CMMC Practitioners


If you are looking for a CMMC practitioner, we assembled an assortment of reputable companies that you can evaluate as a possible fit for your specific needs. These CMMC practitioners range from consultants, to Managed Service Providers (MSP), to compliance-focused documentation solutions, all the way to manufacturers. Since every CMMC practitioner has their own specialty you need to do your own due diligence.

The bottom line is you get what you pay for with CMMC consulting services!


CMMC / NIST 800-171 Compliance Documentation Solutions


ComplianceForge
855-205-8437
support@complianceforge.com
https://complianceforge.com/ (editable cybersecurity & data privacy documentation solutions - policies, standards, procedures, SCRM plan, etc.)
https://nist800171.com/ (NIST 800-171 & CMMC documentation solutions)
https://nist800161.com/ (NIST 800-161 R1 supply chain risk management solutions)

Specialty: ComplianceForge sells professionally-written NIST 800-171 & CMMC policy templates that can save your organization hundreds of hours. ComplianceForge documentation currently provides coverage for both NIST 800-171 R2 and NIST 800-171 R3 that map requirements down to the Assessment Objective (AO) level for complete coverage.

ComplianceForge has been writing cybersecurity documentation since 2005 and NIST 800-171 documentation since 2016, so ComplianceForge has extensive experience in the subject of DFARS compliance-related documentation. Documentation is too important to be left up to amateurs and poorly constructed documentation can leave you not only non-compliant, but lead to higher costs from the increased billable time it takes for an assessor to sift through difficult documentation.

ComplianceForge provides editable, cost-effective cybersecurity documentation solutions that are specific to CMMC 2.0 & NIST 800-171 (CUI & NFO controls). ComplianceForge is the "easy button" approach to editable CMMC & NIST 800-171 & NIST 800-161 R1 compliance documentation:

  • Policies
  • Standards
  • Procedures
  • SCRM Plan (NIST 800-161 R1 based)
  • SSP & POA&M templates
  • Incident Response Plan (IRP)
  • Third-Party Risk Management

  


Secure Controls Framework (SCF)
support@securecontrolsframework.com
https://securecontrolsframework.com

Specialty: For organizations that face more complex compliance requirements than meeting just NIST 800-171 / CMMC, the Secure Controls Framework (SCF) might be just what you are looking for. The SCF uses Creative Commons licensing, so it is free. It has complete coverage for NIST SP 800-171 R2, NIST SP 800-171 R3, NIST SP 800-172 and CMMC Levels 1-3.

The SCF is a more efficient way to operationalize cybersecurity and data privacy operations by simplifying the underlying controls that power an organization’s cybersecurity program. The reality is that most organizations struggle with defining the minimum security requirements that are necessary to address both their compliance obligations and needs for secure practices. The SCF provides a straightforward and scalable method to define those “must have” and “nice to have” requirements into a holistic control set to operationalize cybersecurity operations, risk management and third-party governance. There is no cost to use the SCF and quite a few Governance Risk and Compliance (GRC) platforms natively support the SCF as a built-in control set.

In simple terms, the SCF is a metaframework: a catalog of controls made up of over 100 cybersecurity and data privacy laws, regulations and frameworks. This control catalog contains roughly 1,200 controls and is logically organized into 33 domains. The structure of the SCF normalizes disparate control language into something that is usable across technology, cybersecurity, privacy and other departments, so they can share the same control language.

The SCF is much more than just a control set!

  • Each control has a control weighting to help understand risk, since not all controls are the same.
  • There is a built-in risk catalog and threat catalog, where those risks and threats are mapped to SCF controls.
  • There is a capability maturity model to help define what right looks like for your organization.
  • There is a risk management model to enable holistic risk management practices at the control level.
  • There is an evidence request list to define expected assessment artifacts that would be reasonably expected to satisfy controls.
  • We even have assessment objectives to help provide objective criteria that can be used to assess controls.

 

CMMC / NIST 800-171 Consulting Services 


BDO
256-733-1115
cmmc@bdo.com

Specialty: BDO provides organizations with proven experience and certified personnel to mitigate the risk of non-compliance with DoD cybersecurity contracting regulations. BDO’s highly-credentialed and experienced team can help companies achieve their assessment needs within one comprehensive tool and achieve a lower cost of implementation and management for all DoD-mandated cybersecurity compliance frameworks. 

The BDO Cyber Assessment Tool (CAT) provides comprehensive assessments for FAR 52.204-21, DFARS 252.204-7012 / NIST 800-171, NIST 800-172, CMMC Maturity Levels 1-5 as well as additional assessments for EXOSTAR cyber questionnaires.  BDO professionals assist with cyber architecting, network and systems IT technical solution implementation, policies/artifacts to CMMC assessments. BDO can provide overall package management to help keep your CMMC package current and compliant.

 


How To GRC
907-299-7775
learn@howtogrc.com
https://howtogrc.com/scf/

Specialty: HowToGRC is a cybersecurity firm focused on designing and implementing cost effective and scalable cybersecurity programs. HowToGRC provides CMMC and NIST SP 800-171 readiness assessments, advisory and audit preparation along with our continuous compliance management platform, CMMCplus™.  HowToGRC has considerable experience implementing and tailoring ComplianceForge products and the Secure Controls Framework (SCF).

   


DEFCERT
info@defcert.com
https://www.defcert.com/

Specialty: DEFCERT supports all facets of "defense contractors" that make up the Defense Industrial Base (DIB), including manufacturers, economic development organizations, managed IT service providers and technology companies. DEFCERT offers a full-range of technology and business process improvement services that includes CMMC consulting, DFARS contract obligation reviews, CMMC implementation and resource planning, system design and validation of existing implementations (to prepare for C3PAO assessment).

  


DiCicco, Gulman & Co. (DGC)
781-937-5191
dgcinbox@dgccpa.com
https://www.dgccpa.com/services/it-risk-assurance-and-advisory

Specialty: DGC's IT Risk Assurance & Advisory practice provides a wide variety of cybersecurity services including vulnerability assessments, penetration testing, and security and risk assessments. We provide NIST 800-171 and CMMC readiness assessments and consulting services for the DIB and are an applicant to be a Certified 3rd Party Assessment Organization (C3PAO) for CMMC.

 


The Net Effect
251-433-0196 x107
grs@theneteffect.com
https://www.theneteffect.com

Specialty: Since 1996, The Net Effect has been crafting individually-tailored solutions for security and compliance problems, with minimal disruption to clients' existing business processes. The Net Effect provides a range of consulting services, from security assessments and gap analysis to documentation and employee training. Compliance requirements supported include CMMC, NIST SP 800-171, DFARS 252.204-7012, FAR 52.204-21, C2M2 and NIST CSF.

 


SecuriThink
612-276-2658
Hello@SecuriThink.com
https://securithink.com

Specialty: What will CMMC cost your organization? SecuriThink Step Zero™ answers that question with a verified level of accuracy in as little as 72 hours. It’s a cyber tool for business decision-makers ‒ forged in Mergers and Acquisitions (M&A) now wielded by compliance leaders, risk managers, and underwriters.

SecuriThink consultants have been managing DoD cybersecurity requirements for 14 years.  We’ve been the CISO or external advisor to the person who is. We know commercial enterprises where Defense contracts are only part of the business so making the business case to the owner or the Board, and the C-suite is key. The SecuriThink team has lived this journey. We know what done looks like. Let us make getting there easier for you.

 

 CMMC / NIST 800-171 Technology Integrators (MSP / MSSP)


Sentinel Blue
571-485-9030
info@sentinelblue.com
https://www.sentinelblue.com/dfars-cmmc/

Specialty: Sentinel Blue specializes in bringing the leadership, expertise, and technical capabilities required for DFARS compliance to the Small to Medium Enterprises (SME) in the Defense Industrial Base (DIB). We do common sense security - a lot of consultants don't get it about the realities that smaller companies face with limited budget and expertise, so we can right size an approach for your specific needs. Sentinel Blue is also a CMMC Third-Party Assessor Organization (C3PAO).

  


C3 Integrated Solutions
978-312-7668
info@c3isit.com
https://c3isit.com/cmmc-solutions/steel-root-compliance-program/

Specialty: C3 Integrated Solutions combines technology, processes, personalized guidance, and day-to-day management into a cohesive solution focused on supporting defense contractors that seek to achieve CMMC certification.
 
Organizations that adopt one of our Steel Root solutions eliminate compliance barriers to valuable DoD contracts by following a systematic and compliance-first approach to passing the CMMC assessment.

 


Summit7
256-585-6868
cmmc@summit7.us
https://info.summit7systems.com/cmmc-l3-requirements

Specialty: Summit 7 specializes in the Aerospace and Defense (A&D) industry. Summit 7 won the 2020 Microsoft US Partner Award in Security and Compliance for its Office 365 and Azure Government solutions regarding CMMC, DFARS, NIST SP 800-171, ITAR, and CUI.

 

 CMMC / NIST 800-171 Technology Solutions

NeQter Labs
401-608-6522 
info@neqterlabs.com
https://neqterlabs.com/product-features/

Specialty: NeQter Labs is a cybersecurity software company dedicated to providing affordable DFARS/NIST SP 800-171/CMMC compliance solutions to the SMB market. Our Compliance Engine platform combines Security Incident Event Management (SIEM), active alerting, inventory, and vulnerability scanning into a single solution.

 


Beryllium InfoSec
763-546-8354
info@berylliuminfosec.com
https://www.berylliuminfosec.com

Specialty: Beryllium specializes in providing NIST SP 800-171 and CMMC compliance solutions, specifically working with SMBs to successfully segment CUI from their main network and to properly minimize the scope of the CUI environment. Our flagship product, CUICK TRAC™, combines a virtual, privately-hosted enclave, as part of a continuously-monitored and managed security program that helps SMBs become compliant in an affordable, practical and secure way.

 

 CMMC Licensed Training Providers (LTP)


Space Coast Cyber
321-294-3565
info@spacecoastcyber.com
https://www.spacecoastcyber.com

Specialty: Space Coast Cyber is a boutique training company that specializes in advanced cybersecurity education and certification training. We are passionate about our profession and want to help build the cybersecurity community one class at a time with a current focus on Cybersecurity Maturity Model Certification (CMMC) training as an authorized Licensed Training Provider (LTP).

While cybersecurity training is our primary focus and mission, we do engage in limited consulting as our availability allows. Focus areas for consulting are NIST SP 800-171 / CMMC implementation, C3PAO Quality Assurance or assessment team staff augmentation, fractional Information Systems Security Engineering (vISSE) services, NIST Risk Management Framework services, and NIST SP 800-161 Cybersecurity Supply Chain Risk Management (C-SCRM) strategy development and security program management.

 

 CMMC Third-Party Assessment Organizations (C3PAOs)


Cybersec Investments
800-960-8802
info@cybersecinvestments.com
https://www.cybersecinvestments.com/cmmc

Specialty: Cybersec Investments is a CMMC Third-Party Assessor Organization (C3PAO) and provides CMMC / NIST SP 800-171 consulting for Small to Medium Enterprises (SME) who need outside expertise to both understand and implement the requirements needed to comply.

 


 

Kieri Solutions
301-253-5150
info@kieri.com
https://www.kieri.com

Specialty: Kieri Solutions is a CMMC Third-Party Assessor Organization (C3PAO) with demonstrated expertise in CMMC, NIST SP 800-171, FedRAMP, and DFARS. Kieri Solutions specializes in gap analysis, architecture review and design, process engineering and resource planning. Kieri Solutions is cloud and remote-work friendly and focuses on enabling organizations to become and stay compliant over time. Clients range from small businesses to Fortune 500 companies, including providing guidance to MSPs and cloud service providers who want to make sure their offerings correctly support their DIB clients.

 

 NIST 800-171 Compliance Manufacturing Services & Consulting


Win-Tech, Inc.
770-423-9358
sales@win-tech.net
https://www.win-tech.net/

Specialty: Custom, build-to-print, aerospace and defense machine shop. Veteran-owned small business (VOSB) with in-house machining and fabrication capabilities. Win-Tech supports both prototype and production projects (aluminum, titanium, and other metals, plastics and composites) as well as consulting services to manufacturers pursuing cybersecurity compliance in the industry. Win-Tech speaks CMMC and would like to be your manufacturer of choice (we do subcontracting)!

  • NIST SP 800-171 compliant
  • AS9100D-Certified
  • DDTC-Registered
  • JCP Certified