CMMC is the US Department of Defense Cybersecurity Maturity Model Certification program, built on NIST SP 800-171, required to handle federal contract and controlled unclassified information.
US defense industrial base contractors and subcontractors handling FCI or CUI on DoD contracts.
The core of what CMMC asks you to put in place.
A Level 1 self-assessment can be done in a few months. Level 2 with a C3PAO depends on remediation and assessor availability and typically takes longer.
We scope FCI and CUI, run the NIST SP 800-171 gap assessment, build your SSP and POA&M, and prepare you for the right CMMC level — leveraging the same control base as Canadian CPCSC work.
See CPCSC / 800-171 Readiness, or compare estimated CMMC cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
The US DoD Cybersecurity Maturity Model Certification program, built on NIST SP 800-171, for contractors handling federal contract or controlled unclassified information.
Level 1 for FCI is self-assessed. Level 2 for CUI is self or C3PAO-assessed against 110 NIST SP 800-171 controls. Level 3 covers the most sensitive programs.
Both are built on NIST SP 800-171, so a company that does one has most of the work done for the other, which helps firms selling to both governments.
Level 1 and some Level 2 contracts allow self-assessment. Higher-assurance Level 2 requires a certified third-party assessor organization (C3PAO).
Controlled Unclassified Information, sensitive government information that is not classified but requires safeguarding under NIST SP 800-171.
Book a free discovery call. We will tell you whether CMMC fits, what it would take, and roughly what it would cost.