Reality check · CMMC-L2
CMMC Level 2 is now contractually enforceable. Find the gaps before your prime does.
A pre-assessment walk for DoD prime and subtier contractors heading into a CMMC Level 2 third-party assessment. We find the gap between your documented cybersecurity program and your operational reality before the C3PAO does.
CMMC 2.0 is now contractually enforceable. The DFARS 252.204-7021 clause flows down. Primes are auditing subtiers. The C3PAO assessment costs more, takes longer, and gates more revenue than any other compliance audit a defense manufacturer faces. The Reality Check is the readiness check that tells you whether your SSP is truthful and whether your POA&M is honest. Both are operational decisions, not cybersecurity decisions, and that is why the engagement is led by a partner who builds the underlying systems.
Quick answer
The CMMC 2.0 Reality Check is a pre-assessment walk for Department of Defense prime and subtier contractors heading into a CMMC Level 2 third-party (C3PAO) assessment. Brass & Bench partners come onsite for four to seven days, review your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) against your operational reality, walk all 110 NIST SP 800-171 requirements, and deliver a bound gap-matrix report. Pricing is $40,000 to $75,000 all-inclusive depending on the size of your CUI (Controlled Unclassified Information) environment and the level you are pursuing: Level 1 (self-assessment), Level 2 (self-assessment or C3PAO assessment, as the contract specifies), or Level 3 (DIBCAC assessment, which presumes a Level 2 C3PAO certification). Most clients use this engagement three to six months ahead of a contractual CMMC requirement deadline.
By Jason Santiago · Founding Partner. Executive Strategy, AI Architecture & Custom Software · Updated May 14, 2026
The gap
What the C3PAO finds that your internal audit missed.
CMMC Level 2 gaps cluster in seven control families.
Access Control (AC): particularly account management (3.1.1 and 3.1.2; 800-53 AC-2) and remote access (3.1.12 through 3.1.15; 800-53 AC-17). The C3PAO assesses against the 800-171 requirement numbers, so cite those in the SSP rather than the 800-53 control IDs. Account management discipline, separation of privileged and standard accounts, remote-access controls. Common gap: shared service accounts, dormant accounts that were never disabled, contractor accounts with admin privileges that outlast the contract. The C3PAO will pull the user list and the disablement log on day one and reconcile them against HR separations (3.9.2).
Configuration Management (CM): particularly 3.4.1 through 3.4.9 (800-53 CM-2 through CM-7). Baseline configurations, change control, least functionality, software inventory. Common gap: the documented baseline does not match the deployed configuration; the change-control log shows entries but the post-change verification and security impact analysis (3.4.4) are missing.
Identification and Authentication (IA): particularly 3.5.1 through 3.5.3 (800-53 IA-2 and IA-5). MFA for local and network access to privileged accounts and for network access to every other account. Common gap: MFA is enabled for cloud SaaS but not for the on-premises engineering network where the CAD files containing CUI actually live. The C3PAO follows the CUI, not the policy document.
Incident Response (IR): particularly 3.6.1 through 3.6.3 (800-53 IR-2, IR-3, IR-6). Incident response training, tabletop exercises, and reporting timelines, including the 72-hour report to DoD that DFARS 252.204-7012 requires. Common gap: the IR plan exists but training records are stale; tabletop exercise documentation is missing or covers a scenario unrelated to actual CUI exposure paths.
Audit and Accountability (AU): particularly 3.3.1 through 3.3.6 (800-53 AU-2, AU-6, AU-12). Audit log generation, review cadence, and retention. Common gap: logs are generated but the review cadence the SSP claims is not happening, and retention falls short of what the SSP itself commits to. 3.3.1 fixes no retention period; the assessor holds you to the one you wrote down, and 90 days online with a one-year archive is the common target.
System and Communications Protection (SC): particularly 3.13.1, 3.13.8 and 3.13.11 (800-53 SC-7, SC-8, SC-13). Boundary protection, transmission encryption, and FIPS-validated cryptography. Common gap: encryption is in place but the module is not FIPS 140 validated, which costs 3 points rather than 5 under the DoD scoring methodology; or boundary protection exists at the network edge but the CUI flows through a vendor SaaS that holds neither a FedRAMP Moderate authorization nor the equivalency DFARS 252.204-7012 requires.
System and Information Integrity (SI): particularly 3.14.1 through 3.14.7 (800-53 SI-2, SI-3, SI-4). Flaw remediation, malicious code protection, system monitoring. Common gap: patching cadence in the SSP does not match the actual vulnerability-scanner data; antivirus is deployed but the engineering workstations have exceptions for the CAM software that effectively disable protection on the most CUI-exposed endpoints.
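The day-one evidence pull named under Access Control, as an added example that is not Brass & Bench tooling and does not come from the original page: a Python reconciliation of a directory export against an HR separation log, flagging the dormant, separated, shared, over-privileged and contract-expired accounts the list above describes. The column names, the account rows, the separation log, the reference date, and the 90-day dormancy and 365-day credential-age thresholds are all assumptions of the example; your SSP defines the real thresholds.

```python
"""Reconcile a directory export against the HR separation log.

Added example, not Brass & Bench tooling: it reproduces the reconciliation
the text says the C3PAO does on day one (user list versus disablement log)
over constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumed; map them to whatever
# your directory tool emits (Get-ADUser, Entra ID export, LDAP dump).
ACCOUNT_EXPORT = """\
sam_account,display_name,enabled,last_logon,password_last_set,admin,account_type,contract_end
jsmith,Jane Smith,true,2026-05-01,2026-02-10,false,employee,
svc_cadvault,CAD Vault Service,true,2026-05-10,2023-01-15,true,service,
bkelly,Bob Kelly,true,2025-09-14,2025-03-02,false,employee,
rlee,Rita Lee,true,2026-01-20,2025-11-02,false,employee,
acme_tech,ACME Field Tech,true,2026-04-28,2026-01-05,true,contractor,2026-03-31
shop_shared,Shop Floor Shared,true,2026-05-12,2022-06-01,false,shared,
mjones,Mike Jones,false,2025-01-01,2024-12-01,false,employee,
"""

# Constructed HR separation log; the assessor reconciles the export against it.
SEPARATIONS = """\
sam_account,separation_date
bkelly,2025-10-01
mjones,2024-12-20
"""

# Thresholds are assumptions for the example; use the values your SSP commits to.
DORMANT_DAYS = 90
SERVICE_CREDENTIAL_MAX_AGE_DAYS = 365


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def review_accounts(export_csv, separations_csv, today):
    """Return (practice, account, detail) for each gap, in export order."""
    separated = {
        row["sam_account"]: _parse_date(row["separation_date"])
        for row in csv.DictReader(io.StringIO(separations_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        acct = row["sam_account"]
        if row["enabled"].lower() != "true":
            continue  # a disabled account is what the disablement log should show
        last_logon = _parse_date(row["last_logon"])
        pw_set = _parse_date(row["password_last_set"])
        is_admin = row["admin"].lower() == "true"
        kind = row["account_type"]
        contract_end = _parse_date(row["contract_end"])

        # 3.9.2: access must end with the personnel action. An enabled account
        # for a separated person is the finding no SSP wording explains away.
        if acct in separated and separated[acct] <= today:
            findings.append(("3.9.2", acct,
                             f"separated {separated[acct]} but still enabled"))
        # 3.1.1: a dormant account is an authorized user who no longer exists in practice.
        elif last_logon and (today - last_logon).days > DORMANT_DAYS:
            findings.append(("3.1.1", acct,
                             f"no logon for {(today - last_logon).days} days"))

        # 3.1.1: contractor access that outlived the contract.
        if kind == "contractor" and contract_end and contract_end < today:
            role = "privileged" if is_admin else "enabled"
            findings.append(("3.1.1", acct,
                             f"contract ended {contract_end}, still {role}"))

        # 3.5.1: a shared account cannot identify an individual user.
        if kind == "shared":
            findings.append(("3.5.1", acct,
                             "shared account; no individual accountability"))

        # 3.1.5: privileged service accounts need a least-privilege justification,
        # and a credential this old suggests nobody owns the account.
        if (kind == "service" and is_admin and pw_set
                and (today - pw_set).days > SERVICE_CREDENTIAL_MAX_AGE_DAYS):
            findings.append(("3.1.5", acct,
                             f"privileged service account, credential unchanged "
                             f"{(today - pw_set).days} days"))
    return findings


def sample_review():
    """Run the review over the constructed data as of a fixed reference date."""
    return review_accounts(ACCOUNT_EXPORT, SEPARATIONS, date(2026, 5, 14))


if __name__ == "__main__":
    for practice, acct, detail in sample_review():
        print(f"{practice:8} {acct:14} {detail}")
```

The separation check runs before the dormancy check on purpose: an enabled account for a separated employee is a 3.9.2 finding whatever its last-logon date says, and reporting it as merely dormant understates it. Swap the constructed strings for your real export and HR log and the same walk produces the evidence the assessor will ask for.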
The path
How we close the gap before the audit.
The Reality Check is structured around the CUI flow, the SSP truthfulness, and the POA&M honesty.
Day zero. Remote intake. Your current SSP, the POA&M, your asset inventory, your network diagram with CUI boundary, your MFA enrollment report, your patch and vulnerability management reports, your IR plan and last twelve months of IR records, your audit log configuration and last quarter of audit review records, your training records for security awareness and IR roles, your CUI handling procedures, and a list of all third-party services that touch CUI with their compliance attestations.
Day one. CUI flow walk. Jason Santiago and one supporting partner trace the CUI through every system, every endpoint, every supplier, and every transmission. The CUI flow is the most useful artifact in the entire engagement and it almost always diverges from the SSP boundary diagram.
Day two. SSP control-by-control walk. All 110 NIST 800-171 requirements are walked against operational reality, using NIST SP 800-171A as the assessment guide and the same scoring rubric the C3PAO will use. Each requirement gets a Met, Partially Met, or Not Met. The C3PAO itself records only MET, NOT MET, or Not Applicable, so every Partially Met finding is carried as Not Met in the projection, except the two partial-credit cases the DoD scoring methodology allows (3.5.3 MFA and 3.13.11 FIPS-validated encryption, which lose 3 points rather than 5). Scoring Partially Met and Not Met findings that way is what makes the projected CMMC score accurate.
Day three. POA&M honesty review. Every open POA&M item is evaluated for plan-of-action realism, milestone achievability, and the contractual-deadline runway. Items where the milestone has slipped without a re-baselined POA&M are flagged because the C3PAO will read those as evidence the POA&M is theater. The review also applies the limits 32 CFR part 170 puts on a POA&M at assessment time: a conditional Level 2 status needs a score of at least 88 of 110, no open 5-point practice may sit on the POA&M (3.13.11 excepted when encryption is deployed but not FIPS-validated), and every item must close within 180 days or the conditional status lapses.
Day four. Tooling and evidence sample. The team randomly samples evidence artifacts the C3PAO is likely to request: account-management logs, configuration-baseline change records, audit-log review tickets, patch-management exception logs, IR tabletop exercise records, security training completion records.
Day five. Findings build. The bound gap-matrix report is built in real time. Every finding gets a control citation, a severity rating, a remediation effort estimate, and an effect on the projected CMMC score. The report includes a remediation-sequenced runway against the contractual deadline.
Day six (if needed). For environments with significant cloud or hybrid architecture, the engagement extends to validate that every third-party service touching CUI holds a FedRAMP Moderate authorization or a documented equivalency, and that the provider's customer-responsibility matrix is reflected in your SSP rather than assumed away.
Day seven (optional). Tabletop exercise execution. Brass & Bench facilitates a realistic CUI-exposure tabletop with the team, documents the outcomes, and refreshes the IR plan against the exercise findings. This day is sometimes scoped separately depending on engagement scope.
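The day-two score projection and the day-three POA&M gating, as an added example that is not Brass & Bench's rubric or code: it applies the DoD Assessment Methodology's 5/3/1-point deductions and the 32 CFR 170.21 conditional-status rule to a constructed gap matrix. The point-value table is an assumed excerpt that covers only the sample practices, the set of 1-point practices barred from a POA&M should be verified against the current rule text, and `Finding`, `level2_outlook` and `after_closing` are names invented here.

```python
"""Project a CMMC Level 2 score and POA&M eligibility from a gap matrix.

Added example, not Brass & Bench tooling. It applies the 5/3/1 point
deductions of the DoD Assessment Methodology and the conditional-status
gate of 32 CFR 170.21 to a constructed gap matrix.
"""
from dataclasses import dataclass

MAX_SCORE = 110
CONDITIONAL_MINIMUM = 88      # floor for a conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180      # conditional status lapses if the POA&M stays open

# Point values are an ASSUMED excerpt of the DoD Assessment Methodology table,
# enough for the sample below. Look up the value of every practice in your own
# SSP; do not extend this table from memory.
POINT_VALUE = {
    "3.1.1": 5, "3.1.2": 5, "3.1.12": 5, "3.1.17": 5, "3.3.1": 5, "3.3.3": 1,
    "3.4.1": 5, "3.4.3": 1, "3.5.3": 5, "3.6.1": 5, "3.6.3": 1,
    "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# 1-point practices the rule still bars from a POA&M. Verify this set against
# the current text of 32 CFR 170.21 before relying on it.
ONE_POINT_NO_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    practice: str
    status: str            # "met", "not_met" or "na" (N/A needs a written justification)
    partial: bool = False  # partial-credit condition, see deduction()


def deduction(f: Finding) -> int:
    """Points lost for one practice."""
    if f.status != "not_met":
        return 0
    # Partial credit: 3.5.3 when MFA covers remote and privileged access but not
    # general users; 3.13.11 when encryption is deployed but not FIPS-validated.
    # Both lose 3 points instead of 5.
    if f.partial and f.practice in ("3.5.3", "3.13.11"):
        return 3
    return POINT_VALUE[f.practice]


def poam_eligible(f: Finding) -> bool:
    """May this finding be carried on a POA&M at the time of assessment?"""
    if f.status != "not_met":
        return True
    if f.practice in ONE_POINT_NO_POAM:
        return False
    if POINT_VALUE[f.practice] == 5:
        # The only 5-point exception is non-FIPS encryption; partial MFA is not one.
        return f.practice == "3.13.11" and f.partial
    return True


def _practice_key(practice):
    return tuple(int(x) for x in practice.split("."))


def level2_outlook(findings):
    """Projected score, likely assessment outcome, and what blocks it."""
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    open_items = [f for f in findings if f.status == "not_met"]
    blockers = sorted((f.practice for f in open_items if not poam_eligible(f)),
                      key=_practice_key)
    poam = sorted((f.practice for f in open_items if poam_eligible(f)),
                  key=_practice_key)
    if not open_items:
        status = "final"
    elif score >= CONDITIONAL_MINIMUM and not blockers:
        status = "conditional"
    else:
        status = "not_ready"
    return {"score": score, "status": status, "blockers": blockers,
            "poam": poam, "closeout_days": POAM_CLOSEOUT_DAYS}


def after_closing(findings, closed):
    """Re-project as if the named practices were remediated before the assessment."""
    return [Finding(f.practice, "met") if f.practice in closed else f
            for f in findings]


# Constructed gap matrix: the day-two walk of a sample environment.
SAMPLE_MATRIX = [
    Finding("3.1.1", "met"),
    Finding("3.1.2", "not_met"),                  # standard accounts can run privileged functions
    Finding("3.1.12", "met"),
    Finding("3.1.17", "na"),                      # no wireless in the CUI enclave
    Finding("3.3.1", "met"),
    Finding("3.3.3", "not_met"),                  # logged-event list never reviewed
    Finding("3.4.1", "not_met"),                  # baseline does not match deployed config
    Finding("3.4.3", "not_met"),                  # change log lacks post-change verification
    Finding("3.5.3", "not_met", partial=True),    # MFA on remote/privileged, not on the shop LAN
    Finding("3.6.1", "met"),
    Finding("3.6.3", "not_met"),                  # no tabletop in the last year
    Finding("3.13.11", "not_met", partial=True),  # encryption present, module not FIPS-validated
    Finding("3.14.1", "met"),
    Finding("3.14.2", "met"),
]

if __name__ == "__main__":
    now = level2_outlook(SAMPLE_MATRIX)
    print("as found:", now)
    print("blockers closed:", level2_outlook(after_closing(SAMPLE_MATRIX, now["blockers"])))
```

The sample scores 91, above the 88 floor, yet is not ready, because three open 5-point practices cannot sit on a POA&M; that is the situation the remediation-sequenced runway exists to surface, since closing those three first is what turns the same environment into a conditional status with four POA&M items and a 180-day clock.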
The bound report ships within forty-eight hours of onsite wrap. We have direct experience walking the CMMC requirements at firearms, ammunition, defense, and aerospace manufacturers where the DoD contract value gates the company's enterprise strategy. The recommended-path appendix sequences remediation against your contractual CMMC deadline and identifies any requirements that can only be closed with third-party tooling or services.
CMMC-L2 audit coming up? Let's find the gap first.
The first call is a thirty-minute conversation. We tell you whether the CMMC 2.0 Reality Check is the right product, or whether you need something different.
