Improve your business operations and make steady progress toward certification by working with a Virginia CMMC Registered Practitioner.
Need ongoing support after you’re certified? We also offer CMMC managed IT services for businesses througout Virginia.
Our CMMC services integrate compliance requirements into every operational and support task — so you’re audit-ready every day, not just at assessment time
Our team can handle the remediation tasks with our managed IT services to resolve vulnerabilities and keep your systems compliant.
Your SSP is detailed documentation on how cybersecurity is practiced in your organization. This document is critical during your assessment. We will collaborate with you to make sure that the document is complete, accurate, and a useful reference tool.
Your IRP identifies the team responsible for handling cybersecurity incidents; describes how you prevent, detect, and respond to incidents; and details how you determine the severity of an event.
Our incident response planning services
We help you identify and prioritize security weaknesses, define corrective actions, establish milestones, and monitor progress. If your assessor finds items that need further attention, we’ll use the POA&M to work through them within the remediation window.
We’ll help you determine whether you need GCC High and make sure that your Microsoft 365 environment is properly configured for the type of data you handle.
Governance, risk, and compliance tools for CMMC compliance simplify inventory, documentation, planning, CUI marking, and budgeting. We’ll help you get comfortable with and make the best use of your GRC tool.
Virginia’s defense contractor community — from the NoVA and DC corridor to Richmond, Fredericksburg, and Hampton Roads — is among the most concentrated in the country. Your competitors are getting assessed, your primes are adding CMMC requirements to subcontracts, and the window for a “we’ll handle it later” approach is closing.
We work with Virginia contractors wherever they are in the process — establishing a baseline SPRS score, closing gaps, or preparing for a formal assessment.
Registered Practitioners
Consultants on Team
Years in Business
U.S.-Based Staff
Certified by Cyber AB
CMMC consulting is the right fit if you have internal IT or an existing MSP handling your day-to-day tech — and you need a compliance expert working alongside them.
✓ Your company handles FCI or CUI as part of a defense contract
✓ You need expert guidance on requirements, documentation, and assessment prep — not someone to run your IT
✓ You have internal IT staff or a current MSP who will implement the changes
✓ You want a right-sized compliance plan, not an enterprise solution designed for a 500-person contractor
Most consultants hand you a report. We do the technical work behind it.
See what our Registered Practitioner Organization does differently — and how one Virginia contractor went from a negative SPRS score to 110, without breaking the bank.
We offer both. The right choice depends on one question: does your organization have the internal capacity to implement what a consultant recommends?
THIS PAGE
You have internal IT staff — or another MSP managing your infrastructure — and you need a CMMC Registered Practitioner to guide your compliance program. We advise and document; your team implements.
Best if you…
An honest note: Consulting-only works well when you have internal capacity to act on our recommendations. If your team is already stretched thin, a gap analysis without implementation support often creates more stress, not less.
or project-based · no managed IT plan required
SEPARATE SERVICE
We manage your IT and your compliance. Every daily IT decision — patching, monitoring, documentation, incident response — is made with your CMMC requirements in mind. You don’t need to become a CMMC expert. We handle the implementation, not just the advice.
If getting a gap analysis report with a list of 80 things to fix — and no one to fix them — sounds like your worst nightmare, this is the right path.
+ compliance tooling · requires base managed IT plan
Not sure which fits? That’s the most common situation. Our free 30-minute consultation will tell you exactly which path makes sense — and we’ll be straight with you if consulting-only isn’t the right call for where you are right now. Schedule a free consultation →
Nine steps from where you are to certification. Most clients engage us at step one — but it’s never too late to start.
01
Form an implementation team
Identify key stakeholders and partners. This is a good time to bring on a Registered Practitioner.
02
Identify the CMMC level you need
Do you need CMMC Level 1 or Level 2? Most small businesses with defense contracts need Level 2.
03
Define compliance scope
Identify all systems that touch or protect FCI or CUI.
04
Run a gap analysis
Analyze your current security controls and itemize all deficiencies.
05
Gap remediation
Implement the policies, procedures, and systems required to meet the standard – the longest step.
06
Select an assessor
Find a Certified Third-Party Assessor Organization (C3PAO). Demand currently outpaces supply — find one early.
07
Get assessed
An assessment for a smaller business could cost $35,000 and $75,000+, depending on scope.
08
Submit your report to the DoD
You must meet at least 80% of the criteria to go on to the next step.
09
Become certified
You’ll have 180 days to correct any issues. The Cyber AB will issue you a certificate that’s good for three years.
A Richmond-area aviation contractor went from a negative SPRS score to a perfect 110 — audit-ready, without runaway IT costs. Here’s how we got them there.
They came to us six years ago looking for a full-time IT person, discovered staff augmentation made more sense, and eventually brought us on as their managed IT services provider. CMMC compliance was part of the picture, but so was the day-to-day work: user support, onboarding, conference room systems, VPN and device refreshes.
On the compliance side, we’ve kept their System Security Plan and POA&M current, managed the move to Microsoft GCC High, and helped them write and document the policies that come with every system change. They’re ready for their audit.
Talk with an experienced engineer who is also a CMMC Registered Practitioner. We offer a complimentary initial consultation — no pitch, just an honest look at where you are and what it’ll take to get certified.
You’ll work directly with our Registered Practitioners and senior consultants — not a salesperson.
Ian MacRae
FOUNDER · CMMC REGISTERED PRACTITIONER
Ian built E-N Computers from a repair shop into a regional MSP. As a CMMC Registered Practitioner, he leads the CMMC consulting practice — and because his background covers both business operations and technical implementation, he approaches compliance as something that has to work inside a real business, not just pass an audit. He’s worked with hundreds of small businesses on cybersecurity and compliance.
Donald Holland
IT CONSULTANT
Donald brings 20+ years of DoD cybersecurity experience — including RMF lifecycle management, system accreditation, and secure infrastructure design — and has been through DoD-conducted audits firsthand. He holds CompTIA Security+ CE, CASP+, and AWS Cloud Practitioner certifications, and is currently pursuing CISSP, CMMC Certified Professional, and RP.
Jonathan Pollock
IT CONSULTANT
CMMC compliance is as much a project management challenge as a technical one — which is where Jonathan’s background earns its keep. A Naval Academy graduate and former Marine Corps Captain, he managed units of up to 299 personnel and equipment accounts worth over $40 million. Credentials: B.S., United States Naval Academy; Certified Scrum Professional.
If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a defense contract, you need to reach CMMC compliance. The Cyber AB strongly recommends working with a Registered Practitioner as you get there.
Registered Practitioners are IT and cybersecurity professionals specially trained to help defense contractors prepare for CMMC assessments.
E-N Computers is an RPO with two Registered Practitioners on staff. Ian MacRae leads our CMMC consulting practice. Our team also includes Donald Holland and Jonathan Pollock, who bring specialized DoD cybersecurity and compliance program management expertise.
“Navigating the CMMC certification process can be complex and time-consuming, especially for organizations new to the requirements. That’s why it’s crucial to leverage the expertise of a trusted third-party organization that has been authorized by the Cyber AB to assist you.”
The Cyber AB
What’s the difference between CMMC consulting and managed IT services?
What’s the difference between CMMC consulting and managed IT services?
CMMC consulting guides you while your internal IT staff or current MSP does the technical work. CMMC managed IT services means we’re doing the IT work for you — implementing controls, maintaining systems, and keeping you compliant on an ongoing basis.
For clients who want both, we can bundle consulting into a managed services engagement. It’s usually the most cost-effective path.
How much does CMMC consulting cost?
Our CMMC consulting costs about $800 to $1,500 per month, depending on your company size, current IT setup, and whether you need CMMC Level 1 or Level 2. Most clients reach compliance in 12 to 18 months.
For comparison, independent CMMC consultants typically charge $250–$400 per hour, with total project costs often reaching $50,000 or more. Our monthly retainer model is designed specifically to make compliance affordable for smaller businesses.
How long does an engagement take?
CMMC compliance itself typically takes up to two years from start to certification — which is why starting now matters. The remediation phase (step 5 in the process) is typically the longest, often taking one to two years depending on your current security posture.
What is a CMMC consultant?
CMMC consultants are IT professionals who specialize in cybersecurity and the Cybersecurity Maturity Model Certification program. Registered Practitioners (RP/RPA) are recognized by The Cyber AB as having the training and experience to help defense contractors identify gaps and prepare for assessment. Registered Practitioner Organizations (RPO) are companies with at least one RP on staff.
Does my company need to be CMMC certified?
If your company handles FCI or CUI as part of a federal defense contract, yes. Most defense contractors that work directly or indirectly with the Department of Defense are subject to CMMC requirements.
What are the CMMC levels?
Level 1 covers 15 basic security requirements and can be completed through annual self-assessment. Level 2 requires meeting 110 controls aligned with NIST SP 800-171 and must be assessed by a C3PAO every three years — most small businesses with defense contracts need Level 2. Level 3 applies to a small number of prime contractors and is government-led.
Who performs CMMC assessments?
Assessments are performed by Certified Third-Party Assessment Organizations (C3PAOs). The RPO you work with for consulting cannot also be your C3PAO — they’re separate roles by design. Only US citizens can be on the assessor team.
Do you need a Registered Practitioner Organization?
You’re not required to use an RPO, but it helps considerably. The Cyber AB recommends working with a trusted third-party organization authorized to assist you — particularly for Level 2, where the documentation and technical requirements are substantial. An RPO has at least one Registered Practitioner on staff and is accountable to The Cyber AB’s code of professional conduct.
Guides, case studies, and tools for defense contractors navigating compliance
CMMC Managed IT
Finding help
Best CMMC RPOs near Washington, DC
Best Virginia Registered Practitioner Organizations
Case Study: Virginia Government Contractor Nears CMMC Compliance
Best CMMC assessors near Washington, DC
CMMC consulting services for small and medium-sized businesses
Virginia CMMC consulting services
Understanding CMMC
Schedule a complimentary consultation with a Registered Practitioner. We’ll give you an honest read on where you stand and what it’ll take to get certified.
LOCALLY OWNED • FOUNDER LED • NO VENTURE CAPITAL • CMMC RPO • U.S. STAFF
How can we help?
