Whether you need third-party assistance to prepare for your CMMC Audit, full managed IT services from a CMMC-knowledgeable MSP/MSSP, or are simply looking to lock in your CMMC Level 1 self-assessment, Stratus Services is here to help.
We are prepared to handle your CMMC needs and ensure you are ready to crush your audit and maintain your compliance in the meantime.
CMMC Level 1 is the entry-level certification aimed at protecting Federal Contract Information (FCI) for DoD contractors. It focuses on basic cyber hygiene and implementing foundational cybersecurity practices.
We help small and medium-sized businesses achieve CMMC Level 1 compliance, ensuring your organization meets the Department of Defense’s baseline cybersecurity requirements.
Built in FedRAMP-authorized cloud environments, this solution ensures basic cyber hygiene to meet all Level 1 cybersecurity requirements today, while laying the foundation for Level 2 compliance in the future.
Before you can achieve CMMC compliance, the most important step is deciding how you'll get there. Whether you're building a secure environment from the ground up or integrating compliance into your existing operations, your approach determines everything—from cost and complexity to timeline and long-term success.
Regardless of approach, Stratus Services is your full-time partner in CMMC compliance. Our CMMC-focused managed services are designed to take you from the ground floor to a CMMC Level 2 certification and ongoing compliance afterwards. Each of the packages below includes CMMC-compliance managed services billed on a per-user basis.
An enclave is often the right choice for companies whose business is only partially DoD based, as well as for companies who are looking to achieve compliance quickly.
Stratus Services' CMMC-ready Aegis & Vanguard Enclaves provide turnkey solutions for companies seeking to obtain CMMC certification quickly; fully managed enclaves preconfigured to meet the technical requirements for CMMC, along with all the policy, procedure, and paperwork required to meet the non-technical ones.
Stratus Services follows a shared responsibility model where no control is fully on the customer. Depending on the approach, as many as 85% of the controls are squarely the responsibility of Stratus Services, with the rest being a shared responsibility that Stratus will help you implement.
The Aegis & Vanguard Enclave packages include policies and procedures, which Stratus Services compliance professionals will help tailor to your organization, and ongoing consulting up to, during, and after an assessment.
Our Aegis Enclave is a cloud-native virtual enclave built to meet all technical controls required for CMMC.
Our Vanguard Enclave is for organizations with on-prem requirements and that use physical CUI.
Companies whose business practices don't align with the restrictions of an enclave usually need to take the 'all-in' approach to CMMC compliance. This involves bringing all users and existing IT infrastructure into compliance.
Stratus Services cut its teeth on these types of projects and developed the Atlas model for CMMC-compliant managed services. Due to the complexities and nuances of an all-in approach, Stratus Services will work with you to tailor our solution to fit your needs. Shared responsibility follows an 80/20 breakdown but will vary slightly depending on your needs.
The following compliance services are included in each of the packages listed above.
The following technical services are included in each of the packages listed above.
Stratus’ Virtual CISO (vCISO) support provides ongoing compliance support to your organization. Stratus Services will manage and oversee all aspects of your CMMC compliance program. Stratus Services will provide policies, procedures, and ad hoc consulting to you and your local IT provider on adherence to CMMC requirements. As a standalone vCISO, Stratus Services will not be responsible for any technical administration and will not have administrative access to configure the enclave. Details of which controls Stratus Services is responsible for will be documented in a Shared Responsibility Matrix, and during a C3PAO assessment Stratus Services will bear responsibility for their status. This vCISO add-on is included in our Atlas package.
Documentation: System Security Plan | User Agreements | Access Control Policy | Vulnerability & Patch Management | Audit Management Policy & Procedure | Systems Communication Policy | Change Management Policy | Configuration Management Policy | Risk Assessment Policy
Assessment Services: Assessment Preparation | Evidence Gathering | Assessment Participation
Security & Compliance Monitoring Services: POA&M Tracking | Incident Tracking | Vulnerability Tracking | Risk Assessment | Security Awareness Training
CMMC Program Support & Advisory Services: CMMC Progress Check-ins – Weekly | Change Management Meetings – Monthly | Ad hoc consulting – 5 hours monthly | Annual Self-Assessment/Attestation | Security Control Monitoring
The following are some of the most common questions we receive from current and potential clients.
Yes, we have been a certified Cyber AB Registered Provider Organization (RPO) since 2022 and renew annually, as required. Feel free to review our certification.
Yes. As of 2025, Stratus employs three Registered Practitioners (RPs), two Registered Practitioner Advanced (RPAs), and one CMMC Certified Professional (CCP). Feel free to review our certification.
Stratus has experience implementing and maintaining CMMC compliance across many sectors that support the DIB, such as construction, engineering, manufacturing, and more. We are proud to have successfully guided a large, local engineering firm to pass their CMMC Level 2 Certification Assessment this year (2025), one of the first nationally!
Additionally, as an IT consulting organization, we also have extensive experience with other compliance-forward organizations such as finance, mortgage & title, and medical offices.
Yes. We offer scoping services to help you figure out what CMMC level will be required based on your specific needs. This is a core tenet of proper CMMC planning. For more information, we recommend this blog post on the topic: CMMC Level 2 Scoping: Understanding Asset Categories for Compliance
Yes, we offer a comprehensive CMMC implementation package that includes the creation of new policies and revision of existing policies.
Yes, for those pursuing CMMC Level 2 compliance, SSPs are included for alignment with CA.L2-3.12.4. While SSPs are not required for Level 1 compliance, arrangements can be made for an SSP if this is requested. POA&Ms will be developed as needed to address any identified deficiencies.
Yes. While we are a fully staffed Managed Service Provider and can provide these services as added support to CMMC Compliance contracts, we are more than willing to work with internal or existing third-party MSP teams to implement a CMMC-compliant environment.
We offer services to ensure continued compliance with CMMC requirements that support your yearly self-assessments and/or triennial third-party assessments.
As of August 2025, the DoD’s planned rollout of CMMC compliance will be tiered in three different phases. Level 1 requirements will be enforced on contracts when the 48 CFR final rule is released, which is expected to happen by October 2025 at the earliest and February 2026 at the latest. Level 2 requirements will be enforced a year after the Level 1 rollout. Level 3 requirements will be enforced a year after the Level 2 rollout. HOWEVER, once the 48 CFR final rule is in place, program managers can require higher levels of CMMC before the enforcement date set in place by the DoD.