We make CMMC clear, defensible, and contract-ready so contractors can get it right the first time, reduce rework, and stay prepared for award.
For a small OSC or OSA, the stress is not the control count alone. It is the pressure to define scope correctly, produce defensible evidence, keep SPRS affirmations current, and stay contract-ready without a large compliance team.
Can we afford all of this without it eating the margin on the contract it's supposed to protect?
We shrink the bill by shrinking the scope: smart CUI architecture, FedRAMP-authorized cloud where it actually fits, and a hard line on what truly needs to be in scope.
What's even in scope? We're not sure where our CUI lives or who really touches it.
We define your assessment scope precisely (CUI flow, external service providers, cloud services, and subcontractor flowdown) so nothing is missed and nothing is over-counted.
We don't have an SSP, an evidence package, or the time to build either one.
We build the artifacts that stall small teams (SSP, evidence package, asset inventories, and control narratives) to the standard an assessor will actually accept.
What if the C3PAO finds something we missed, once it's too late to fix it?
We run mock reviews, evidence checks, and interview prep before the assessment, so problems surface early, on your terms, not the assessor's.
What can we defer, and what absolutely has to be done before we're allowed to pass?
We draw the line clearly: what's POA&M-eligible, what isn't, and exactly how to close any allowed gaps inside the 180-day window.
How do we stay compliant after we certify, without standing up a security team?
We operationalize annual affirmation, keep your SPRS score current, and watch for the quiet lapses that cost contractors their status after certification.
How do we know our MSP, cloud, or assessor actually understands CMMC?
We vet MSPs, CSPs, and assessors alongside you, so you choose partners who genuinely know CMMC instead of adding cost and burden.
We help small OSCs and OSAs reduce scope, close readiness gaps, and stay compliant, so CMMC becomes manageable instead of overwhelming.
We size the work to your CUI footprint, keep the timeline and cost honest, and make sure every control a C3PAO will check is handled before they walk in.
We map every system, person, and data flow that touches Controlled Unclassified Information, and just as importantly, what we can keep out of scope.
Pre-audit baseline against all 110 NIST 800-171 R2 practices. Every existing process mapped to a control, every gap flagged, every priority set.
Policy & procedure work across all 17 control families. SSP, POA&M, MFA, SIEM, EDR, encryption, GCC migration. Mock assessment before the C3PAO walks in.
Post-certification managed security. Annual SSP/POA&M reviews, monthly vuln scans, quarterly phishing, IR tabletops, license & SOC management.
Every tier is scoped to your CUI footprint, not sold as a fixed package. Monthly payment options spread the upfront cost. Tell us where you are, and we'll point you to the right starting line.
CUI boundary scoping & gap analysis against all 110 NIST 800-171 R2 requirements.
Everything in Bronze, plus full documentation and technical remediation.
Everything in Silver, plus mock assessment and final C3PAO assessment support.
Everything in Gold, plus managed security services after certification.
From a five-port Navy ship-repair operation to a two-person calibration shop. Here's where each contractor started, and exactly what we delivered.
Decentralized IT, mixed physical-access systems, and a workforce of direct, contractor, and temporary labor spread across five active Navy ports on the East and West coasts. Starting SPRS: −203. We ran five parallel workstreams on a biweekly cadence with a co-managed MSP partner: standardized physical security across all locations, full hardware re-inventory with on-site validation, and migration to GCC High for CUI segregation.
Incumbent MSP could not produce the evidence assessors require: change logs, IR procedures, SIEM configurations. We onboarded a CMMC-capable partner mid-flight with SentinelOne EDR, RocketCyber SIEM, and ConnectWise change mgmt; mapped existing quality processes to NIST 800-171.
Active Navy contract, no prior cybersecurity program, no dedicated IT, tight budget. We right-sized to a lean CUI footprint: 2 encrypted laptops, segregated Wi-Fi, and a GCC subdomain, with milestone-based pricing tied to SPRS gates.
We work inside this ecosystem every week: DoD, Cyber-AB, the APEX Accelerators, MEPs, industry groups, and the vendors who actually build CMMC-ready stacks. That's how we know precisely what an assessor expects, for DIB and federal contractors alike.
Practitioners on staff with CISSP, CISM, CISA, and Cyber-AB credentials. Every engagement has SME oversight.
Same team from scoping through audit. You will not be handed off mid-program to someone who has not read your SSP.
GCC / GCC High, SentinelOne, RocketCyber, ConnectWise, Nessus, WatchGuard, IntelliGRC: pre-integrated stacks, not RFPs.
Fixed-fee, milestone-priced on SPRS gates, monthly retainer, or full MSSP, matched to the cash flow your business actually has.
Technical remediation, policy drafting, and staff training under one engagement. No juggling three vendors, three SOWs.
A self-assessment Level 1 program can ship in weeks. A multi-site Level 2 program takes a year. We size honestly.
InterSec helps lean defense contractors define what is truly in scope, organize the evidence that matters, and walk into the assessment with less rework and fewer surprises. You get clear CMMC direction, not generic compliance talk, so you stay ready for contract requirements and your annual affirmation in SPRS.
Level 1 (self-assessment, 15 practices) and Level 2 (C3PAO-assessed, 110 NIST SP 800-171 R2 practices). These are where the overwhelming majority of the Defense Industrial Base lives, and where our team is deepest.
Level 3 programs typically require dedicated red-team and continuous-monitoring teams beyond our SMB focus. If that's you, we'll be honest about it and refer you out.
6 to 18 months is the realistic range for Level 2, depending on starting SPRS score, CUI footprint, and number of sites. A Level 1 self-assessment program can ship in weeks. We baseline in week one and tell you straight what your honest timeline is.
Pricing is scoped to your CUI footprint, SPRS starting point, and tier (Bronze through Platinum). Fixed-fee, milestone-priced on SPRS gates, monthly retainer and full MSSP options are all on the table. The 30-minute consultation includes a rough order-of-magnitude estimate.
No. We are a Cyber-AB RPO (Registered Practitioner Organization). We get you ready for assessment. C3PAOs are the certified third-party assessment organizations who run the actual CMMC assessment. Keeping these roles separate is required by Cyber-AB and is also the right thing for you.
It is the most common situation we work with. Several of our case-study clients had zero in-house IT. We bring the technical stack (EDR, SIEM, MFA, GCC migration, vuln scanning) through partners we work with every week, and we transfer enough capability to your team so they can sustain the program after we leave.
GCC and GCC High are Microsoft 365 government-cloud tenants designed for federal data. GCC High is the standard answer for CUI; GCC works for many Level 1 / FCI-only environments. We scope this in the first two weeks. Over-buying GCC High when you don't need it is one of the most common avoidable expenses.
Yes. The 110 controls apply to a sole proprietor the same way they apply to a 200-person manufacturer, and the standard playbook breaks for very small teams. We redesign delivery for that scale (lean CUI architecture, milestone pricing, transferred capability) so an owner-operator can actually own, execute, and sustain the program alongside billable work.
30 minutes with one of our CMMC practitioners. We'll baseline where you are, where the assessor will look first, and what a realistic path to passing looks like for your business.
