The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's mandatory cybersecurity framework for the Defense Industrial Base. Level 1 requires 17 basic controls, Level 2 requires the 110 NIST SP 800-171 controls, and Level 3 adds 35 NIST SP 800-172 controls. GR IT Services runs CMMC readiness assessments, closes the gaps, and prepares C3PAO-ready evidence packs.

Identify CUI and FCI in your environment, draw the assessment boundary, document data flows, and right-size the scope so the certification covers what the contract demands — and nothing more.
Map your current state against all 110 NIST 800-171 Level-2 controls (or 17 Level-1 / 145 Level-3). Output: written gap report, remediation plan, and cost-to-close estimate.
Author and maintain the SSP — the central CMMC document covering control implementation, system boundaries, and responsibility assignments. Updated through every control change.
POAM tracking with weekly stand-ups, owned remediation tasks, and evidence collection. Visible, accountable, audit-ready progress against every gap.
Endpoint hardening (CIS Benchmarks), Entra MFA enforcement, Defender deployment, encryption at rest and in transit, network segmentation, FIPS 140-validated cryptography.
Migrate CUI workloads to Microsoft 365 GCC High when contract requirements call for it. Tenant provisioning, identity migration, eDiscovery handover, audit-log retention.
Written IR plan aligned to NIST SP 800-61, tabletop exercises, on-call rotation, DoD reporting workflow under DFARS 252.204-7012 (72-hour incident notification).
Microsoft Sentinel SIEM or Splunk integration, audit-log retention beyond CMMC defaults, vulnerability scanning, and configuration-drift detection on the in-scope environment.
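Configuration-drift detection is the part of this service line that is easiest to show in code. The following is an added Python example, not GR IT Services' own tooling: it compares the hardening baseline signed off at assessment time against a later snapshot of the same settings and reports each deviation tagged with the NIST SP 800-171 Rev 2 requirement it affects, so the finding can go straight onto the POAM. The setting names, their values and the requirement mapping are constructed for illustration.

```python
"""Configuration-drift detection for an in-scope CMMC environment.

Added example, not GR IT Services' tooling. Compares a signed-off hardening
baseline against a freshly collected snapshot and lists every deviation,
tagged with the NIST SP 800-171 Rev 2 requirement it evidences. Setting
names, values and the requirement mapping are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Drift:
    setting: str
    kind: str                   # "changed", "below_minimum", "missing" or "unexpected"
    expected: Any
    actual: Any
    requirement: Optional[str]  # NIST SP 800-171 requirement ID, if mapped


# Constructed baseline: each entry is either an exact expected value or a
# numeric floor ("min"), plus the 800-171 requirement the setting evidences.
BASELINE = {
    "fips_mode_enabled":        {"value": True,  "req": "3.13.11"},  # FIPS-validated crypto
    "mfa_required_all_users":   {"value": True,  "req": "3.5.3"},    # multifactor authentication
    "bitlocker_on_os_volume":   {"value": True,  "req": "3.13.16"},  # CUI at rest
    "smbv1_enabled":            {"value": False, "req": "3.4.2"},    # security configuration settings
    "audit_log_retention_days": {"min": 365,     "req": "3.3.1"},    # audit record retention
}

# Constructed snapshot of the same endpoint collected later: two settings have
# regressed and one setting that was never baselined has appeared.
SNAPSHOT = {
    "fips_mode_enabled": True,
    "mfa_required_all_users": False,    # an exclusion group was added
    "bitlocker_on_os_volume": True,
    "smbv1_enabled": False,
    "audit_log_retention_days": 90,     # retention fell back to a default
    "rdp_listener_exposed": True,       # not in the baseline at all
}


def detect_drift(baseline: dict, snapshot: dict) -> list[Drift]:
    """Return every deviation between the baseline and the snapshot.

    A baselined setting absent from the snapshot is "missing" (it cannot be
    shown to be in place); a setting present only in the snapshot is
    "unexpected", because an unreviewed change is itself drift from the
    maintained baseline.
    """
    findings: list[Drift] = []
    for name, spec in baseline.items():
        req = spec.get("req")
        if name not in snapshot:
            findings.append(Drift(name, "missing", spec.get("value", spec.get("min")), None, req))
            continue
        actual = snapshot[name]
        if "min" in spec:
            if not isinstance(actual, (int, float)) or actual < spec["min"]:
                findings.append(Drift(name, "below_minimum", spec["min"], actual, req))
        elif actual != spec["value"]:
            findings.append(Drift(name, "changed", spec["value"], actual, req))
    for name in sorted(set(snapshot) - set(baseline)):
        findings.append(Drift(name, "unexpected", None, snapshot[name], None))
    return findings


def affected_requirements(findings: list[Drift]) -> list[str]:
    """Distinct 800-171 requirement IDs touched by the findings, for the POAM."""
    return sorted({f.requirement for f in findings if f.requirement})


def format_report(findings: list[Drift]) -> str:
    """One line per finding, in the order detect_drift produced them."""
    if not findings:
        return "No configuration drift detected."
    lines = [f"{len(findings)} drift finding(s):"]
    for f in findings:
        req = f.requirement or "unmapped"
        lines.append(f"  [{req}] {f.setting}: {f.kind} (expected {f.expected!r}, got {f.actual!r})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(detect_drift(BASELINE, SNAPSHOT)))
```

In practice the snapshot would be collected by whatever inventory or endpoint-management tool is already in scope; the value of the check is that it runs on a schedule, and that a regression surfaces as a requirement-tagged finding rather than as a surprise during the mock assessment.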
Full-scope dress rehearsal against the CMMC assessment guide before the C3PAO walks in. Closes residual findings; no surprises on assessment day.
Every consultant on our CMMC bench has run a NIST 800-171 self-assessment to completion. We know which controls auditors actually probe and which evidence formats they accept.
Verified GCC High deployment experience. We handle Microsoft eligibility validation, tenant provisioning, and the migration of CUI workloads from commercial M365.
On-site engagements across the US Defense Industrial Base corridor (DC metro, Huntsville, Boulder, San Diego, Boston). Cleared personnel available for classified-adjacent scopes.
We do not just close the gaps. We deliver the binder: SSP, POAM, control evidence index, IR runbook, training records, vulnerability scan history. Hand it to the C3PAO unedited.
Tier-2 and Tier-3 prime suppliers handling CUI on engineering drawings, ITAR-controlled data, and quality records. Typical scope: 50-300 engineering endpoints.
Avionics, propulsion, and component vendors with CMMC Level 2 requirements flowing down from primes like Lockheed, Boeing, RTX, Northrop. Mixed cleared/uncleared environments.
Federal consultancies, integrators, and SaaS vendors handling FCI in DoD engagements. CMMC Level 1 baselines through Level 2 readiness as contracts ramp up.
DoD-supplying logistics firms, freight forwarders, and supply-chain vendors handling shipment data, inventory feeds, and routing information classified as CUI.
University labs and FFRDC-affiliated researchers handling CUI in DoD-funded research projects. CMMC Level 2 with NIST SP 800-171 baselines tuned for academic environments.
SaaS vendors selling into DoD where CMMC certification or FedRAMP authorisation is a contracting prerequisite. Often paired with our FedRAMP-readiness engagements.
| Feature | CMMC Level 1 (FCI only) | CMMC Level 2 (CUI, most contracts) | CMMC Level 3 (CUI + APT defence) |
|---|---|---|---|
| Controls required | 17 (FAR 52.204-21) | 110 (NIST 800-171) | 110 + 35 (NIST 800-172) |
| Data covered | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI with APT threat |
| Assessment type | Annual self-assessment | C3PAO third-party assessment every 3 years | DIBCAC government assessment |
| Affirmation cadence | Annual | Annual | Annual |
| POAM allowed at assessment? | No (controls in place) | Limited (180-day close) | No (all controls in place) |
| GCC High typically required? | Often | | |
| Typical readiness cost | $15-40k | $80-250k | $250-600k+ |
| Typical engagement length | 2-4 months | 6-12 months | 12-18 months |
2-3 weeks: Identify CUI and FCI, document data flows, define the assessment boundary, and right-size scope. Output: scoping memo, asset inventory, written boundary diagram.
3-4 weeks: Map current-state controls against the level (17 / 110 / 145). Output: written gap report, prioritised remediation backlog, cost-to-close estimate.
3-9 months: Close technical gaps (MFA, encryption, segmentation, Defender, SIEM), policy gaps (SSP, IR plan, training programme), and organisational gaps (governance, vendor risk).
2-3 weeks: Full-scope mock assessment using the CMMC Assessment Guide. Close residual findings, finalise the evidence binder, brief the leadership team on auditor expectations.
2-4 weeks: On-site or remote support during the C3PAO assessment. We sit with your team, answer auditor questions, and handle evidence presentation. Post-audit: remediation if there are findings, affirmation packet preparation.
“We had three months until a Level 2 CMMC contract milestone and a 51-out-of-110 NIST 800-171 self-score. GR IT brought the team that had run CMMC readiness for three other DoD subs — they scoped the boundary, ran remediation in sprints, and shipped the evidence pack two weeks before the C3PAO walked in. We passed first time with two minor POAM items closed in 30 days.”
The general-purpose audit pillar covering HIPAA, SOC 2, NYDFS, NIST CSF, ISO 27001, and PCI.
Our Microsoft 365 pillar, including the GCC and GCC High deployment paths for federal/DoD customers.
Continuous-monitoring SIEM platform that satisfies the CMMC audit-log retention and SIEM control families.
Sixty-minute discovery call with a senior consultant. Output: a written first-cut gap estimate, level recommendation, and engagement scope. No obligation.