CMMC readiness.
The Final Rule is in effect. Florida defense contractors who handle FCI or CUI now need CMMC certification at the level their contracts demand. We build the SSP, drive remediation against NIST 800-171, and walk you through the C3PAO assessment.
Level 1 vs Level 2
Level 1 covers contractors handling Federal Contract Information (FCI) only. 17 controls drawn from FAR 52.204-21. Annual self-assessment, attested by a senior official.
Level 2 covers contractors handling Controlled Unclassified Information (CUI). 110 controls from NIST SP 800-171 r2. Triennial third-party assessment by a C3PAO.
What's included
- Scoping: which systems, networks, and personnel are inside the assessment boundary
- System Security Plan (SSP) authorship, the central document the assessor reads first
- Plan of Action & Milestones (POA&M) for remaining gaps
- Control implementation guidance for the 110 NIST 800-171 controls (Level 2)
- Policy and procedure library aligned to 800-171 control families
- Evidence collection runbook
- C3PAO recommendation and assessment liaison
- Annual self-assessment support (Level 1)
Engagement tiers
- Level 1 self-attestation. 17 controls, FCI-only contractors. 4 to 6 weeks.
- Level 2 readiness. 110 controls, SSP, POA&M, evidence runbook. 4 to 6 months.
- Level 2 full. Readiness plus C3PAO liaison through assessment. 6 to 9 months.
Common questions
How is CMMC different from NIST 800-171 self-attestation?
CMMC adds a third-party assessment requirement to Level 2. Until CMMC, contractors self-attested to NIST 800-171. Now a C3PAO assessor verifies that attestation on a three-year cycle.
Can we still bid on contracts during readiness?
Yes, with caveats. Many DoD contracts already include DFARS 252.204-7012 and SPRS scoring requirements. We can work with your contracts office to position your current SPRS score honestly while remediation is underway.
Do you handle the C3PAO assessment?
No. C3PAOs are independent and bill separately. We recommend C3PAOs we have worked with and pre-negotiate scope.