Services

How the engagements work

Each service is scoped to your contracts and your environment. You can start small with a snapshot and move into the deeper work only if it makes sense for you. The list below runs from first look to assessment day.

Readiness Snapshot

A short, structured review to establish where you stand right now. We look at your contract language, the type of information you handle, and your current practices against the CMMC level that applies. It is the low-commitment starting point that tells you whether you are close or have real work ahead.

You receive: a plain-language summary of your current state, the CMMC level that applies to your contracts, and a short list of the gaps to address first.

Gap Assessment

A detailed review of your systems, policies, and day-to-day practices against the applicable NIST SP 800-171 and CMMC requirements. Each requirement is marked as met, partially met, or not met, with notes on what evidence exists today and what is missing. This is the factual baseline the rest of the work builds on.

You receive: a requirement-by-requirement gap register, a prioritized findings list, and a summary written for leadership as well as technical staff.

SSP and POA&M Development

Development of your System Security Plan, the document that describes how your organization meets each requirement, together with a Plan of Action and Milestones that records open gaps and a realistic schedule to close them. These are the core documents an assessor expects to see, and they need to reflect what your organization actually does.

You receive: a System Security Plan mapped to the applicable controls, and a POA&M with owners, target dates, and milestones for each open item.

Assessment Preparation

Hands-on help getting ready for a Level 1 self-assessment or a Level 2 assessment conducted by an accredited C3PAO. We organize your evidence, walk through likely questions, and run a practice review so the day of the assessment holds no surprises. The certification decision itself rests with the assessor and the DoD; our role is to help you be prepared for it.

You receive: an organized evidence set mapped to each requirement, a mock review with findings, and a readiness checklist to work through before assessment day.

Scope note. Echelon Advisory Group provides readiness advisory services only. We help you assess your current state, build documentation, and prepare. We are not a C3PAO, we do not perform certification assessments, and we do not issue certifications or guarantee any assessment or contract outcome. Pricing is scoped per engagement after a short conversation about your contracts and environment.

Start with a snapshot

Tell us a little about your contracts and your environment and we will suggest a sensible first step.