Built for the
Defense Industrial Base.

01

CMMC Readiness

Project-based

CMMC compliance is a contractual requirement for organizations in the Defense Industrial Base handling Controlled Unclassified Information. We guide you from initial gap assessment through remediation, evidence collection, and C3PAO audit readiness — with a program designed to satisfy assessors and actually improve your security posture. We have direct experience with the self-assessment and third-party assessment pathways.

Scope Includes

• ›CMMC Level 2 & Level 3 gap assessment and scoring
• ›System Security Plan (SSP) development and review
• ›POA&M development and milestone tracking
• ›CUI boundary scoping and data flow mapping
• ›Evidence collection and documentation packages
• ›C3PAO assessment preparation and mock assessments
• ›SPRS score calculation and submission guidance

02

NIST SP 800-171 Compliance

Project-based

NIST SP 800-171 forms the foundation of CMMC Level 2 and is a direct contractual requirement under DFARS for any organization handling Controlled Unclassified Information. We help organizations understand their current compliance posture, develop a credible remediation plan, and build the documentation infrastructure required by assessors and the DoD.

Scope Includes

• ›Full 110-control gap assessment across all 14 domains
• ›System Security Plan (SSP) development
• ›Plan of Action & Milestones (POA&M) management
• ›CUI identification, scoping, and handling procedures
• ›Configuration management and access control implementation support
• ›Audit and accountability log coverage mapping
• ›SPRS self-assessment scoring and submission

03

ITAR / DFARS Compliance

Project-based

ITAR and EAR compliance is a legal obligation for companies that manufacture, export, or broker defense articles and services. Non-compliance carries criminal liability, debarment risk, and potential loss of export privileges. We help organizations understand their ITAR obligations, implement compliant processes, and integrate export control requirements with their broader cybersecurity program.

Scope Includes

• ›ITAR applicability assessment and commodity jurisdiction analysis
• ›Technical data control program design
• ›Foreign national access controls and visitor procedures
• ›DFARS cybersecurity clause gap assessment
• ›Integration of ITAR controls with CMMC/800-171 programs
• ›Employee training program design for export compliance
• ›Voluntary self-disclosure preparation support

04

Defense Security Assessments

Project-based

Security assessments for defense contractors require understanding the unique threat landscape, classification requirements, and regulatory obligations of the DIB. Our defense assessments go beyond standard commercial frameworks to account for nation-state threat actors, supply chain integrity requirements, and the intersection of physical and cyber security common in defense environments.

Scope Includes

• ›DIB-specific threat modeling and risk assessment
• ›NIST SP 800-53 control assessments for federal suppliers
• ›Supply chain risk management (SCRM) program design
• ›Defense subcontractor flow-down requirements review
• ›Insider threat program assessment
• ›Physical and cyber security convergence review