The language is dense, and the work — multi-factor authentication, encryption, logging, written policies, a System Security Plan — is more than a busy team can absorb on the side of the desk. Plenty of providers will sell you tools and leave you to figure out the documentation and the gaps yourself. We don't. The same team that measures your gaps writes the documentation, does the remediation, and stays on to manage the controls — so nothing gets lost in a handoff.
We measure your environment against every applicable control and hand you a current SPRS score plus a prioritized findings report — exactly where you stand and what's missing.
The audit-ready document that describes how you meet each control. The DoD expects to see it; we write it with you, in language an assessor will accept.
The companion record of every open gap, how it'll be closed, and by when — what keeps you credible while remediation is still in progress.
The hands-on work: MFA, encryption, logging, endpoint protection, network segmentation, policies, and training — closing POA&M items on a schedule you can plan around.
Compliance isn't a one-time project; it's a state you maintain. We keep the controls in place, monitor them, and update the documentation as things change.
We prepare you for your formal third-party C3PAO assessment so that when it comes, you pass on the merits — not on a scramble.
We assess your environment against every applicable NIST 800-171 control, calculate your current SPRS score, and hand you a prioritized findings report. You know precisely where you stand before committing to anything further.
We document your System Security Plan and build a Plan of Action & Milestones for the gaps — the two records the DoD expects, written so an assessor will accept them.
We do the hands-on work to close POA&M items — identity controls, encryption, logging, segmentation, endpoint protection, policies, and staff training — sequenced so the highest-impact gaps get handled first.
We keep the controls in place, monitor and re-document as things change, and get you ready for your third-party C3PAO assessment when the time comes.
No — and be cautious of anyone who claims they are. Certification is granted by an independent, accredited third-party assessor (a C3PAO); no consultant or IT provider can both prepare you and certify you, because the rule deliberately separates those roles. What LRG provides is the readiness work — assess, document, remediate, and manage the controls — so that when your official assessment comes, you pass on the merits.
Five things, delivered as one continuous engagement: a gap assessment against NIST 800-171 with your current SPRS score, a written System Security Plan (SSP), a Plan of Action & Milestones (POA&M) for the gaps, the hands-on remediation work to close them, and ongoing management to keep the controls in place. The advantage of one team doing all of it is continuity — the people who find the gaps are the people who fix and maintain them.
Very likely yes. If Controlled Unclassified Information — or even basic Federal Contract Information — flows down to you from a prime, you carry the same obligation they do, usually CMMC Level 2. This reaches well beyond obvious defense contractors: manufacturers, machine shops, engineering firms, and service vendors in a defense supply chain are routinely in scope. The common surprise is a prime suddenly requiring your SPRS score before the next purchase order.
The System Security Plan (SSP) describes how your business meets each required control; the Plan of Action & Milestones (POA&M) records any gaps and your plan to close them. Together they're the paperwork the DoD expects to see — and a credible POA&M is often what keeps you eligible to bid while remediation is still underway. We write both with you rather than leaving you to assemble them yourself.
Plan for months, not weeks — the timeline depends on how mature your IT is today. A business with solid IT hygiene might be ready in a few months; one starting from scratch on MFA, encryption, logging, and documentation should expect longer. We scope and price the work in clear phases so you can budget it rather than facing one open-ended bill. The biggest cost driver is waiting — remediation and a third-party assessment both take time to schedule.
The layered controls — MFA, endpoint protection, segmentation — that satisfy the technical side of NIST 800-171.
Patching, monitoring, identity, and documentation that keep you compliant day to day.
Physical, network, and identity layers — exactly what CMMC requires you to cover.