Service

CMMC Boundary Snapshot

DoD contract on the line. CMMC required. But what data do you actually have? Where does your CUI boundary end? We sort it out, draw the lines, and show you every gap against NIST 800-171.

10 business days
110 NIST 800-171 controls
SPRS score estimate
Get Started — $2,990

This is for you if:

  • You have a DoD contract that requires CMMC compliance
  • You're bidding on defense work and need to prove readiness
  • You're not sure what CUI you have or where your boundary is
  • You need to know your SPRS score before submitting it
110
Controls assessed
10
Days delivery
L2
CMMC ready
SPRS
Score included

What you get

Each deliverable builds on the previous one, giving you a complete picture of your CMMC readiness.

1

FCI/CUI Classification

Which data you have, where it lives, and what protection level it needs. No more confusion about what counts.

2

System Boundary Diagram

Visual map of your CUI environment. What's in scope, what's out, and where the boundaries are.

3

NIST 800-171 Gap Analysis

All 110 controls assessed. What you meet, what you don't, and what needs work before your C3PAO shows up.

4

SPRS Score Estimate

Your estimated Supplier Performance Risk System score based on current state. Required for DoD contracts.

CMMC Levels explained

CMMC has three levels. Most contractors need Level 1 or Level 2. Level 3 is for the most sensitive work.

Level 1
Foundational

Basic cyber hygiene. 17 practices. Self-assessment allowed. For contracts with FCI only.

~15% of defense contractors
Level 2
Advanced

NIST 800-171 aligned. 110 practices. Third-party assessment required for most. For contracts with CUI.

~80% of defense contractors
Level 3
Expert

NIST 800-172 based. Government-led assessment. For highest-priority programs and critical assets.

~5% of defense contractors

Common questions

What's the difference between FCI and CUI?

FCI (Federal Contract Information) is info the government gives you or you create for them. CUI (Controlled Unclassified Information) is more sensitive and has specific handling requirements. CMMC Level 1 covers FCI, Level 2 covers CUI.

Do I need CMMC Level 1 or Level 2?

Depends on your contract. If you handle CUI, you need Level 2. If it's just FCI, Level 1 might be enough. We'll help you figure out which applies based on your actual contract requirements.

What if I don't know if I have CUI?

Most companies aren't sure. That's why data classification is the first thing we do. We'll look at your contracts and data flows to figure out exactly what you have.

When does CMMC become mandatory?

It's being phased in. Some contracts already require it, others are coming soon. If you're bidding on DoD work, you should be preparing now.

Can you help us get certified?

This package is assessment only—showing you where you stand and what needs work. For certification, you'll need a C3PAO (certified assessor). But this gets you ready for that conversation.

Get your CMMC situation sorted.

We classify your data, draw your boundary, assess against NIST 800-171, and give you a clear picture of where you stand. 10 days, $2,990.

Get Started