Questions, answered

CMMC + vCISO FAQ

Straight answers to the questions defense contractors and regulated teams ask most about CMMC, NIST 800-171, and fractional security leadership.

What is CMMC, and who needs it?

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense program that verifies a contractor's cybersecurity practices. Companies in the defense supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) need to meet it - most CUI handlers at Level 2.

What is the difference between Level 1 and Level 2?

Level 1 covers basic safeguarding of FCI (17 practices, annual self-assessment). Level 2 aligns to the 110 controls of NIST SP 800-171 for protecting CUI - and many contracts require a third-party (C3PAO) assessment, not just a self-assessment.

How does NIST SP 800-171 relate to CMMC?

NIST SP 800-171 is the 110-control standard for protecting CUI in non-federal systems. CMMC Level 2 assesses how well you have implemented those controls; your SPRS score reflects how many you meet.

What are an SSP and a POA&M?

The System Security Plan (SSP) documents how you meet each control; the Plan of Action & Milestones (POA&M) tracks the gaps you are closing, with owners and due dates. Both are core CMMC artifacts - we help produce and maintain them.

How long does CMMC readiness take?

It depends on your starting posture and CUI footprint. A readiness assessment scopes the work; remediation timelines are typically months, not weeks, and continuous compliance keeps you there afterward.

Is CMMC one-time or ongoing?

Both. You assess to certify, but the controls have to operate continuously - evidence and posture are maintained on a cadence, not only before an audit. That is what our continuous-compliance program covers.

What does a vCISO do?

A virtual CISO gives you executive security leadership without a full-time hire: security strategy, risk and vendor management, incident readiness, board-ready reporting, and - with our AI line - governed AI-workflow adoption.

Do you hold our CUI?

No. Your CUI stays in your own secure enclave (or a CMMC L2 enclave licensed in your name). Our client portal shows only high-level program status and links into your enclave; it never holds CUI.

How do engagements start?

With a short discovery call to scope your goals, contracts, and CUI footprint. From there we propose the right program - readiness, remediation, continuous compliance, vCISO, or a combination.