Know Exactly Where You Stand Before You Spend a Dollar on Remediation
A complete gap assessment that maps all 110 NIST 800-171 controls, defines your compliance boundary, builds your POA&M roadmap, and helps you choose the right path forward — for a flat $15,000.
10 structured deliverables. No hourly billing. No open-ended scope. No surprises.
The Engagement
A Diagnostic, Not a Remediation Project
The Level 2 Gap Assessment maps all 110 CMMC Level 2 controls against your current environment, documents every gap, assigns risk priorities, and produces a structured remediation roadmap for every finding.
✓ What This Engagement Includes
- Scope validation across all systems, users, and data flows
- Full NIST SP 800-171 control mapping — 110 practices, 320 objectives
- Gap identification with specific documentation for every finding
- Policy and procedure development in audit-ready language
- Evidence guidance, review, and effectiveness testing
- POA&M creation with timelines, owners, and resource estimates
- SSP alignment to your actual technical environment
- Readiness scoring and maturity index
- C3PAO assessment coaching for your entire team
✕ What This Engagement Does Not Include
- Implementation of POA&M remediation items
- Hardware or software procurement
- Managed IT services or ongoing security operations
- The formal C3PAO assessment itself
This separation is intentional. The right remediation path depends entirely on what the gap assessment reveals — you shouldn't commit resources until you have the full picture.
The Most Important Decision You'll Make
Your Scope Changes Everything
Your CMMC scope is the boundary that defines which systems, devices, users, and processes must meet all 110 Level 2 security controls. Everything inside that line requires full compliance. Everything outside it doesn't. The size of this boundary directly determines the cost, effort, and timeline of everything that follows.
⬛ Broad Scope
Entire office environment in scope. 110 controls applied to every system, every user, every process. Maximum cost and timeline.
◻ Narrow Scope
Isolated CUI boundary. 110 controls applied only within the defined perimeter. Dramatically less implementation burden.
Two Paths Forward After Your Gap Assessment
Your Findings. Your Decision. No Pressure.
The gap assessment reveals which path makes financial and operational sense for your organization. We help you evaluate both — honestly.
Remediate Your Existing Environment
Implement security controls across your current infrastructure. Compliance Cavalry provides the complete POA&M roadmap with every gap documented, prioritized, and assigned. Your team executes the remediation work.
Best For Organizations Where
- The existing environment is reasonably organized
- Gap count is manageable based on assessment findings
- Printing CUI on-site is a genuine business requirement
- Resources exist to implement controls across current infrastructure
Reduce Scope with a Secure Cloud Enclave
Move all CUI handling into Security Cavalry's Cavalry Enclave™ — a pre-built Microsoft GCC/GCC High cloud environment. Your CMMC scope shrinks to just the enclave boundary, dramatically reducing what needs to be implemented. Learn more about Security Cavalry’s enclave solution →
Best For Organizations Where
- The existing environment has extensive gaps or broad complexity
- The cost and timeline of full remediation is significant
- A faster, pre-built path to compliance is preferred
- The team can work without printing CUI on-site
⚠ Important Tradeoff — We Tell You This Upfront
The enclave model requires all CUI work to happen through a secure virtual browser. CUI is never downloaded to local devices and cannot be printed from on-site printers. If printing CUI in your physical workspace is a genuine operational need, the enclave path (Path B) may not be the right fit.
Compliance Cavalry does not sell the enclave — Security Cavalry does, independently. We help you evaluate both paths based on real gap assessment findings, not sales pressure.
What You Get
10 Structured Deliverables. Zero Ambiguity.
Every deliverable is audit-ready, organized in your Cavalry GRC Tool, and designed to survive C3PAO scrutiny — not collect dust in a shared folder.
Scope Validation
We confirm which systems, users, processes, and data flows are in scope for Level 2, including enclave boundaries. This is where the compliance picture gets real.
NIST SP 800-171 Full Control Mapping
Every one of the 110 practices and 320 assessment objectives mapped against your current processes, technical safeguards, and documentation. No shortcuts.
Gap Identification & Documentation
Every missing, incomplete, or inconsistently applied control documented specifically. An honest list of exactly what isn't meeting the standard — and why.
Policy & Procedure Development
Audit-ready documentation for every control, written in language that holds up to assessor scrutiny. Requirements apply regardless of which path you choose.
Evidence Review & Effectiveness Testing
We identify what evidence is required for each control, guide your team in gathering it, and then review and validate what’s collected — configurations, logs, training records, access controls. We test effectiveness, not just existence.
POA&M Creation
Every gap gets a formal Plan of Action & Milestones with timelines, owners, and resource estimates. Your remediation roadmap for any path forward.
Risk Prioritization
Gaps ranked by compliance impact and operational risk so your resources go to the highest-priority items first.
System Security Plan (SSP) Alignment
Your SSP will describe your actual technical environment and real control implementations — not an aspirational version that won't survive scrutiny.
Readiness Scoring
A maturity index and readiness score give you and your leadership a quantified, defensible view of where you stand relative to Level 2 certification.
C3PAO Assessment Coaching
We prepare your staff and leadership for the formal assessment: interview format, evidence presentation, documentation walkthroughs, and confident responses.
Pricing
Flat Fee. Full Scope. No Surprises.
Complete Level 2 Gap Assessment
Flat fee covering all 10 deliverables. No hourly billing. No scope creep. No change orders. You know the total investment before you start.
- Scope validation
- Full 110-control mapping
- Gap documentation
- Policy & procedure development
- Evidence testing
- POA&M roadmap
- Risk prioritization
- SSP alignment
- Readiness scoring
- C3PAO coaching
Common Questions
Frequently Asked Questions
Because the right remediation path depends entirely on what the gap assessment reveals. We can't responsibly scope remediation before we know the actual gaps. Doing the diagnostic first means your implementation investment is based on real findings, not assumptions — and many clients find the gap assessment changes the approach they would have taken.
Security Cavalry, a separate entity in the Team Cavalry family, provides the Cavalry Enclave™ — a pre-built Microsoft GCC/GCC High cloud environment for CUI. If your gap assessment reveals that the enclave could significantly simplify your compliance path, we'll walk through both options clearly. You engage Security Cavalry directly and independently.
The enclave model requires all CUI work to happen through a secure virtual browser. CUI is never saved to local devices, which means it can't be printed from on-site printers. If printing CUI at your location is a regular operational need, the enclave may not be the right approach. We always surface this tradeoff proactively.
No. Compliance Cavalry is not a C3PAO. We prepare you for the assessment — which eliminates any conflict of interest and ensures our only incentive is your readiness.
Typically 8–24 weeks, but it depends heavily on environment complexity, gap volume, and how quickly your team can provide information about how your organization currently covers each control. The more visibility we have into your environment and the more responsive your team is during the engagement, the faster we can move. We provide a full project timeline during your discovery call.
We review it against the actual C3PAO assessment standard. Many organizations have SSPs that describe intentions rather than implementations — a significant risk during assessment that we surface and correct.
Yes — Compliance Cavalry serves defense contractors across the entire country. All engagements are fully remote-capable.
Your Compliance Picture Starts Here
Schedule a free 30-minute discovery call. We'll help you understand whether Level 2 applies to your organization, what your scope likely looks like, and which path forward makes the most sense.