From gap analysis to assessment-ready certification.
We take US defence contractors from wherever they are today to assessment-ready for CMMC Level 2 — first time. Scoping, documentation, remediation, mock assessment. Everything inside your environment.
CMMC Level 2 applies to every company in the defence supply chain that handles CUI. Here's what we hear on first calls.
Your prime just asked about your CMMC status
Your honest answer is "we're working on it." You need a plan and a timeline you can share with confidence — not a vague commitment.
You're bidding on work that requires Level 2
The solicitation references DFARS 252.204-7021. Without certification, you're not eligible to win. Your competitors are already preparing.
Your score is below 110 and you don't know why
You submitted a number, but you're not confident it's accurate, or you know there are gaps but haven't mapped them to specific controls.
You don't have a System Security Plan
Or you have one but it's a template that was never finished. The SSP is what your assessor follows like a map. If it's wrong, they get lost.
Your CUI is in the cloud and you're not sure it's compliant
You use AWS, Azure, or M365 for CUI work and you're not sure your setup meets DFARS, NIST, or FedRAMP requirements.
Nobody does this full-time
30–300 person company. IT staff but no dedicated 800-171 compliance owner. You need someone who's done this before.
Every engagement follows a structured methodology. We don't skip steps, because assessors don't skip controls.
Define the boundary
Which systems handle CUI, which don't, where the boundaries sit. This prevents the most expensive mistake in CMMC: assessing more than you need to.
CUI data flow diagram
Asset inventory & classification
FCI boundary definition
Scoping recommendations report
Find every gap
All 110 NIST SP 800-171 controls tested. Clear picture of what passes and what doesn't, with the evidence needed to know exactly where each gap is.
Gap assessment — all 110 controls
SPRS score calculation
Control-by-control findings
Prioritised remediation roadmap
Close the gaps
SSP, POA&M, policies, procedures, evidence mapping. Production-ready compliance documentation — not a slide deck.
System Security Plan (SSP)
Plan of Action & Milestones
Policy & procedure library
Evidence artefact pack
Walk in ready
Mock assessment, interview coaching, evidence preparation, presentation. Your team knows exactly what to expect.
Mock assessments
Interview preparation
Readiness score card
C3PAO selection questions
And you pass.
Companies with partial controls move faster. Starting from scratch needs the full runway.
Fill in what you can. We'll come back with a clear next step — no pitch deck, no 30-page proposal.
What happens next
We respond within one working day. If there's a fit, we suggest a 30-minute call to understand your environment and timeline. No obligation, no procurement pressure.
Most clients engage within two weeks of first contact.
Or email us directly: [email protected]