
CMMC Compliance Prep for DoD Contractors and Subcontractors

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's required framework for any company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). APT Security Management, based in North Charleston, SC, helps defense contractors and subcontractors across the United States prepare for CMMC Level 1 self-assessment and Level 2 third-party assessment using a prepaid token model with no long-term contract. APT serves as your advisory and prep partner under a Registered Practitioner (RP) credential. APT does not perform the official CMMC assessment; that work is done by a separate Certified Third Party Assessment Organization (C3PAO).

Who Needs CMMC Compliance Prep

If your company is in the Department of Defense supply chain and your contracts include the FAR 52.204-21 basic safeguarding clause, the DFARS 252.204-7012 clause, the DFARS 252.204-7021 CMMC clause, or any flow-down requirement from a prime, CMMC affects you.

The Two Most Common Situations

You handle FCI but not CUI

Federal Contract Information is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. If this describes your work, you most likely need CMMC Level 1. Level 1 is satisfied through an annual self-assessment and affirmation against the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in earlier versions of the CMMC model).

You handle CUI

Controlled Unclassified Information is government information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. If you store, process, or transmit CUI, you most likely need CMMC Level 2. Level 2 requires implementation of all 110 security requirements in NIST SP 800-171, verified by a C3PAO assessment for most CUI contracts. The DoD also defines a Level 2 self-assessment option for a subset of contracts, so check which variant your solicitation specifies.

CMMC also applies to subcontractors and suppliers when prime contractors pass the requirement down the chain. If you are unsure whether your contracts flow CMMC obligations to you, the first step is a quick scoping conversation. APT does this at no cost as part of the initial consultation.

Level 1 Prep Track

Level 1 is the entry point for small and mid-size DoD subcontractors that handle FCI only. It is satisfied by annual self-attestation, signed by a senior company official and submitted through the Supplier Performance Risk System (SPRS).

What APT Delivers for Level 1 Prep

A scoping review to confirm your contracts and data flows fall within Level 1

A requirement-by-requirement gap check against all 15 Level 1 requirements from FAR 52.204-21

Implementation help to close any gaps before you sign the affirmation, including endpoint protection, multi-factor authentication, and email filtering through APT's partner stack

A pre-attestation review so the executive signing the affirmation has confidence in what they are certifying

A written readiness report with current status, gaps, and remediation steps

Documentation support so your policies and procedures actually back up the self-attestation

Level 1 engagements are faster and lighter than Level 2. Most small subcontractors can move from kickoff to a signed attestation in a matter of weeks once any gaps are closed. All Level 1 work is priced in tokens.

Level 2 Prep Track

Level 2 is the standard for contractors that handle CUI. It requires demonstrated compliance with all 110 controls in NIST SP 800-171 and a successful assessment by a C3PAO. The bar is higher, the documentation requirements are more involved, and the prep cycle is longer.

What APT Delivers for Level 2 Prep

A full gap assessment against all 110 NIST 800-171 controls

A control-by-control status report with severity-ranked findings

Evidence collection support so you can show an assessor what they need to see

A System Security Plan (SSP) drafted or refined to reflect your actual environment

A Plan of Action and Milestones (POA&M) document with realistic timelines for the gaps CMMC permits on a POA&M (a limited set of lower-weighted requirements, which must be closed within 180 days of a conditional assessment result)

A remediation roadmap that separates documentation work from technical control work

Technology integration to close real gaps, not just identify them. APT deploys and tunes Sophos for endpoint protection and audit logging, Fortinet for network segmentation and boundary controls, and Proofpoint for email security and phishing defense

A pre-assessment readiness check before your C3PAO arrives

APT does not perform the official Level 2 assessment. That role belongs to a C3PAO authorized by the Cyber AB. APT helps you select a C3PAO when you are ready and stays available during the assessment to answer questions and provide evidence. All Level 2 work is priced in tokens, drawn down as the engagement progresses.


Why APT for CMMC Prep

Registered Practitioner Credential

APT has a credentialed Registered Practitioner on staff. The RP designation, issued under the Cyber AB ecosystem, means you are working with someone trained specifically on CMMC requirements and the assessment process.

One Partner for Advisory and Remediation

Many CMMC consultants tell you what is wrong and then leave you to find tools and integrators. APT closes gaps. The same team that identifies your boundary protection problem can deploy and tune Fortinet to fix it. The same team that flags your email security gap can implement Proofpoint.

Token-Based Engagement

You pay for the work you need, when you need it. No 12-month retainer to start a gap assessment. No commitment to keep paying after remediation wraps. Tokens carry across services, so if you need Managed Detection and Response after your CUI environment is segmented, the same tokens cover it.

Vendor-Neutral Recommendations

APT does not earn commissions on partner tool sales. Recommendations are based on what closes your gap most efficiently, not what pays the best.

Senior Staff with Named Credentials

APT's team holds certifications including OSCP, CISSP, CEH, and GPEN. The person scoping your engagement is the same person reviewing your findings.

Choose Your Engagement Model

Every APT service is delivered through one of three engagement models. Pick the one that fits how your team works.

ravenWing

Email-based updates and scheduled reporting. Ideal for small Level 1 subcontractors that want low-maintenance security oversight.

ravenGuard

Secure client portal access, role-specific reports for technical and non-technical staff, and scheduled status meetings. Ideal for mid-market contractors going through Level 2 prep.

ravenSentinel

Custom dashboards, collaborative strategy sessions, and direct coordination with your IT team. Ideal for larger contractors that want CMMC prep tightly integrated with their internal program.

Not sure which fits? Talk to a strategist.

Frequently Asked Questions

What is CMMC and who has to comply?

CMMC, the Cybersecurity Maturity Model Certification, is the Department of Defense's framework for protecting Federal Contract Information and Controlled Unclassified Information across the defense supply chain. It applies to any company holding a DoD contract or subcontract that includes the FAR 52.204-21 clause, the DFARS 252.204-7012 clause, or flow-down CMMC requirements from a prime contractor. There are three levels. Most contractors fall into Level 1 (FCI only) or Level 2 (CUI handling).

Is APT a C3PAO? Will you perform our actual CMMC assessment?

No. APT is an advisory and prep partner with a Registered Practitioner on staff. The official CMMC Level 2 assessment is performed by a Certified Third Party Assessment Organization (C3PAO) authorized by the Cyber AB. APT prepares your environment, documentation, and evidence so the C3PAO assessment goes smoothly. We stay available during the assessment to answer questions and produce evidence.

How much does CMMC prep cost in tokens?

Cost depends on your level, the size of your environment, your current state, and how much remediation is needed. Level 1 engagements are smaller. Level 2 engagements vary widely, especially when SSP drafting, segmentation work, or tool deployment is involved. Contact us for a token quote scoped to your situation.

How long does CMMC prep take?

Level 1 prep typically runs a few weeks from kickoff to signed attestation, assuming gaps are limited. Level 2 prep usually runs several months because of the documentation depth, technical remediation, and the time needed to operate controls before an assessor will accept them as evidence. APT gives you a realistic timeline as part of your scoping call.

What is the difference between Level 1 and Level 2?

Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21, is satisfied by an annual self-assessment and affirmation recorded in SPRS, and applies to companies that handle FCI but not CUI. Level 2 covers all 110 NIST SP 800-171 requirements, generally requires a third-party assessment by a C3PAO, and applies to companies that handle CUI. Most small subcontractors land at Level 1. Most mid-market contractors handling CUI land at Level 2.

What do I receive at the end of the engagement?

For Level 1, you receive a written readiness report, supporting policies and procedures, and a pre-attestation review. For Level 2, you receive a full gap assessment report, a System Security Plan, a Plan of Action and Milestones, a remediation roadmap, evidence collection guidance, and a pre-assessment readiness check. Both tracks include hands-on remediation support where needed.

Do you offer ongoing support after CMMC prep is complete?

Yes. APT can support annual Level 1 affirmation cycles, continuous monitoring obligations, periodic reassessment work, and any defensive services your CMMC scope requires, including Managed Detection and Response. Because tokens can be applied across services, the same engagement can cover prep, remediation, and ongoing operations.

Ready to Start Your CMMC Prep?

Book a free 30-minute consultation. We will confirm your level, review your contracts and environment, and give you a clear token estimate with no obligation. If you already know you need a gap assessment, request a custom quote and we will scope it directly.
