Compliance that holds under audit.

Shield of Steel runs at CMMC Level 2 self-attestation, aligned to NIST SP 800-171 Rev 3, with triennial self-reassessment and a signed executive affirmation on file. For clients, the same team delivers gap assessments, NIST readiness, HIPAA, CJIS, PCI-DSS, and SOX ITGC advisory — written up the way an auditor expects to read it.

Our posture: CMMC L2 · Self-attested
Framework: NIST SP 800-171 · Rev 3
Controls implemented: 110 / 110
Reassessment: Triennial · internal
POA&M window: ≤ 180 days
Client frameworks: 6 · Advisory
12+ years on compliance: Federal-adjacent consulting work since the firm's founding in the Memphis market.
6 frameworks covered: CMMC · NIST SP 800-171 · HIPAA · CJIS v5.9.1 · PCI-DSS v4.0.1 · SOX ITGC.
Q1 '25 current self-attest: Most recent internal reassessment. Affirmation filed by managing officer.
4–6 mo median gap-to-attest: Typical client engagement from kickoff to attestable state at CMMC Level 2.
01 / What CMMC Actually Is

A single floor for DoD contractor cybersecurity.

CMMC is the Department of Defense's way of answering one question consistently across 300,000 contractors — can this company be trusted with government information? It is not a product, not a certification badge, and not a substitute for ongoing security work. It is a published floor with published rules.

The regulation in one paragraph

The Cybersecurity Maturity Model Certification Program is codified at 32 CFR Part 170 and became effective in December 2024. A companion rule under 48 CFR Part 204 — the "DFARS CMMC clause" — inserts the program's requirements into DoD solicitations and contracts. When a DoD contract names a CMMC level, every organization in the supply chain handling the relevant information class must meet that level before contract award, and must keep meeting it for the duration of the contract.

Two information classes drive the entire framework. Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release — contract line items, schedules, performance data. Controlled Unclassified Information (CUI) is a higher category that includes technical drawings, source code, export-controlled designs, export-controlled research, personnel and law-enforcement-sensitive data, and similar. FCI triggers Level 1. CUI triggers Level 2. The top end — the most sensitive subset of CUI on priority programs — triggers Level 3.

What the program actually measures

CMMC does not invent new controls. It wraps two existing bodies of work and makes them auditable:

  • FAR 52.204-21: 17 basic safeguarding practices · Level 1 floor · applies to any FCI-handling contractor
  • NIST SP 800-171: 110 security requirements across 14 families · Level 2 core · Rev 2 is the written baseline, Rev 3 is the direction of travel
  • NIST SP 800-172: Enhanced requirements layered on top of 800-171 · Level 3 only · applied selectively by DoD program
  • Assessment methodology: NIST SP 800-171A (and 800-172A for Level 3) · the rulebook assessors follow
  • SPRS scoring: Supplier Performance Risk System · where contractors post their self-assessment score and executive affirmation

Why contractors stopped ignoring it

Because the DoD made the scoring visible and the affirmation personal. Under CMMC 2.0, a named company officer signs the affirmation in SPRS. That signature is a representation to the federal government — not a checkbox in a contracts-management tool. Misrepresentation exposes the firm and the affirming officer to False Claims Act risk. That is the real mechanism by which the program has teeth, and it is why the level of attention this framework gets in boardrooms has changed since 2023.

02 / The Three Levels

One framework, three depths.

Level is a function of what information you touch, not how big you are. A ten-person machine shop handling CUI is Level 2. A thousand-person firm handling only FCI is Level 1. Scope the data first; the level follows.

Level 01 · FCI
Foundational · FAR 52.204-21

Seventeen basic safeguarding practices — access control, identification, media protection, physical protection, system integrity. The hygiene floor for any contractor that handles federal contract information.

Practices: 17
Information: FCI
Verification: Self-assessment
Cadence: Annual
POA&M: Not permitted

Level 02 · CUI · Our posture
Advanced · NIST SP 800-171

All 110 security requirements across fourteen control families. The bulk of DoD's CUI-handling contractor population lands here. Verification is bifurcated — most contracts require a C3PAO third-party assessment; a defined subset permits self-attestation with executive affirmation.

Requirements: 110
Information: CUI
Verification: C3PAO or self
Cadence: Triennial
POA&M: ≤ 180 days · limited

Level 03 · Top CUI
Expert · NIST SP 800-172

Level 2 in full plus selected enhanced security requirements from NIST SP 800-172 — built to resist advanced persistent threats. Applies to a narrow population of contractors on high-priority DoD programs. Verification is government-led through DIBCAC.

Requirements: 110 + subset
Information: Priority CUI
Verification: Government · DIBCAC
Cadence: Triennial
POA&M: Highly restricted

On self-attestation

Self-attest is not a loophole.

32 CFR Part 170 names a specific population of Level 2 acquisitions where the CUI involved is not identified as requiring C3PAO assessment. For that population the DoD permits self-assessment, a triennial cadence, and a signed executive affirmation in SPRS. The underlying 110 controls are the same. The verifier is internal. The False Claims Act exposure on the affirming officer is identical.

On Rev 2 vs Rev 3

Rev 3 is the direction of travel.

NIST SP 800-171 Revision 3 was published in May 2024. It restructures requirements, tightens organization-defined parameters, and adds explicit content on supply-chain risk and incident reporting. DoD has not yet mandated Rev 3 across every CMMC assessment, but we align new engagements to Rev 3 unless a contract specifically flows down Rev 2. Rev 3 today means less rework next year.

03 / Our Self-Attestation Posture

We hold ourselves to the same floor we ask of clients.

We are not a DoD prime or subcontractor. We hold CMMC Level 2 self-attestation because the control set is a reasonable baseline for any firm handling sensitive client data, and because our federal-adjacent clients expect the consultants they hire to live inside the same discipline they're paying us to implement.

Framework: NIST SP 800-171 Revision 3 · 110 requirements · 14 families

Full 110-control implementation mapped to Rev 3 structure. Documented System Security Plan (SSP) maintained in version control; evidence package refreshed annually.

Verification: Self-attested · Executive affirmation on file · SPRS-style scoring

Assessment performed internally against NIST SP 800-171A procedures. Signed affirmation by managing officer. Score posted to internal register; produced on request under NDA.

Cadence: Triennial · Interim reviews · annual controls test

Full reassessment every three years. Annual internal control testing between cycles. Any drift triggers a POA&M entry the quarter it's discovered.

POA&M: ≤ 180 days · Hard ceiling · no silent carry-forward

Any control that cannot be placed on a POA&M under CMMC 2.0 must be fully implemented before attestation — we apply that rule internally even for items the framework would permit to carry.

04 / Compliance Consulting for Clients

Six frameworks. Written the way an auditor reads.

CMMC is the deepest framework we work with, but it is not the only one. Regulated clients bring us the rest — healthcare, law enforcement, payments, public-company finance, state privacy laws. Every engagement produces the same artifact set: gap report, remediation roadmap, policy package, and an attestable evidence file.

DoD · CMMC

CMMC Readiness: 32 CFR Part 170 · Levels 1 & 2

Gap assessment against all 110 NIST SP 800-171 Rev 3 controls (or 17 FAR 52.204-21 practices for Level 1). SPRS-style scoring, draft System Security Plan, POA&M, and attestation evidence package. Optional C3PAO liaison for organizations pursuing third-party assessment.

Deliverables: SSP · POA&M · SPRS score · evidence bundle

NIST · Baseline

NIST 800-171 Rev 3: Non-federal systems · CUI protection

Standalone NIST SP 800-171 Rev 3 readiness engagement for organizations that need the control baseline but are not pursuing CMMC specifically — research institutions, grant recipients, federal subcontractors in non-DoD agencies, commercial firms preparing for future flow-downs.

Deliverables: Control-by-control gap · remediation plan · policy set

HHS · Healthcare

HIPAA Security: 45 CFR § 164 Subpart C · covered entities & BAs

HIPAA Security Rule assessment for covered entities and business associates — administrative, physical, and technical safeguards. Risk analysis documented to HHS OCR expectations, breach-notification readiness, BAA template review, and incident-response tabletop.

Deliverables: Risk analysis · safeguards matrix · BAA review

CJIS · Law Enforcement

CJIS Policy: v5.9.1 · FBI · LE contractors

CJIS Security Policy v5.9.1 readiness for law-enforcement contractors, MSPs, and vendors who touch criminal-justice information. Personnel security, advanced authentication, media handling, audit logging, and incident reporting — written to the state CJIS coordinator's expected audit.

Deliverables: 13-area control map · personnel vetting plan · audit script

PCI · Payments

PCI-DSS v4.0.1: Council · merchants · service providers

PCI-DSS v4.0.1 readiness and advisory — scope definition, segmentation validation, the twelve requirements end-to-end, and the customized approach where warranted. SAQ selection guidance for merchants; ROC-preparation support for Level 1 firms ahead of a QSA engagement.

Deliverables: Scope diagram · SAQ / ROC prep · evidence index

SOX · Public Co.

SOX ITGC: § 404 · IT general controls for public companies

IT general-controls program for SOX Section 404 — access to programs and data, program changes, program development, and computer operations. Narrative drafting, control design, walkthroughs, and operating-effectiveness testing — aligned to external-auditor PCAOB expectations.

Deliverables: ITGC matrix · control narratives · test work papers

State privacy & breach notification

Also in scope for Tennessee and Mississippi clients: Tennessee Information Protection Act (TN ISPA) readiness for businesses that process personal information at scale, and Mississippi data-breach notification under § 75-24-29. We write the incident-response addenda, the notification-template language, and the record-of-processing both statutes implicitly require.

05 / How We Run The Work

Gap. Remediate. Attest.

Three phases, fixed deliverables, fixed fees per phase. We do not sell perpetual retainers disguised as compliance work. If the engagement doesn't have an end state, it doesn't have a scope.

Phase 01: Gap Assessment

Control-by-control review of your current environment against the target framework. Document discovery, policy review, interviews with IT and business owners, a scoped technical walkthrough, and — where applicable — evidence sampling. We produce the SPRS-style score, a severity-ranked gap register, and a prioritized remediation roadmap with time and cost estimates.

Gap Report · Control Register · 2–4 weeks · fixed fee

Phase 02: Remediation & Buildout

We either run remediation directly, supervise your team, or hand off to your MSP — client's call. Typical workstreams: policy set creation, MFA rollout, logging and monitoring build-out, access-control tightening, incident-response playbook, data-classification rollout, and supply-chain attestations. Weekly burn-down tracked against the roadmap in Phase 01.

Policy Set · Technical Build · Training · 3–10 months · milestone-billed

Phase 03: Attest & Maintain

Evidence package assembly, draft System Security Plan, draft POA&M for the narrow residual items the framework permits to carry, and executive-affirmation package. For organizations going to C3PAO, we stand alongside during the third-party assessment. After attestation, an optional annual control-test retainer keeps the file current between reassessments.

SSP · POA&M · Affirmation Package · 2–3 weeks · fixed fee

06 / Frequently Asked

Real questions. Written answers.

Ten questions we get every week from contractors, compliance officers, and general counsel. The answers below are the same ones we write into engagement letters — no softening, no hedging.

What is CMMC and who governs it?

The Cybersecurity Maturity Model Certification is the U.S. Department of Defense's framework for verifying that contractors handling federal contract information (FCI) or controlled unclassified information (CUI) meet minimum cybersecurity requirements. CMMC 2.0 is codified at 32 CFR Part 170 and became effective in December 2024. The companion DFARS clause that inserts CMMC requirements into DoD contracts lives at 48 CFR Part 204.

The DoD's Cyber Accreditation Body (Cyber AB) administers the ecosystem of C3PAO third-party assessors and credentials the assessors themselves. The Defense Contract Management Agency's DIBCAC handles Level 3 government-led assessments.

What are the three CMMC levels and which one do I need?

Level 1 (Foundational) applies to organizations handling only FCI and requires implementation of the 17 basic safeguarding practices from FAR 52.204-21, verified annually by self-assessment. Level 2 (Advanced) applies to organizations handling CUI and requires all 110 security requirements from NIST SP 800-171 Rev 2 (with Rev 3 rolling in), verified either by self-assessment or by a third-party C3PAO assessment depending on the contract. Level 3 (Expert) applies to a small subset of organizations handling the most sensitive CUI on high-priority DoD programs and requires Level 2 plus selected enhanced requirements from NIST SP 800-172, verified through a government-led DIBCAC assessment.

The level is driven by the information class named in the contract, not by company size. If you are not sure what information class you handle, that is itself a gap — the answer determines every downstream decision.

Is Level 2 self-attestation really allowed, or is this a workaround?

It is allowed, and it is written directly into the regulation. Under 32 CFR Part 170, the DoD permits Level 2 self-assessment for a specific subset of acquisitions — contracts where the CUI involved is not identified as requiring a C3PAO third-party assessment. Self-assessment at Level 2 requires a triennial assessment, an executive-officer affirmation posted in SPRS, and a POA&M that closes any open items within 180 days.

The majority of Level 2 contracts will require C3PAO certification — self-attestation is not a backdoor around the program. It is a documented option for a defined population of contracts, and the organization using it still carries full False Claims Act exposure on the affirmation.

What is Shield of Steel's own CMMC posture?

Shield of Steel maintains CMMC Level 2 self-attestation aligned to the 110 security requirements in NIST SP 800-171 Revision 3. We operate a triennial self-reassessment cadence, keep a signed executive-officer affirmation on file, and run a POA&M with a 180-day maximum remediation window.

We are not currently a DoD prime or subcontractor. The posture exists because our federal-adjacent clients — defense suppliers, law-enforcement contractors, regulated healthcare firms — expect the consultants they hire to live inside the same discipline they are paying us to implement. Our current attestation was refreshed in Q1 2025 and is produced on request under NDA.

How long does a CMMC Level 2 readiness engagement take?

For a typical mid-market firm with a working IT function, the median engagement runs 4 to 6 months from kickoff to attestable state: roughly 3 weeks for gap assessment, 3 to 5 months for remediation across the 14 control families, and a 2-week evidence-package build. Firms starting from a weaker baseline — no documented information-security program, inconsistent MFA, scattered logging — should plan for 8 to 12 months.

The length is not driven by the control count. It is driven by how much of your environment needs to be rebuilt versus how much can be certified in place. We scope the answer in the first two weeks of the gap assessment and tell you before you commit to Phase 02.

What does a CMMC engagement cost?

Fixed-fee per phase. For a mid-market organization pursuing Level 2, gap assessment typically runs five figures; remediation is a function of what has to be built, usually mid-five to low-six figures for a firm starting from a reasonable baseline; attestation packaging is a smaller fixed fee in the low five figures. C3PAO assessment fees — if you go that route — are separate and paid to the C3PAO, not to us.

We will give you a real number after the first two weeks of the gap assessment. We will not quote a range sight-unseen, and we will not sell you a retainer that prices the work by the month instead of by the deliverable.

What is a POA&M and what are the rules under CMMC 2.0?

A Plan of Action and Milestones is the formal register of unmet controls, the remediation plan for each, and the target completion date. Under CMMC 2.0, a Level 2 organization may achieve conditional attestation with a POA&M open — but only for specific lower-weighted controls, only up to a defined score threshold, and only if every open item closes within 180 days.

Certain controls cannot be placed on a POA&M at all — they must be fully implemented before attestation. Those include, among others, the bulk of the identification-and-authentication family, the core access-control requirements, and anything tied to protecting stored and transmitted CUI. Treating the POA&M as a slack-bucket instead of a targeted remediation register is the single most common reason first-time self-attestations fail a subsequent C3PAO assessment.

What's the difference between NIST SP 800-171 Revision 2 and Revision 3?

Rev 2 was the operative baseline when CMMC 2.0 was drafted; Rev 3 was published in May 2024 and restructures the 110 requirements, tightens language around organization-defined parameters, adds explicit content on supply-chain risk and incident reporting, and modernizes several control families — most visibly identification and authentication.

DoD has not yet mandated Rev 3 across every CMMC assessment and there are transition provisions. Rev 3 is the direction of travel. We align new engagements to Rev 3 unless a specific contract flow-down names Rev 2. Rev 3 today is less rework later.

Do you work with clients outside defense?

Yes. The CMMC control set is the deepest framework we work with, but the same team handles HIPAA Security Rule engagements for covered entities and business associates, CJIS Security Policy v5.9.1 for law-enforcement contractors and their vendors, PCI-DSS v4.0.1 for merchants and payment processors, SOX IT general controls for public-company finance functions, and state-level privacy and breach-notification obligations — including the Tennessee Information Protection Act and Mississippi's data-breach statute at § 75-24-29.

We do not run engagements in jurisdictions we cannot practically service; for out-of-region work we partner with local counsel and bring the technical program expertise.

What does a gap assessment actually deliver?

A written report that maps every required control to its current state of implementation at your organization, flags the gaps, assigns each gap a severity, estimates remediation effort and cost, and produces a prioritized roadmap with milestones.

For CMMC Level 2, that means a control-by-control assessment across all 14 NIST SP 800-171 Rev 3 families, an initial SPRS-style self-assessment score, a draft System Security Plan (SSP), and a POA&M template you can carry into remediation. The deliverable goes to you as a PDF, a spreadsheet, and a set of policy-stub documents — not a vendor portal you lose access to when the engagement closes.

07 / Next Step

Tell us the framework. We'll build the file.

A senior consultant will spend an hour on the phone with you, review the contract or regulatory trigger, and send back a written scope-of-work and fixed gap-assessment fee within five business days. No cost, no obligation, no pitch — we'd rather pass on a bad fit than sell you work we can't finish.