Skip to content
FUNCSHUN Cybersecurity
CMMC Compliance

Win the contract. Keep it.

If you handle Federal Contract Information or CUI, your next DoD award depends on CMMC. We take you from gap to assessment-ready — NIST SP 800-171 controls, a defensible SPRS score, and the documentation a C3PAO actually wants to see.

Book your strategy callTalk to an engineer

15-minute call · senior engineer · no obligation

L1 + L2
Levels covered
Self-assessment through C3PAO.
110
Controls mapped
NIST SP 800-171 Rev 2.
SPRS
Score, submitted
Defensible and evidence-backed.
01What's included

Everything your assessment needs.

  • 01FCI and CUI data-flow scoping and enclave design
  • 02NIST SP 800-171 control implementation — all 110
  • 03System Security Plan (SSP) and POA&M authoring
  • 04SPRS score calculation and submission support
  • 05GCC High / Microsoft 365 Government tenant guidance
  • 06C3PAO Level 2 assessment preparation and liaison
  • 07Continuous evidence collection between assessments
02How we work

From gap to go-ahead.

01
Scope

Map where FCI and CUI live, then draw the smallest defensible boundary.

02
Assess

Gap-assess against all 110 NIST 800-171 controls and score in SPRS.

03
Remediate

Close technical and policy gaps — MFA, logging, encryption, training.

04
Validate

Level 1 self-attestation or a fully prepped C3PAO Level 2 assessment.

03FAQ

Questions, answered.

Do we actually need CMMC?+

If you're in the DoD supply chain and touch Federal Contract Information or CUI, yes. Level 1 covers FCI; Level 2 is required for CUI and is verified by a C3PAO. Primes are flowing these requirements down to subcontractors now, so it rarely stops at the top tier.

What's the difference between Level 1 and Level 2?+

Level 1 is 15 basic safeguards for FCI, self-assessed annually. Level 2 maps to the 110 controls in NIST SP 800-171 and, for most CUI, requires a third-party (C3PAO) assessment every three years.

What is an SPRS score?+

It's the Supplier Performance Risk System score the DoD uses to gauge your NIST 800-171 posture. We calculate it honestly, build a POA&M for any open items, and support submission — overstating it is a False Claims Act risk we help you avoid.

How long does readiness take?+

Most small and mid-sized contractors reach Level 2 readiness in three to six months, depending on starting posture and whether you need a CUI enclave. We sequence the work so contract deadlines aren't at risk.

Get started

Ready when you are.

Book a 15-minute introduction call. Walk away with a clear next step — whether you work with us or not.

Book your strategy callTalk to an engineer

15-minute call · senior engineer · no obligation