Common Questions
Frequently Asked Questions
Answers to the most common questions about CMMC certification, cybersecurity, and managed IT services for defense contractors.
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense framework that requires defense contractors to meet specific cybersecurity standards before they can bid on or retain DoD contracts. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will need a CMMC assessment at the level that matches the information you handle. The CMMC Program rule (32 CFR Part 170) took effect on December 16, 2024, and the requirement is being phased into new DoD contracts over several years, making now the right time to begin preparation.
The timeline depends on your organization's current security posture and the CMMC level you are targeting. Organizations with mature IT environments and some existing controls in place can often reach Level 2 certification readiness in 6 to 12 months. Organizations starting from scratch or with significant gaps should plan for 12 to 18 months. PCShards works with you to build a realistic timeline and prioritize the actions that will have the greatest impact first.
Costs vary based on the size of your organization, the scope of your CUI environment, and how many controls need to be implemented or remediated. Our approach focuses on right-sizing your compliance boundary to reduce unnecessary scope and cost. We provide a detailed estimate after our initial assessment so there are no surprises. Many organizations find that the investment pays for itself by unlocking access to lucrative DoD contracts they could not otherwise pursue.
CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI) and is met by an annual self-assessment. Level 2 maps to the full 110 security requirements of NIST SP 800-171 (Revision 2, the version the CMMC rule references) and applies to organizations that handle Controlled Unclassified Information (CUI). For most contracts, Level 2 certification requires a third-party assessment by an authorized C3PAO; a subset of Level 2 contracts accepts a self-assessment instead, but the same 110 requirements apply either way. Most defense contractors handling sensitive data will need Level 2 compliance.
Our managed IT services provide comprehensive coverage for your organization's technology infrastructure. This includes 24/7 network monitoring and alerting, help desk support for your team, server and endpoint management, cloud hosting and migration services, data backup and disaster recovery, and strategic IT planning. We function as your complete outsourced IT department or as a seamless extension of your existing in-house team — whether you are a five-person office or a 200-person operation.
Absolutely. While CMMC and defense contractor compliance is a core specialty, a large portion of our clients are small and mid-sized businesses that simply need reliable IT support and strong cybersecurity. Every business today faces real cyber threats — ransomware, phishing, data breaches — and most small businesses do not have the resources to hire a full-time IT team. PCShards fills that gap by providing enterprise-grade managed IT, cybersecurity, and help desk support at a price point that makes sense for smaller organizations. We handle your technology so you can focus on running your business.
Small businesses are one of the most targeted groups by cybercriminals, precisely because attackers know that smaller organizations often lack dedicated security resources. Industry breach reports have repeatedly put the share of attacks aimed at small businesses above 40 percent, and the cost of a single data breach can be devastating for a company without deep reserves. PCShards helps small businesses implement practical, right-sized security measures (endpoint protection, email security, multi-factor authentication, employee training, and backup and recovery) that dramatically reduce your risk without overcomplicating your operations or breaking your budget.
If you are a PCShards managed services client, our team responds immediately according to your incident response plan. We contain the threat, investigate the root cause, remediate affected systems, and guide your organization through any required notification or reporting obligations. We also conduct a post-incident review to strengthen your defenses and prevent recurrence. If you do not yet have an incident response plan, building one is a critical first step — and something we can help you put in place.
The Supplier Performance Risk System (SPRS) score is a numerical representation of how fully your organization has implemented the NIST SP 800-171 security requirements, calculated under the DoD Assessment Methodology. Scores range from -203 to 110: you start at 110 and subtract 1, 3, or 5 points for each requirement that is not fully implemented, with the weight reflecting how much the requirement matters, so a handful of high-weight gaps can push the score negative. Requirements that sit on a POA&M still count as not implemented until they are closed. The Department of Defense uses SPRS scores to evaluate contractor cybersecurity posture before awarding contracts. Since November 2020 (DFARS 252.204-7019 and 252.204-7020), prime contractors and subcontractors handling CUI have been required to post a current score in SPRS. A low or missing score can disqualify your organization from contract opportunities. PCShards helps you accurately calculate your current score, identify the controls that will improve it most efficiently, and build a Plan of Action and Milestones (POA&M) to reach your target.
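As an added example (not PCShards code and not an official DoD tool), the following Python implements the scoring rules described above: start at 110, deduct each open requirement's weight, apply the two partial-credit cases the methodology allows, and refuse to score when there is no System Security Plan. The weight table is a deliberately partial, labeled subset and must be completed from Annex A of the DoD Assessment Methodology before any real use; the requirement ids, weights, and the five-gap scenario at the bottom are the assumptions.

```python
"""SPRS-style NIST SP 800-171 self-assessment scorer.

Added illustration, not PCShards code. The scoring rules (start at 110,
deduct 1/3/5 points per unimplemented requirement, two partial-credit
cases, floor of -203) follow the DoD Assessment Methodology. The weight
table below is a deliberately PARTIAL subset; fill it in from Annex A
before using this for a real submission.
"""

MAX_SCORE = 110
MIN_SCORE = -203   # floor reached only if every requirement is unimplemented

# ASSUMPTION: illustrative subset of Annex A weights (requirement id -> points).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to authorized transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.6": 1,    # non-privileged accounts for non-security functions
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # audit logging
    "3.3.2": 3,    # audit records attributable to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}

# Only two requirements earn partial credit (deduct 3 instead of 5):
#   3.5.3   - MFA in place for privileged and remote access only
#   3.13.11 - encryption in use but not FIPS 140 validated
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id, partial=False):
    """Points lost for one requirement that is not fully implemented."""
    if req_id not in WEIGHTS:
        # Refuse to guess: an unknown id would silently inflate the score.
        raise ValueError(f"{req_id}: not in weight table, add it from Annex A")
    if partial:
        if req_id not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{req_id}: partial credit is not defined here")
        return PARTIAL_CREDIT_DEDUCTION[req_id]
    return WEIGHTS[req_id]


def sprs_score(unimplemented, partial=frozenset(), has_ssp=True):
    """Score a self-assessment.

    unimplemented: ids of requirements not fully implemented (POA&M items
                   included; a POA&M does not restore points).
    partial:       subset of those ids that qualify for partial credit.
    has_ssp:       3.12.4 (the SSP) carries no points, but without an SSP the
                   methodology says the assessment cannot be completed.
    """
    if not has_ssp:
        raise ValueError("no System Security Plan: assessment cannot be scored")
    unimplemented = set(unimplemented)
    stray = set(partial) - unimplemented
    if stray:
        raise ValueError(f"partial credit claimed for implemented items: {sorted(stray)}")
    total = sum(deduction(r, partial=r in partial) for r in unimplemented)
    return max(MIN_SCORE, MAX_SCORE - total)


def prioritize(unimplemented, partial=frozenset()):
    """Order the open gaps by score impact, highest first (ties by id)."""
    return sorted(set(unimplemented), key=lambda r: (-deduction(r, r in partial), r))


if __name__ == "__main__":
    # Constructed scenario: five open gaps, two of them in a partial-credit state.
    gaps = ["3.1.6", "3.5.3", "3.13.11", "3.1.1", "3.3.2"]
    claimed_partial = {"3.5.3", "3.13.11"}
    print("score:", sprs_score(gaps, claimed_partial))      # 110 - (1+3+3+5+3) = 95
    print("fix first:", prioritize(gaps, claimed_partial))  # ['3.1.1', '3.13.11', '3.3.2', '3.5.3', '3.1.6']
```

Run it directly to score the constructed scenario. `prioritize()` is the order a remediation plan should start from: closing the one 5-point gap buys as much as closing three 3-point gaps, and an unknown requirement id is an error rather than a free point, which is the failure mode that produces an inflated self-score.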
We work with both prime contractors and subcontractors throughout the defense supply chain. In fact, many of our clients are small to mid-sized subcontractors who handle CUI as part of their work on larger defense programs. CMMC requirements flow down through the supply chain: a subcontractor's required level is set by the information that actually flows down to it, so a sub that receives only FCI needs Level 1 while one that receives CUI needs Level 2, whatever level the prime itself holds. We understand the unique challenges subcontractors face (smaller teams, tighter budgets, and less dedicated IT staff) and we tailor our services accordingly to help you achieve compliance without overextending your resources.
A System Security Plan is a formal document that describes your organization's security controls, how they are implemented, and the boundaries of the systems that process, store, or transmit Controlled Unclassified Information. An SSP is itself a NIST SP 800-171 requirement (3.12.4), is required for CMMC Level 2 certification, and is one of the first documents a C3PAO assessor will review; without one, an assessment cannot even be scored. It must be detailed, accurate, and maintained as a living document that reflects your current environment. PCShards develops your SSP from the ground up or reviews and strengthens your existing plan, ensuring it meets the documentation standards that assessors expect and accurately maps each NIST SP 800-171 requirement to your specific implementation.
Yes — and this is one of the most impactful things we do for our clients. Many organizations overestimate the scope of their CUI environment, which inflates the number of systems, users, and controls that fall under CMMC requirements. We conduct a thorough data flow analysis to identify exactly where CUI enters, is processed, stored, and transmitted within your organization. From there, we help you architect a well-defined compliance boundary — often using network segmentation, enclave strategies, or cloud-based CUI environments like PreVeil — to minimize the systems in scope. A smaller, well-defined boundary means fewer controls to implement, lower assessment costs, and a faster path to certification.
A gap assessment is a preliminary evaluation conducted by a consultant like PCShards to identify where your organization's current security posture falls short of CMMC requirements. It is an internal diagnostic tool — not a pass-or-fail certification event. It results in a detailed findings report and remediation roadmap. A C3PAO assessment, by contrast, is the official third-party certification audit conducted by a CMMC Third-Party Assessment Organization authorized by the Cyber AB. This is the formal evaluation that determines whether your organization earns its CMMC certification. Think of the gap assessment as your practice exam and the C3PAO assessment as the final. PCShards prepares you thoroughly through gap assessments and mock audits so that by the time your C3PAO arrives, there are no surprises.
Many defense contractors must comply with both CMMC and the International Traffic in Arms Regulations (ITAR), which restricts access to defense-related technical data to U.S. persons. These frameworks overlap but have distinct requirements. ITAR imposes strict access controls based on citizenship, which affects how you configure cloud environments, email systems, and data storage. PCShards has deep experience implementing solutions that satisfy both CMMC and ITAR simultaneously — including ITAR-compliant Microsoft 365 GCC High configurations, access controls that enforce U.S.-person-only restrictions, and documentation that addresses both regulatory frameworks. We ensure that your compliance program covers both sets of requirements without creating redundant or conflicting controls.
Still have questions?
Contact Us