CyberAutopsySHIELD · COMPLIANCE
SERVICES

Four engagement tiers. One outcome: certified.

Every engagement is fixed-scope and ends in an artifact you can hand directly to a C3PAO. We do not bill by the hour or by the seat. We bill against deliverables that survive audit.

TIER I

Gap Assessment

2-week sprint
Fixed engagement fee

Find every gap. Score every control. Submit to SPRS.

A two-week clinical sweep against the 110 controls of NIST SP 800-171. We map your CUI boundary, score every control to NIST 800-171A determination statements, and produce the three foundational artifacts.

Best for

Contractors who have not yet submitted an SPRS score, or who suspect the existing score is inflated.

Deliverables
  • Authorization Boundary Memo, signed
  • System Security Plan (SSP) v1
  • Plan of Action & Milestones (POA&M)
  • SPRS score, calculated and submission-ready
  • Executive briefing to CEO/Board
TIER II

Remediation Surge

90-day sprint
Scope-based

We fix it. With your team, on your stack, in 90 days.

A surge engagement that takes a Gap Assessment from documented to implemented. Our compliance surgeons work alongside your IT and security staff to close controls in weekly war rooms. We do not deliver a backlog — we deliver Implemented status, with artifacts.

Best for

Contractors who have a Gap Assessment and an award deadline they cannot miss. The most common engagement type.

Deliverables
  • Weekly war rooms with your IT, GRC, and engineering leads
  • Implemented status across the 110 controls
  • Evidence Library indexed for C3PAO consumption
  • Re-scored SPRS submission
  • POA&M closure tracking against the 180-day clock
TIER III

Audit Escort

Audit window
Per-engagement

We sit beside you for the C3PAO assessment.

A partner-led engagement during your formal C3PAO assessment. Findings get answered in the room with documentation already drafted. The assessor reads the packet you handed them, not a packet they had to assemble from your inbox.

Best for

Contractors whose audit is scheduled and whose internal team has not been through a C3PAO engagement before.

Deliverables
  • Pre-audit Assessment Packet review
  • Live evidence defense across audit days
  • Real-time clarification memos to the assessment team
  • Post-audit close-out with finding remediation
  • Certification handoff
TIER IV

Annual Retainer

Ongoing
Annual

The certificate is not the end. It is the moment the clock resets.

Continuous monitoring of control posture, configuration drift detection, annual senior official affirmation, and quarterly evidence refresh. Your SPRS score stays current because someone is watching it weekly, not annually.

Best for

Certified contractors who are operating under a recertification clock and cannot afford drift.

Deliverables
  • Quarterly control re-test against NIST 800-171A
  • Configuration drift monitoring on critical systems
  • Annual senior official affirmation support
  • POA&M closure governance
  • C-suite briefings, twice yearly
THE GUARANTEE

Certified, or we don’t stop.

If you engage CyberAutopsy on Gap Assessment plus Remediation Surge and fail your C3PAO assessment, we work the finding to closure at no additional fee. The terms are explicit in the engagement letter. We say it in writing because we have built our practice to never invoke it.
