Get ready for your CMMC assessment
Stonegate Compliance helps Department of Defense (DoD) contractors prepare for the Cybersecurity Maturity Model Certification (CMMC). We simplify the rules so you can protect your data and keep your government contracts.
Request a consultation
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a security program required by the Department of Defense. Its goal is to protect sensitive government information from cyber attacks.
If you are a DoD contractor or subcontractor, you must prove you meet specific cybersecurity standards to bid on or keep your contracts.
The program has three security levels, based on the type of information you handle:
Level 1: Foundational
For companies handling basic Federal Contract Information (FCI).
You must follow 17 basic security practices, such as limiting system access and using strong passwords.
Level 2: Advanced
For companies handling more sensitive Controlled Unclassified Information (CUI).
You must follow 110 strict security practices based on national standards.
Level 3: Expert
For companies working on highly sensitive programs facing advanced cyber threats.
You must meet all Level 2 requirements plus extra security controls.
For the full program details, you can read the official Department of Defense CMMC website.
Starting November 10, 2026, many new DoD contract awards will require an independent CMMC assessment. You need to meet your level before you bid, not after.
How we help you prepare
Getting ready for a government security audit can be confusing and time-consuming. We guide you through the entire process so you are ready to pass. We work with you to:
- Identify your target level. We determine whether you handle FCI or CUI and confirm exactly which CMMC level your contracts require, so you do not over-invest or fall short.
- Find security gaps. We assess your current IT systems and practices against every control at your level and hand you a clear, prioritized list of what needs to change.
- Build your plan and write your documentation. We create the documentation CMMC requires: your System Security Plan (SSP), your Plan of Action and Milestones (POA&M), and the supporting security policies, so your whole program is documented for the assessor.
- Prepare for your audit. We help you close the gaps, gather your evidence, and ready your team so you walk into the official assessment prepared to pass.
Packages
How we package the work depends on the information you handle and the level you need.
Level 1 Self-Assessment Package
For contractors handling Federal Contract Information (FCI) who must complete the annual Level 1 self-assessment.
- System Security Plan (SSP)
- The security policies Level 1 requires
- Level 1 self-assessment documentation
- Guidance to complete your annual affirmation
Level 2 Readiness Package
For contractors handling Controlled Unclassified Information (CUI) working toward Level 2, ahead of a third-party (C3PAO) assessment.
- Full System Security Plan (SSP)
- Plan of Action and Milestones (POA&M)
- All 110 controls reviewed, control by control
- Supporting security policies, tailored to your operation
- Remediation guidance and assessment preparation
Scope and pricing depend on environment and business needs. Request a consultation for a quote.
Contact us
Don't wait until your contract is at risk to start preparing. Fill out the form below and we will reach out to discuss your CMMC needs.