Founder-led CMMC readiness review
Built by Nelson Ford, CMMC CCP and CISSP
Led by Pilotcore's founder and principal consultant
CMMC readiness for Levels 1 and 2
Get a defensible CMMC readiness map before evidence requests pile up
Independent readiness support for Canadian defense, aerospace, manufacturing, cloud, and software suppliers that need to turn Level 1 and Level 2 uncertainty into a scope boundary, evidence gap list, and next-step plan before self-assessment or external assessment planning turns into rework.
- Download the CMMC Level 1 guide
- Map what changes between Level 1 and Level 2
- Book a consultation when a prime, RFP, or internal review creates pressure
Use this page to pick your next step. The guide is the Level 1 research path. The consultation is for Canadian contractor teams that need help interpreting CMMC Level 1 or Level 2 against their own systems and records.
Still learning
Start with the guide
Use the Level 1 guide to understand FAR 52.204-21 scope, evidence, and documentation questions before you decide whether you need outside help.
Get the CMMC Level 1 guideAlready under pressure
Talk through your readiness gaps
Book a consultation if a prime, contract team, or internal review is asking what Level 1 or Level 2 evidence you have and what is missing.
Pilotcore provides independent cybersecurity and compliance-readiness support. For CMMC, Pilotcore supports readiness, implementation planning, evidence preparation, and self-assessment preparation only. Certification and assessment decisions stay with your contract requirements, SPRS record, and independent assessment path.
Founder-led readiness consultations are capacity-limited each week. The best time to ask is before a prime questionnaire, RFP response, or internal review deadline turns uncertainty into rushed remediation.
The readiness problem
CMMC readiness often stalls on evidence, not intent
Level 1 has 15 practices. Level 2 maps to 110 NIST SP 800-171 requirements and a more formal assessment path. The hard part is proving what applies, what exists, and what needs to be closed before the next requirement lands.
- Which systems, users, vendors, and workflows may be in scope?
- Which records already support your answers?
- Where are policies disconnected from daily operations?
- Which gaps should be fixed before self-assessment or assessment preparation goes further?
Canadian contractor checks
Cross-border readiness has more than one source of pressure
Canadian suppliers pursuing DoD work often need to keep U.S. CMMC evidence separate from Canadian defence, contract-security, and controlled-goods obligations, even when the same technical controls support more than one conversation.
Flow-down source
Is the pressure coming from a DoD solicitation, a U.S. prime, a reseller agreement, or a customer questionnaire? The source affects what evidence matters first.
Parallel Canadian obligations
Do Controlled Goods Program, Joint Certification Program, PSPC contract security, or CPCSC expectations also apply? Those streams need their own decisions, even when evidence overlaps.
Reusable evidence
Which identity, endpoint, access, visitor, backup, logging, incident, and supplier records can support both U.S. and Canadian defence conversations without overstating equivalence?
What the review checks
A focused look at scope, evidence, documentation, and priorities
The readiness review is meant to make the next decision easier. It does not replace a self-assessment, audit, legal review, or certification process.
Scope
Clarify the people, systems, vendors, and workflows that may matter for CMMC Level 1 or Level 2 preparation.
Evidence
Check whether records such as MFA settings, backup notes, incident procedures, training records, and access-change history are available.
Documentation
Find policies, procedures, and operating records that are missing, stale, or disconnected from how the team works.
Priorities
Separate quick evidence fixes from larger remediation work so your team can act in the right order.
What you leave with
A concrete readiness package, not a vague opinion
The review gives contractor, security, and IT owners a shared action path they can use after the call.
Scope boundary map
A practical read on the systems, users, vendors, and workflows most likely to shape your CMMC path.
Evidence gap list
A plain list of records you have, records you may need, and areas where policy does not yet match operations.
Level 1 and Level 2 readiness path
A clear distinction between the 15-practice Level 1 baseline and the larger 110-requirement Level 2 planning path.
90-day action sequence
A prioritized next-step sequence for owners, evidence, documentation, and larger remediation work.
How it works
-
Context call
Bring your contract trigger, prime questionnaire, current policies, and a rough system list if you have them. We use the call to confirm whether the guide, a readiness review, or a larger planning path fits.
-
Evidence review
If a review is the right next step, we look at available records, responsibilities, and documentation against the likely Level 1 self-assessment or Level 2 planning work.
-
Action summary
You leave with the practical next actions your team can sequence before self-assessment or future assessment planning goes further.
Reviewer background
- CISSP, CMMC CCP, and AWS Solutions Architect Professional credentials
- Security and cloud delivery experience since 2017
- Platform-neutral review across cloud, SaaS, endpoint, identity, and operations evidence
Fit promise
If the first call shows you are not ready for paid readiness support, we will say so and point you to the right next step instead of selling the engagement.
Guide download
Get the CMMC Level 1 guide first
If you are still checking fit, download the Level 1 guide to begin your CMMC readiness journey. It gives you a practical starting point for scope, evidence, and documentation. If Level 2 is on your horizon, use the guide to get your Level 1 evidence baseline in order, then book a consultation to map the larger 110-requirement path.
15
Level 1 practices
110
Level 2 requirements
- A practical CMMC Level 1 readiness guide
- Scoping questions for contractor and IT teams
- Evidence prompts for common control areas
- Clear boundary language so the guide is not mistaken for official certification guidance
Email me the guide
Enter your work email and we will send the CMMC Level 1 guide.
Check your inbox
We've received your request. We'll email the guide link to the address you entered.
Request email:
Most requests are handled within 1 business day. Check your spam folder or contact us at info@pilotcore.io if you need help.
Ready to apply it
Talk through your CMMC Level 1 or Level 2 readiness questions
Bring your contractor context, current systems, and the evidence you already have. Pilotcore can help you identify what is clear for Level 1, what changes for Level 2, and what should happen next. If the first call shows the guide is the better next step, we will tell you.
Looking for the broader service overview? See CMMC compliance consulting.
Frequently asked
CMMC readiness review FAQ
Short answers for contractor teams checking fit before a guide request or consultation.
Does Pilotcore certify contractors or act as a CMMC assessor?
No. Pilotcore offers readiness support only: scope, evidence, documentation, implementation planning, and preparation for self-assessment or C3PAO assessment. We do not issue certifications or represent a C3PAO. Nelson Ford is a CMMC Certified Professional.
Is this only for companies that already have a defense contract?
No. It also helps contractors preparing to sell into defense or government supply chains who want to understand what readiness work may be required before a contract is on the table.
What if we already have cybersecurity policies?
That is a good starting point. The review looks at whether policies are supported by practical evidence, operating procedures, and implementation records, not just written documents.
Do we need to be using a specific cloud platform?
No. The readiness review is platform-neutral. We can review cloud, SaaS, endpoint, identity, and operational evidence based on your actual environment.
Can you help us fix the gaps?
Yes. The readiness review identifies gaps and priorities. If you want help after the review, Pilotcore can support documentation, evidence collection, and implementation planning.
Is this the same as a full compliance audit?
No. It is a practical readiness review designed to help you understand where you stand before self-assessment or future assessment planning. It does not issue an audit opinion or certification.