Service

CMMC Boundary Snapshot

DoD contract on the line. CMMC required. But what data do you actually have? Where does your CUI boundary end? We sort it out, draw the lines, and show you every gap against NIST 800-171.

10 business days
110 NIST 800-171 controls
SPRS score estimate
Get Started — $2,990

This is for you if:

  • You have a DoD contract that requires CMMC compliance
  • You're bidding on defense work and need to prove readiness
  • You're not sure what CUI you have or where your boundary is
  • You need to know your SPRS score before submitting it
110
Controls assessed
14
Control families
L2
CMMC ready
10
Days delivery
Denali

What you get

01

FCI/CUI Classification

Which data you have, where it lives, and what protection level it needs. No more confusion about what counts.

02

System Boundary Diagram

Visual map of your CUI environment. What's in scope, what's out, and where the boundaries are.

03

NIST 800-171 Gap Analysis

All 110 controls assessed. What you meet, what you don't, and what needs work before your C3PAO shows up.

04

SPRS Score Estimate

Your estimated Supplier Performance Risk System score based on current state. Required for DoD contracts.

05

POA&M Template

Plan of Action and Milestones for any gaps. Shows the DoD you have a path to full compliance.

06

Evidence Requirements List

Exactly what documentation your C3PAO will ask for. No surprises during the assessment.

The process

8 steps from kickoff to complete CMMC readiness assessment.

1

Submit intake

Online form

2

Share docs

Contracts & policies

3

FCI/CUI review

Classification

4

Boundary mapping

Scope definition

5

NIST 800-171

Gap assessment

6

SPRS calc

Score estimate

7

POA&M draft

Remediation plan

8

Delivery

Full report

Denali
Denali
Scope

What's included

Included
  • Complete FCI/CUI classification
  • System boundary diagram
  • NIST 800-171 gap analysis (all 110 controls)
  • SPRS score calculation
  • POA&M template with gaps
Also
  • Evidence requirements checklist
  • C3PAO preparation guide
  • Control family prioritization
  • 30-day email support

Important

This engagement constitutes a readiness assessment and does not result in CMMC certification. Official CMMC certification requires assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO). This assessment prepares your organization for the certification process.

CMMC Levels explained

CMMC has three levels. Most contractors need Level 1 or Level 2. Level 3 is for the most sensitive work.

Level 1

Foundational

Basic cyber hygiene. 17 practices. Self-assessment allowed. For contracts with FCI only.

~15% of defense contractors

Level 2

Most common

NIST 800-171 aligned. 110 practices. Third-party assessment required for most. For contracts with CUI.

~80% of defense contractors

Level 3

Expert

NIST 800-172 based. Government-led assessment. For highest-priority programs and critical assets.

~5% of defense contractors

Before vs After

Without assessment

Not sure what CUI you have

Boundary is "somewhere around here"

No idea what SPRS score to submit

C3PAO coming and you're not ready

Hoping for the best

With CMMC Snapshot

FCI and CUI classified and mapped

Boundary drawn with clear scope

SPRS score calculated and documented

Know exactly what C3PAO will ask

Ready for assessment

Result

You know where you stand

Common questions

What's the difference between FCI and CUI?

FCI (Federal Contract Information) is info the government gives you or you create for them. CUI (Controlled Unclassified Information) is more sensitive and has specific handling requirements. CMMC Level 1 covers FCI, Level 2 covers CUI.

Do I need CMMC Level 1 or Level 2?

Depends on your contract. If you handle CUI, you need Level 2. If it's just FCI, Level 1 might be enough. We'll help you figure out which applies based on your actual contract requirements.

What if I don't know if I have CUI?

Most companies aren't sure. That's why data classification is the first thing we do. We'll look at your contracts and data flows to figure out exactly what you have.

When does CMMC become mandatory?

It's being phased in. Some contracts already require it, others are coming soon. If you're bidding on DoD work, you should be preparing now.

Can you help us get certified?

This package is assessment only—showing you where you stand and what needs work. For certification, you'll need a C3PAO (certified assessor). But this gets you ready for that conversation.

What's a SPRS score and why do I need it?

SPRS (Supplier Performance Risk System) is the DoD's database for tracking contractor security. You self-report your score based on NIST 800-171 compliance. A low score can disqualify you from contracts.

Get your CMMC situation sorted.

We classify your data, draw your boundary, assess against NIST 800-171, and give you a clear picture of where you stand. 10 days, $2,990.

Get Started