CMMC Level 1 & 2 consulting

Know what CMMC will ask of you.

Scope the contract, find the gaps, and prepare evidence before a prime, renewal, or DoD solicitation puts CMMC on the clock.

Canadian suppliers pursuing U.S. DoD work can get Level 1 and Level 2 readiness support, from FAR 52.204-21 and NIST SP 800-171 scoping to SSP support, evidence preparation, and C3PAO handoff planning.


Free 30-minute call, directly with Nelson Ford, CMMC CCP. No obligation. Official assessment decisions stay with your independent C3PAO.

What you walk away with

The pieces that make CMMC work easier to defend.

A scope you can defend

What is in and out of CMMC before you spend on remediation.

A ranked gap list

Quick fixes separated from the deeper remediation work.

Evidence your team can maintain

Policies, records, and documentation you can keep current.

Founder-led readiness

A clearer path before assessment pressure.

CMMC readiness work should leave your team able to explain scope, controls, documents, and evidence. Pilotcore helps prepare that ground before the official assessment path.

Nelson Ford


Founder and principal consultant. CPCSC preparation support for technical teams that need practical implementation and evidence they can maintain.

CMMC CCP, CISSP, Cloud expertise

Readiness sequence

What Pilotcore helps you sort out.

The work starts with scope. Then controls, documents, and evidence become easier to sequence.

  1. Applicability and scope: Map the contract trigger, FCI or CUI path, systems, users, vendors, cloud services, and supporting records.
  2. Gap report and roadmap: Compare your current posture against FAR 52.204-21 or NIST SP 800-171 and separate quick fixes from deeper remediation.
  3. Implementation and evidence: Support practical controls, policies, diagrams, SSP materials, POA&M support where allowed, and evidence records your team can maintain.
  4. Readiness review: Check whether the story your documents tell matches the controls and evidence that actually exist.

Level 1 vs Level 2

Different levels, different work.

The right path depends on contract language, information type, supplier role, and current control maturity.

| Area | Level 1 | Level 2 |
| --- | --- | --- |
| Typical trigger | Federal Contract Information and baseline safeguarding. | Controlled Unclassified Information and deeper NIST SP 800-171 preparation. |
| Assessment model | Self-assessment and annual affirmation. | C3PAO assessment for many contracts, annual affirmation, and a three-year cycle. |
| Readiness focus | Scope, basic safeguards, policy records, evidence, and affirmation support. | CUI boundary, SSP, allowed POA&M support, technical remediation, and assessment preparation. |
| Pilotcore role | Help your team understand gaps and prepare the evidence path. | Help your team prepare controls, documentation, evidence, and the handoff to an independent C3PAO. |

Timeline

Timelines vary by scope and maturity. The right sequence depends on how much evidence already exists and how fast your team can access it.

  • 1-2 weeks: Initial scope review and gap analysis for a focused environment.
  • 2-6 weeks: Level 1 readiness improvements for a smaller team with mature Microsoft 365 or cloud controls and limited documentation gaps.
  • 6-12+ weeks: Larger environments, missing policies, weak identity controls, unclear asset scope, or deeper technical remediation.
  • Longer roadmap: Level 2 readiness, CUI boundary definition, multi-site environments, or heavy cloud and on-premises integration.

Cost factors

Scope CMMC readiness around the specific gaps that could block your contract timeline.

  • Number of users, devices, systems, and locations
  • Whether cloud, Microsoft 365, endpoint, backup, and logging controls are already mature
  • Existing SOC 2, ISO 27001, CPCSC, NIST 800-171, or security-program documentation
  • Clarity of FCI, CUI, systems, and subcontractor responsibilities
  • Amount of missing policy, SSP, procedure, and evidence documentation
  • Whether your team needs advisory support only or hands-on technical implementation
  • Level 1 self-assessment versus Level 2 C3PAO preparation

Deliverables

  • CMMC applicability and scope notes
  • FAR 52.204-21 or NIST SP 800-171 control gap report
  • Prioritised remediation roadmap
  • Evidence checklist and evidence tracker
  • SSP and POA&M support materials where allowed
  • Policy and procedure recommendations
  • System and security-boundary diagram recommendations
  • Cloud, endpoint, logging, and backup control recommendations
  • Executive summary for leadership or bid/no-bid planning
  • Control and evidence review notes for self-assessment or C3PAO preparation

Still researching?

Start with the CMMC Level 1 guide.

Use the guide if you are still sorting out FAR 52.204-21 practices, FCI scope, and the evidence your team may need before a readiness call.


Common buyer questions

Frequently asked questions about CMMC compliance

Short answers for contractor teams checking fit before a guide request or CMMC readiness call.

What is CMMC Level 1 and who needs it?

CMMC Level 1 is the baseline safeguarding path for contractors that handle Federal Contract Information under U.S. DoD contract requirements. It focuses on the 15 FAR 52.204-21 safeguarding requirements, self-assessment, and annual affirmation. Always confirm the clause, data type, and flow-down language in the contract or prime instructions.

What changes for CMMC Level 2?

CMMC Level 2 applies when the contract involves Controlled Unclassified Information. It is built around the 110 NIST SP 800-171 requirements. Many Level 2 contracts require assessment by an accredited C3PAO, annual affirmation, and a three-year certification cycle under the CMMC program.

How long does CMMC readiness take?

Timelines vary by scope, starting maturity, documentation quality, and whether the work is Level 1 baseline readiness or Level 2 preparation. A focused scope and gap review can take 1-2 weeks. Larger Level 2 preparation often needs 6-12+ weeks or a longer roadmap when identity, endpoint, logging, supplier, or SSP gaps are material.

What affects CMMC readiness cost?

Cost depends on the number of systems, users, locations, cloud services, devices, vendors, and evidence records in scope. Existing SOC 2, ISO 27001, CPCSC, NIST SP 800-171, or security-program documentation can help, but CMMC still needs CMMC-specific scoping, documentation, and evidence.

Is Pilotcore a C3PAO that can certify us?

No. Pilotcore is not a C3PAO and does not conduct official CMMC assessments or issue certifications. Pilotcore helps with readiness planning, implementation guidance, SSP and POA&M support where allowed, evidence preparation, and pre-assessment control review. The independent C3PAO makes the assessment decision.

Next step

Ready to pressure-test your CMMC plan?

Book a 30-minute readiness call to discuss scope, timeline, evidence, and whether you need a full engagement, a narrow remediation sprint, documentation cleanup, or no consultant yet.
