Willis Security
Free Consultation & Quote! Ask About Our Strategic Partnerships & Referral Programs!

CMMC & SOC 2 Assessment Services

What Is CMMC and Why Does It Matter?

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) mandate, designed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense supply chain.


CMMC compliance is now REQUIRED for all contractors and subcontractors working with the DoD!


If your organization is not ready, you risk losing your ability to win or renew contracts with key primes like Lockheed Martin, Raytheon, Northrop Grumman, and others. 


https://www.lockheedmartin.com/en-us/suppliers/news/features/2025/cybersecurity-program-rule.html


Flexible Federal Contracting Options
UEI SAM: PE7HUTN95ZE3

CAGE: 15MH8


Mandated CMMC Enforcement Dates:

  • November 10, 2025: CMMC clause required in most new DoD contracts. Level 1 or 2 Self-Assessment must be complete.


  • October 1, 2026: All Contractors and Subcontractors must be compliant with CMMC requirements.


  • January 15, 2027: CMMC Level 2 must be fully certified for contract renewal eligibility.
     

Our CMMC Self-Assessment Services:

CMMC Level 1: Foundational Cybersecurity


Our Level 1 Self-Assessment service is designed for companies handling Federal Contract Information (FCI).


Services include:


  • Technical Risk Assessment: We review your current Security Posture and identify gaps.


  • Endpoint, Cloud and M365 Auditing: In-depth review of your Device, Cloud, and Microsoft 365 Environment.


  • Self-Assessment and Documentation: We guide you through the CMMC Level 1 Self-Assessment, generate your System Security Plan (SSP) and Plans of Action & Milestones (POA&Ms), and assist with Supplier Performance Risk System (SPRS) submission.


  • Required Monthly Monitoring: Ongoing Security Monitoring to ensure continued Compliance and Threat Detection.
     

CMMC Level 2: Advanced Security for CUI


Level 2 is required for organizations handling Controlled Unclassified Information (CUI) and involves the implementation of all 110 NIST 800-171 security practices.


Services include:


  • Implementation & Gap Remediation: Comprehensive Mapping and Implementation of NIST 800-171 Controls.


  • Comprehensive Documentation: Creation of required SSP, POA&Ms, Risk Register, and Evidence Collection Artifacts.


  • M365 Enforcement & User Training: Lock down your Microsoft 365 Tenant and provide Targeted User Training.


  • Monthly Cyber Risk Reporting & Compliance Review: Regular reviews to ensure ongoing alignment with CMMC and provide Executive-Ready Reports.
     

Why Choose Willis Security?

  • Official RPO Status: Listed with CyberAB — trusted by prime contractors and DoD supply chain leaders - https://cyberab.org/Member/RPO-66202-Willis-Security-Llc
     
  • 25+ Years Experience: Deep expertise in Regulated Industries, Compliance, and Security Program Delivery
     
  • End-to-End Service: From Initial Gap Assessment through Documentation, Training, and Ongoing Support
     
  • Audit-Ready Deliverables: All materials meet DoD and prime requirements — ready for Audit or Spot Checks
     
  • Continuous Monitoring: Maintain your Compliant Status with Ongoing Risk Management and Reporting
     
  • U.S.-Based, No Outsourcing: Your engagement is handled in-house, by our expert team of domestically located Engineers, Analysts and Executives 

SOC 2 TYPE 2 COMPLIANCE & AUDIT SUPPORT

Proven Experience

William Knight, Founder, CEO and CTO, is a Seasoned Security and Compliance Leader with Multi-Year Ownership of SOC 2 Type 2 Programs in High-Scrutiny, Enterprise Environments.


At InfoArmor (acquired by Allstate), William led consecutive SOC 2 Type 2 audit cycles, matured control design and operational effectiveness, and stood up disciplined evidence operations across Security, IT, Engineering, Product, and Legal, creating an Enterprise-Grade Program that helped enable InfoArmor’s successful acquisition by Allstate in 2018.

  

“Will is a smart, resourceful problem solver… I worked with Will and his team over the last two audit cycles and could not be more impressed with his leadership and mentoring style. Will values and seeks out cross-functional collaboration to increase awareness of security standards and champion the maturity of an organization’s security posture.”

                 — Ben Duguay, Allstate Identity Protection (LinkedIn, May 24, 2021)



What Is SOC 2 Type 2 and Why Does It Matter?

SOC 2 Type 2 is an independent AICPA attestation that evaluates the design and operating effectiveness of your controls over time, aligned to the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).


Enterprise Clients, Investors and Cyber Insurers now demand SOC 2 Type 2 Compliance as a Baseline Requirement for doing business, especially in the SaaS, Finance, Healthcare and MSP Sectors.


Why SOC 2 Compliance Matters:


  • $4.88M – Global average cost of a Data Breach in 2024 (Source: https://www.ibm.com/reports/data-breach)


  • 15–20% Drop in Cyber Insurance Premiums with SOC 2 (Source: https://drata.com/blog/why-cyber-insurance-and-soc-2-compliance-are-essential-for-smbs-and-startups)


  • Required by Fortune 500 Procurement and Vendor Risk Programs


  • Speeds up Enterprise Sales, M&A Readiness and Due Diligence


  • Aligns with Investor expectations and Third-Party Risk Reviews


SOC 2 Type 2 Timeline:

Discovery & Scoping Phase 

  • Define Trust Criteria, Assess Gaps, Map Readiness
  • Duration: Days 1–30 


Remediation & Alignment Phase

  • Implement Controls, Write Policies, Align Tooling
  • Duration: Days 30–90 


Observation Period Phase

  • Prove Controls operate consistently and generate valid Evidence
  • Duration: 3–12 Months 


Audit & Attestation Phase

  • CPA-led Review Results in Official SOC 2 Type 2 Report
  • Duration: Varies per CPA


Renewal & Monitoring Phase

  • Evidence Collection, Internal Reviews, Readiness Maintained
  • Ongoing (Annual)  


Willis Security’s End-to-End SOC 2 Support:

  • Readiness Assessment – Identify Control Gaps and define Compliance Roadmap
  • Policy & Control Development – Build aligned procedures using AICPA TSC
  • Technical Remediation – Configure tools, assign control owners, close findings
  • Audit Prep – Package clean, structured evidence folders for your Auditor
  • vCISO & vSC Services – Ongoing Program Management, Advisory, and Documentation
  • Audit POC – We manage Audit Communications, Responses, and Uploads
  • Audit Firm Selection – We help you choose the right CPA
  • Post-Audit Readiness – Monthly Reporting, Evidence Checks, and Risk Dashboards

Why Willis Security?

  • 25+ Years in Regulated Cybersecurity (SaaS, MSP, Healthcare, FinTech)
  • Certified Experts: CISSP, CISA, CISM, CRISC, ISO 27001
  • Audit-Ready Evidence organized and tracked throughout the year
  • Strategic & Tactical Support from Board-Level Briefings to Firewall Configs
  • US-Based Team – No outsourcing, no cookie-cutter templates

CyberAB - Registered Practitioner Organization

Official Authorized Partner - U.S. Department of Defense

Copyright 2025 Willis Security, LLC - All Rights Reserved.

Willis Security, LLC carries extensive cyber security liability Insurance via biBERK 

(a Berkshire Hathaway Company)


