The full path to certified.
In three phases.
Gap Assessment, Implementation, Continuous Compliance. Sign for one phase or all three. Fixed fee at every phase. Your CUI never leaves your environment. We don't stop until your C3PAO signs off.
UK government cleared engineering team · Cyber AB Registered Practitioner registration in progress · RPO application to follow
Three phases. Nine service lines. No gaps.
Pick the phase that matches where you are. Each phase covers three service lines so nothing is left assumed — scoping through certificate, then maintained for the three years that follow.
CMMC Gap Assessment
Real SPRS score. Documented scope. Prioritized gaps. The defensible starting point most contractors skip — and pay for later.
- Discovery call and scoping interview
- CUI inventory and data flow diagrams
- SPRS score calculation against current state
- All 110 controls assessed against current
- Prioritized remediation roadmap with effort estimates
- Defensible starting point for next contractor or in-house team
CMMC Implementation
From gap to assessment-ready in one engagement. Technical remediation, full documentation suite, mock assessment, evidence package indexed to NIST 800-171A. Sprint methodology — fixed scope, fixed timeline, fixed fee.
- Technical remediation across all 14 NIST 800-171 domains
- System Security Plan (SSP) drafted and maintained
- Plan of Action & Milestones (POA&M) with closure plan
- Identity, encryption, network, and endpoint policies inside your environment
- Evidence package built to assessor expectations
- Mock assessment by partner Lead CCAs before C3PAO walks in
CMMC Continuous Compliance
Stay certified between three-year reassessments. SPRS affirmation support, evidence pack maintenance, control drift detection, regulatory change monitoring.
- Annual SPRS affirmation support
- Three-year reassessment preparation
- Vendor and supply-chain risk management
- Quarterly evidence package refresh
- Regulatory change monitoring (DFARS, 32 CFR Part 170)
- On-call senior practitioner for assessor questions
Fixed fee, by engagement type.
Every Ancitus engagement is fixed-fee, scoped on the Discovery Call, locked before SOW signature. Pricing depends on environment, headcount, and engagement type. Actual prices are published on each service detail page.
We don't bill by the hour. We don't have a "discovery" phase that quietly extends. The number on the SOW is the number you pay. If we underestimate the scope, that's our problem to manage — not yours to pay for.
Final pricing within one to three business days of the Discovery Call.
Discovery to certificate in five steps.
A typical full engagement runs four to six months from kickoff. Here's what each step looks like, what we do, and how long it takes.
Discovery Call
We review your situation, prime requirements, and current state. Candid read on the work involved. Recommended path — even if that path isn't us.
Scope & SPRS
Gap Assessment kickoff. CUI inventory, scoping decisions, real SPRS score, prioritized remediation roadmap. Defensible starting point.
Implementation
Technical remediation inside your environment. Entra ID, Intune, Sentinel, encryption, network policies. Full documentation suite alongside.
Mock Assessment
Run to the same C3PAO rubric by partner Lead CCAs. All 320 assessment objectives evaluated. Gaps surfaced and closed before C3PAO walks in.
C3PAO & Certified
C3PAO assessment runs against your evidence package. We're present and prepared for every assessor question. If we miss the first time, we keep working at no extra charge.
Continuous Compliance keeps your evidence pack current through your annual affirmations and your next triennial reassessment. Optional. Most clients sign on.
1 in 3 contractors fail their first attempt. Here's what they get wrong.
We track assessor feedback patterns across failed CMMC L2 assessments. Each failure below is preventable — but only if someone on your team knows to look for it before the C3PAO does.
Scope crept after the wall.
They added a new SaaS tool three months in, and it pulled five new users into CUI handling without anyone updating the scope. Assessor caught it. Assessment failed.
Evidence didn't match the question.
They had the policy. They had the screenshot. The assessor asked for the policy AND the screenshot AND the change log AND the approval record. NIST 800-171A has 320 assessment objectives — not 110.
MFA missing on the accounts that mattered.
Workforce MFA was deployed. Privileged service accounts were not. Assessor walked the audit log and found three admin actions without MFA. Assessment failed.
Admin accounts shared between people.
Three engineers shared one "sysadmin" account because it was easier. Assessor asked for individual attribution to each privileged action. There was none.
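The two findings above, privileged actions without MFA and privileged actions that cannot be attributed to one named person, are both things a team can check in its own audit log before the assessor does. The script below is an added example, not the page's or Ancitus's own tooling. It assumes a log of one JSON event per line with the fields `ts`, `account`, `action` and `auth` (field names are an assumption, not any product's schema), a constructed list of privileged actions, and a constructed account-to-person mapping of the kind an identity team would keep; the sample log lines are constructed for the example.

```python
"""Pre-assessment audit-log review for two common CMMC L2 findings:
privileged actions performed without MFA, and privileged actions performed
under an account that does not map to exactly one named person.

Added example, not the page's or Ancitus's own code. Log field names,
the privileged-action list and the owner mapping are all assumptions.
"""
import json

# Constructed sample log: one JSON event per line (field names assumed).
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:14:00Z", "account": "alice.admin", "action": "Add member to role", "auth": "mfa"}
{"ts": "2026-03-02T09:20:00Z", "account": "svc-backup", "action": "Add member to role", "auth": "password"}
{"ts": "2026-03-02T10:05:00Z", "account": "sysadmin", "action": "Update conditional access policy", "auth": "mfa"}
{"ts": "2026-03-02T11:41:00Z", "account": "bob", "action": "Read mailbox", "auth": "mfa"}
{"ts": "2026-03-03T08:02:00Z", "account": "svc-backup", "action": "Reset user password", "auth": "password"}
{"ts": "2026-03-03T08:30:00Z", "account": "sysadmin", "action": "Add member to role", "auth": "password"}
"""

# Actions an assessor would treat as privileged (constructed list).
PRIVILEGED_ACTIONS = {
    "Add member to role",
    "Update conditional access policy",
    "Reset user password",
}

# Constructed account-to-person mapping. For individual attribution, a
# privileged account must map to exactly one named individual.
ACCOUNT_OWNERS = {
    "alice.admin": ["alice"],
    "bob": ["bob"],
    "sysadmin": ["alice", "bob", "carol"],  # shared admin account, three people
    "svc-backup": [],                        # service account, no named owner
}


def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_without_mfa(events):
    """Privileged actions whose session was not MFA-authenticated."""
    return [e for e in events
            if e["action"] in PRIVILEGED_ACTIONS and e["auth"] != "mfa"]


def privileged_without_attribution(events, owners):
    """Privileged actions whose account does not map to exactly one person."""
    return [e for e in events
            if e["action"] in PRIVILEGED_ACTIONS
            and len(owners.get(e["account"], [])) != 1]


def review(text, owners=ACCOUNT_OWNERS):
    """Summarise both findings the way a pre-assessment review would report them."""
    events = parse_log(text)
    no_mfa = privileged_without_mfa(events)
    unattributed = privileged_without_attribution(events, owners)
    return {
        "events": len(events),
        "privileged_without_mfa": [(e["ts"], e["account"], e["action"]) for e in no_mfa],
        "accounts_without_mfa": sorted({e["account"] for e in no_mfa}),
        "unattributed_accounts": sorted({e["account"] for e in unattributed}),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports three privileged actions without MFA (the service account twice and the shared `sysadmin` account once) and two accounts whose privileged actions cannot be attributed to a single person. The owner mapping is the piece most teams lack: without it, even a perfectly collected log cannot answer the assessor's "who did this" question.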
Cloud responsibility — yours or theirs?
They assumed their cloud provider handled all 110 controls. The provider handles around 60. The other 50 — including some they assumed were covered — are on the customer. The Customer Responsibility Matrix (CRM) that would have shown this didn't exist.
Logs collected, never read.
They had 90 days of logs. They had never reviewed them. Assessor asked when the last suspicious-activity review was. There hadn't been one.
"These mistakes happen because someone misses something — a wireless account, a log review cadence, a CSP boundary. Senior engineers know where to look for it. Junior teams don't, until the assessor finds it for them." — Senior assessor, anonymous, March 2026
Thirteen questions. Honest answers.
The same questions come up on every Discovery Call. Candid answers, in writing, before you book.
Q01 What's the difference between you and a C3PAO?
A C3PAO conducts the formal CMMC Level 2 assessment. We don't. We're an implementation consultancy — we get you assessment-ready. Cyber AB rules prohibit a single firm from both implementing AND assessing the same client, so we don't carry CCA credentials by design. When you're ready to assess, we'll help you pick a C3PAO and prep you for what they'll ask.
Q02 What does it actually cost?
Fixed fee, scoped on the Discovery Call, locked before SOW signature. Pricing depends on your environment, headcount, and engagement type. Final pricing within one to three business days of the Discovery Call. We don't bill by the hour and we don't have a "discovery" phase that quietly extends.
Q03 Why a UK consultancy for a US DIB requirement?
Two reasons. First, we're senior-only — UK senior cybersecurity consultants run roughly 40 to 50 percent of US rates fully loaded, which makes senior-only delivery economically possible. Second, we never store your CUI on our systems. We work inside your environment, on your access. Our location is operationally irrelevant — your CUI never crosses a border because it never leaves your tenant.
Q04 How is your CUI exposure zero when you're working in our environment?
Because we're working in your environment, not ours. We use your authenticated access to your tools. Nothing gets copied to our laptops, our SharePoint, or our email. Our Customer Responsibility Matrix documents exactly what we touch and what stays on your side. If we get breached tomorrow, your CUI is unaffected.
Q05 What if we already started CMMC work with someone else?
Common situation. Phase 1 is the Gap Assessment — we audit where you are, what you have, and what's been done correctly. Often 30 to 50 percent of the work is reusable. We tell you what to keep, what to redo, and what's missing. No re-billing for work you've already paid for once.
Q06 How do we work with our existing MSP?
Side by side. Your MSP keeps running your IT. We add the CMMC-specific work — control implementation, documentation, evidence pack. We coordinate with your MSP, not compete with them. If your MSP is technically capable and bandwidth-constrained, we offload the CMMC stack and hand back a maintained system at the end.
Q07 What if we fail the C3PAO assessment?
We keep working. No second invoice. We agreed a fixed fee at the start. If you miss the first attempt, we're the ones absorbing the cost of going back in — that's the structural commitment, written into the SOW. We'd rather take the financial hit on a missed engagement than build a business that survives by billing more hours.
Q08 Will you sign an NDA before the Discovery Call?
Yes, on request. We use a standard mutual NDA. If you have a template you'd prefer, we'll work under that. The Discovery Call doesn't require an NDA in the typical case — we're listening, not extracting CUI — but we won't refuse one.
Q09 What documentation do you produce?
System Security Plan (SSP). Plan of Action & Milestones (POA&M). 14-domain policy pack. Evidence package indexed to NIST 800-171A. Network architecture and CUI flow diagrams. Asset inventory. Training records. Incident response playbook. Customer Responsibility Matrix. Every assessor-examined document, version-controlled, handed to you in a structured pack.
Q10 Are your credentials current?
Cyber AB Registered Practitioner registration is in progress. RPO application follows once RP is active. Cyber AB processing typically runs four to eight weeks. You can monitor our status directly on the Cyber AB Marketplace. We update this page the day each approval lands.
Q11 Do you have a preferred cloud platform?
No. We don't hold a Microsoft AOSG partnership and don't earn margin on your cloud licenses. We'll recommend what's right for your situation — GCC High, Azure Government, GCC plus an enclave, or AWS GovCloud — based on your contracts, CUI volume, and existing investments. Our income is your engagement fee, not your monthly cloud bill.
Q12 Can we sign for just one phase?
Yes. Gap Assessment stands on its own. Implementation stands on its own. Continuous Compliance stands on its own. Most contractors do all three over time; some come to us mid-stream after another consultancy. Either is fine.
Q13 What happens after we're certified?
Certification isn't the end. Annual affirmations are required, and your SPRS score has to stay accurate the whole time you hold a CUI contract. The MORSECORP $4.6 million False Claims Act settlement in March 2025 was about exactly this — a contractor whose SPRS score went stale after certification. Continuous Compliance keeps your evidence pack and SPRS posture current through your annual affirmations and your next triennial reassessment, so that isn't you.
Let's see where you stand.
Thirty minutes. No pitch. We'll review your situation, give you a candid read on the work involved, and recommend a path — even if that path isn't us.
Book a Discovery Call