CMMC Compliance ReadinessLevel 1 · Level 2 · NIST 800-171 R3 · SPRS · POA&M · C3PAO Prep

CMMC compliance readiness is the program of mapping a defense contractor’s technical controls, written policies, and audit evidence to the Department of Defense’s Cybersecurity Maturity Model Certification 2.0, then proving that alignment to a contracting officer or a third-party assessor. The work is built on NIST SP 800-171 Rev 3 (with NIST SP 800-172 reinforcement at advanced levels) and tracks to DFARS 252.204-7012, 7019, 7020, and 7021. Readiness covers scoping, gap analysis, System Security Plan (SSP) authorship, Plan of Action and Milestones (POA&M) tracking, Evidence Vault buildout, SPRS score support, and rehearsal for a C3PAO assessment when required.

Level 1 covers Federal Contract Information (FCI) and requires 15 basic safeguarding practices with an annual self-assessment and a published SPRS score. Level 2 covers Controlled Unclassified Information (CUI), aligns to the 110 NIST SP 800-171 Rev 3 requirements, and moves to a triennial third-party assessment by a C3PAO for most contracts as the rollout progresses. Level 3 is reserved for the most sensitive CUI and adds NIST SP 800-172 enhanced controls assessed by DIBCAC. The level you need is set by the data type referenced in your contract, not by company size.

Yes. Subcontractors are in scope under DFARS flow-down. The prime contractor is responsible for verifying that every sub handling FCI or CUI meets the required CMMC level, and the same SPRS scoring obligations flow down through the supply chain. If you support a prime that handles CUI, you should expect the same Level 2 expectations the prime carries, even if your contract is small. Plan readiness on the prime’s timeline, not the eventual end-of-rollout date.

If you store, process, or transmit CUI in Microsoft 365, you almost certainly need Microsoft 365 GCC High or an equivalent FedRAMP Moderate / DoD Impact Level authorized environment. Commercial M365 does not meet the data sovereignty, FedRAMP authorization, and ITAR obligations that DFARS 252.204-7012 imposes when CUI is involved. We help defense contractors map data flows, scope what actually contains CUI, and decide between GCC High, Azure Government, or a CUI enclave architecture. Some contractors don’t need a full GCC High migration; they need a tightly scoped CUI enclave plus tenant restrictions on commercial M365.

Our fixed-price Level 2 Readiness engagement runs three to four weeks for the gap analysis, SSP draft, POA&M build, and Evidence Vault setup. Closing the gaps the readiness uncovers is a separate, longer phase that typically runs three to nine months depending on how mature your environment is when we start, how scoped your CUI footprint is, and how much GCC High or enclave work is involved. Contractors who haven’t yet enforced MFA, logging, backup, and least-privilege access should plan for the longer end of that range.

Pricing depends on environment size, CUI scope, and current control maturity. Our Level 1 and Level 2 Readiness engagements are fixed-price, scoped during a free Readiness Review. Continuous Compliance is a monthly retainer that scales with environment size and review cadence. The remediation work that follows readiness is project-priced based on the gaps uncovered, never a blank check. Send us a message through the form on this page and we’ll come back with a scoped estimate, not a pile of disclaimers.

SPRS is the DoD’s Supplier Performance Risk System, the contracting officer’s source of truth for your NIST SP 800-171 self-assessment score. Every defense contractor handling CUI is expected to maintain a current SPRS score (-203 to +110) calculated against the 110 NIST 800-171 controls. Publishing requires DoD-issued PIEE credentials and the documented self-assessment results. We guide the scoring methodology, build the supporting documentation, and walk you through the SPRS submission so contracting officers see a credible posture before award.

NIST SP 800-171 is the underlying control set: 110 requirements across 14 control families that any contractor handling CUI must meet under DFARS 252.204-7012. CMMC 2.0 is the certification program that proves you actually meet 800-171: it moves Level 2 contractors from self-attestation to third-party assessment by a C3PAO. You don’t pick one or the other. NIST 800-171 is the obligation; CMMC is the audit. Our cybersecurity compliance services page covers other framework-driven readiness programs (PCI DSS 4.0, SOC 2, ISO 27001, HIPAA); CMMC is its own dedicated program because the assessment regime, assessor body, and DoD-specific obligations don’t map cleanly to commercial frameworks.

A C3PAO is a Certified Third-Party Assessor Organization authorized by the Cyber AB (the CMMC accreditation body) to conduct CMMC Level 2 assessments. Most CMMC Level 2 contracts will require a C3PAO assessment every three years once the rollout matures. A POA&M (Plan of Action and Milestones) is the formal document that tracks open control gaps, owners, and remediation deadlines. CMMC permits a limited POA&M at award for specific lower-weight controls, but core controls cannot be on a POA&M to win the contract. They must be implemented before submission.

A failed assessment doesn’t end your eligibility immediately, but it blocks awards that require Level 2 certification until you remediate the failed controls and re-assess. If the failure is in a few discrete controls and the rest of the SSP is sound, the path back is typically faster than starting from zero. The bigger risk is misrepresenting readiness to a contracting officer: false attestations under DFARS have surfaced in multiple seven- and eight-figure DoJ Civil Cyber-Fraud Initiative settlements involving the False Claims Act. Pre-assessment rehearsal exists to surface gaps before a C3PAO does.

Yes. We frequently sit alongside an incumbent IT provider and focus only on the CMMC program: scoping, gap assessment, SSP, POA&M, evidence library, vendor risk, and assessment support. We coordinate with the IT provider on technical control changes (MFA, logging, backup, least-privilege, GCC High decisions) but don’t require them to be unseated. If a control gap is severe enough that the existing IT setup can’t close it under DoD timelines, we’ll say so directly and lay out the options, including taking on the IT-side remediation through our managed cybersecurity or managed IT services.

Yes. CMMC readiness is delivered 100% remotely. Discovery, gap assessment, SSP authorship, POA&M tracking, Evidence Vault buildout, and assessment rehearsal all happen over Microsoft Teams, screen-shares, secure document portals, and direct configuration access to your tenant. On-Site Technology is headquartered in New Jersey, with deepest engineering capacity in Northern NJ, the NYC metro, Pennsylvania, and South Florida, but that’s a capacity note, not a service boundary. If your business operates in the United States and supports the Department of Defense, we can run your CMMC program.