Byte Clarity
Federal Contracting Compliance

NIST SP 800-171 & CMMC readiness, scoped honestly

For small defense contractors and subcontractors in the DoD supply chain, CMMC and NIST SP 800-171 aren't optional — but neither is burning a year of your engineering capacity on compliance theater. We help you prepare real controls, real documentation, and a real path to a certified assessment, without the consulting markup.

The Landscape

What the requirements actually say

Two standards, one ecosystem. Knowing which one governs your contracts is the first step toward a right-sized program.

NIST SP 800-171

The National Institute of Standards and Technology Special Publication 800-171 defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. If your contract includes DFARS clause 252.204-7012, you're already contractually required to meet these controls and report cyber incidents to DoD within 72 hours.

CMMC (Cybersecurity Maturity Model Certification)

CMMC 2.0 is the DoD's unified certification framework. It takes the NIST SP 800-171 requirements and puts formal assessment and certification behind them:

  • Level 1 — Foundational (17 practices). Required when handling Federal Contract Information (FCI). Self-assessed annually.
  • Level 2 — Advanced (110 practices, aligned to NIST SP 800-171). Required for CUI. Most contracts require third-party assessment by a C3PAO.
  • Level 3 — Expert (NIST SP 800-172 enhancements). Reserved for the most critical programs. Assessed by DoD.

CMMC is being phased into new DoD contracts progressively. The practical implication: readiness work should already be underway for contractors who plan to bid on CUI-handling awards.

Our Scope

What we actually do

Compliance readiness is a process with distinct phases. We work through them in order, with honest estimates at each gate — no month-12 surprise that you need another twelve months of work.

1. Gap analysis

Systematic review of your current environment against the 110 NIST SP 800-171 controls (or the relevant CMMC level). Output: a prioritized gap list, effort estimate, and realistic timeline — before you commit to a larger engagement.

2. Control implementation

The actual work — deploying technical controls (access management, encryption, logging, incident response tooling), writing the procedural ones (policies, plans, registers), and getting evidence flowing into a system of record you can hand an assessor.

3. Documentation

System Security Plan (SSP), Plan of Action & Milestones (POA&M), policies, and evidence artifacts. This is where most small contractors struggle — we treat documentation as load-bearing, not a last-mile formality.

4. Pre-assessment readiness

A mock assessment against the specific level you're pursuing, with remediation sprints to close any gaps. When you engage a C3PAO, you're not finding out about problems in the assessment room.

Scope boundaries

What we don't do — and why that's a feature

CMMC's design intentionally separates the organizations that help you prepare from the ones that certify you. An honest preparer tells you that up front.

We are a preparation partner, not a certified assessor. CMMC Third-Party Assessment Organizations (C3PAOs) are authorized by the Cyber AB to perform formal Level 2 assessments. The two roles can't legitimately overlap — an assessor can't assess work they performed themselves. When your readiness work is complete, we help you engage a C3PAO for the formal assessment, and we stand behind the preparation we did.

We also won't inflate scope. If a discovery call reveals that your contracts don't actually require CMMC Level 2 — or that you're closer to ready than you thought — we'll say so, even if it means a smaller engagement.

Local relevance

Northern California's defense-adjacent economy

Travis AFB is fifteen minutes from our Vacaville HQ, and the Bay Area–Sacramento corridor is home to a deep bench of small subs serving aerospace, defense, and federal civilian programs.

If you're a small engineering, manufacturing, or specialty-services firm along I-80 or in the broader NorCal defense corridor and you've received DFARS flow-down language from a prime, this is the conversation to have. We can do most of the work on-site in Solano, Yolo, or Sacramento counties, which materially helps when control evidence needs hands-on validation.

Common questions

Honest answers

Are you a CMMC C3PAO or Registered Practitioner Organization?

No — and any small provider that claims certified assessor status is worth a careful look. Our work is preparation: gap analysis, control implementation, documentation, and readiness assessment. When it's time for a formal CMMC assessment, we help you select and work with a certified C3PAO. Separation of preparer and assessor is a feature of the CMMC ecosystem, not a gap.

What CMMC level should we target?

Level 1 (Foundational, 17 practices) applies to handling Federal Contract Information (FCI) — most small contractors. Level 2 (Advanced, 110 practices aligned to NIST SP 800-171) is required when Controlled Unclassified Information (CUI) is involved. Level 3 (Expert) is reserved for the most sensitive programs and is rare for SMBs. The right level is driven by the DFARS clauses in your contracts, not by preference.

How long does readiness typically take?

Depends entirely on your starting point. A small contractor with mature IT hygiene and documentation might reach Level 2 readiness in 4–6 months. A shop still on ad-hoc email archives and shared-password spreadsheets is more realistically 9–12 months of meaningful work. A free discovery call is the quickest way to get a real estimate for your situation.

What does this cost?

Compliance readiness is scoped as a project with a firm quote after discovery, separate from ongoing managed services. For context, our per-user managed-services price ranges are on the pricing page; compliance engagements are scoped on top of those and depend heavily on your current control maturity.

Do you work with prime or sub-tier contractors?

Both. Most of our federal-compliance work is with small subs in the DoD supply chain — engineering firms, component suppliers, specialty services — where the prime has flowed down DFARS 7012 / 7020 / 7021 clauses. The work is the same either way.

We're here to solve your IT challenges.

Optimize your operations, secure your assets, and grow your business with expert IT — delivered by real people who understand your business. Call us, email us, or send a message. We'll respond within one business day.