Government / Defense Contractors

CybertronIT is an RPO, not a C3PAO. We're a Registered Provider Organization under the CyberAB. We prepare you for assessment. The formal assessment itself is conducted by a separate independent organization (a C3PAO). We'll come back to why that distinction matters, but it needs to be on the table before anything else.

If a prime just flowed CMMC requirements down to you, or you're bidding on a federal contract that requires NIST 800-171 compliance, this page is for you. Our compliance work concentrates in Wichita's aerospace supply chain (the Tier 2 and Tier 3 suppliers to the major aerospace primes), but CMMC and the underlying NIST 800-171 control set are spreading beyond DoD into other federal agencies. We work with civilian-side contractors too. The framework is the same. The flowdown structure is the same. The readiness work looks similar across the board.


Where this usually starts

Most of our CMMC engagements start in one of four places.

The first is a flowdown notice. You got a notice from a customer telling you the contract now carries DFARS 252.204-7012 (which requires NIST SP 800-171 safeguarding of CUI) or the CMMC clause itself, DFARS 252.204-7021. The clock started running the day you signed the contract. The first question is whether you're handling Federal Contract Information (FCI) only, Controlled Unclassified Information (CUI), or both, because that determines your level.

The second is a competitive bid. Increasingly, federal solicitations require CMMC certification or NIST 800-171 self-attestation in the bid itself, not after award. Getting started before the bid is the cheap option. Trying to get certified while the contract is in motion is the expensive one, and sometimes you run out of runway.

The third is upstream prime work. As a prime, you have an obligation to flow requirements down to your subcontractors and to verify they're meeting them. Some of our work is on that side, helping primes structure their flowdown clauses, build vendor risk programs, and verify supplier compliance.

The fourth is a supplier questionnaire. A prime or a larger customer sends a security questionnaire as a condition of staying on the approved vendor list, and you're suddenly attesting to controls you may not have in place. Answering it honestly without putting the relationship at risk starts with knowing where you actually stand.

In all four cases, the first conversation is the same. What do you actually handle, where does it live, who has access to it, and what does your current security posture look like against the standard.


Which level applies to you

Your level comes down to what you handle. If it's Federal Contract Information only, you're at Level 1: an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21. Controlled Unclassified Information moves you to Level 2, which aligns with the 110 requirements of NIST SP 800-171 and, depending on the contract, is either an annual self-assessment or a triennial C3PAO assessment. The full framework breakdown lives on our CMMC Readiness Services page.

The expensive mistake is guessing. Some contractors over-build to Level 2 when the contract only calls for Level 1. The more common and more dangerous case is not realizing CUI has been in the environment until a contracting officer asks for evidence it's been protected. We settle the level in the first phase of every engagement, by reading your contract clauses and inventorying the data you actually receive and generate, because getting it wrong sets the cost of everything that follows.


What we do as an RPO

A Registered Provider Organization is the role specifically defined to help organizations prepare for CMMC assessment. The CyberAB created the role to distinguish advisory and preparation work from the formal certification assessment, which only a C3PAO can conduct. The roles are deliberately kept separate. A single organization cannot prepare you for an assessment and then conduct the assessment. That separation is what makes the certification meaningful.

Most engagements start with a gap analysis. We score your current state against the 110 NIST 800-171 controls (for Level 2 work) or the 15 Level 1 controls. The output is a clear picture of which controls you already meet, which you partially meet, and which you haven't addressed. The gap analysis becomes the baseline for everything else and the input to a real cost estimate for your engagement.

From there we build or refine the System Security Plan (SSP), the document that explains how each control is implemented in your environment. Most contractors either don't have one or have one that doesn't match what their systems actually do. When the C3PAO arrives, the SSP is the document they assess against. If the SSP describes something other than what is actually running, the mismatch is a finding even when the control itself works.

For controls that aren't yet fully implemented, we build the Plan of Action and Milestones (POA&M). The POA&M documents what's missing, what the plan is to address it, and when it will be done. POA&Ms are acceptable for some controls and unacceptable for others under CMMC, and the limits are tighter than most contractors expect. Level 1 permits no POA&M at all: all 15 requirements have to be met. At Level 2, a POA&M is only allowed when your assessment score is at least 80 percent (88 of 110), only for the lower-weighted one-point requirements (with narrow exceptions, and a short list of requirements that can never be deferred), and every open item has to be closed out within 180 days or the conditional certification lapses. Knowing which gaps can wait and which have to be closed before the assessor arrives matters more than most contractors realize.
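As an added illustration (not CybertronIT's tooling, and not part of the original page), here is the arithmetic behind the gap-analysis score and the POA&M eligibility check described above, written in Python. The rules encoded are the DoD NIST SP 800-171 Assessment Methodology scoring (start at 110, subtract 5, 3 or 1 points per unmet requirement, with the defined partial-credit cases for 3.5.3 and 3.13.11) and the Level 2 POA&M limits in the CMMC rule (minimum score of 88, one-point items only except 3.13.11 at three points, five requirements that can never be deferred, 180-day closeout). The requirement weights in the table are a constructed excerpt for illustration; real work uses the methodology's full 110-entry table.

```python
# Added worked example: score a NIST SP 800-171 gap list the way the DoD
# Assessment Methodology does and check whether the open items can sit on a
# CMMC Level 2 POA&M. This is illustrative code, not CybertronIT's tooling.
#
# Rules encoded (from the DoD Assessment Methodology and the CMMC rule):
#   - Start at 110 and subtract each unmet requirement's weight (5, 3 or 1).
#   - 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) deduct 3 instead of 5
#     in the specific partial-implementation case the methodology defines.
#     Any other partially implemented requirement scores as not met.
#   - A Level 2 POA&M is allowed only if the score is at least 88, every open
#     item is worth 1 point (3.13.11 may also stay open at 3 points), and none
#     of the five explicitly excluded requirements are open.
#   - Allowed POA&M items must be closed within 180 days of the assessment.
#   - Level 1 permits no POA&M at all (all 15 requirements must be met).

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

MAX_SCORE = 110
POAM_MIN_SCORE = 88        # 80% of 110, rounded up to a whole point
POAM_CLOSEOUT_DAYS = 180

# Constructed excerpt of requirement weights (assumption for illustration).
# The real table has all 110 requirements; pull it from the methodology.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.4.4": 1, "3.5.3": 5, "3.13.9": 1, "3.13.11": 5, "3.13.16": 1,
}
# Requirements the CMMC rule never allows on a Level 2 POA&M.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# Requirements with a defined partial-credit deduction of 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


@dataclass(frozen=True)
class Finding:
    req: str                # NIST SP 800-171 requirement ID, e.g. "3.5.3"
    partial: bool = False   # True only for the methodology's defined partial case


def deduction(f: Finding) -> int:
    """Points lost for one open requirement."""
    if f.partial and f.req in PARTIAL_CREDIT:
        return 3
    return WEIGHTS[f.req]


def sprs_score(findings: List[Finding]) -> int:
    """Assessment Methodology score for the gap list (110 means no gaps)."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_check(
    findings: List[Finding],
    assessed_on: Optional[Union[date, str]] = None,
) -> Tuple[bool, int, List[str], Optional[date]]:
    """Level 2 POA&M eligibility: (eligible, score, reasons, closeout_due)."""
    score = sprs_score(findings)
    reasons: List[str] = []
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE} minimum")
    for f in findings:
        d = deduction(f)
        if f.req in NEVER_POAM:
            reasons.append(f"{f.req} may never be placed on a POA&M")
        elif d > 1 and not (f.req == "3.13.11" and d == 3):
            reasons.append(f"{f.req} is a {d}-point gap and must be closed before assessment")
    due = None
    if assessed_on is not None:
        if isinstance(assessed_on, str):
            assessed_on = date.fromisoformat(assessed_on)
        due = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    return (not reasons, score, reasons, due)


if __name__ == "__main__":
    # Constructed sample gap list: encryption in use but not FIPS-validated,
    # plus two one-point requirements still open.
    gaps = [Finding("3.13.11", partial=True), Finding("3.4.4"), Finding("3.13.9")]
    ok, s, why, due = poam_check(gaps, assessed_on="2025-01-15")
    print(f"score={s} poam_eligible={ok} closeout_due={due}")
    for r in why:
        print(" -", r)
```

The useful output is the reasons list: a five-point requirement such as MFA (3.5.3) left open does not just cost points, it blocks a POA&M outright, so it has to be fixed before the C3PAO arrives regardless of how high the overall score is.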

We trace where Controlled Unclassified Information (CUI) actually lives and moves in your business. The CUI flow determines the assessment boundary. Boundaries that are too tight miss systems that touch CUI, which becomes a finding during assessment. Going the other way is just as expensive: boundaries that are too broad pull every system in your environment into scope, which means every system has to meet the requirements. The scoping work is where significant time and money decisions get made, often quietly, before anyone realizes.

Many of the NIST 800-171 controls require documented policies and procedures, not just technical controls. We build or refine the policy set so it covers what the standard requires and what an assessor will look for in interviews.

Where controls aren't yet in place, we implement them. That includes the technical work (access controls, multi-factor authentication, logging, encryption, network segmentation, endpoint protection, configuration management) and the administrative work (security awareness training, incident response procedures, vendor management, asset inventory). Much of this work is day-to-day managed IT under another name, which is why we bundle CMMC readiness with managed IT rather than running it as a standalone project beside someone else's MSP.


The pretest is what matters most

Before you pay a C3PAO to conduct the formal assessment, we run mock assessments using the same SSP, the same evidence package, and the same interview style a C3PAO will use.

This is where the value of having an RPO involved compounds. Once you engage a C3PAO, they can only assess, not remediate findings. If the assessor identifies a gap during the formal assessment, your options are limited to whatever the POA&M permits or paying for a re-test after remediation. Both options cost significantly more than catching the same gap during pretest, and the re-test option costs you time you may not have on your contract clock.

The pretest covers three layers.

Technical configuration testing verifies the systems against the documentation. Does the firewall actually do what the SSP claims? Are the logging settings working as documented? Are the access controls implemented or only described? Where the answer is "only described," we fix it.

Mock interviews prepare your team. During the formal assessment, the C3PAO will interview specific people about specific topics. The system administrator gets questions about access management. The training coordinator answers questions about training programs. Whoever owns incident response walks through the procedure. We run those same interviews ourselves first, with the same questions and the same structure, so your team has practiced answering before the formal assessment.

Evidence package review preps the artifacts. The assessor will ask for specific evidence to support each control. Screenshots, log samples, policy documents, training records, system inventories. We build the evidence package, review it against what an assessor will want, and identify the gaps before the C3PAO walks in.

When the C3PAO arrives, nothing about the assessment should be a surprise to your team. That's what a successful CMMC engagement looks like from our side.


Who we work with

The largest segment of our compliance work is the Wichita aerospace supply chain, specifically Tier 2 and Tier 3 suppliers to the major aerospace primes. These are small and mid-sized manufacturing and engineering companies whose CMMC obligations flowed down through prime contracts. Many are also clients for Manufacturing IT, which gives us operational context that purely security-focused consultants don't bring.

We also work with federal civilian contractors facing CMMC or NIST 800-171 obligations from non-DoD agencies (DHS, GSA, and other federal customers). We work with primes preparing for their own flowdown and building vendor risk programs to verify supplier compliance. Manufacturers with mixed commercial and government work fall into our compliance practice when the government side requires CMMC. We work with engineering and professional services firms that handle CUI as part of their technical work for federal customers, and with first-time federal contractors encountering CMMC as a brand new obligation.

The work looks similar across these segments. The differences are in scoping (how much of your business is in the CMMC boundary) and in pace (what your contract deadlines look like).


Why we bundle MSP and CMMC readiness

We don't take on CMMC readiness without also running managed IT for the same client. CMMC isn't a one-time project, it's an ongoing state, and the SSP and POA&M are live documents that have to match what your systems actually do. They drift from reality within weeks if the team writing them isn't the team operating the systems. We keep them aligned by being both, so the hands documenting a control are the hands maintaining it, and nothing changes in your environment that the documentation doesn't catch.

If you already have an MSP you like, that's the honest conversation: whether the contract at stake justifies a switch, what the transition looks like, and what your timing allows. Sometimes the answer is to stay put and find a different path for CMMC, and we'd rather say that early than take work we can't deliver properly.


How a CMMC engagement typically goes

Engagement length varies based on starting posture, but the work moves through fairly consistent phases.

We start with discovery and scoping, which typically takes four to eight weeks. This is where the gap analysis happens, where we determine which level applies, where we map the CUI flow, and where we define the assessment boundary. The output is a clear picture of where you stand and what the path to assessment looks like, plus a realistic cost estimate for the remaining work.

Documentation and technical implementation is where the bulk of the engagement lives. We build or refine the SSP, build the POA&M, write or refine the policy and procedure set, and implement the technical controls that aren't in place. Depending on how much technical work is needed, this phase stretches from three months to twelve months or longer.

Once documentation and controls are in place, we run pretest. Mock assessments, technical config verification, mock interviews, evidence review. This typically surfaces findings, which we then remediate. The pretest and remediation phase runs from a few weeks to a few months depending on what comes up.

When pretest is clean, you're ready to engage a C3PAO for the formal Level 2 third-party assessment, or to self-attest to Level 2 if your contract permits a self-assessment. We don't conduct the assessment, but we support you through it and handle any post-assessment remediation if it's required.

For Level 1 work (FCI-only contracts), the engagement is shorter because the control set is smaller and the assessment is a self-attestation rather than a third-party audit.


Where to start

If you've been handed CMMC or NIST 800-171 requirements and you're not sure what to do first, schedule a 30-minute readiness conversation. We'll talk through your contract clauses, what level likely applies, what your starting posture looks like, and what a realistic timeline and budget look like for your business. No commitments. If your situation calls for a different kind of partner than us, we'll say so.

Frequently asked questions

1. Do I actually need to be CMMC certified?

The answer depends on your contract. If your contract requires CMMC certification at Level 2 with third-party assessment, you'll need to go through a C3PAO assessment to bid on or hold that contract. Contracts that require NIST 800-171 self-attestation, or that only handle FCI, may put you at Level 1 self-assessment or Level 2 self-assessment, depending on the specifics. The level and assessment type are determined by your contract clauses, not by us, not by you, and not by what other contractors are doing. The first step in every engagement is reading those clauses to determine what's actually required.

2. We just got the flowdown. How long does this take?

For Level 2 work, plan for six to eighteen months from "we got the flowdown" to "we're ready for a C3PAO assessment," with significant variation based on starting posture. Contractors with mature security programs and limited CUI handling can move faster, sometimes finishing in six months or less. Companies starting from scratch with broad CUI exposure typically need twelve to eighteen months, occasionally longer. The typical Tier 2 or Tier 3 aerospace supplier we work with falls into the nine-to-twelve-month range. Level 1 self-attestation work is faster, often three to six months.

3. How much does CMMC compliance cost?

It depends on the size of your operation, your starting posture, and how much hardware or software needs to be added or replaced. The honest answer we can give without seeing your business is that it's worth a 30-minute conversation to find out what your numbers actually look like. We'd rather walk through your specifics and give you a real estimate than publish a generic range that misses the work that matters.

What we can say up front: our pricing is structured per user in your business, which scales the engagement with the actual size of the work. The monthly fee covers all our labor on both the managed IT side and the CMMC readiness side. Hardware, software, the C3PAO assessment itself, and any legal review work are billed separately.

4. Can you guarantee we'll pass the assessment?

No. No legitimate RPO will guarantee a CMMC assessment outcome, because the assessment is conducted by an independent C3PAO and the assessor makes the determination. What we can do is significantly improve the odds. Our pretest catches the gaps that would cause findings in the formal assessment while there's still time to fix them. Contractors we work with who go into the formal assessment after our pretest typically pass on the first attempt, but we don't claim a guarantee. If someone is offering you one, ask hard questions.

5. We already have an MSP. Can you work alongside them?

No. We don't do CMMC readiness as a standalone engagement. The reason is in the "Why we bundle MSP and CMMC readiness" section above: the SSP and the live systems have to be operated by the same team or the documentation drifts from reality between writing it and the formal assessment.

If you already have an MSP you like, the honest conversation is about timing and whether the contract at stake justifies a switch. Sometimes the answer is to stay with your current MSP and find a different path for CMMC. We'd rather tell you that than take work we can't deliver properly.

6. What if we self-attest to NIST 800-171 today, but our contract eventually requires a C3PAO assessment?

This is increasingly common as DoD rolls out CMMC. If your self-attestation was rigorous and your SSP accurately reflects your environment, the move from self-attestation to third-party assessment is mostly about packaging the evidence and preparing for the interview process. If the self-attestation was a paper exercise that didn't reflect reality, the move is much more expensive. We can audit an existing self-attestation against what a C3PAO will actually look for, and tell you which scenario you're in.
