CMMC.
Done before your next DoD contract lands.
We prep your business for CMMC Level 1 — 15 basic safeguarding practices under FAR 52.204-21, senior-officer self-attestation, and SPRS submission. We map your scope, write your System Security Plan, run the gap-close, and hand you the signed package. Typical engagement is 30 to 90 days.
Past Level 1? Level 2 readiness uses the same engine →
The CMMC clause is showing up in DoD awards.
The CMMC clause starts appearing in DoD contract awards from Phase 2 onward — initially at Level 1 across the Defense Industrial Base. Contractors handling Federal Contract Information (FCI) need their L1 self-attestation on file when the clause lands.
A senior officer signs the affirmation annually. False or careless attestation creates False Claims Act exposure — this is not a check-the-box exercise. Whoever signs is the one accountable, which is why an accountable practitioner on your side matters.
That's the DoD's estimate for the number of prime and subcontractors that touch FCI and fall under Level 1. Most haven't started. The window between contract award and the affirmation due date is not generous.
SPRS scores and senior-officer affirmations are annual. Once we set you up, the engagement renews — we don't disappear after the first sign-off. The same vault, audit chain, and reports carry forward.
For CMMC Level 1, the Mission Brief is the package.
One diagnostic engagement with Tammie and a practitioner produces every artifact your senior officer needs to sign the annual affirmation — and that survives a future contract dispute or DoD spot-check. Renew each year for the next affirmation cycle, or move into a Fortress subscription if your scope grows to CUI/L2.
We identify which of your systems touch FCI, document the boundary, and produce a signed SSP that satisfies FAR 52.204-21. No template fill-in — the SSP reflects your actual environment.
Each practice you don't yet meet — access control, identification + authentication, audit + accountability, physical protection, system + communications protection — gets a written remediation step, owner, and target date. POAM-style tracker that satisfies DoD's evidence expectations.
The signature is your senior officer's, never ours. But the Mission Brief produces the affirmation document end-to-end: 17 FAR practices × YES/NO/N/A, score math, supporting evidence package, and the affirmation PDF in your vault ready for SPRS submission. Hash-anchored to the same audit chain as every other Key 102 deliverable.
L1 affirmations are annual. Come back next year for another Mission Brief at $674, and we refresh the SSP, re-verify control coverage, and produce the new year's affirmation packet. No retainer, no surprise true-up — pay only when it's time to re-affirm.
Level 2 readiness uses the same engine.
Level 2 covers the 110 practices under NIST SP 800-171 Rev. 2 and handles Controlled Unclassified Information (CUI). It requires a C3PAO assessment for high-priority programs and is the path Defense Industrial Base primes typically need. Typical Fortress L2 engagement runs 6 to 9 months and produces an assessment-ready package the C3PAO walks against.
Same vault, same audit chain, same practitioner. Different engagement depth.
The same backbone every Key 102 engagement runs on.
Every quarterly readiness report is signed by a named, accountable practitioner — name on the page, not an AI byline.
Every file fingerprinted at upload. If a byte changes, we can prove it.
Every action chains to the previous one. Nobody can rewrite history without breaking the chain.
Reports are sealed by an independent timestamping authority. Your assessor can verify the date themselves.
Get your Level 1 done.
For Level 1, the Mission Brief is the package. $674for the SSP, the 15-practice gap analysis, and your SPRS affirmation packet — signed by your senior officer, hash-anchored in your vault, ready for the file. Renew annually.