CMMC Level 2 Compliance for Small Defense Contractors
From current state to assessment-ready in 6 weeks. All 110 NIST SP 800-171 practices evaluated, documented, and mapped — so you can pass your C3PAO assessment and keep your DoD contracts.
⏰ The Clock Is Ticking
Phase 2 of CMMC starts November 10, 2026. That's when DoD begins requiring Level 2 C3PAO certification in contract solicitations — not self-attestation, third-party assessment. Lockheed Martin is already requiring suppliers to document their CMMC status in SPRS. Boeing is strongly encouraging Level 2 certification now.
For small defense subcontractors, the math is simple:
The ClearanceReady Readiness Program
A 6-week engagement that takes your company from wherever you are today to assessment-ready for CMMC Level 2. We evaluate all 110 NIST SP 800-171 Rev 2 security requirements, produce all required documentation, and give you a clear remediation roadmap for any gaps.
Baseline SPRS Score
A hands-on gap assessment of all 110 practices, not a self-assessment questionnaire. You'll know exactly where you stand.
System Security Plan (SSP)
All 14 control families with implementation statements specific to your environment. Written by someone who has been on the DoD side of these assessments.
Plan of Action & Milestones (POA&M)
Prioritized remediation entries with risk ratings, timelines, and milestone tracking for every gap identified.
Evidence Artifact Inventory
Every MET practice mapped to its supporting evidence — screenshots, policy docs, configuration exports.
C3PAO Readiness Briefing
A final working session walking your leadership through exactly what the assessment will look like, what the assessor will ask, and where your risk areas are.
90-Day Remediation Support
Post-Sprint access for questions, remediation progress review, and guidance as you work through your POA&M.
6 Weeks from Kickoff to Assessment-Ready
Client completes Compass Intake Questionnaire. NDA executed. Kickoff call scheduled.
Kickoff call. Network topology review. CUI flow mapping. Asset inventory. Key personnel interviews.
Walk all 110 practices against your environment. Collect evidence. Document gaps. Score SPRS baseline.
Draft SSP and POA&M. Write implementation statements. Map evidence artifacts.
Client review. Remediation prioritization. Quick-win implementation guidance.
Leadership briefing. Assessment simulation. Final document handoff. 90-day support begins.
Total client time commitment: approximately 15–20 hours across the 6 weeks. All heavy lifting is done by Solas AI.
Simple, Fixed-Price Packages
No hourly billing. No scope creep surcharges.
Recon
Companies who want to know where they stand before committing.
- ✓ Full 110-practice gap assessment
- ✓ SPRS score calculation
- ✓ High-level remediation priorities
- ✓ Summary evidence review
Readiness Program
Companies ready to prepare for a C3PAO assessment.
- ✓ Everything in Recon, plus:
- ✓ Complete System Security Plan (SSP)
- ✓ Full POA&M with risk ratings
- ✓ Detailed evidence artifact mapping
- ✓ Remediation roadmap
- ✓ C3PAO readiness briefing
- ✓ 90 days advisory support
Readiness + Remediation
Companies who need hands-on help closing the gaps.
- ✓ Everything in Readiness Program, plus:
- ✓ 12 weeks hands-on remediation guidance
- ✓ Implementation prioritization
- ✓ Vendor and tool recommendations
- ✓ Progress reviews every 2 weeks
Payment: 50% at kickoff, 50% at documentation delivery.
🛡 Built by Someone Who's Been on the DoD Side
Your ClearanceReady engagement isn't run by a generalist IT consultant who added CMMC to a service menu. I've held ISSM roles inside the Department of Defense, managing the same kind of systems C3PAOs will be assessing. I hold CISSP and CISM certifications, and I'm a Cyber AB Registered Practitioner (RP) — authorized by the CMMC Accreditation Body to deliver CMMC consulting services. I know what assessors look for because I've been in the room.
The difference shows up in the documentation. An SSP written by someone who has lived the DoD security environment reads differently than one written by someone who studied the NIST framework. Assessors can tell.
Add-Ons
| Service | Price |
|---|---|
| On-Site Assessment Day | $2,500/day + travel |
| Annual SSP/POA&M Refresh | $3,500/year |
| SPRS Submission Assistance | $750 |
| Incident Response Plan Build | $2,000 |
| Policy Document Package (12 policies) | $3,500 |
| Mock C3PAO Assessment | $4,000 |
Frequently Asked Questions
Do I actually need CMMC?
If your contracts include DFARS 252.204-7012 or you handle Controlled Unclassified Information (CUI) for a DoD prime or the government directly, yes. Search your active contracts for that clause — if it's there, CMMC applies.
What's the difference between self-attestation and C3PAO certification?
Phase 1 (through November 2026) allows self-attestation for most Level 2 contracts. Phase 2 starts requiring third-party C3PAO assessments. Some contracts already require C3PAO certification now, and major primes like Lockheed and Boeing are pushing suppliers to certify ahead of schedule.
Can my MSP/IT provider do this instead?
Your MSP can handle technical controls — firewall rules, MFA, patching. Where MSPs typically fall short is the documentation: writing the SSP, building the POA&M, mapping CUI boundaries, and preparing evidence for the assessor. Those require someone who understands how C3PAO assessments work. We recommend keeping your MSP for implementation and bringing us in for documentation and assessment prep.
What if my SPRS score is really low?
That's actually valuable information. A Recon assessment that tells you your score is 37 with 43 NOT MET practices gives you a clear remediation roadmap. Most small defense subs are doing 60–70% of the practices already — they just can't prove it because nothing is documented.
Is Solas AI a C3PAO?
No. We are a consulting firm that helps you prepare for your C3PAO assessment. We do not conduct official CMMC assessments and have no financial relationship with any C3PAO. This independence is important — the entity that prepares you should never be the entity that assesses you.
Do you work remotely?
Yes. All ClearanceReady engagements are delivered remotely via secure video conference and encrypted file sharing. On-site visits are available as an add-on for companies requiring physical security assessment or classified environment reviews.
Ready to Find Out Where You Stand?
Book a free 20-minute call. I'll tell you whether your contracts require CMMC Level 1 or Level 2, what the timeline looks like for your situation, and whether a Recon assessment or full Readiness Program makes sense. No pitch, no pressure — just a straight answer from someone who knows the framework.
No commitment required · david.moline@solasai.net · (619) 648-8050