Skip to main content


Critical Infrastructure Compliance Assessment

Preparing for DoD NIST SP 800-171 assessment and Cybersecurity Maturity Model Certification (CMMC)? Our team of specialists can help lay the groundwork for your success.

Lead Contacts


Building on the NIST SP 800-171 cybersecurity best practices, the U.S. Department of Defense has added a new type of certification – CMMC – which subcontractors must also receive in order to qualify for DoD contracts. We can help you complete your NIST SP 800-171 compliance and guide you through the CMMC process.

Our security and compliance professionals have more than 20 years of experience in compliance – and in securing systems that safeguard the information used in projects for the DoD. We’ve performed scores of NIST SP 800-171 compliance assessments, assisting in the development and implementation of system security plans, as well as plans of action and milestones.

Our team members serve on Defense Industrial Base (DIB) Cybersecurity working groups involved in the planning and rollout of CMMC. And we’ve worked in a variety of critical infrastructure sectors, operations and industries, providing guidance on cybersecurity threat, vulnerability, security and risk assessment (CTVSRA) and evaluating government and commercial clients’ compliance.

United States' adversaries are exfiltrating the equivalent of about $600 billion a year using cybersecurity attacks.
—  Katie Arrington, CISO for DoD Acquisition Office

Here’s How
Unlike some other compliance “experts,” we have firsthand experience: We’ve completed our own NIST SP 800-171 assessment for Thornton Tomasetti and are now in preparation for CMMC – so we know exactly what to expect. We can help you develop policies, procedures and plans that meet the requirements of both:

  • System security plans. We itemize the policies, technology and processes needed to make sure your information is secure.
  • Plans of action and milestones. We prescribe effective, budget-friendly security solutions to close any gaps identified during the compliance assessment.
  • Incident response plans. Our experts formulate policies and guidelines – and identify resources – to enable a methodical, robust response to security incidents.
  • Risk assessment plan. We provide convenient, easy-to-understand reports prioritizing the risks that threaten the security of your information. 
  • Configuration change plans. We guide you through the appropriate procedures for managing changes to your information systems to safeguard continued security.
  • Continuous monitoring plans. Our team helps you maintain an ongoing awareness of how your information is protected from threats, vulnerabilities and breaches.

And we offer a complete range of services to help your firm achieve certification:

  • Compliance assessments. We identify any discrepancies between your current system and compliance requirements. Then we apply the DoD’s scoring methodology to the assessment result in preparation for entry in the Supplier Performance Risk System (SPRS).
  • CMMC preparation. We provide guidance to assist you in preparing for your CMMC certification.
  • Compliance audit readiness. Our team coordinates evidence collection and activities to make sure you’re ready for the assessment and CMMC. 
  • Compliance audit assistance. We provide comprehensive support for assessment activities, including document assembly, policy references and more.
  • Scorecards. You’ll receive at-a-glance summaries of your firm’s compliance activities – from start to completion.

Time is running out for subcontractors to comply with NIST SP 800-171 and CMMC requirements, so please contact us. We’ll help you understand what they mean to your organization.