AFTER YEARS OF ANTICIPATION, IT IS NOW OFFICIAL:
The Department of Defense (DoD) has published the Cybersecurity Maturity Model Certification (CMMC) Final Rule in the Federal Register under Title 48 of the Code of Federal Regulations (48 CFR Parts 204, 212, 217, and 252).
This Final Rule became effective November 10, 2025, and transitions the new CMMC 2.0 from simple “policy guidance” into a Binding Contractual Requirement for ALL DoD Contractors and Subcontractors that possess, store, and/or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Our goal is to help you successfully prepare for and implement CMMC Compliance by providing your organization with timely, experienced-based insights and guidance.
Helping Achieve Compliance Without the Confusion
We will identify ways to strengthen your physical security posture and implement appropriate cybersecurity programs to help you ensure the flow of classified information (FCI and CUI) throughout your organization is protected from threats.
We will help you understand the Regulatory Requirements and will provide clear, actionable guidance for implementing and assessing the necessary controls. This includes translating the CMMC’s technical and procedural expectations into practical steps for:
- Preparing for a CMMC Assessment
- Implementing the Level 1, Level 2, and/or Level 3 Requirements
- Engaging effectively with Assessment Organizations
Our Mission:
Make Compliance Clear, Practical, and Affordable
At Core 6+, our goal is to help your organization successfully prepare for and implement CMMC compliance — without unnecessary complexity or cost.
We provide experienced-based guidance to strengthen both your physical security and cybersecurity posture, ensuring that the flow of sensitive data (FCI and CUI) within your organization stays protected and compliant.
Our role is to translate government jargon into plain, actionable steps you can actually use — helping you:
- Prepare for your CMMC Assessment
- Implement the required Level 1, Level 2, or Level 3 controls
- Work confidently with certified assessors and auditors
CMMC Assessment Readiness Services
1. Discovery & Scoping
Initial Evaluation & Overview
We start with a clear explanation of CMMC requirements, identifying exactly which aspects apply to your organization and what level (1, 2, or 3) is required.
Project Plan & Timeline
We’ll help you build a realistic project plan with milestones, team responsibilities, education sessions, and a practical budget tailored to your organization’s size and resources.
Asset Identification
We’ll inventory all relevant systems, servers, network devices, virtual machines, applications, and facilities — along with data and people who access or store FCI/CUI.
Network & Data Flow Mapping
Together, we’ll build a Network Diagram and CUI Data Flow Diagram to show exactly how data moves inside and outside your environment — including any third-party or cloud providers.
2. Define Boundaries & Reduce Scope
CUI Boundaries
We’ll identify the physical, administrative, and technical boundaries that control who can access your sensitive data — from locks and walls to encryption and network segmentation.
Define Your Enclave
Your “enclave” includes all systems and controls that protect FCI/CUI.
If your network is mostly “flat,” this may include nearly every device and user — we’ll help you clearly define it for assessment purposes.
Scope Reduction Opportunities
We’ll look for ways to minimize compliance costs by reducing how many systems fall under CMMC. Techniques include network segmentation, data minimization, encryption, tokenization, masking, redaction, and vendor rationalization.
External Service Providers (ESPs / CSPs)
We’ll evaluate your outside providers to determine if they process, store, or transmit CUI — ensuring their services meet CMMC standards.
3. Assess Controls & Document Gaps
Asset Categorization & Inventory
We’ll classify assets as In-Scope or Out-of-Scope, document how data is processed and stored, and identify applicable controls and configurations.
Gap Analysis & Readiness Review
We assess where you stand today by evaluating each control as:
- Implemented
- Outsourced
- Partially Implemented
- Alternatively Implemented
- Planned but Not Yet Implemented
- Not Applicable
Comprehensive Readiness Report (Action Plan)
You’ll receive a clear, prioritized roadmap showing every gap and the steps needed to meet your required CMMC level — including recommendations for policy, process, and technical updates.
4. Implementation Support & Documentation
Control Implementation Support
As needed, we’ll help you build or refine the required controls, policies, and procedures — focusing on real-world practicality for small organizations.
Evidence Collection (Artifacts)
We help you gather and organize the artifacts auditors expect:
- Policies and Procedures
- Configuration Screenshots
- Logs, Monitoring Evidence, and Reports
- Training Records
- Compliance Documentation
5. Readiness & Final Documentation
Readiness Assessment
Once your improvements are in place, we’ll verify that your controls are functioning as intended and ready for formal assessment.
Plan of Action & Milestones (POA&M)
We’ll translate your findings into a living document that defines ownership, milestones, and due dates — prioritizing by risk and audit criticality.
System Security Plan (SSP)
We’ll help you write your SSP — the core document required for CMMC — clearly describing your systems, security controls, and implementation details.
Our team ensures your SSP fully aligns with your POA&M and accurately reflects your current environment.
Why Choose Core 6+
- Small-Organization Focused: We specialize in helping small businesses and nonprofits who don’t have dedicated IT staff.
- A La Carte and Affordable: Pay only for what you actually need — not bloated service bundles.
- Hybrid MSP Experience: We combine hands-on technical expertise with real-world compliance insight.
- Plain English Guidance: We explain every requirement clearly, without overwhelming you with jargon.
Let’s Get You Ready
If your organization handles DoD-related information — directly or through a subcontract — now is the time to prepare.
Schedule your free 15-minute Discovery Call to learn where you stand and how Core 6+ can help you meet CMMC requirements with confidence.
The CMMC Assessment Readiness Services We Provide, Include But Are Not Limited To:
Initial Evaluation, Discovery and Scoping
A general overview of the CMMC requirements to introduce you to the scale of CMMC and identify which aspects are applicable and required specifically for your organization.
Create A Project Plan
Which will include timelines, resources, educating your team on the CMMC process, identifying your specific CMMC objective, and establishing a budget.
Identify Organizational Assets
We must identify all Assets (systems, system components, virtual machines, servers, network devices, security components, and external services), Facilities (physical locations), Information (hard copy media nd soft copy media) and People associated with, use, review, transmit or store FCI and/or CUI
High-Level Network Diagram
We need to create an initial network diagram to provide a basis for understanding the network elements and overlaying the CUI Data Flow Diagram.
Initial CUI Data Flow Diagram
We need to create a map of the CUI flow within and across all assets – including third-parties and subcontractors – to identify CUI inputs, creation, processing, transmission and storage.
Identify CUI Boundaries
We need to identify the CUI Access Controls as it relates to the Physical Boundaries (direct Physical Access, including barriers like fences, walls, doors; containers like file cabinets and safes; physical controls like conduit systems and network disconnects), Administrative Boundaries (Policies, Procedures and Processes) and Technical Boundaries (Routing, Encryption, Network Components and Network Architecture).
Define Your Enclave
For the purposes of CMMC, an Enclave is the collection of information system components and all associated controls within the declared system boundaries that protect FCI and/or CUI. Organizations with “flat” networks (or limited segmentation) within their technology infrastructure will most likely identify one Enclave encompasses almost all systems, applications and users, including any External Service Providers (ESPs) and/or Cloud Service Providers (CSPs)
Identify Opportunities For Scope Reduction
There are eight (8) Scope Reduction Techniques that may be used to reduce the number of systems, components and personnel that fall within the boundary: Network Segmentation; Data Minimization; Encryption; Tokenization; Data Masking; Redaction; Business Process Re-engineering; and Vendor and Service Provider Rationalization.
Identify ESP Access to CUI and/or SPD
We must consider the use of all External Service Providers (ESPs), including Cloud Service Providers (CSPs) within your environment, specifically as it relates to whether the ESPs process, store or transmit CUI or Security Protection Data (SPD).
CMMC Asset Categorization
In general, CMMC assets are categorized as IN-SCOPE or OUT-OF-SCOPE, but each CMMC Level (1, 2, or 3) details the treatment of the asset and how the assets is to be assessed.
Creating the FCI/CUI Asset Inventory
This includes items such as the Data Flow and Network Diagrams, as well as Storage, Process and Transmission Plans, FCI/CUI Assets list, Activity and Administrative Controls, Physical Controls, Technical Controls and Settings, and other applicable Services and Solutions.
Revised CUI Data Flow Diagram
Utilize all the information garnered to create a much more detailed CUI Data Flow Diagram including all pertinent and IN-SCOPE aspects of access, use, transmission and storage of CUI.
Determine Initial CMMC Control Gaps
Depending on which CMMC Level (1, 2, or 3) you are required to comply with dictates the amount of Control Elements. Our goal is to identify whether each aspect should be listed as Implemented, Implemented but Outsourced, Partially Implemented, Alternatively Implemented, Not Implemented but Planned to be Implemented, or Not Applicable with the appropriate documentation supporting each response.
Document Initial Control Attributes
During this Initial Control Review, we will utilize responses such as: Documented, Known, Capable, Implemented, Integrated, Confirmed, Evidenced, etc. to identify where you stand with each Control Element, so we can best create an Action Plan for completing the documentation and preparing for the appropriate assessment.
Comprehensive Readiness Report (Action Plan)
We evaluate your current FCI/CUI protection controls against the CMMC requirements, including any of your policies, procedures, logs or other relevant documentation and clearly define a Comprehensive Readiness Report detailing all identified gaps and weaknesses.
Help Implementing Controls, Policies and Documentation
We will help – as requested, and to the extent which we can – build, execute, validate, and document the technical, administrative and procedural changes needed to comply with your CMMC Level.
Collect Artifacts (Evidence)
Artifacts serve as the evidence to prove an assessed organization’s security controls and practices meet the CMMC Control Requirements. This includes Policies, Procedures, Technical Configurations, Logs and Monitoring Evidence, Training Records, Compliance Documentation, Screen Captures and Data Outputs, etc.
Perform Readiness Assessment
When ready, we will assess the existing controls within the appropriate Enclaves and determine if there is sufficiency to meet the CMMC Requirements.
Develop Your Plan Of Action & Milestones (POA&M)
We will convert findings into a POA&M, including owners, milestones and due dates. We will prioritize actions based on risk and audit criticality.
Create and Align Your System Security Plan (SSP)
The SSP is a formal document that describes the system, lists the system security requirements, and provides a description of how each requirement is (or will be) met. We will make sure your SSP accurately reflects your CMMC requirements and your POA&M.