We guide you through every step toward certification and help you implement the technical controls you need to pass.
Not just advice. Actual work. Need ongoing support after you’re certified? We also offer CMMC managed IT services for businesses in our service area.
Registered Practitioners
Consultants on Team
Years in Business
U.S.-Based Staff
Certified by Cyber AB
Our CMMC add-on integrates compliance requirements into every operational and support task — so you’re audit-ready every day, not just at assessment time
Our team can handle the remediation tasks with our managed IT services to resolve vulnerabilities and keep your systems compliant.
Your SSP is detailed documentation on how cybersecurity is practiced in your organization. This document is critical during your assessment. We will collaborate with you to make sure that the document is complete, accurate, and a useful reference tool.
Your IRP identifies the team responsible for handling cybersecurity incidents; describes how you prevent, detect, and respond to incidents; and details how you determine the severity of an event.
Our incident response planning services
We help you identify and prioritize security weaknesses, define corrective actions, establish milestones, and monitor progress. If your assessor finds items that need further attention, we’ll use the POA&M to work through them within the remediation window.
We’ll help you determine whether you need GCC High and make sure that your Microsoft 365 environment is properly configured for the type of data you handle.
Governance, risk, and compliance tools for CMMC compliance simplify inventory, documentation, planning, CUI marking, and budgeting. We’ll help you get comfortable with and make the best use of your GRC tool.
CMMC consulting is the right fit if you have internal IT or an existing MSP handling your day-to-day tech — and you need a compliance expert working alongside them.
✓ Your company handles FCI or CUI as part of a defense contract
✓ You need expert guidance on requirements, documentation, and assessment prep — not someone to run your IT
✓ You have internal IT staff or a current MSP who will implement the changes
✓ You want a right-sized compliance plan, not an enterprise solution designed for a 500-person contractor
Most consultants hand you a report and walk away. Our team handles the technical work — the configurations, policies, and systems that actually move your SPRS score. And our CMMC Managed IT add-on layers compliance controls, documentation, and audit support directly onto your managed IT plan — so you have one partner for both IT and compliance.
See what our Registered Practitioner Organization does differently — and how one contractor went from a negative SPRS score to 110, without breaking the bank.
We offer both. The right choice depends on one question: does your organization have the internal capacity to implement what a consultant recommends?
THIS PAGE
You have internal IT staff — or another MSP managing your infrastructure — and you need a CMMC Registered Practitioner to guide your compliance program. We advise and document; your team implements.
Best if you…
An honest note: Consulting-only works well when you have internal capacity to act on our recommendations. If your team is already stretched thin, a gap analysis without implementation support often creates more stress, not less.
or project-based · no managed IT plan required
SEPARATE SERVICE
We manage your IT and your compliance. Every daily IT decision — patching, monitoring, documentation, incident response — is made with your CMMC requirements in mind. You don’t need to become a CMMC expert. We handle the implementation, not just the advice.
If getting a gap analysis report with a list of 80 things to fix — and no one to fix them — sounds like your worst nightmare, this is the right path.
+ compliance tooling · requires base managed IT plan
Not sure which fits? That’s the most common situation. Our free 30-minute consultation will tell you exactly which path makes sense — and we’ll be straight with you if consulting-only isn’t the right call for where you are right now. Schedule a free consultation →
Nine steps from where you are to certification. Most clients engage us at step one — but it’s never too late to start.
01
Form an implementation team
Identify key stakeholders and partners. This is a good time to bring on a Registered Practitioner.
02
Identify the CMMC level you need
Do you need CMMC Level 1 or Level 2? Most small businesses with defense contracts need Level 2.
03
Define compliance scope
Identify all systems that touch or protect FCI or CUI.
04
Run a gap analysis
Analyze your current security controls and itemize all deficiencies.
05
Gap remediation
Implement the policies, procedures, and systems required to meet the standard – the longest step.
06
Select an assessor
Find a Certified Third-Party Assessor Organization (C3PAO). Demand currently outpaces supply — find one early.
07
Get assessed
An assessment for a smaller business could cost $50,000 or more.
08
Submit your report to the DoD
You must meet at least 80% of the criteria to go on to the next step.
09
Reach 100% compliance and become certified
You’ll have 180 days to correct any issues. The Cyber AB will issue you a certificate, which will be good for three years.
Our client – a Richmond area aviation contractor – is well on the road to CMMC compliance – without killing their business with overwhelming IT costs. Here’s how they did it with our CMMC managed IT services (which includes CMMC consulting).
This particular government contractor (who also serves commercial clients) came to us about six years ago. At first, they were looking for a full-time IT person but then saw the value of our staff augmentation services. Not long after, they hired us as a managed IT services provider.
Six years may seem like an incredibly long time to be on the road to CMMC compliance, but we weren’t just working on CMMC over those years. A lot of what we’ve been doing is day-to-day user support that includes everything from onboarding to setting up conference room phone systems to refreshing their VPN, computers and server.
As far as compliance is concerned, our client started off with a negative SPRS score, which is not unusual.
An SPRS score can range from -203 to 110. To achieve CMMC certification, you’ll have to reach a minimum score of 88 and a Plan of Action and Milestones (POA&M) for the remaining items. Our client is now at 110. We’ve been staying on top of their System Security Plan and their Plan of Action & Milestones and preparing them for their audit.
We took a huge step last year when we moved this client into a Department of Defense approved cloud product. Moving to a FedRAMP-approved tenant like Microsoft GCC High reworks everything – your email and all your settings have to be redone, all of your devices need to be managed, and you have to build out more policies than before – and document them.
Every time you change out a system, you’re going to have to revisit policies and procedures, so we are helping our client write those, which takes substantial time and effort.
Talk with an experienced engineer who is also a CMMC Registered Practitioner. We offer a complimentary initial consultation — no pitch, just an honest look at where you are and what it’ll take to get certified.
Ian MacRae
FOUNDER · CMMC REGISTERED PRACTITIONER
Ian built E-N Computers from a small repair shop into a top-tier regional MSP. His background spans both business operations and technical implementation — which means he understands compliance not just as requirements to check off, but as something that has to work inside a real business.
He is a CMMC Registered Practitioner, authorized to provide CMMC implementation consulting for Department of Defense contractors. He leads the CMMC consulting practice and has worked with hundreds of small businesses on cybersecurity and compliance.
Donald Holland
IT CONSULTANT
Donald brings more than 20 years of DoD cybersecurity experience — and has seen compliance from both sides of the table. His background includes RMF lifecycle management, system accreditation, and secure infrastructure design for government programs, including direct experience working through DoD-conducted audits.
Jonathan Pollock
IT CONSULTANT
CMMC compliance is as much a project management challenge as a technical one. Jonathan’s background earns its keep here — a Naval Academy graduate and former Marine Corps Captain, he managed units of up to 299 personnel and equipment accounts worth over $40 million.
If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a defense contract, you need to reach CMMC compliance. The Cyber AB strongly recommends working with a Registered Practitioner as you get there.
Registered Practitioners are IT and cybersecurity professionals specially trained to help defense contractors prepare for CMMC assessments.
E-N Computers is an RPO with two Registered Practitioners on staff. Ian MacRae leads our CMMC consulting practice. Our team also includes Donald Holland and Jonathan Pollock, who bring specialized DoD cybersecurity and compliance program management expertise.
“Navigating the CMMC certification process can be complex and time-consuming, especially for organizations new to the requirements. That’s why it’s crucial to leverage the expertise of a trusted third-party organization that has been authorized by the Cyber AB to assist you.”
The Cyber AB
What’s the difference between CMMC consulting and managed IT services?
What’s the difference between CMMC consulting and managed IT services?
CMMC consulting guides you while your internal IT staff or current MSP does the technical work. CMMC managed IT services means we’re doing the IT work for you — implementing controls, maintaining systems, and keeping you compliant on an ongoing basis.
For clients who want both, we can bundle consulting into a managed services engagement. It’s usually the most cost-effective path.
How much does CMMC consulting cost
Our CMMC consulting costs about $800 to $1,500 per month, depending on your company size, current IT setup, and whether you need CMMC Level 1 or Level 2. Most clients reach compliance in 12 to 18 months.
For comparison, independent CMMC consultants typically charge $250–$400 per hour, with total project costs often reaching $50,000 or more. Our monthly retainer model is designed specifically to make compliance affordable for smaller businesses.
How long does an engagement take?
CMMC compliance itself typically takes up to two years from start to certification — which is why starting now matters. The remediation phase (step 5 in the process) is typically the longest, often taking one to two years depending on your current security posture.
What is a CMMC consultant?
CMMC consultants are IT professionals who specialize in cybersecurity and the Cybersecurity Maturity Model Certification program. Registered Practitioners (RP/RPA) are recognized by The Cyber AB as having the training and experience to help defense contractors identify gaps and prepare for assessment. Registered Practitioner Organizations (RPO) are companies with at least one RP on staff.
Does my company need to be CMMC certified?
If your company handles FCI or CUI as part of a federal defense contract, yes. Most defense contractors that work directly or indirectly with the Department of Defense are subject to CMMC requirements.
What are the CMMC levels?
Level 1 covers 15 basic security requirements and can be completed through annual self-assessment. Level 2 requires meeting 110 controls aligned with NIST SP 800-171 and must be assessed by a C3PAO every three years — most small businesses with defense contracts need Level 2. Level 3 applies to a small number of prime contractors and is government-led.
Who performs CMMC assessments?
Assessments are performed by Certified Third-Party Assessment Organizations (C3PAOs). The RPO you work with for consulting cannot also be your C3PAO — they’re separate roles by design. Only US citizens can be on the assessor team.
Do you need a Registered Practitioner Organization?
You’re not required to use an RPO, but it helps considerably. The Cyber AB recommends working with a trusted third-party organization authorized to assist you — particularly for Level 2, where the documentation and technical requirements are substantial. An RPO has at least one Registered Practitioner on staff and is accountable to The Cyber AB’s code of professional conduct.
Guides, case studies, and tools for defense contractors navigating compliance
CMMC Managed IT
Finding help
Understanding CMMC
Schedule a complimentary consultation with a Registered Practitioner. We’ll give you an honest read on where you stand and what it’ll take to get certified.
LOCALLY OWNED • FOUNDER LED • NO VENTURE CAPITAL • CMMC RPO • U.S. STAFF
How can we help?
