CMMC Compliance for smaller
DoW Contractors
The fastest, most affordable path to CMMC Level 1 & Level 2 self
attestation for DoW contractors doing under $3M
We are a CyberAB Registered Practitioner Organization (RPO) – an organization authorized by The Cyber AB to provide CMMC readiness, advisory and support services through the employment of Registered Practitioners (RPs). Unlike traditional RPOs, we provide our CMMC readiness services leveraging our Agentic AI CMMC Compliance Automation
platform – ComplySec360™ which fast tracks compliance at a fraction of the cost. The RPO designation is intended for organizations operating within the defense industrial base (DIB) and supply chain that support organizations pursuing Cybersecurity Maturity Model Certification (CMMC) compliance.
Days
0
To self-attestation
ready
%
0
Reduction in compliance
effort
Controls
0
NIST 800-171 Rev. 2
requirements
Deliverables
0
Everything CMMC
requires
Our Assessors, CCPs and RPs
Where Human Expertise Meets AI Intelligence
We collaborate with Authorized C3PAOs, CMMC Lead Assessors, CMMC Certified Professionals and Registered Practitioners to deliver integrated platform, readiness, and accredited assessment support—combining expert guidance and automation to achieve audit-ready security and compliance outcomes.
Matthew Titcombe
CMMC Therapist™ | Lead CMMC Certified Assessor | Authorized C3PAO
Matthew Titcombe is a CMMC Certified Assessor (CCA) and President of Peak InfoSec, an Authorized CMMC Third-Party Assessment Organization (C3PAO). Known as the “CMMC Therapist™,” he helps defense contractors transform struggling security programs into executive-led, audit-ready operations.
Matthew also serves as the Vice-Chairman for the CMMC Information Institute, a nonprofit organization that helps Organizations Seeking CMMC Certification (OSCs) cut through the fog of misinformation surrounding CMMC.
Peak InfoSec is a Department of Veterans Affairs Certified Service-Disabled Veteran-Owned Small Business (SDVOSB) headquartered in Colorado, focused on employing veterans. The firm delivers CMMC and NIST SP 800-171 assessments, penetration testing, compliance audits, security architecture, product sourcing, deployment, optimization, and ongoing security operations support for organizations across the Defense Industrial Base.
Peak InfoSec is a Department of Veterans Affairs Certified Service-Disabled Veteran-Owned Small Business Peak InfoSec is a Department of Veterans Affairs Certified Service-Disabled Veteran-Owned Small Business Peak InfoSec is a Department of Veterans Affairs Certified Service-Disabled Veteran-Owned Small Business
John Shamasko
CMMC Jesus | Lead CMMC Assessor | CISSP | CIPM
John is a Lead CMMC Certified Assessor with extensive JSVA and DIBCAC High assessment experience, formally trained by The Cyber AB. He serves as Vice Chair of the Assessment Guidance Committee within the C3PAO Advisory Council, helping shape national assessment standards.
John is the Lead Assessor at The CMMC Team (C3PAO), a certified organization comprised of Cyber AB–trained Certified CMMC Assessors, Certified CMMC Professionals, and Registered Practitioners supporting organizations in achieving CMMC compliance and readiness.
Raj holds a degree in Mechanical Engineering from University of Madras. He is a Certified Information Security Manager (CISM) and a CMMC Registered Practitioner. He lives in New Jersey with his wife, two children, and a dog named Rocky. Information Security Manager (CISM) and a CMMC Registered Practitioner. He lives in New Jersey
Raj holds a degree in Mechanical Engineering from University of Madras. He is a Certified Information Security Manager (CISM) and a CMMC Registered Raj holds a degree in Mechanical Engineering from University of Madras. He is a Certified Information Security Manager (CISM) and a CMMC Registered
Raj holds a degree in Mechanical Engineering from University of Madras. He is a Certified Information Security Manager (CISM) and a CMMC Registered
Raj holds a degree in Mechanical Engineering from
Raj Sahas
Registered Practitioner and CMMC Certified Professional
Raj is a CMMC Certified Professional (CCP), Registered Practitioner (RP) and a strategic cybersecurity leader / CISO who builds security programs that enable growth and operational resilience while actively reducing enterprise risk. With 25+ years across Fortune 500, government, public sector, private enterprise, and mission-driven nonprofits, he aligns security initiatives to business objectives so they deliver measurable outcomes. A former MSSP co-founder, Raj has built and led SOC operations, scaled global programs, and guided organizations through complex compliance – CMMC, FedRAMP, ISO 27001, SOC 2, HIPAA, PCI – turning frameworks into working controls and clear evidence.
Beyond technical depth, Raj is recognized for executive communication and board-level reporting that turns risk into decisions. His work spans the full security lifecycle: strategy and program design, risk quantification, policy and governance, cloud security, vulnerability management, business-safe penetration testing, incident response, and crisis management.
Our Authorized C3PAO
The Problem
CMMC is easier for enterprises with dedicated security
teams – smaller DoW contractors face a steeper path
Traditional CMMC consulting can cost $50K-$150K and take 12-18 months. For SMEs with under $3M in DoW contracts,
the economics often don’t make sense. The compliance costs can outweigh the revenue opportunity.
$150K
Typical CMMC consulting cost
Legacy firms charge $50K-$150K for Level 2. For most SMEs, the compliance costs can outweigh the
18mo
Typical path to compliance
Traditional timelines run 12-18 months. DoW contracts are being awarded and lost right now
110
NIST 800-171 controls required
Level 2 demands all 110 controls: documented, assessed, and demonstrated. A full-time job for months without
4%
Contractors actually ready
Only 4% of DoW contractors passed independent CMMC evaluations: despite 75% believing they were compliant
ComplySec360™ Changes The Equation
Built specifically for small DoW contractors — agentic AI automation, expert-led delivery, and a
structured 30-day programme that produces every artifact for self-attestation and C3PAO assessment,
at a fraction of traditional cost.
Which Level Do You Need?
Level 1 or Level 2 – ComplySec360™ Covers Both
If your contracts involve FCI only, you need Level 1. If they involve CUI, you need Level 2. ComplySec360™ assesses
your contracts and maps you to the right level on day one.
CMMC Level 1
Foundational Cyber Hygiene
- For contractors handling Federal Contract Information (FCI). Annual self-attestation.
- 15 requirements across 6 domains
- Annual self-attestation – no C3PAO required
- SPRS score submission to DoW required
- Applies to FCI-only contracts (no CUI)
- ComplySec360™ delivers Level 1 package in day
CMMC Level 2
Advanced Cyber Hygiene
- For contractors handling Controlled Unclassified Information (CUI). 110 NIST 800-171 Rev. 2 requirements. Self-attest or C3PAO.
- All 110 security requirements across 14 domains
- Self-attestation for non-prioritised acquisitions
- Full C3PAO evidence package – assessor-ready
- SSP, POA&M, SPRS score – produced and documented
- CUI Data Flow Diagram included in SSP
Eight Deliverables.
Everything CMMC Requires
Every artifact required for self-attestation and C3PAO assessment – built from your actual environment,
not copied from a generic template library
1
Readiness Assessment
AI-assisted evaluation against every CMMC
requirement. Know where you stand before spending a
dollar on remediation.
2
Gaps & Action Items
Requirement-by-requirement gap register with concrete
remediation actions, owners, and effort estimates.
3
Policies & Procedures
Complete CMMC-aligned policy suite tailored to your
organisation.
4
System Security Plan + CUI DFD
Fully developed SSP with clear CUI Data Flow Diagram –
the first document a C3PAO assessor examines.
5
Traceability Matrix
Control-to-evidence matrix mapping every CMMC
requirement to the artifacts that demonstrate
implementation.
6
Control Implementations
Implementation statements for every requirement meeting
the Examine, Interview, and Test evidence standard.
7
Final Assessment + SPRS Score
Structured internal assessment producing your SPRS
score – accurate, documented, and defensible for DoW
submission.
8
Plan of Action & Milestones
Formally structured POA&M with open deficiencies,
owners, compensating controls, and target dates.
Mandatory for Level 2.
The 30 Day Sprint
Four Weeks. Full Compliance
ComplySec360™ compresses what traditionally takes 12–18 months into a structured 30-day sprint – without
cutting corners. Every deliverable built for self attestation is simultaneously C3PAO assessment-ready.
Week 1
Assess & Hope
- Readiness assessment, system boundary, CUI identification, gap register
Week 2
Build & Document
- SSP, CUI Data Flow Diagram, policies, control implementation statements.
Week 3
Remediate
- Gap closure, traceability matrix completion, evidence collection.
Week 4
Assess & Attest
- Final assessment, SPRS score, POA&M, self-attestation submitted to DoW.
C3PAO Assessment Ready - From Day One
When your contract requires a formal C3PAO assessment, you are already prepared. The same
deliverables that power your self-attestation are the exact evidence package a C3PAO assessor will
examine. No starting over. No additional cost.
The Cost Difference
A Fraction of What Traditional Consulting Charges
Traditional Consulting
$50K - $150K
12-18 months. In-house security team required. Generic templates
ComplySec360™
$25K - $50K
30 days. Built from your environment. C3PAO-ready output
Why ComplySec360™
Built Differently for Contractors Who Work Differently
Not adapted from an enterprise GRC platform. Designed from the ground up for the SME where one person
manages contracts, IT, and compliance simultaneously
ComplyGenie™ AI Agents
AI agents read your actual environment, identify CUI flows, and generate your SSP and implementation statements.
30 Days, Not 18 Months
Our structured sprint delivers everything for
self-attestation in 30 days without
compressing quality or cutting corners.
CISSPs & CMMC Practitioners
Certified experts review every deliverable. The
output meets the exact evidence standard a
C3PAO assessor will apply
Fraction of the Cost
Purpose-built for contractors under $3M in
DoW revenue. The compliance cost should
never exceed the contract value.
Self-Attest & C3PAO Ready
Build your evidence package once for both
purposes. The same deliverables power self-
attestation and a formal C3PAO assessment.
Built for One-Person Compliance
Designed for the SME where one person
manages contracts, IT, and compliance.
ComplySec360™ does the heavy lifting.
Schedule A Call With Our
Certified CMMC Professionals
