CMMC Level 1 & 2 Consulting
Plan CMMC preparation before your next DoD solicitation.
Pilotcore supports Canadian defense, aerospace, manufacturing, cloud, and software suppliers with CMMC Level 1 and Level 2 preparation, including practical NIST SP 800-171 gap analysis, working technical controls, assessor-readable documentation, evidence preparation, and control review. We support readiness work; the C3PAO handles the official assessment and determines the outcome.
Next available: 7-10 business days | 30-minute technical discussion | No obligation
- CISSP and CMMC CCP-led readiness support
- NIST SP 800-171 gap analysis
- SSP, POA&M, and evidence preparation
- Control and evidence review before assessment pressure
- CISSP
- CMMC CCP
- AWS Solutions Architect Pro
- Ottawa-based
CMMC Level 1 Guide
Need the CMMC Level 1 guide first?
Start with the guide if you want to sort out FAR 52.204-21 practices, FCI scoping questions, and the evidence your team may need before a call. Educational guide only. Pilotcore prepares your team; assessment decisions stay with your independent C3PAO, and legal advice stays with your counsel.
Get the CMMC Level 1 Guide
CMMC and CPCSC
Comparing CMMC with Canadian CPCSC requirements?
Read the comparison before you book a call. It helps you separate U.S. DoD CMMC obligations from Canadian CPCSC readiness and plan the evidence path for each contract.
Applicability
Does CMMC apply to your organization?
CMMC may apply if your Canadian organization bids on, supports, or subcontracts into U.S. DoD work where Federal Contract Information or Controlled Unclassified Information must be protected under the contract.
You may need CMMC readiness support if you:
- Bid on or support U.S. DoD contracts from Canada.
- Handle Federal Contract Information or Controlled Unclassified Information.
- Operate as a Canadian subcontractor in a U.S. defense supply chain.
- Provide IT, MSP, cloud, software, engineering, or manufacturing services to defense suppliers.
- Need to answer CMMC questions in an RFP, renewal, supplier questionnaire, or SPRS record.
- Are unsure whether Level 1, Level 2, or a future contract clause applies to your environment.
Unsure where you fit? Book a readiness call before you commit to major remediation spend.
Canadian contractor context
What changes when the DoD opportunity is cross-border?
For Canadian suppliers, the starting point is not just CMMC awareness. It is knowing which U.S. requirement applies, which Canadian obligations still sit beside it, and which evidence can support both conversations.
Contract language still comes first.
A Canadian company may see CMMC through a direct DoD solicitation, a U.S. prime flow-down, or a supplier questionnaire. The clause, data type, and prime instructions decide whether Level 1, Level 2, or another readiness path matters.
Canadian defence obligations can sit beside CMMC.
Controlled Goods Program registration, Joint Certification Program access to military technical data, PSPC contract security, or CPCSC readiness may still matter for Canadian work. They do not replace CMMC when a U.S. DoD contract requires it.
Evidence should be reusable where the rules overlap.
Identity, endpoint, logging, backup, access review, supplier, and policy records can often support more than one defence customer conversation. We separate shared evidence from U.S.-specific CMMC requirements so your team does not build duplicate control packages.
Program details should be checked against current DoD, CMMC Program, PSPC, Controlled Goods Program, Joint Certification Program, and contract-specific guidance.
Level 1 vs Level 2
CMMC Level 1 vs Level 2: what changes?
CMMC requirements enter DoD contracts through phased adoption. The right readiness path depends on your clause, data type, supplier role, and current control maturity.
| Area | Level 1 | Level 2 |
|---|---|---|
| Typical use case | Baseline safeguarding for contractors that handle Federal Contract Information. | Protection for contractors that handle Controlled Unclassified Information. |
| Assessment model | Annual self-assessment and affirmation for the 15 FAR 52.204-21 safeguarding requirements. | C3PAO assessment for many contracts, with annual affirmation and a three-year certification cycle under the CMMC program. |
| Readiness focus | Scope, baseline safeguards, policies, evidence, and affirmation records. | 110 NIST SP 800-171 requirements, SSP materials, allowed POA&M support, deeper evidence, and assessment preparation. |
| Common blockers | Unclear FCI scope, missing policies, weak access control, weak device protection, or incomplete evidence records. | Complex CUI boundaries, inherited cloud responsibilities, supplier flowdown, SSP gaps, and technical remediation across identity, endpoints, logging, and response. |
| How Pilotcore helps | Applicability review, practice gap report, remediation roadmap, evidence checklist, and control review. | Readiness roadmap, SSP and POA&M support where allowed, implementation guidance, evidence preparation, and pre-assessment control review. |
Program details and timing should be confirmed against current DoD, CMMC Program, FAR, SPRS, and solicitation-specific guidance.
Our Process
How Pilotcore can prepare you for CMMC assessment.
1. Assess
Gap analysis against NIST SP 800-171.
The first deliverable is a leadership-ready NIST SP 800-171 gap report, a prioritised remediation roadmap, and a budget estimate concrete enough to brief decision-makers before major spend. This is a technical evaluation of your systems, policies, and procedures, not a generic questionnaire.
- Prioritised roadmap of missing CMMC practices
- Implementation complexity and realistic timeline
- Budget estimate based on your current scope
2. Implement
Technical control implementation.
We implement the technical controls required for CMMC readiness: network segmentation, MFA, encryption, logging, monitoring, and incident response capabilities your team can operate after the engagement.
- Working configurations your team can maintain
- Architecture diagrams and runbooks
- Evidence collection workflows
3. Document
System Security Plan and documentation.
We help your team create your CMMC System Security Plan (SSP), POA&M support materials where allowed, policies, procedures, and evidence artifacts aligned to your implemented controls. Customised documentation, not templates.
- SSP mapped to your actual CUI environment
- Policies and procedures your team can explain
- Evidence artifacts organised for assessor review
4. Review
Control and evidence review.
A Pilotcore-run readiness review checks whether implemented controls, SSP materials, allowed POA&M support, and evidence match the CMMC assessment scope before the official evaluation. We help your team understand what exists, what is missing, and what it must maintain. Pilotcore is not a C3PAO; the official assessment is run by an accredited C3PAO, which must stay independent from the consulting team that prepared you.
- Control and evidence gap notes
- Team preparation for C3PAO questions
- Preparation materials for your C3PAO engagement
No Black Box CMMC Prep
Before any official CMMC assessment, you will know what is missing, what changed, what evidence exists, and what your team still owns. If our agreed preparation work is not clear enough for your team to maintain or explain, we keep working until it is. Conditions: timely access to systems and staff, agreed staffing on your side throughout the engagement, no material scope change beyond the documented baseline, and decisions made within agreed review windows. Pilotcore prepares your team; only an independent authorised assessor can conduct the official assessment or determine the outcome.
Deliverables
What you can expect from a CMMC readiness engagement
Every environment is different, but a practical CMMC readiness project should leave your team with usable outputs, not just generic advice.
Typical deliverables may include:
- CMMC applicability and scope notes
- FAR 52.204-21 or NIST SP 800-171 control gap report
- Prioritised remediation roadmap
- Evidence checklist and evidence tracker
- SSP and POA&M support materials where allowed
- Policy and procedure recommendations
- System and security-boundary diagram recommendations
- Microsoft 365, cloud, endpoint, logging, and backup control recommendations
- Executive summary for leadership or bid/no-bid planning
- Control and evidence review notes for self-assessment or C3PAO preparation
Timeline
How long does CMMC readiness take?
Readiness timelines depend on your scope, existing security maturity, documentation quality, and whether the work is Level 1 baseline readiness or Level 2 preparation.
- 1-2 weeks
- Initial scope review and gap analysis for a focused environment.
- 2-6 weeks
- Level 1 readiness improvements for a smaller team with mature Microsoft 365/cloud controls and limited documentation gaps.
- 6-12+ weeks
- Larger environments, missing policies, weak identity controls, unclear asset scope, or deeper technical remediation.
- Longer roadmap
- Level 2 readiness, CUI boundary definition, multi-site environments, or heavy cloud and on-premises integration.
These are planning ranges, not guarantees. Contract language and official program guidance should drive final readiness timing.
Cost factors
What affects CMMC readiness cost?
Rather than starting with a generic package, scope CMMC readiness around the specific gaps that could block your contract timeline.
- Number of users, devices, systems, and locations
- Whether cloud, Microsoft 365, endpoint, backup, and logging controls are already mature
- Existing SOC 2, ISO 27001, CPCSC, NIST 800-171, or security-program documentation
- Clarity of FCI, CUI, systems, and subcontractor responsibilities
- Amount of missing policy, SSP, procedure, and evidence documentation
- Whether your team needs advisory support only or hands-on technical implementation
- Level 1 self-assessment versus Level 2 C3PAO preparation
Why Pilotcore for CMMC
Cross-border expertise your C3PAO will recognise.
Canadian contractors pursuing DoD work face a dual compliance burden most consultants ignore. We bridge CPCSC and CMMC to design shared control evidence that can reduce duplicate effort across both obligations.
- CCP-certified lead. Led by credentialed practitioners with publicly verifiable certifications and implementation experience.
- Infrastructure as Code. Terraform modules, not spreadsheets. Controls you can version, audit, and redeploy across environments.
- Dual-track CPCSC + CMMC. Shared control implementation can reduce duplicate effort across PSPC and DoD programs, depending on contract scope and assessor interpretation.
- Knowledge transfer, not lock-in. Your team owns the runbooks, playbooks, and IaC modules after delivery. We coach, not gatekeep.
Book a CMMC Readiness Call
Use this call to sort out scope, timeline, and the next decision before you spend on remediation.
Common buyer questions
Frequently asked questions about CMMC compliance.
The five questions defence-supplier engineering leads ask most often before scoping a CMMC engagement.
How long does CMMC Level 2 implementation take?
CMMC (Cybersecurity Maturity Model Certification) Level 2 implementation commonly takes 12-18 months or more from gap analysis to C3PAO (CMMC Third-Party Assessment Organization) assessment for many defense contractors, though actual timelines vary significantly based on starting security posture and available resources. This timeline reflects the work needed to properly implement 110 NIST SP 800-171 practices, develop required documentation including SSP (System Security Plan), train staff, establish processes, and prepare for assessment. Smaller organizations with simpler environments might achieve certification sooner, while larger organizations with complex networks may need more time. Starting early gives flexibility and avoids deadline pressure when CMMC becomes mandatory in your contracts.
How much does CMMC Level 2 certification cost?
CMMC Level 2 certification costs vary significantly based on organisation size, existing security posture, and scope. Key cost areas include technical infrastructure investments (network equipment, security tools, MFA, SIEM); professional services for gap analysis, implementation guidance, and SSP development; C3PAO assessment fees, which depend on the complexity of the OSC (Organization Seeking Certification) and the size of the assessment scope; and internal labour (project management, IT implementation, documentation). Annual maintenance costs cover tool subscriptions, security monitoring, and continuous compliance monitoring. A Level 2 certification is valid for three years, with annual affirmations in between. Book a consultation for a personalised estimate based on your environment.
Can't we just implement NIST SP 800-171 ourselves?
Defense contractors can implement NIST SP 800-171 themselves if they have senior security architecture expertise familiar with NIST SP 800-171 Rev 2 (110 requirements), an understanding of the CMMC (Cybersecurity Maturity Model Certification) assessment process and C3PAO (CMMC Third-Party Assessment Organization) requirements, and significant spare engineering capacity for implementation. Many contractors who attempt it in-house discover gaps during their first C3PAO assessment, and those gaps mean rework and timeline delays. A structured approach can shorten the learning curve by providing clear guidance, tested patterns, and pre-configured templates so your internal team can implement more effectively.
We already have ISO 27001 or SOC 2 - doesn't that cover CMMC?
Not automatically. While ISO 27001 and SOC 2 demonstrate strong security practices, CMMC (Cybersecurity Maturity Model Certification) Level 2 has specific requirements from NIST SP 800-171 that these frameworks don't fully cover. For example, NIST SP 800-171 requires FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI (Controlled Unclassified Information) (requirement 3.13.11), along with CUI-specific marking, media, and handling controls that ISO 27001 and SOC 2 do not prescribe. If you have ISO 27001 or SOC 2, you've built strong security foundations; Pilotcore helps you address the CMMC-specific requirements and documentation differences. The implementation timeline can potentially be reduced when starting from ISO 27001 or SOC 2, though actual timelines vary with your specific circumstances. Faster than starting from zero, but not automatic compliance.
Is Pilotcore a C3PAO that can certify us?
No. Pilotcore is not a C3PAO and does not conduct official CMMC (Cybersecurity Maturity Model Certification) assessments or issue certifications. A C3PAO must stay independent of any consultant that helped you implement and prepare, which is why the readiness partner and the assessor are separate organisations; Pilotcore fills the readiness role before your assessment. We help implement controls, create SSP (System Security Plan) documentation, prepare evidence, and coordinate with your chosen C3PAO so your team knows what exists before the official evaluation.
Ready to talk about your CMMC plan?
Book a 30-minute readiness call to pressure-test your current NIST SP 800-171 posture, realistic timeline, and whether you need a full engagement, a narrow remediation sprint, documentation cleanup, or no consultant yet. Pilotcore prepares your team; assessment decisions stay with your independent C3PAO, and legal advice stays with your counsel.