
CMMC Compliance Services
Built to Last, Not Just to Pass
Most CMMC support stops at the assessment. You get certified, the consultant moves on, and a year later the program has quietly drifted out of shape. SimIS works the other way. We treat certification as a milestone in a security program built to last, not a finish line you cross once. We help you understand what applies to you, prepare the evidence to prove it, and keep that posture real long after the assessor has gone. Talk to us about building compliance that holds.
Orient: Know What Actually Applies to You
FCI vs. CUI Determination
A clause appeared in your contract, and now you have questions: which level applies, what data you actually handle, and what you may already owe. This is where we answer them, calmly and in plain terms, before anything expensive begins.
Everything in CMMC flows from one question: what kind of government information do you actually handle? Federal Contract Information points you toward Level 1, Controlled Unclassified Information toward Level 2, and companies guess wrong in both directions. We walk your contracts and data flows with you and give you a clear, defensible answer, so the rest of your effort is aimed at the right target.
Assessment Scoping
Scope is the quietest decision in CMMC and the one that most often decides whether an effort succeeds. Draw the boundary too wide and you take on cost and controls you never needed. Draw it too narrow and your assessment falls apart. We help you define which systems, people, and data are in scope and which can be kept out, so your program rests on a boundary that holds up.
Level Determination
Level 1 or Level 2 is not a preference, it is a consequence of the work you do and the data your contracts place in your hands. We confirm which level applies to you now and which may be coming as your contracts evolve, so you prepare once for where you are actually headed rather than redoing the work later.
Current-State SPRS Read
You may already have an obligation in the Supplier Performance Risk System without realizing it. We establish where your compliance stands today and what the system currently reflects, giving you an honest starting line and a clear picture of the distance to where you need to be.
Level 1 Readiness: Meet Your Obligation with Confidence
Level 1 Self-Assessment Support
Level 1 is the most common CMMC obligation and the most underestimated. The requirements are fewer, but the self-assessment and the affirmation behind it still have to be right. We get you there quickly and correctly, without turning a manageable task into a project.
Level 1 rests on fifteen basic safeguarding requirements, and the real work is applying them honestly to how your business actually operates. We guide you through the self-assessment and help you tell what genuinely meets each requirement from what only looks like it does, so the result is one you can stand behind. The goal is an assessment that is both accurate and quick to reach.
First Affirmation, Done Right
A Level 1 self-assessment is only complete when your affirming official signs it in SPRS, and that affirmation is a real statement your company is making, not a formality to rush. We make sure what you are about to attest to is true and well-documented, so the person signing it can do so without hesitation. Done right, the annual affirmation becomes a routine you repeat, not a question you carry.
Quick-Start Remediation
Most Level 1 self-assessments surface a few practical gaps, such as multifactor authentication, access controls, or basic documentation. We help you close them quickly, drawing on the technical hardening described on our Cybersecurity Services page, so a short list of findings becomes a clean result rather than a stalled one.
Level 2 Readiness: Build a Program You Can Prove
Gap Assessment
Level 2 is real work: a hundred and ten requirements, a documented system, and evidence that holds up under a third party's review. We run it as a guided engagement led by someone who has done it, so you build a genuine program rather than a paper one.
We measure your environment against all hundred and ten Level 2 requirements and give you a clear, prioritized picture of where you stand. This is the foundation everything else builds on, an honest map of the distance between where you are and what the assessment expects.
System Security Plan Development
Your System Security Plan is the document an assessor reads first, and it has to describe your environment as it truly is, not as you wish it were. We develop an SSP that reflects your actual systems and controls accurately, because a plan written to the real world is the one that survives scrutiny.
POA&M and Remediation Sequencing
Few companies meet every requirement on the first pass, and that is expected. We turn your gaps into a Plan of Action and Milestones with a sequence that makes sense, addressing what matters most and what unblocks other work first, so remediation moves in a deliberate order instead of all at once.
Policy and Procedure Development
Controls without governance behind them do not hold. We develop the policies and procedures that define how the work actually gets done, tailored to how your company operates rather than copied from a template, so the program is something your team can follow and an assessor can verify.
Evidence Development
Level 2 is proven with evidence, and assembling it the night before an assessment is how programs fail. We help you build and organize your evidence on a structured foundation as you go, so proof of compliance is something you maintain continuously rather than scramble to recreate.
Mock Assessment
Before you sit for the real thing, we run a dry run against the same requirements an assessor will use, so you find the weak spots while you can still fix them. You walk into your assessment knowing what to expect, with no surprises waiting in the evidence or the plan.
Sustain: Keep Your Certification Real
Annual Affirmation Support
The provider who prepared you usually disappears the moment you pass. We stay. Sustainment is how your certification keeps its meaning between assessments, through every change that would otherwise pull it out of shape.
Every year, your affirming official attests in SPRS that your program is still in place, and that statement stays easy only when the program behind it stays true. We keep your controls and evidence current through the year, so the annual affirmation is a routine confirmation of reality rather than a moment of doubt. The promise stays a formality because the work behind it never lapsed.
Evidence Freshness
Evidence decays quietly. Screenshots age, logs go unreviewed, training records scatter, and a program that was solid at assessment can look hollow a year later. We keep your evidence current and organized on an ongoing basis, so you are always ready to show your posture instead of reconstructing it.
Scope-Change Governance
Your boundary does not stay still. New contracts, tools, vendors, and ways of sharing files appear, and each one can quietly move what is in scope without anyone noticing. We watch for those changes and keep your scope and documentation matched to reality, so the program you certified is still the program you are running.
Ongoing Program Cadence
The work of staying ready is recurring, and most small companies cannot dedicate someone to it. Through a scheduled program review, or a fractional security lead who owns the whole rhythm, we keep the recurring tasks on track between assessments. This is the same sustainment cadence described on our Cybersecurity Services page, here aimed squarely at keeping your certification defensible over time.