CMMC Phase 2 third-party assessments suspended (July 13). Your NIST 800-171 obligations under DFARS 7012 are unchanged. Read our analysis →

CMMC Readiness

From wherever you are to assessment-ready.

CUI scoping, gap analysis against all 110 NIST 800-171 controls, full implementation of policies and procedures, and the technical work assessors will evaluate. We work weekly alongside your team from kickoff through assessment-ready, whether the assessor is government-led, a prime's supply chain office, or a C3PAO where a contract still requires one. Built for organizations starting from scratch, and for those with technology already in place.

CCA or CCP on every engagement.
What CMMC Readiness Is

The work that gets you from where you are to a defensible posture.

CMMC Readiness is the engagement most defense contractors come to Stehrling for. It's how you get from your current state, whatever that looks like, to a defensible CMMC Level 2 posture that stands up to any assessor.

A note on the current environment: in July 2026, the Department of War suspended third-party certification requirements pending a program review. What did not change is the substance. DFARS 252.204-7012 remains in your contracts, NIST SP 800-171 remains the standard, your SPRS score must be accurate, and an executive at your company signs an annual affirmation of compliance that carries False Claims Act exposure. The Department has said it will verify through self-assessments and select government-led assessments. The certificate was suspended. The work was not.

The work covers everything an assessor will evaluate. CUI scoping and assessment boundary definition. All 110 NIST 800-171 controls implemented and validated. Documentation written to assessor standards. Technical architecture aligned with the policies that describe it. Evidence collected and organized. Your team trained and ready to answer interview questions.

This is not a checklist exercise. CMMC Readiness rebuilds your compliance program from the ground up where needed, refines what's already working, and produces an organization that isn't just ready for an assessment but ready to operate under its obligations year after year, whatever shape the verification regime takes.

110
Controls implemented
and validated
15+
Years inside
the DIB
CCA / CCP
Every Readiness
engagement
Both Halves of CMMC

Technology gets you halfway. We deliver the rest.

CMMC Level 2 has 110 controls. Roughly half are technical, configurations and platform decisions your IT team or MSP can handle. The other half are organizational, the policies, procedures, training, and program work that no technology delivers. Stehrling does both, and integrates them.

The Technical Half

Architecture, configuration, and validation of the technical controls assessors evaluate. We design what's needed, recommend what to deploy, and validate what's in place.

  • CUI scoping and assessment boundary design
  • Enclave architecture and segmentation strategy
  • Identity, access, and conditional access design
  • Encryption, logging, and monitoring architecture
  • Vendor and platform selection guidance
  • Technical control validation against NIST 800-171A

The Organizational Half

The policies, procedures, training, and program work that defines how your organization actually operates under CMMC. This is where most compliance programs stall.

  • System Security Plan (SSP) development
  • Policy and procedure authoring across all 17 domains
  • Plan of Action & Milestones (POA&M) creation
  • Security awareness training program build
  • Incident response planning and documentation
  • Asset management, change control, and governance design
How the Engagement Runs

A defined sequence, with you every week.

CMMC Readiness engagements move through four phases. Each phase has defined deliverables, a clear duration, and a working cadence with your team. The same practitioners stay with you from kickoff to assessment-ready.

01
Scoping & Gap Assessment
We map your CUI flows, define your assessment boundary, and assess your current state against all 110 NIST 800-171 controls. The output is a complete picture of where you stand and what's required to close the gap.
Deliverables CUI flow documentation, assessment boundary definition, gap analysis report, remediation roadmap with priorities, scoped engagement plan
2 to 4 weeks
Weekly
02
Documentation & Program Build
We author your System Security Plan, policies, procedures, and POA&M. We design the technical architecture decisions ahead, build the security awareness training program, and put the governance framework in place.
Deliverables Complete SSP, policy library, procedure documentation, POA&M, training materials, incident response plan, governance framework
8 to 16 weeks
Weekly
03
Technical Implementation & Validation
Technical controls are implemented against the architectural decisions made in Phase 1. Configurations are validated. Evidence is captured. We work directly with your IT team, your MSP, or our partner network depending on the scope.
Deliverables Implemented technical controls, validation testing results, evidence repository, configuration baselines, control-to-evidence mapping
6 to 12 weeks
Weekly
04
Assessment Readiness
Final validation that your posture stands up in front of any assessor, and behind any signature. Interview preparation with your team. Evidence package finalized. Outstanding POA&M items closed or formally documented. Your SPRS score supported by evidence, and your annual affirmation defensible. Where a contract or prime still requires third-party certification, we guide the C3PAO path as well.
Deliverables Readiness validation, interview preparation, finalized evidence package, SPRS score and affirmation support, assessment path guidance
2 to 4 weeks
Weekly
Who It's For

CMMC Readiness fits most situations.

The engagement scales to where you actually are. Starting from scratch with no formal program looks different than coming in mid-stream with partial implementation. Both work. The engagement shapes to your situation, not the other way around.

Starting from scratch

You have technology and operations, but no formal compliance program. No SSP. No documented procedures. No assessment boundary. Engagement runs the full Readiness sequence, building the program from the ground up.

Partial implementation

You've started, maybe with an internal team or another firm. Some documentation exists. Some controls are in place. The engagement begins with a focused gap assessment and remediates from there, working with what's already done.

Stalled or struggling

You've been at this for months and aren't making progress. The work has bogged down, the team has lost momentum, or the previous approach hasn't worked. We assess where you actually are and build a path forward from there.

Contract- or prime-driven requirement

A contract, a prime, or your own affirmation deadline requires demonstrated compliance by a specific date. The engagement compresses to fit your timeline, with focused effort on the controls and evidence that matter most for the requirement in front of you.

Why Stehrling

The team that prepares you is the team that knows what assessors find.

Most CMMC consulting firms have never sat on the assessor side of the table. They learned CMMC from documentation and training programs, then started selling readiness services. Their guidance is theoretical, and it shows up in assessments where their clients get findings they didn't expect.

Stehrling is different. Every Readiness engagement is led by a CCA or CCP credentialed practitioner. Our CCAs have conducted formal CMMC assessments. They know exactly what evidence assessors accept, what documentation gets challenged, and where organizations consistently get tripped up. That experience shapes every decision in your Readiness engagement.

This is why our clients walk into any assessment prepared. Not because we have a better template or a fancier methodology. Because the people preparing you know what an assessment actually looks like from the other side of the table.

"You shouldn't be surprised by anything an assessor finds. The work we do upfront makes sure you aren't."

After Readiness

The work doesn't end at assessment-ready. Neither do we.

Most Readiness clients move into one or both of these engagements. Each one is built to continue the work seamlessly, with the same team you already know.

Mock Assessment

A full CMMC assessment conducted by our CCAs and CCPs, with the same rigor a government or third-party assessor will apply. Every control reviewed, every piece of evidence checked, every interview rehearsed. We tell you what an assessor will find before the assessor does.

Learn about Mock Assessment

Continuous Compliance

Ongoing program ownership after Readiness. Quarterly SSP reviews, POA&M management, regulatory monitoring, and support for the annual affirmation your leadership signs. The work that keeps your posture defensible year over year, whatever the verification regime becomes.

Learn about Continuous Compliance
Get Started

Ready to start, or just need a conversation?

Talk to a CMMC practitioner directly. We'll tell you exactly where you stand, what your situation actually requires, and whether Readiness is the right starting point. No sales pitch, response within 24 hours.

Talk to a Practitioner →

An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.

Fredericksburg, VA