CMMC Business Assessment


Diversified Tech Solutions  ·  Defense Contractor Compliance CMMC Readiness Assessment
Know Where You Stand Before the Assessor Does
CMMC Level 2 requires documented compliance with all 110 controls in NIST SP 800-171. Most small defense contractors don’t know which controls they satisfy and which they don’t. Our gap assessment tells you exactly where you stand — and what to fix before a C3PAO assessor arrives.
CMMC Level 2 NIST SP 800-171 110-Control Gap Analysis SSP & POA&M Support Defense Contractor Specialists
What’s at Stake CMMC Is Not Optional. It Is Not Going Away. Defense contractors handling Controlled Unclassified Information (CUI) must achieve CMMC Level 2 certification to bid on and receive DoD contracts. The consequences of non-compliance are direct and severe.
📋 Contract Disqualification

Without CMMC certification, your company cannot bid on DoD contracts that require it. That scope is expanding to cover most defense work.

⏱️ Assessment Lead Time

C3PAO assessments require scheduling months in advance. Companies that wait until a contract requires CMMC discover they can’t get assessed in time to bid.

📂 Documentation Burden

CMMC Level 2 requires a System Security Plan documenting how each of the 110 controls is implemented. Assembling this without preparation takes months.

🔍 Undetected Gaps

Most companies believe they satisfy more controls than they actually do. Gap assessments routinely uncover 20-40 partially or fully unaddressed controls.

The 110 Controls — What They Cover NIST SP 800-171 Covers 14 Domains

Our gap assessment evaluates your current state against all 110 controls across every domain. You already have Control 3.8.3 (Media Protection — data sanitization) documented from your DTS data destruction service. Here’s what the rest covers.

Access Control (22 controls)

Who can access CUI, under what conditions, and with what authentication.

Audit & Accountability (9 controls)

Logging, audit trail retention, and accountability for system activity.

Configuration Management (9 controls)

Baseline configurations, change control, and least-functionality settings.

Identification & Authentication (11 controls)

User identity, MFA requirements, and password management.

Incident Response (3 controls)

Incident handling capability, reporting, and testing.

Maintenance (6 controls)

System maintenance controls, remote maintenance security.

Media Protection (9 controls)

CUI on physical and digital media — including 3.8.3 (sanitization) you already have documented.

Personnel Security (2 controls)

Screening individuals with CUI access, termination procedures.

Physical Protection (6 controls)

Physical access to CUI systems and facilities.

Risk Assessment (3 controls)

Periodic risk assessments, vulnerability scanning, remediation.

Security Assessment (4 controls)

Periodic evaluation of controls, plan of action management.

System & Communications Protection (16 controls)

Network segmentation, boundary protection, encryption in transit.

System & Information Integrity (7 controls)

Malware protection, security alerts, software patching.

Awareness & Training (3 controls)

Security awareness training for all personnel with CUI access.

What You Receive Documentation That Survives a C3PAO Review
110-Control Gap Report

Every control rated: Satisfied, Partially Satisfied, or Not Satisfied. Evidence citations for satisfied controls.

Priority Remediation Roadmap

Gaps ranked by risk and remediation complexity. A clear order of operations for closing findings before assessment.

SSP Draft Template (Readiness Package)

System Security Plan template pre-populated with your satisfied controls. You complete the narrative. We provide the structure.

POA&M Template

Plan of Action and Milestones document for identified gaps — required for your CMMC assessment package.

Evidence Documentation Guidance

For each satisfied control, what documentation the assessor will look for and how to organize it.

30-Day Follow-Up Support

Email access as you work through the remediation roadmap and SSP development.

Service Tiers
Gap Analysis $4,000 – $6,000 Full 110-control gap assessment against your current environment. Written gap report and remediation roadmap.
  • Intake questionnaire + 2 working sessions
  • 110-control gap assessment report
  • Satisfied / partial / not satisfied rating per control
  • Priority remediation roadmap
  • 30-day email support
Readiness Package $6,000 – $8,000 Gap Analysis plus SSP draft template and POA&M. You arrive at your C3PAO assessment with documentation in hand.
  • Everything in Gap Analysis
  • SSP draft template pre-populated
  • POA&M document for identified gaps
  • Evidence documentation guidance per control
  • 60-day email support
Annual Maintenance $2,000 – $4,000/yr Annual SSP and POA&M review. Updated documentation reflecting technology or process changes. Required to maintain CMMC standing.
  • Annual SSP review and update
  • POA&M progress review
  • Control re-assessment for changed areas
  • Updated compliance documentation
Important Scope Clarification

We provide readiness assessment and documentation support — not a formal CMMC certification. CMMC Level 2 certification must be conducted by an accredited C3PAO (CMMC Third-Party Assessment Organization). Our service prepares you to pass that assessment by identifying gaps, building your documentation package, and establishing evidence for satisfied controls. Companies that go through a readiness assessment before their C3PAO review consistently achieve better outcomes and fewer findings.

Already Using DTS for Secure Data Destruction?

Your DTS data destruction certificate already documents Media Protection Control 3.8.3 — one of the 110 NIST SP 800-171 requirements. That’s the starting point. Our CMMC Readiness Assessment covers the other 109 and builds the documentation package around your existing evidence. DTS data destruction clients receive a 10% discount on any CMMC Readiness tier.

Find Out Where You Stand Against the 110 Controls

Start with a free 20-minute call. We’ll ask a few questions about your environment and tell you honestly whether a formal gap assessment makes sense for your situation and timeline.

Diversified Tech Solutions  ·  Johnson City, TN  ·  avery@diversifiedtechsolutions.com
CMMC Readiness Assessment available remotely to defense contractors nationwide.