Your DoW contract is at risk.
CMMC 2.0 enforcement is already here.
CMMC 2.0 enforcement is already showing up in active DoW solicitations. Contractors who can't prove compliance are getting cut from the supply chain, quietly and without appeal. If you haven't started yet, you're behind.
Miss this and you lose the contract.
The Department of War is enforcing CMMC across its entire supply chain. There's no grace period and no waiver for being unprepared, just a straight in-or-out decision.
Contracts are being awarded without you
CMMC Level 2 requirements are already embedded in active DoW solicitations. If you can't demonstrate compliance, you don't make it to evaluation, and no one calls to tell you why.
Your SPRS score is visible to every contracting officer
Your Supplier Performance Risk System score is visible to DoW buyers before they even open your proposal. A low score, or no score at all, gets you passed over before anyone reads a word of your bid.
110 controls, all of them, no exceptions
CMMC Level 2 requires every one of the 110 NIST SP 800-171 controls to be implemented, not most of them and not just the easy ones. Partial compliance is non-compliance.
We get you compliant, fast.
From your first gap assessment to C3PAO audit readiness, we run the compliance programme so your team doesn't have to figure it out from scratch.
CMMC gap assessment
We assess your current posture against all 110 NIST SP 800-171 controls and calculate your SPRS score, so you know exactly where you stand and what needs to change.
Remediation roadmap
We build a prioritised, costed action plan around your actual systems, team, and contract deadlines, not a generic checklist. A plan you can actually execute.
System Security Plan (SSP)
We write the SSP, POA&M, and all required documentation so you arrive at your C3PAO assessment with everything in order instead of scrambling the week before.
DFARS clause compliance
DFARS 252.204-7012 through -7021 carry obligations most contractors don't discover until they're already in breach, including 72-hour incident reporting requirements. We make sure you're covered.
ISO 27001 to CMMC bridge
Already ISO 27001 certified? You're not starting from zero. We map your existing controls to CMMC requirements, document what's covered, and close what isn't, without duplicating work you've already done.
Ongoing compliance
CMMC certification isn't a one-time event. We keep your programme current through annual affirmations, control monitoring, and readiness checks as requirements evolve.
We've done this before, and we know where it goes wrong.
We are auditors and implementers, not advisors who hand you a report and disappear. Our team has decades of experience in quantitative compliance and audit programmes across defence and financial services.
A team that lives inside controls
We work across multiple compliance frameworks every day: cybersecurity, AI governance, privacy, financial regulation. We understand how controls are built, tested, documented, and defended under audit scrutiny.
We measure, we don't guess
Our background is in quantitative measurement and data, so our compliance programmes are built on evidence rather than assumptions. That's exactly what a C3PAO assessor wants to see.
No bloat, no bureaucracy
You get a senior practitioner, not a junior consultant supervised from a distance. Organisations with real budget constraints get real help.
We know both sides of the Atlantic
We understand GDPR, NIS2, and NATO obligations alongside US DoW requirements, which matters if you're a European contractor or a US prime with international subcontractors.
European defence firm? You still have to comply.
CMMC applies to the entire DoW supply chain, including UK, EU, and NATO-aligned contractors handling Controlled Unclassified Information on US defence programmes. Most European firms are significantly behind. That gap is closeable, but not if you wait.
UK defence contractors
UK suppliers to US DoW programmes face the same CMMC requirements as US firms, and the same consequences for missing them. We help UK contractors navigate CMMC alongside existing UK MOD cyber obligations.
EU & NATO suppliers
European firms in the NATO supply chain are increasingly subject to CMMC conditions in contract renewals. The window to get ahead of this is now, not when the next solicitation lands.
Free gap review — written summary delivered within 5 business days.
Tell us about your organisation and your DoW contract situation. We'll come back to you with a written gap review summary within 5 business days — no spin, no upsell, just a clear picture of where you stand and what needs to change.
Questions we get asked every week
What is CMMC 2.0 and who does it apply to?
CMMC 2.0 is the Department of War's cybersecurity framework for its supply chain. It applies to any organisation, US or non-US, that handles Federal Contract Information or Controlled Unclassified Information under a DoW contract. If your contract touches CUI, CMMC Level 2 applies to you.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers 17 basic practices for organisations handling FCI only. Level 2 requires full implementation of all 110 NIST SP 800-171 controls and applies to anyone handling CUI. Level 2 typically requires a third-party assessment by a C3PAO; you cannot self-certify.
What is an SPRS score and why does it matter?
Your SPRS score is a number between -203 and +110 representing your self-assessed compliance with NIST SP 800-171. DoW contracting officers see this score before they read your proposal. A missing or very low score is enough to get you eliminated before evaluation starts.
Do European defence contractors need CMMC certification?
Yes. CMMC applies to the entire DoW supply chain regardless of where you're headquartered. UK, EU, and NATO-aligned organisations handling CUI under US defence contracts face the same requirements as US contractors, and the same consequences for non-compliance.
How does ISO 27001 help with CMMC compliance?
ISO 27001 and NIST SP 800-171 share significant overlap. You're not automatically compliant, but you're not starting from zero either. A proper gap assessment maps your existing controls to CMMC requirements, so you close real gaps instead of rebuilding what you already have.
What is a System Security Plan and do I need one?
A System Security Plan documents how your organisation implements each of the 110 NIST SP 800-171 controls. It is a mandatory artefact for CMMC Level 2 assessment. Without a complete, accurate SSP, you cannot pass a C3PAO assessment.