DoD / CMMC
Protect Your Contract Eligibility.
CMMC Level 1 and Level 2 Readiness.
Managed IT and cybersecurity for Defense Industrial Base contractors. We build, document, and maintain the technical environment required to meet your CMMC obligations.
Who We Serve
NTG provides managed IT and cybersecurity services to DoD contractors throughout the Defense Industrial Base (DIB). Whether you are a small subcontractor handling Federal Contract Information (FCI) or a prime contractor managing Controlled Unclassified Information (CUI), we help you build, document, and maintain the technical environment required to meet your CMMC obligations and protect your contract eligibility.
CMMC compliance is not a one-time project. It requires an ongoing security program. NTG builds that program and runs it for you, so you can focus on delivering on your contracts rather than managing cybersecurity frameworks.
Requirements
CMMC Level 1 vs. Level 2
Understanding what each level requires for your environment.
| | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Who it applies to | Contractors handling Federal Contract Information (FCI): any company that receives or creates information provided by or generated for the government under a contract. | Contractors handling Controlled Unclassified Information (CUI): information that requires safeguarding per law, regulation, or government policy. |
| Practice requirements | 17 practices drawn from FAR 52.204-21. Basic cyber hygiene covering fundamental safeguarding of federal systems. | 110 practices aligned to all 14 domains of NIST SP 800-171. Advanced cyber hygiene protecting CUI throughout your environment. |
| Assessment type | Annual self-assessment. No third-party assessor required. | Triennial third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) for most contractors. Some may qualify for self-assessment. |
| Documentation required | Basic policies and procedures demonstrating the 17 practices are in place. | System Security Plan (SSP), Plan of Action and Milestones (POA&M), and evidence supporting all 110 practices. |
| When it takes effect | Required now under existing DFARS clauses. Contractors must already comply. | Being phased into DoD contracts. Required in contracts that include DFARS 252.204-7021. |
| How NTG helps | Gap assessment against the 17 practices, remediation, and self-assessment documentation support. | Full gap assessment, remediation across all 110 controls, SSP and POA&M development, and C3PAO preparation. |
What We Deliver
What NTG Delivers for DoD Contractors
Contract Eligibility Protection
CMMC non-compliance means losing the ability to bid on or hold DoD contracts. We protect that eligibility by building and maintaining a compliant environment before your assessment.
Assessment-Ready Documentation
The SSP, POA&M, and supporting evidence don't write themselves. We build and maintain the documentation that C3PAO assessors and contracting officers expect to see.
CUI Environment Protection
We identify where CUI lives in your environment, scope what needs to be protected, and implement the controls required to keep it secure and contained.
SPRS Score Improvement
DoD contractors must submit a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS). We help you accurately calculate, document, and improve that score.
Nationwide Onsite Support
Whether your facilities are in one state or spread across the country, NTG provides remote management and coordinates vetted local technicians when hands-on work is required.
Ongoing Compliance Management
CMMC is not a one-time certification. Controls must be maintained. NTG provides continuous monitoring, patch management, and annual reviews to keep your environment in scope.
Gap Analysis
The Most Common Gaps We Find in Contractor Environments
Before we recommend any solution, NTG conducts a gap assessment against the applicable CMMC level. Here are the issues we find most frequently, and what we do about them.
No Multi-Factor Authentication on Critical Systems
MFA is required under NIST 800-171 control 3.5.3. Many contractors still rely on passwords alone for remote access, admin accounts, and cloud services. We deploy and enforce MFA across your environment.
CUI Stored Without Encryption or Access Controls
Contractors often don't know exactly where CUI lives: shared drives, email, laptops. They haven't applied encryption or restricted who can access it. We scope, segment, and protect CUI wherever it resides.
No System Security Plan (SSP)
Level 2 requires a documented SSP covering all 110 controls. Most small and mid-size contractors have never written one. We develop your SSP and maintain it as your environment evolves.
No Formal Incident Response Plan
NIST 800-171 requires a documented incident response capability (controls 3.6.1 and 3.6.2). Most contractors have no written plan and no defined escalation path. We build and test your incident response procedures.
Inadequate Audit Logging
CMMC Level 2 requires audit logs to be generated, reviewed, and protected. Contractors frequently have logging disabled, logs that are not reviewed, or logs that are easily deleted. We configure, centralize, and monitor audit logs across your environment.
Commercial Microsoft 365 Used for CUI
Standard M365 is not authorized for CUI. Contractors handling CUI who use commercial M365 are out of scope. We help you evaluate whether Microsoft 365 GCC or GCC High is required and manage the migration.
Services
Core Services for DoD Contractors
CMMC Gap Assessment
Evaluation of your current environment against Level 1 (17 practices) or Level 2 (110 practices). Produces a prioritized remediation list with cost and effort estimates.
NIST SP 800-171 Implementation
Technical implementation of all 110 controls across the 14 CMMC domains: access control, configuration management, incident response, risk assessment, and more.
System Security Plan (SSP)
Development and maintenance of your SSP documenting how each required control is implemented in your specific environment.
POA&M Management
Creation and ongoing management of your Plan of Action and Milestones: the document that tracks gaps, remediation timelines, and responsible parties.
SPRS Score Calculation and Support
Accurate scoring of your NIST 800-171 self-assessment, documentation for submission to SPRS, and a roadmap for improving your score.
CUI Scoping and Segmentation
Identification of where CUI exists in your environment, segmentation to limit its exposure, and access controls ensuring only authorized users interact with it.
M365 GCC / GCC High Migration
Assessment of whether commercial M365 is sufficient or migration to GCC/GCC High is required, followed by managed migration and ongoing administration.
Managed Endpoint Security and Patching
EDR, antivirus, and automated patch management on all devices in scope, with documentation supporting CMMC configuration management controls.
Incident Response Planning and Testing
Written incident response plan tailored to your environment, with annual tabletop exercises and documented test results.
Continuous Monitoring and Audit Logging
24/7 monitoring, centralized log management, and regular log review, with reports that support ongoing CMMC compliance evidence.
C3PAO Assessment Preparation
Pre-assessment readiness review, evidence package preparation, and support coordinating with your chosen C3PAO assessor.
CMMC Level 2
The 14 Practice Domains
CMMC Level 2 is built on NIST SP 800-171, which organizes its 110 security practices across 14 domains. NTG implements and documents controls across all 14.
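| Domain | Practices |
|---|---|
| AC | 22 practices |
| AT | 3 practices |
| AU | 9 practices |
| CM | 9 practices |
| IA | 11 practices |
| IR | 3 practices |
| MA | 6 practices |
| MP | 9 practices |
| PE | 6 practices |
| PS | 2 practices |
| RA | 3 practices |
| CA | 4 practices |
| SC | 16 practices |
| SI | 7 practices |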
Know Where You Stand Before Your Assessor Does
NTG starts every CMMC engagement with a no-cost gap assessment. You will see your current posture against Level 1 or Level 2 requirements, your SPRS score estimate, and a prioritized remediation plan, before committing to anything.
