Performance Data

Compliance that stands up to an audit.

We help defense contractors and high-trust organizations earn and keep certifications like ISO/IEC 27001:2022 and CMMC 2.0—with a practical, evidence-first approach.

ISO/IEC 27001:2022 Auditing & Certification Readiness

  • Readiness/Gap Assessment: Scope your ISMS and evaluate it against Clauses 4–10 and Annex A's 93 controls (organized into the Organizational, People, Physical, and Technological themes).

  • ISMS Build-Out: Risk methodology, Statement of Applicability, policies, procedures, KPIs, internal audit plan, management review.

  • Internal Audit (1st/2nd Party): Independent internal audits that mirror certification body techniques.

  • Transition from 2013 → 2022: Plan and execute your migration ahead of the October 31, 2025 deadline.

  • Certification Support: Liaise with your selected accredited certification body and close findings.

CMMC 2.0 Readiness, Self-Assessment Support & C3PAO Preparation

  • Scoping & Boundary Definition: Identify in-scope assets and enclaves per CMMC scoping guidance and 32 CFR Part 170.

  • Control Implementation: Align with NIST SP 800-171 Rev. 2 for Level 2; plan for Level 3 items referencing NIST SP 800-172.

  • Assessment Pathways:

    • Level 1: Annual self-assessment and affirmation for FAR 52.204-21 safeguards (FCI).

    • Level 2: Self-assessment or C3PAO certification depending on the contract; we prep you for either, using the official Level 2 Assessment Guide.

    • Level 3: Government-led (DIBCAC) assessments for prioritized programs; we align artifacts and operational practices accordingly.

  • Evidence & SPRS: Build assessment-objective-level evidence and prepare Supplier Performance Risk System (SPRS) submissions and POA&M closeout plans.

  • C3PAO Coordination: We coordinate with The Cyber AB ecosystem and C3PAOs so your package is audit-ready.

Expanded Security Systems

  • NIST CSF 2.0 alignment and control rationalization with ISO 27001/CMMC

  • Vulnerability & Patch Governance (ties to RA, SI, CM families)

  • Secure Development Lifecycle (maps to ISO 27001 A.8; CMMC SC/CM)

  • Supplier Security (third-party risk, data handling, flow-downs)

  • Awareness & Training (role-based, evidence-producing)

  • Incident Response & Exercises (tabletops with audit-ready after-action records)

ISO 27001 & CMMC: Fast Facts

  • ISO/IEC 27001:2022 is the current ISMS standard; Annex A now has 93 controls across 4 themes (Organizational, People, Physical, Technological).

  • Organizations must transition from ISO 27001:2013 to 2022 by October 31, 2025, or their certifications expire or are withdrawn.

  • CMMC 2.0 has three levels: Level 1 (FCI, self-assessment), Level 2 (CUI, NIST 800-171 Rev. 2), Level 3 (subset of NIST 800-172, government-led).

  • DoD has finalized the CMMC program rule at 32 CFR Part 170 with phased implementation across solicitations and contracts.

  • NIST released SP 800-171 Rev. 3 (final) — DoD guidance currently aligns CMMC Level 2 with Rev. 2 while organizations prepare for Rev. 3 deltas.