Compliance

CMMC Compliance

Prepare your organization for CMMC certification. Before the auditor arrives.

CMMC compliance assessment from Sherlock Forensics prepares defense contractors for Cybersecurity Maturity Model Certification. Gap analysis against NIST SP 800-171 controls, penetration testing of CUI-handling systems, remediation roadmap and documentation support. CISSP, ISSAP, ISSMP certified. Since 2006. From $8,000 CAD.

Overview

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense's framework for verifying that defense contractors protect Controlled Unclassified Information (CUI). Starting in 2025, CMMC requirements appear in DoD contract solicitations. No certification means no contract.

Level 1 (Foundational): 17 practices for Federal Contract Information protection. Self-assessment.

Level 2 (Advanced): 110 practices aligned to NIST SP 800-171. Third-party assessment required for critical programs.

Level 3 (Expert): 110+ practices with NIST SP 800-172 enhancements. Government-led assessment.

Sherlock Forensics helps defense contractors at Level 2 and Level 3. We assess your current security posture against NIST 800-171 controls, identify gaps, conduct penetration testing on CUI-handling systems and deliver a remediation roadmap that prepares you for your C3PAO assessment.

Process

Our Assessment Process

1. Scope Definition: Identify all systems that store, process or transmit CUI. Map your CUI boundary and data flows. Define the assessment scope.

2. Gap Analysis: Evaluate your implementation of all 110 NIST SP 800-171 controls. Document which controls are fully implemented, partially implemented or not implemented. Produce a Plan of Action & Milestones (POA&M).

3. Penetration Testing: Test the security of CUI-handling systems through active exploitation. Validate that access controls, encryption, network segmentation and monitoring work as intended.

4. Remediation Roadmap: Deliver a prioritized plan addressing every gap. Include specific implementation guidance, estimated effort and timeline. Provide System Security Plan (SSP) templates.

5. Validation: After remediation, conduct a follow-up assessment to verify gaps are closed and you are ready for your C3PAO certification assessment.

Get Started

The contract deadline is not waiting.

CMMC requirements are appearing in DoD solicitations now. Start your readiness assessment today so you are certified when the contracts drop.

Since 2006 | 4.8/5 rating | CISSP, ISSAP, ISSMP certified

Questions

CMMC FAQ

What is CMMC and who needs it?
CMMC is the DoD's framework requiring defense contractors to demonstrate cybersecurity maturity. Any organization handling CUI or FCI for DoD contracts needs certification.

Which level requires pentesting?
Level 2 requires NIST 800-171 security assessment controls. Level 3 adds adversarial testing requirements. Pentesting is best practice for Level 2 and effectively required for Level 3.

How long does preparation take?
6-12 months for most organizations. Includes gap assessment, remediation, documentation and pre-assessment validation.

How much does it cost?
Sherlock readiness assessments start at $8,000 CAD including gap analysis, pentest and remediation roadmap.

Can Canadian companies get CMMC certified?
Yes. CMMC applies to all organizations in the defense supply chain regardless of country.