Compliance Framework

CMMC Compliance

CMMC is the US Department of Defense Cybersecurity Maturity Model Certification program, built on NIST SP 800-171, required to handle federal contract and controlled unclassified information.

Talk to us about CMMC CPCSC / 800-171 Readiness

CMMC for Canadian startups · CMMC cost in CAD

Who needs CMMC

US defense industrial base contractors and subcontractors handling FCI or CUI on DoD contracts.

Key CMMC requirements

The core of what CMMC asks you to put in place.

  • Scope the systems that handle FCI and CUI
  • Implement the NIST SP 800-171 security requirements (Level 2)
  • A System Security Plan and a Plan of Action and Milestones
  • A Level 1 self-assessment for FCI; a Level 2 assessment (self or C3PAO) for CUI
  • Continuous monitoring and annual affirmation
  • Evidence mapped to the 110 NIST SP 800-171 controls at Level 2

Typical timeline

A Level 1 self-assessment can be done in a few months. Level 2 with a C3PAO depends on remediation and assessor availability and typically takes longer.

How we help with CMMC

We scope FCI and CUI, run the NIST SP 800-171 gap assessment, build your SSP and POA&M, and prepare you for the right CMMC level — leveraging the same control base as Canadian CPCSC work.

See CPCSC / 800-171 Readiness, or compare estimated CMMC cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.

Start the CMMC readiness →

CMMC questions

What is CMMC?

The US DoD Cybersecurity Maturity Model Certification program, built on NIST SP 800-171, for contractors handling federal contract or controlled unclassified information.

What are the CMMC levels?

Level 1 for FCI is self-assessed. Level 2 for CUI is self or C3PAO-assessed against 110 NIST SP 800-171 controls. Level 3 covers the most sensitive programs.

How does CMMC relate to CPCSC?

Both are built on NIST SP 800-171, so a company that does one has most of the work done for the other, which helps firms selling to both governments.

Do we need a C3PAO?

Level 1 and some Level 2 contracts allow self-assessment. Higher-assurance Level 2 requires a certified third-party assessor organization (C3PAO).

What is CUI?

Controlled Unclassified Information, sensitive government information that is not classified but requires safeguarding under NIST SP 800-171.

Move on CMMC with a team that has done it

Book a free discovery call. We will tell you whether CMMC fits, what it would take, and roughly what it would cost.

Book a call Contact us