Control and Function

CMMC Level 2 · NIST 800-171 · SOC 2

Compliance readiness for the small shops the big firms overlook.

Assessment-grade documentation in weeks, not months.

On November 10, 2026, CMMC Level 2 certification becomes a condition of award for applicable DoD contracts. We get small defense manufacturers ready for it, and SaaS companies ready for SOC 2, with AI-accelerated delivery and fixed pricing.

Nov 10, 2026
CMMC Phase 2: Level 2 becomes a condition of award
~80,000
Defense contractors needing Level 2 certification
~100
Authorized C3PAOs to assess them all
6 to 18 mo
Typical readiness lead time. Start now.
Built for sub-50-employee shops · AI-accelerated documentation, human-reviewed · Fixed scope, fixed price · Advisory only, never the assessor · Defense background, we speak CUI

CMMC · NIST SP 800-171

The readiness ladder

Start where you are. Every engagement is remote, fixed-scope, and priced for shops without a compliance department.

Diagnose

NIST 800-171 Gap Assessment

From $7.5K

2 to 4 weeks · fixed price

All 110 controls scored against your environment. You get a prioritized remediation roadmap, your current SPRS score, and a clear picture of the distance to Level 2. No obligation to continue.

Most Popular

CMMC Level 2 Readiness Sprint

From $18K

8 to 16 weeks · fixed price

The full documentation mountain, delivered: System Security Plan, POA&M, policies across all 14 control families, evidence mapping, and SPRS submission support. AI-drafted, human-reviewed, assessment-grade.

Retainer

Managed Compliance

$1.5 to $4K / mo

Rolling · after readiness

Compliance is annual, not one-time. Affirmations, evidence upkeep, SPRS maintenance, change reviews, and assessment prep support when your C3PAO date arrives. The discipline that fades after the sprint, kept alive.

We are not a C3PAO and do not perform certification assessments. Readiness and advisory only, by design: nobody should assess their own work.

Want proof before a call?

We will send you a watermarked sample gap diagnostic, the same document format your engagement would produce, so you can judge the output quality before spending a dollar.

Request the sample diagnostic

Also from the practice

SOC 2 readiness for SaaS

The practice was built on operator experience: we led a SOC 2 Type I program end to end with no outside MSP and no compliance platform. That same motion now serves SaaS companies preparing for their first audit or expanding into HIPAA and ISO 27001.

Readiness Coaching

From $8K

4 to 8 weeks · founders own the work

Office hours, document review, control guidance, and auditor liaison support while your team drives the program.

Full SOC 2 Readiness

From $15K

12 to 16 weeks · we drive end to end

Policies, controls, evidence collection, vendor reviews, pre-audit walkthrough, and an audit firm referral when you are ready.

Dual Framework

Scoped

SOC 2 + HIPAA · SOC 2 + ISO 27001

SaaS companies serving regulated buyers usually need a second framework. One engagement, one firm, no handoffs.

Engagement Timeline

What the Readiness Sprint actually looks like.

Four phases, explicit deliverables, an end-of-phase checkpoint every time. No floating timeline, no scope creep.

01

Weeks 1 to 3

Scope and gap

  • · CUI data flow mapping
  • · System boundary definition
  • · 110-control gap assessment
  • · SPRS baseline score
02

Weeks 4 to 8

Documentation built

  • · System Security Plan drafted
  • · POA&M for every gap
  • · Policies, all 14 families
  • · Human review on every artifact
03

Weeks 9 to 14

Remediate and evidence

  • · Control remediation support
  • · Evidence mapped to controls
  • · Vendor and flow-down review
  • · Updated SPRS score
04

Weeks 15 to 16

Assessment prep

  • · SPRS submission support
  • · C3PAO selection guidance
  • · Mock assessment walkthrough
  • · Final readiness package

"Contract deadlines are award criteria now, not aspirations. We treat them that way."

Why Control and Function

Most readiness firms write documents. We deliver readiness.

01

Built for the shops the big firms overlook

Sub-50-employee machine shops and manufacturers with CUI and no compliance staff. The compliance SaaS platforms assume you have a dedicated compliance manager. You do not, and you should not need one. We deliver done-for-you readiness at a price built for your size.

02

AI-accelerated, human-reviewed

A System Security Plan commonly takes 50 to 200 consultant hours drafted by hand, and firms bill accordingly. Our AI-assisted documentation pipeline compresses that to days, with a human reviewing every artifact before it carries our name. You get assessment-grade work at a fraction of the market's hours.

03

Operational, not advisory

The practice was built on running compliance programs as the operator, not observing them as a consultant. We led a SOC 2 Type I program end to end with no outside MSP and no compliance platform. We know what an assessor will press on and where companies waste cycles.

04

Defense background, native CUI fluency

Founded by a serving Air National Guard member with a defense background. We speak contractor, flow-down, and CUI natively, so you do not spend billable hours translating your world to your consultant.

05

IT, security, and compliance under one roof

Most readiness firms are pure GRC writers who cannot configure SSO or speak to engineers in their own language. We can. Faster engagements, fewer escalations, and a delivery cadence technical teams respect.

06

Never the assessor

We prepare you for assessment and hand you off cleanly to the C3PAO or CPA firm that performs it. We never assess our own work. That separation is by design and it protects your certification.

Contact

Start the conversation.

A 30-minute readiness call costs nothing and tells you exactly where you stand, whether the deadline in front of you is CMMC Level 2 or your first SOC 2. No sales pressure. If we are not the right fit, we will say so and point you to someone who is.

Denver, Colorado · Available for engagements across the United States