CMMC Level 2 NIST SP 800-171 Washington DC Metro

CMMC compliance, proven in production — not PowerPoint.

We implemented all 110 NIST SP 800-171 controls, authored the SSP and POA&M, and posted a Level 2 self-assessment score to SPRS — in six months, zero shortcuts. Now we get DIB suppliers and security-conscious businesses assessment-ready the same way.

110
Controls implemented
6 mo
To self-assessment
14
Control families
0
Shortcuts
01 / Why now

The rule is live. The runway is short.

Verified · 48 CFR / SPRS

CMMC stopped being a future framework on November 10, 2025 — the 48 CFR rule put it directly into DoD contracts. Eligibility now depends on your compliance status, and the assessment pipeline is already congested.

Live

It's a contract requirement

DFARS 252.204-7021 is in force. Contracting officers check your CMMC status in SPRS before award — and before exercising option years.

// 48 CFR · since Nov 10, 2025
2026

Phase 2 raises the bar

From Nov 10, 2026, most CUI contracts require a third-party C3PAO Level 2 certification — self-assessment alone no longer clears you.

// Phase 2 · C3PAO required
~0.5%

The DIB isn't ready

Of the ~80,000 firms that need Level 2, only a few hundred are certified. Under half have even produced an SSP or POA&M.

// CyberAB / industry reporting
6–18 mo

Preparation takes time

Implementing 110 controls, building evidence, and securing a scarce assessor slot is a multi-month effort. Starting late means missing bids.

// Typical readiness timeline
02 / Method

From practitioner to guide.

The path we walked

GuardNix was born from necessity. Facing Level 2 ourselves, we couldn't find practical help — just theoretical frameworks and expensive consultants who'd never implemented compliance firsthand. So we did it ourselves, then turned the playbook into a service.

01
SCOPE & GAP

Map all 110 controls

Define the CUI boundary, then assess every NIST 800-171 control. Separate true technical gaps from documentation gaps — and prioritize.

02
IMPLEMENT

Harden the environment

Network segmentation, encrypted comms (VPN/TLS), access control and MFA, centralized logging, and incident response — built to be defensible under assessment.

03
DOCUMENT

SSP, POA&M, evidence

Author the System Security Plan and Plan of Action & Milestones, plus the policies and evidence that prove each control to an assessor.

04
ASSESS & SUSTAIN

Score, submit, monitor

Run the self-assessment, post the SPRS score, prepare for the C3PAO assessment, and stand up continuous monitoring to stay compliant.

What actually matters vs. checkbox theater. Doing the work firsthand taught us which controls demand real technical investment and which are solved with proper documentation and process. You pay for judgment — not billable hours spent rediscovering it.

03 / Services

Practical compliance & security.

Built on real implementation

Engagements scoped to your environment and your contract requirements — Linux and Windows, on-prem and cloud. Take the whole path or the piece you're stuck on.

CMMC Gap Assessment

A full evaluation of your posture against Level 2, with a prioritized remediation roadmap.
  • 110 NIST 800-171 control review
  • Technical & procedural gap analysis
  • Prioritized remediation plan
  • SPRS scoring guidance

Compliance Documentation

The required artifacts — written for your environment, not copied from a template pack.
  • System Security Plan (SSP)
  • Plan of Action & Milestones
  • Policies & procedures
  • Evidence collection templates

Infrastructure Hardening

Technical control implementation across your stack, with defensibility as the goal.
  • Network segmentation & firewall rules
  • Encrypted comms (VPN, TLS)
  • Centralized logging & monitoring
  • Access control & MFA

Continuous Monitoring

Stay audit-ready after remediation — compliance is a state, not a one-time project.
  • Monthly compliance status reviews
  • Vulnerability scanning & remediation
  • Log review & alerting
  • Affirmation & SPRS upkeep

Security Assessments

Technical evaluations that surface real risk, mapped back to control requirements.
  • Vulnerability scanning & analysis
  • Configuration security review
  • Network architecture assessment
  • Findings tied to 800-171 controls

Training & Awareness

Your team is in scope too. Practical CUI and security training that satisfies the requirement.
  • Security awareness training
  • CMMC requirements education
  • Technical staff skill development
  • Incident response drills
04 / Coverage

The whole framework — and the tools behind it.

14 families · 110 controls

Level 2 spans all fourteen NIST SP 800-171 control families. We've implemented every one — so nothing in your assessment is unfamiliar territory.

ACAccess Control
ATAwareness & Training
AUAudit & Accountability
CMConfiguration Management
IAIdentification & Auth
IRIncident Response
MAMaintenance
MPMedia Protection
PSPersonnel Security
PEPhysical Protection
RARisk Assessment
CASecurity Assessment
SCSystem & Comms Protection
SISystem & Info Integrity

Hardened with proven, defensible tooling

Real controls, implemented with battle-tested open and enterprise tools — chosen for auditability, not novelty.

WireGuard
OpenVPN
iptables
Fail2ban
Wazuh
Graylog
UptimeKuma
Keycloak
Let's Encrypt
Pi-hole
GCC High
NIST 800-171
ZR

Zachary Ross

Founder & Principal Consultant
Experience15+ years
SectorsGov · Defense · Private
FocusCMMC L2 · 800-171
BasedDC Metro Area

Over 15+ years in enterprise IT and cybersecurity, I've built and secured infrastructure across government, defense, and private sectors. My path through CMMC Level 2 wasn't theoretical — I implemented every control, wrote every policy, and built the evidence to back all 110.

Compliance shouldn't require a small fortune or an army of consultants. It requires clear guidance, technical expertise, and someone who's actually done the work.

I work directly with clients — no handoffs to junior staff — to navigate CMMC requirements, harden infrastructure, and build security programs that hold up in production, not just on paper.

Ready to start your CMMC journey?

Let's talk through your contract requirements and where you stand. The first conversation — a scoping and gap discussion — is free.

Request a free gap assessment →
CMMC Gap AssessmentCompliance DocumentationInfrastructure HardeningContinuous MonitoringSecurity AssessmentTraining
All consultations are confidential