CMMC Level 1 Readiness.
Get the seventeen practices that protect Federal Contract Information in place before they cost you a contract. Fixed fee. Two to four weeks. Built for small teams, not enterprises.
What CMMC Level 1 actually is.
CMMC Level 1 is the baseline cybersecurity requirement for any company that handles Federal Contract Information. It covers seventeen practices derived from FAR 52.204-21. The Department of Defense and an expanding set of federal agencies are making it a prerequisite to bid, win, or keep work.
Level 1 is the entry tier. It does not require an external assessor. You self-attest annually that your controls are in place. That sounds simple until you sit down with the practice list and realize most of it is documentation, access control hygiene, and incident handling that nobody got around to writing down.
If you fit one of these, you need Level 1 in place.
- VC-backed defense tech startups before their first agency contract
- Existing federal vendors hit with flow-down clauses from prime contractors
- Engineering, manufacturing, and services firms entering federal markets
- Any company storing or transmitting Federal Contract Information on its systems
What is included.
Fixed scope, fixed fee. Typical engagements run two to four weeks depending on scope and current maturity.
- Gap assessment against all 17 CMMC Level 1 practices
- Current control inventory
- Prioritized remediation roadmap
- System Security Plan (SSP) starter
- Plain-language explanation of each practice and what satisfies it
- Readout for leadership and investors
- Optional ongoing advisory at fractional CISO rates
Two to four weeks from kickoff to delivery.
Scope, environment complexity, and current maturity drive the range. Most small contractor engagements land in the middle of that window.
Fixed fee, scoped to your environment.
Pricing depends on the size of your in-scope environment, your current documentation maturity, and how many stakeholders need to be in the working sessions. Send a short note about your context and you will get a number back within one business day.
How the engagement runs.
Five steps, no surprises, no wasted meetings.
- Discovery call: Thirty minutes to confirm scope, fit, and what environment we are looking at. No commitment.
- Pre-engagement questionnaire: Sent in advance. Captures the basics so working sessions stay focused on real questions.
- Working sessions: Structured reviews with whoever runs your IT, security, and operations. Usually two or three sessions across a couple of weeks.
- Findings and roadmap: Written report with the gap assessment, prioritized remediation, and SSP starter. Executive readout to walk leadership and investors through it.
- Optional follow-on: Ongoing advisory at fractional CISO rates to close gaps before assessment or your next contract cycle.
Ready to scope this out?
Send your context and timeline. You will hear back within one business day with a number and the next step.