Most of the CMMC help available today is remote, templated, and sold on volume. It does not survive contact with a real manufacturing floor, a real network, or a real C3PAO. I am a CyberAB Registered Practitioner Advanced who travels onsite to do the readiness work that cannot be done over a screenshare.

Phase 1 self-reporting is already enforced. The C3PAO certification requirement takes effect November 10, 2026. Readiness work typically takes 12 to 18 months, and the assessment pipeline is already filling. Contractors who wait until the deadline will not find available assessors.
Most small and midsize contractors need 12 to 18 months of readiness work before a C3PAO can successfully assess them. If November 2026 matters to you, the honest read is that the work should have started already, and that it still can be done in time if it starts now.
CMMC Level 2 requires 110 security practices operationally implemented in your environment and evidenced with artifacts generated over time. An SSP written by someone who has never been to your facility will not describe your actual environment, which means it will not survive assessment. A software tool cannot segregate controlled unclassified information from commercial traffic if your network was not designed to do that. No vendor can short-circuit the work of identifying where CUI actually lives in your operation and building defensible controls around it.
Templates and tools have their place. They are inputs to the work, not substitutes for it. Most first-time Level 2 assessments fail in the gap between a policy document and an operational control that matches what the document claims.
CMMC Level 2 is 110 security practices applied to controlled unclassified information in a real operating environment. Most of those practices cannot be verified or built from a distance. Four examples of what that means in practice.
Reducing your assessment boundary is the single largest cost lever in CMMC preparation. To do it, I need to see where your engineering files actually move: through which email accounts, to which print queues, onto which file shares, into which CAD workstations, across which shop floor terminals. Walking the environment is the only reliable way to map that, and it is not something a form or a screenshare can produce.
The assessor expects evidence that each practice is operationally implemented, not just documented. That means signed procedures, log samples, training records, change control tickets, visitor logs, media sanitization records. Building that record is a structured conversation with the people who actually do the work: the IT lead, the operations lead, the quality manager, the contracts person. The real environment is almost never exactly what the org chart or the network diagram says it is, and finding that out early is how assessment surprises get avoided.
A significant share of the 110 practices covers the physical protection of CUI, and much of that work is quietly overlooked by contractors working only with remote advisors. The assessor will want to see the security cameras and their retention periods, the badge system and door locks, who holds the keys and who does not, the visitor logs, where servers and networking equipment physically sit, how printed CUI is stored and destroyed, the locked filing cabinets and approved shred bins, and whether engineering workstations are segregated from the receiving dock. None of that is verifiable by video call.
The CMMC awareness and training family cannot be satisfied with a generic online course. The assessor wants to see role-based training that reflects your actual workforce: who handles CUI, who does not, who has elevated access, and who approves new users. I work directly with your HR lead and your internal corporate trainer to design a program that satisfies the controls and fits how your people actually learn. A remote MSP or a GRC tool cannot do that, because neither is in the room with the people who will deliver the training or with the people who will take it.
Every contractor starts from a different position, so every engagement is sequenced around the specific gaps. That said, most Level 2 readiness engagements follow the same three phase rhythm.
A short introductory call to confirm fit, followed by two to three days onsite. I walk your facility, meet your IT lead, operations lead, quality lead, and whoever handles contracts. I map how CUI enters, moves through, and leaves your environment, and I identify where scope reduction is available.
Full gap analysis against the 110 practices of NIST SP 800-171 Rev 2. A prioritized remediation plan sequenced by risk and business impact, not alphabetically by control family. Ongoing advisory while your team implements. Periodic onsite visits for control verification and artifact review.
Final artifact review, SSP validation, and a structured walkthrough of each control family before you schedule the C3PAO. This is the moment to catch the things that will not survive scrutiny, while there is still time to fix them.
The CyberAB issues two practitioner credentials for CMMC consulting work. Registered Practitioner (RP) is the base credential. Registered Practitioner Advanced (RPA) is the advanced credential. Both are held by individuals, not firms, and both are subject to the CyberAB Code of Professional Conduct.
An RPA is trained in CMMC Level 2 assessment methodology, familiar with NIST SP 800-171 Rev 2, and has demonstrated competence across the CMMC Assessment Process (CAP). The training covers how a formal certification assessment is actually conducted, what evidence the assessor expects, and where first-time assessments most commonly fail.
An RPA is not a C3PAO. The formal certification assessment itself is performed by an accredited third party assessor organization. The RPA role is readiness, enablement, and implementation. My job is to prepare the contractor so that when the C3PAO arrives, the controls and artifacts are in order. Keeping those two roles separate is required by the Code of Professional Conduct and is a core part of how independent readiness work is supposed to function.
Anyone who holds an RP or RPA credential is listed in the CyberAB Marketplace. Before engaging any CMMC consultant, looking up their status there is a reasonable first step. The lookup returns one of three clear answers: a current credential, a lapsed credential, or no listing at all.
The full path. Onsite discovery, scoping, gap analysis, prioritized remediation plan, and ongoing advisory through the pre-assessment review. Most clients retain me for this from start to finish.
A focused engagement to identify where controlled unclassified information actually lives in your environment and to reduce the assessment boundary. A smaller boundary means fewer controls to maintain, a lighter artifact load at every three-year reassessment, and a lower C3PAO assessment fee, since third-party assessment costs scale with in-scope assets, users, and locations. Typically the highest-leverage work a contractor can do before remediation begins.
Developing or rebuilding a System Security Plan and the supporting policies so they describe your actual environment, not a generic template. Includes critical review of existing SSPs that feel like they were not written for your operation.
For legal counsel and prime contractors. Independent onsite verification of a supplier's CMMC readiness before a contract is signed. Produces a structured findings record suitable for legal review and contract negotiation.
A short, focused engagement. I review an existing SSP against your actual environment and identify where the document and the operation diverge before a C3PAO does.
Private briefings for leadership that translate CMMC obligations into business terms: contract exposure, remediation cost, realistic timeline, and the decisions leadership needs to own rather than delegate.
How a readiness engagement is sequenced week by week, what deliverables you take away, the contractor profiles this practice supports, and common questions contractors ask before a first call. Written for the IT director, CFO, or legal counsel who needs to understand what they are buying before the first conversation.
A portion of my practice supports attorneys advising defense contractors on M&A, subcontracting, and pre-award risk. Before your client executes a contract that flows CUI obligations downstream, you need an independent answer to one question: does the counterparty actually comply?
I provide structured, onsite technical verification and produce a findings memorandum suitable for inclusion in the legal record.
A practitioner guide written for CEOs and senior executives of small and midsize defense contractors trying to decide how to approach compliance. Covers False Claims Act exposure, SPRS scoring, assessment preparation, and the decisions that determine whether a program succeeds. Free to download.
Published white papers on topics including C3PAO assessment capacity, CUI scope reduction, artifact integrity, supply chain compliance, MSP and ESP obligations, the training mandate, and pre-award verification. Each paper cites its sources and is available as a free PDF.
I am a CyberAB Registered Practitioner Advanced and the founder of an independent CMMC practice built to serve defense aerospace manufacturers and the legal counsel who support them. I work onsite in the specific environment where the controls have to live, and I stay engaged with clients through the three-year reassessment cycle that CMMC requires.
My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002. I have worked inside manufacturing environments, inside regulated financial operations, and alongside law firms on technical and regulatory matters.
I am the author of The CMMC Decision, now in its second edition, and I have published a library of practitioner white papers addressing topics from assessment capacity and artifact integrity to scope reduction and supply chain compliance. The work reflects a consistent commitment to substance over salesmanship: ground truth documentation, defensible findings, and guidance that holds up under scrutiny.
What I offer clients is my time, my attention, and a willingness to travel to their facility and do the work there. I am not a reseller, not a software vendor, and not a template library. If that fits what you need, we should talk.
Call, email, or send a note. I respond personally to every inquiry, usually within one business day. No commitment and no pitch.
Whether you are ready to engage, looking for a second opinion, or still trying to understand what CMMC means for your organization, I would like to hear from you.