CMMC Readiness
For Federal Contractors
If your firm holds Federal Contract Information or Controlled Unclassified Information, CMMC is a contract requirement, not a recommendation. Most small contractors discover the gap when a prime requests evidence and the bid clock is already running.
If You Touch FCI or CUI, This Applies to You
CMMC obligations flow down. Primes are required to verify the cybersecurity posture of every subcontractor in their supply chain, including IT and managed service vendors. The model applies regardless of size.
DoD Prime Contractors
Firms holding direct Department of Defense contracts that involve Federal Contract Information or Controlled Unclassified Information.
Subcontractors
Tier-two and tier-three suppliers in the defense industrial base. CMMC requirements flow down with every contract that involves FCI or CUI.
IT and MSP Vendors
Managed service providers, hosting platforms, and IT vendors that store, process, or transmit FCI or CUI on behalf of a covered contractor.
SDVOSB and Small Set-Asides
Small business federal contractors competing for SDVOSB, 8(a), HUBZone, or WOSB set-aside work that involves FCI or CUI.
What Happens If You Skip It
The Department of Justice has made cyber-fraud enforcement under the False Claims Act a stated priority. Misrepresenting cybersecurity compliance on a federal bid can trigger contract termination, treble damages, suspension or debarment, and personal liability for officers who certified the bid.
Beyond enforcement, contracts are increasingly being awarded only to firms that can demonstrate readiness. A clean SSP and POA&M are becoming a price-of-entry requirement, not a differentiator.
How a Readiness Engagement Works
A structured five-phase process aligned to NIST SP 800-171A assessment objectives. The output is a defensible System Security Plan, a Plan of Action and Milestones, and a remediation roadmap.
Discovery Call
Free thirty-minute call to confirm contract scope, FCI versus CUI handling, target CMMC level, and timeline.
Scoping
Identify the assessment boundary, in-scope assets, and the people, processes, and technology that handle FCI or CUI.
Control Review
Walk every applicable NIST SP 800-171 control. Evidence is collected, gaps are documented, and partial implementations are scored.
SSP and POA&M
Drafted System Security Plan and Plan of Action and Milestones, both written to withstand a C3PAO or DCMA review.
Remediation Roadmap
Prioritized remediation plan with cost and effort estimates, plus a debrief call to confirm next steps before closeout.
What the Assessment Covers
NIST SP 800-171 Rev. 2 organizes one hundred ten security requirements into fourteen control families. Every applicable family is reviewed, scored, and documented.
Access and Identity
- Access Control (AC)
- Identification and Authentication (IA)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Personnel Security (PS)
Operations and Resilience
- Configuration Management (CM)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical Protection (PE)
Assessment and Protection
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Your Deliverables
Every engagement produces the documentation a C3PAO, prime contractor, or contracting officer will request. Each artifact is written to be reusable across future bids.
System Security Plan (SSP)
Drafted to NIST SP 800-171 Rev. 2 format. Documents how every applicable control is implemented, by whom, and where evidence lives.
Plan of Action and Milestones (POA&M)
Tracks every gap with a target completion date, owner, and remediation cost estimate. Ready to share with primes or assessors.
SPRS Score Worksheet
Calculated Supplier Performance Risk System score using the DoD Assessment Methodology, ready to upload to SPRS.
Remediation Roadmap
Plain-language remediation plan written for owners and operators. Each gap is prioritized and sequenced for the budget reality of a small contractor.
Findings Debrief Call
One-hour call to walk every finding, answer questions, and confirm next steps before the engagement closes.
30-Day Follow-Up
A check-in thirty days after delivery to answer implementation questions and confirm progress on the highest-risk POA&M items.
Scoped to Your Contract Footprint
CMMC engagements are quoted after a discovery call, because scope depends on FCI versus CUI handling, the assessment boundary, and the number of in-scope systems. The tiers below describe what most small federal contractors need.
Level 1 Self-Assessment
FCI only · Single environment
- Annual Level 1 self-assessment workshop
- Review of all seventeen Level 1 practices
- SPRS submission guidance
- Affirmation language for senior official
- Findings debrief call
- 30-day follow-up check-in
Level 2 Readiness
CUI handling · Single enclave
- Full review of all 110 NIST SP 800-171 controls
- Drafted System Security Plan
- Plan of Action and Milestones
- SPRS score worksheet
- Remediation roadmap with effort estimates
- Findings debrief call
- 30-day follow-up check-in
Multi-Enclave or Cloud
Multiple environments or cloud platforms
- Everything in Level 2 Readiness
- Multi-enclave boundary documentation
- Cloud Service Provider inheritance review
- Shared Responsibility Matrix mapping
- Estimated hours provided before start
- No-surprise billing
- 30-day follow-up check-in
Frequently Asked Questions
What is CMMC and who must comply?
Cybersecurity Maturity Model Certification is a Department of Defense framework that requires contractors and subcontractors to meet specific cybersecurity controls before being awarded contracts that involve Federal Contract Information or Controlled Unclassified Information. It applies across the entire defense industrial base, including primes, subs, and IT vendors who touch FCI or CUI.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers seventeen basic safeguarding practices for Federal Contract Information and is verified by annual self-assessment. Level 2 aligns with the one hundred ten controls in NIST SP 800-171 Rev. 2 and applies to organizations that handle Controlled Unclassified Information. Most Level 2 engagements require a third-party assessment by a Certified Third-Party Assessor Organization.
Do I need a System Security Plan to bid on federal work?
Yes. DFARS 252.204-7012 has required a documented System Security Plan and Plan of Action and Milestones since 2017. Under CMMC, the SSP and POA&M are also the foundation of any Level 2 assessment. Contractors without a current SSP are out of compliance regardless of which CMMC level applies.
How long does a CMMC Level 2 readiness engagement take?
For a small contractor with a single environment, a typical readiness engagement runs four to eight weeks from kickoff to a delivered SSP, POA&M, and gap remediation roadmap. Complex environments with multiple enclaves or cloud platforms take longer and are scoped before work begins.
Can I self-assess for Level 2?
A subset of Level 2 contracts permits self-assessment, but the majority require a C3PAO assessment under the final CMMC rule. Even when self-assessment is permitted, the underlying NIST SP 800-171 documentation requirements are identical. The practical difference is who certifies the result.
What happens if I bid without being CMMC-ready?
Submitting a bid that misrepresents your cybersecurity posture can trigger False Claims Act exposure, contract termination, and suspension or debarment from future federal work. Recent settlements have run into the millions of dollars for misrepresented compliance, and the Department of Justice has made cyber-fraud enforcement a stated priority.
Ready to Get CMMC Ready?
Start with a free thirty-minute consultation. Bring your contract language and we will tell you which CMMC level applies, what the realistic timeline looks like, and what an engagement would involve.
Where Does Your Firm Stand on CMMC?
Takes under five minutes. Thabiti reviews every submission personally and replies within one business day with a tailored next-step plan. Your information is never sold or shared.