Whether you're a Level 1 self-attestor or staring down a Level 2 third-party assessment, the work is the same: scope your environment, implement the practices, gather the evidence, post a score that survives scrutiny. Fortress runs the playbook end-to-end so you can focus on winning the contract.
Most defense subs aren't undercompliant because they don't care. They're undercompliant because the documentation burden is enormous and the consequences of getting it wrong — DoJ False Claims Act exposure, a botched SPRS posting, losing a prime — are real. The 110 NIST 800-171 controls don't fit naturally into a 12-person company's workflow. The Level 1 self-attestation looks deceptively simple, until your prime asks you to defend it.
We built Fortress for the contractor who wants to do this right and doesn't have a full-time compliance team to do it.
The full Level 1 self-attestation kit. All 17 L1 practices, evidence templates, a SPRS-ready scoring worksheet, and a delivered package you keep. For teams who want the artifact without the relationship.
Everything in Self-Service, plus async Registered Practitioner review of your assessment before you post your SPRS score. Tammie helps you draft control responses; we review them before they go to your prime. The cost of a single audit prep mistake is higher than this subscription, and we've seen the mistakes.
Level 2 is a different conversation. The CMMC Level 2 ecosystem requires a CMMC Third-Party Assessor Organization (C3PAO) on the certification side and someone like us on the readiness side. We scope the engagement to your environment — NIST 800-171 control implementation, DFARS 7012 evidence package, optional CUI scoping consultation, and (for L2 Managed) full-engagement delivery up to the C3PAO assessment date.
If you need a dedicated Registered Practitioner across multiple frameworks — say you're CMMC for the contract but also HIPAA because you handle veteran health data — Vanguard pairs you with a single point of accountability across all of it.
Trained on NIST 800-171, DFARS 7012, and the assessment language your auditors actually use. Ask her to draft a control implementation, interpret a practice, or pressure-test how you're scoping CUI. She remembers your engagement, your environment, your decisions.
Each of the 110 controls gets its own assessment surface with evidence requirements, scoring, and notes. You build the package one control at a time, with Tammie helping at every step.
When you're ready to post your score, we generate the package — control-by-control responses, evidence inventory, and a scoring worksheet that matches the SPRS rubric. Your prime can verify your work, and so can a C3PAO.
A credentialed Registered Practitioner reviews your scoping decisions, control responses, and evidence quality before any of it leaves your environment. The point is to catch the things that would have come back as findings before they cost you a contract.
CMMC is the only compliance framework on this site where getting it wrong has direct legal consequences — a misposted SPRS score is a False Claims Act exposure. We won't pretend otherwise, and we don't sell shortcuts. We sell a process that produces a defensible result.
Twenty minutes of intake, a delivered gap analysis tuned to NIST 800-171, and a real PDF you can take to your prime or sit with. Roll the $624 into Fortress within 14 days.
Get the Brief →