
Defense contractors must demonstrate that they can safeguard sensitive government information before they can win and maintain Department of Defense (DoD) contracts. The Cybersecurity Maturity Model Certification (CMMC) program was created to verify that contractors protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Beginning November 10, 2025, and rolling out over a three-year period, CMMC requirements will be incorporated into all new DoD contracts. Contractors that fail to meet the appropriate CMMC compliance level may not be eligible to receive or maintain contract awards.
The CMMC compliance framework is based on the security controls defined in NIST SP 800-171, with requirements organized across multiple maturity levels. CMMC Level 1 consists of a self-assessment focused on foundational cybersecurity practices and can often be completed internally if appropriate safeguards are already in place.
CMMC Level 2, however, requires an independent third-party assessment covering 110 NIST SP 800-171 security controls and is significantly more complex to implement and validate without experienced compliance and cybersecurity guidance.

Stratus Services demonstrates proven expertise in Department of Defense cybersecurity compliance as Alaska’s first Managed IT Service Provider to achieve CMMC Level 2 certification. This certification reflects the implementation of the security controls required to protect Controlled Unclassified Information (CUI) under the CMMC framework and NIST SP 800-171.
Our experience implementing these controls within our own environment provides practical insight into the technical, operational, and documentation challenges organizations face while preparing for certification. We apply that experience in our CMMC compliance consulting approach to help defense contractors design secure environments, implement required safeguards, and prepare for formal C3PAO assessments.
Organizations looking for structured implementation support can explore our CMMC compliance packages and managed services options.
Organizations preparing for CMMC certification require both technical expertise and practical experience implementing cybersecurity controls that protect Controlled Unclassified Information (CUI). Stratus Services brings real-world experience helping organizations design compliant environments and prepare for formal assessments.
Our team offers:
"Stratus Services played a pivotal role in assisting CRW Engineering Group, Inc. in the development and implementation of our policies and procedures. Their deep expertise in Department of Defense (DoD) regulations, particularly NIST SP 800-171, alongside their comprehensive understanding of both physical and cybersecurity, was instrumental in guiding us to achieve CMMC Level 2 certification. Their support ensured that we met the highest standards of security, compliance, and operational excellence."
– Anthony Robinson, PLS, CFedS
CRW Engineering Group

Before implementing controls, we define the scope of your CMMC environment. This includes identifying systems that process, store, or transmit Controlled Unclassified Information (CUI), mapping data flows, evaluating shared services, and determining which assets fall in or out of scope. Proper scoping reduces unnecessary compliance costs and ensures that only required systems are assessed.

We evaluate your current security posture against the specific CMMC level required for your contract. Our assessment reviews technical controls, documentation, policies, user access, network architecture, and cloud environments. You receive a detailed gap assessment that identifies deficiencies, prioritizes remediation tasks, and outlines a practical roadmap to achieve compliance in preparation for the formal C3PAO assessment.

CMMC compliance requires documented, enforceable policies aligned with NIST SP 800-171 controls. We help develop or refine policies for access control, incident response, configuration management, media protection, audit logging, risk assessment, and system security planning. Our documentation is structured to meet auditor expectations and to reflect how your organization actually operates, not generic templates that fail under review.

We implement and configure the technical safeguards required for CMMC compliance. This includes network segmentation to isolate CUI environments, firewall configuration, secure remote access controls, endpoint protection, encryption for data at rest and in transit, and multi-factor authentication across privileged and standard user accounts. All implementations are aligned with NIST SP 800-171 security requirements and documented for assessment readiness.

CMMC is not a one-time certification. We provide ongoing monitoring, vulnerability scanning, log review, configuration audits, and periodic policy updates to maintain compliance between formal assessments. Our continuous compliance support ensures that controls remain effective, documentation stays current, and your organization is prepared for annual affirmations and three-year assessment cycles.
The following are some of the most common questions we receive from current and potential clients.
Yes, we have been a certified Cyber AB Registered Provider Organization (RPO) since 2022 and renew annually, as required. Feel free to review our certification.
Yes. As of February 2026, Stratus Services is Alaska's only CMMC L2 certified MSP. For clients, this means you can rest assured that our platform is used to deliver services to clients every day, and that the controls are proven, operational, and audit-ready. This results in fewer unknowns, faster paths to compliance, and a partner delivering services on infrastructure that has already met the CMMC bar.
Yes. Our MSP support model is ready to support clients looking to manage IT services and CMMC compliance all under one roof.
Yes. As of 2026, Stratus employs two Registered Practitioners (RPs), two Registered Practitioner Advanced (RPAs), and one of the only two Lead CMMC Certified Assessors (LCCAs) in the state of Alaska. Feel free to review our certification.
Stratus has experience implementing and maintaining CMMC compliance across many sectors. We support Department of Defense (aka Department of War) contractors and subs, specializing in areas such as construction, engineering, manufacturing, and more. We are proud to have successfully guided large, Alaska-based engineering firms to pass their CMMC Level 2 Certification Assessment, graduating some of the first CMMC L2 firms nationally.
Additionally, as an IT consulting organization, we also have extensive experience with other compliance-forward organizations such as finance, mortgage & title, and medical offices.
Yes. We offer scoping services to help you determine what CMMC level will be required based on your specific needs. This is a core tenet of proper CMMC planning. For more information, we recommend this blog post on the topic: CMMC Level 2 Scoping: Understanding Asset Categories for Compliance
Yes, we offer a comprehensive CMMC implementation package that includes the creation of new policies and revision of existing policies.
Yes, for those pursuing CMMC Level 2 compliance, SSPs are included for alignment with CA.L2-3.12.4. While SSPs are not required for Level 1 compliance, arrangements can be made for an SSP if this is requested. POA&Ms will be developed as needed to address any identified deficiencies.
Yes. While we are a fully staffed Managed Service Provider and can provide these services as added support to CMMC Compliance contracts, we are more than willing to work with internal or existing third-party MSP teams to implement a CMMC-compliant environment.
We offer services to ensure continued compliance with CMMC requirements that support your yearly self-assessments and/or triennial third-party assessments.
As of August 2025, the DoD’s planned rollout of CMMC compliance will be tiered in three different phases. Level 1 requirements will be enforced on contracts when the 48 CFR final rule is released, which is expected to happen by October 2025 at the earliest and February 2026 at the latest. Level 2 requirements will be enforced a year after the Level 1 rollout. Level 3 requirements will be enforced a year after the Level 2 rollout. However, once the 48 CFR final rule is in place, program managers can require higher levels of CMMC before the enforcement date set in place by the DoD.