Valtik Studios
CMMC 2.0 · NIST 800-171 · DFARS 252.204-7012

CMMC 2.0 Readiness Assessment

Gap analysis, remediation, and pre-audit preparation for CMMC Level 2 and Level 3. Built by operators who have tested defense-industrial-base environments and know what the C3PAO will find.

CMMC 2.0 is enforceable. Contracts are being lost to it.

The CMMC Program rule (32 CFR Part 170) was published on October 15, 2024 and took effect on December 16, 2024. The companion DFARS acquisition rule (48 CFR) took effect on November 10, 2025 and phases CMMC requirements into solicitations over three years, so that every applicable contract carries them by late 2028. Solicitations now state the minimum CMMC level at bid time. Subcontractors must meet the level required for the information that flows down to them: a sub that receives CUI from a Level 2 or Level 3 prime needs at least Level 2. A self-reported SPRS score under DFARS 252.204-7019/-7020 is no longer enough where the contract calls for a Level 2 certification assessment; the days of self-attestation alone satisfying DFARS 252.204-7012 are ending.

Valtik runs CMMC readiness engagements for defense primes, subcontractors, and DIB suppliers in Connecticut, Texas, and nationwide. Our operators hold or have held security clearances, have worked across classified and CUI environments, and know the controls the C3PAO actually checks during assessment versus the ones that exist only in the documentation.

If your company ships anything to the DoD, whether hardware, software, services, or data, CMMC applies. The main exceptions are contracts solely for commercially available off-the-shelf (COTS) items and those below the micro-purchase threshold. Subcontractors downstream of a DoD prime are also in scope if CUI or FCI reaches their environment.

CMMC 2.0 levels and scope

Level 1
  • Information type: Federal Contract Information (FCI)
  • Requirements: 15 (FAR 52.204-21)
  • Assessment: annual self-assessment, with an annual affirmation

Level 2
  • Information type: Controlled Unclassified Information (CUI)
  • Requirements: 110 (NIST SP 800-171 Rev. 2)
  • Assessment: triennial C3PAO certification assessment (a triennial self-assessment only where the solicitation allows it), with an annual affirmation

Level 3
  • Information type: CUI in programs DoD designates as higher risk
  • Requirements: the 110 Level 2 requirements plus 24 selected from NIST SP 800-172
  • Assessment: triennial government-led assessment by DCMA DIBCAC, on top of a Level 2 certification

What we cover in a Level 2 readiness

Scope determination

The first decision that determines your engagement size is your CUI boundary. We inventory systems, data flows, and personnel roles and categorize each asset the way the CMMC Level 2 Scoping Guide does (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets) to determine what falls inside the assessment scope. A tight, well-documented CUI enclave is the single biggest cost-reduction lever: every asset that can process, store, or transmit CUI, and every asset that protects those, is assessed.

Gap analysis across 110 NIST 800-171 controls

  • Access Control (AC) — 22 requirements
  • Awareness and Training (AT) — 3 requirements
  • Audit and Accountability (AU) — 9 requirements
  • Configuration Management (CM) — 9 requirements
  • Identification and Authentication (IA) — 11 requirements
  • Incident Response (IR) — 3 requirements
  • Maintenance (MA) — 6 requirements
  • Media Protection (MP) — 9 requirements
  • Personnel Security (PS) — 2 requirements
  • Physical Protection (PE) — 6 requirements
  • Risk Assessment (RA) — 3 requirements
  • Security Assessment (CA) — 4 requirements
  • System and Communications Protection (SC) — 16 requirements
  • System and Information Integrity (SI) — 7 requirements

System Security Plan (SSP) development

The SSP is the foundational document the C3PAO will read first, and it is itself a requirement (CA.L2-3.12.4); without one the assessment cannot proceed. We build or update your SSP to match your environment and map every practice to implemented controls with evidence references. The SSP is not a template document. It is an accurate narrative of how your environment meets each requirement, and assessors will test what it says against what they find.

Plan of Action and Milestones (POA&M)

CMMC 2.0 allows a limited POA&M at Level 2, and the rules (32 CFR 170.21) are strict. A conditional certification requires an assessment score of at least 88 of 110; only 1-point requirements may be deferred, with SC.L2-3.13.11 (CUI encryption) as the one higher-value exception when encryption is in place but not FIPS-validated; five 1-point requirements (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) can never be on a POA&M; and all items must be closed within 180 days through a POA&M closeout assessment or the conditional certification lapses. We help you structure a POA&M that fits inside those limits and aligns with your remediation capacity.
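The POA&M limits are easiest to reason about as a scoring check. The following is an added example, not Valtik's tooling, that applies the conditional-certification rules of 32 CFR 170.21 on top of DoD NIST SP 800-171 Assessment Methodology scoring (each requirement is worth 5, 3, or 1 points, 110 total; a not-met finding deducts the full value, and only IA.L2-3.5.3 and SC.L2-3.13.11 allow a partial 3-point deduction). The findings list is constructed sample data, and the point values for requirements other than 3.1.20, 3.1.22, 3.5.3, and 3.13.11 are illustrative; take real values from the published methodology.

```python
"""CMMC Level 2 POA&M eligibility check (added example, not Valtik's code).

Given the requirements that are not fully met, compute the assessment score
and decide whether the result is a final certification, a conditional
certification with a POA&M, or not certifiable until blockers are fixed.
"""
from __future__ import annotations

from dataclasses import dataclass

TOTAL = 110
MIN_CONDITIONAL_SCORE = 88          # 80% of 110 per 32 CFR 170.21
POAM_CLOSEOUT_DAYS = 180

MFA = "3.5.3"                       # IA.L2-3.5.3, 5 points, partial credit allowed
FIPS_CRYPTO = "3.13.11"             # SC.L2-3.13.11, 5 points, partial credit allowed
PARTIAL_ALLOWED = {MFA, FIPS_CRYPTO}
# 1-point requirements that 32 CFR 170.21 never allows on a POA&M
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    rid: str        # NIST SP 800-171 requirement number, e.g. "3.1.20"
    points: int     # 5, 3 or 1 from the DoD Assessment Methodology
    status: str     # "not_met" or "partial"

    def deduction(self) -> int:
        if self.status == "partial":
            if self.rid not in PARTIAL_ALLOWED:
                raise ValueError(f"partial credit is not defined for {self.rid}")
            return 3
        if self.status == "not_met":
            return self.points
        raise ValueError(f"unknown status {self.status!r}")


@dataclass
class Verdict:
    score: int
    outcome: str            # "final", "conditional" or "not_eligible"
    poam: list[str]         # requirements that may be deferred to the POA&M
    blockers: list[str]     # requirements that must be met before certification


def poam_eligible(f: Finding) -> bool:
    """Whether one unmet requirement may be deferred under 32 CFR 170.21."""
    if f.rid in NEVER_ON_POAM:
        return False
    if f.rid == FIPS_CRYPTO:
        return f.status == "partial"   # non-FIPS crypto in place: 3-point deduction, allowed
    return f.points == 1               # everything else: 1-point requirements only


def evaluate(findings: list[Finding]) -> Verdict:
    """Findings cover only requirements not fully met; anything absent is met."""
    score = TOTAL - sum(f.deduction() for f in findings)
    poam = [f.rid for f in findings if poam_eligible(f)]
    blockers = [f.rid for f in findings if not poam_eligible(f)]
    if score == TOTAL:
        outcome = "final"
    elif score >= MIN_CONDITIONAL_SCORE and not blockers:
        outcome = "conditional"        # must close the POA&M within POAM_CLOSEOUT_DAYS
    else:
        outcome = "not_eligible"
    return Verdict(score, outcome, poam, blockers)


def remediate(findings: list[Finding], fixed: set[str]) -> list[Finding]:
    """Drop findings for requirements that have since been fully implemented."""
    return [f for f in findings if f.rid not in fixed]


# Constructed sample: a near-ready environment. Point values for 3.1.20, 3.5.3
# and 3.13.11 come from the methodology; 3.1.9 and 3.2.3 are illustrative.
SAMPLE = [
    Finding("3.1.20", 1, "not_met"),   # external connections: never POA&M-able
    Finding("3.5.3", 5, "partial"),    # MFA missing for general users: -3, not POA&M-able
    Finding("3.13.11", 5, "partial"),  # encryption present but not FIPS-validated: -3, allowed
    Finding("3.1.9", 1, "not_met"),    # privacy/security notices: allowed
    Finding("3.2.3", 1, "not_met"),    # insider threat awareness: allowed
]

if __name__ == "__main__":
    before = evaluate(SAMPLE)
    print(f"score {before.score}/110: {before.outcome}; blockers {before.blockers}")
    after = evaluate(remediate(SAMPLE, {"3.1.20", "3.5.3"}))
    print(f"score {after.score}/110: {after.outcome}; POA&M {after.poam}")
```

In the sample, the environment scores 101 but is not certifiable: 3.1.20 can never be deferred, and 3.5.3 is a 5-point requirement even with partial credit. Fixing those two leaves a 105 with a three-item POA&M, which is a conditional certification with a 180-day clock. A high score alone does not decide eligibility; the identity of what is still open does.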

Penetration testing against CUI-handling systems

CMMC 2.0 Level 2 does not explicitly require penetration testing, but NIST SP 800-171 does require periodic vulnerability scanning (RA.L2-3.11.2) and periodic assessment of whether controls are actually effective (CA.L2-3.12.1), and assessors look for evidence of active validation rather than documentation alone. Our penetration test covers CUI-handling systems, boundary protection, and identity infrastructure, and its report doubles as evidence for those requirements.

C3PAO engagement preparation

  • Assessment Readiness Report summarizing control implementation status
  • Evidence package organization per CMMC Assessment Process (CAP)
  • Personnel interview preparation
  • C3PAO selection advisory (we work with several authorized C3PAOs)
  • Ongoing support during the formal C3PAO audit

The FedRAMP / CMMC overlap for cloud-based CUI

If your CUI touches cloud services, DFARS 252.204-7012(b)(2)(ii)(D) requires those services to meet the FedRAMP Moderate baseline or equivalent. Microsoft 365 GCC High, AWS GovCloud, and Google Workspace for Government are the typical compliant choices. "Equivalent" is not a self-declaration: under the DoD CIO's FedRAMP Moderate equivalency memo the provider must present a body of evidence assessed by a FedRAMP-recognized 3PAO and a customer responsibility matrix, and you inherit only what that matrix says you inherit. We assess your cloud posture against FedRAMP Moderate requirements where applicable and guide tenancy decisions that reduce scope.

Timeline

Starting posture and typical timeline:
  • No existing NIST 800-171 program: 9-15 months to C3PAO-ready
  • Existing DFARS self-attestation with a realistic SPRS score: 6-9 months
  • Strong existing program with a tight CUI boundary: 3-5 months
  • Level 3 uplift from Level 2: 6-12 months additional

Common questions

Is Valtik a C3PAO?

No. We perform readiness work, which is separate from and cannot overlap with C3PAO assessment. The CMMC program's conflict-of-interest requirements for C3PAOs and the Cyber AB Code of Professional Conduct prohibit the same firm from advising and certifying the same organization.

Can we use our existing SOC 2 work to satisfy CMMC?

Partially. There is substantial control overlap between SOC 2 Security TSC and NIST 800-171. Your SOC 2 evidence can accelerate CMMC readiness, but CMMC has specific requirements (CUI marking, personnel screening, supply chain protection) that SOC 2 does not address.

What about the CMMC Level 2 self-assessment option?

Some Level 2 solicitations allow a triennial self-assessment instead of a C3PAO certification; DoD decides which per acquisition. Many defense primes require C3PAO-certified Level 2 from their subs regardless of that allowance, so check your contract language and your prime's flow-down terms.

Ready to start?

Free website security check — no obligation, no sales pitch. Delivered as a plain-English findings report in 48 hours.

Request Free Check