From Level 1 self-assessment to Level 3 C3PAO engagement, AltiriOS provides the vCISO leadership, gap assessment, and evidence management infrastructure that defense contractors need to certify and stay certified.
CMMC has three levels — each building on the last. Understanding your required level is the first decision in any compliance program.
| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Controls | 17 controls (NIST 800-171 rev 1) | 110 controls (NIST 800-171 rev 2) | All Level 2 + 20+ additional controls |
| Assessment Type | Annual self-assessment | Third-party C3PAO assessment | Government-led assessment (DIBCAC) |
| Frequency | Annual | Every 3 years (with annual self-assessment) | Annual + continuous monitoring |
| Who It Applies To | Contractors handling Federal Contract Information (FCI) | Contractors processing, storing, or transmitting CUI on DoD programs | Programs with highest sensitivity — weapons systems, classified, critical infrastructure |
| Est. Timeline | 3–6 months | 12–18 months | 18–36 months |
| Est. Cost Range | $15K–$40K | $100K–$280K | $250K–$700K+ |
Every CMMC engagement follows the same three-phase model — from initial gap assessment through evidence collection and remediation, to full C3PAO coordination.
NIST 800-171 gap assessment against all in-scope controls. Maturity scoring, evidence gap analysis, and a prioritized POA&M — your roadmap from current state to assessment-ready.
Technical control implementation, SSP development, evidence artifact collection, and POA&M closure. We manage the documentation infrastructure so your team can focus on operations.
Full C3PAO coordination, assessor interface management, remediation of findings, and DCSA certification support. Binary pass/fail — we make sure you land on the right side.
CMMC affects contractors across the defense industrial base and beyond. We focus on the organizations where certification is a contract requirement — not a nice-to-have.
Every engagement produces concrete documentation, infrastructure, and coordination — not just recommendations.
Full control-by-control scoring across all 110 requirements. Maturity model, evidence gap analysis, and prioritized POA&M.
Complete SSP covering all 14 domains, network architecture diagrams, access control documentation, and incident response procedures.
Organized, assessor-accessible evidence management system — eliminating the 3–4x evidence underestimate that kills assessments.
Remediation roadmap management, progress tracking, and formal closure documentation for every gap identified in the gap assessment.
Registered Practitioner Organization support, assessor scheduling, documentation package preparation, and findings remediation management.
Embedded fractional vCISO with CMMC-specific experience — program management, board reporting, and ongoing compliance posture ownership.
CMMC is not a general security engagement. It requires specific methodology, documentation discipline, and assessor-side experience.