we've worked through this pattern before. Hybrid cloud — GCC High plus AWS GovCloud, or Azure Government plus an on-premises enclave — is handled with one Customer Responsibility Matrix per platform.

If your environment is genuinely unusual and we don't think we're the right fit, we'll say so on the Discovery Call. We'd rather refer you to a specialist than take an engagement we can't deliver well.

Discovery call

Let's see where you really stand.

Thirty minutes. No pitch. We'll review your situation, give you a candid read on the work involved, and recommend a path — even if that path isn't us.

Book a Discovery Call

We respond within one business day · Fixed-fee engagements · No CUI on Ancitus systems