CMMC Level 2 requires 110 controls, 227 objectives, a System Security Plan, 26 policies, network diagrams, and evidence forms. We built every document. You customize, you own it.
A C3PAO assessor walks in with a checklist. They want documents, evidence, and working controls — not promises.
The SSP is required before assessment begins. It must document every system component, every user, every control — with implementation narratives. A blank template fails on sight.
You need 26 domain-specific policies tied to NIST 800-171 controls. Generic IT policies from the internet fail because assessors check that they map to your actual environment.
Your CUI boundary must be defined and documented. The diagram needs to show data flows, components, and how CUI is separated. "We'll draw it later" is a finding.
That's what documentation from scratch costs when you pay an expert to write it. Or you use our bundle, customize for your environment, and arrive prepared.
Purpose-built for 5–25 person defense contractors. Not theoretical frameworks — actual documents an assessor will accept, day one.
There are three ways to get CMMC documentation. Here's what they actually cost.
| Approach | Cost | Timeline | SSP | Policies | Evidence Forms | Ocelot Bundle |
|---|---|---|---|---|---|---|
| Write it yourself | $0 + 200+ hours | 3–6 months | ✓ | — | — | |
| Hire a consultant | $8,000–$20,000 | 2–4 months | ✓ | ✓ | — | |
| Generic templates (online) | $99–$599 | Days | ✓ | — | — | |
| Ocelot Complete Bundle | $1,497 one-time | Same day | ✓ Written | ✓ All 26 | ✓ 19 forms | Complete |
Practical articles for ISSOs, IT managers, and ops directors at small DIB contractors.
Most small contractors fail on the boundary definition, not the technical controls. Here's what assessors actually want to see.
SPRS is self-reported, but it's not a free number. Here's how the math works and why inflating it creates legal exposure.
From M365 GCC architecture decisions to what happens if you fail your assessment — answers without the consulting invoice.
The complete documentation package for a CMMC Level 2 assessment. Built on NIST SP 800-171A Rev 3. Covers all 110 controls and 227 objectives. Used by 5–25 person defense contractors preparing for C3PAO assessment.
Five-tab Excel workbook. All 110 controls, all 227 objectives from NIST 800-171A Rev 3. Live SPRS score calculator that auto-updates as you mark controls SAT/OTS/N/A.
Complete SSP with pre-written implementation narratives for all 110 controls. Fill in your environment details — system boundary, components, users, CUI types — and it's done.
Complete library covering all 14 NIST 800-171 control domains. Each policy is formatted, numbered, dated, and mapped to the controls it satisfies.
Four draw.io XML architectures covering the most common DIB contractor environments. Import, customize your component names, export. Done.
19-tab Excel workbook with structured forms for capturing control evidence. Plus 10 operational procedure templates (onboarding, offboarding, patch mgmt, incident response, and more).
Six role-based interview guides for extracting accurate control information from IT admins, HR, facilities, executives, and end users. Includes follow-up probes and red flag indicators.
5–25 person companies holding or bidding on DoD contracts who need CMMC Level 2 documentation without a $15,000 consulting engagement.
The person responsible for getting the company compliant. You know what the controls mean — you just need the documents written so you can focus on implementation.
Managed service providers who support defense contractors. White-label pricing available for firms who want to offer documentation services to their clients.
The SSP is the cornerstone of your CMMC assessment. Assessors read it first. It must document every system component, every user, every control — with implementation narratives. Ours come pre-written.
Five-tab Excel workbook built natively on NIST SP 800-171A Rev 3. Covers all 110 controls and all 227 assessment objectives. Your SPRS score auto-calculates as you work.
26 security policies covering all 14 NIST 800-171 control domains. Formatted with version tracking, review dates, and control mappings. Assessors see policies that look like they came from an organization that takes compliance seriously.
Practical articles for ISSOs, IT managers, and compliance leads at small defense contractors.
Most small contractors fail on the boundary definition, not the technical controls. Here's what assessors actually want.
SPRS is self-reported but it's not a free number. Here's how the math works and why inflating it creates legal exposure.
Most small DIB contractors don't need GCC-High. Here's how to figure out which tier your contract actually requires.
Assessors frequently find that contractors have policies but no procedures — or vice versa. Here's what each one needs to say.
The first thing a C3PAO assessor asks for isn't your firewall config. It's your SSP. Here's how the first day actually goes.
A single misaddressed email containing CUI is a reportable incident under DFARS 252.204-7012. Here's the 72-hour process.
When a C3PAO assessor arrives at your facility, one of the first documents they'll request is your network diagram. Not to see what switches you have — to see if you actually know what's in scope.
The diagram is evidence that you understand your own CUI boundary. If it's vague, outdated, or missing components the assessor can physically observe, it signals that your entire SSP may be unreliable.
The most common network diagram finding at small DIB contractors isn't a missing technical control — it's that the CUI boundary is undefined or inconsistent with the SSP.
Experienced C3PAO assessors have described a consistent checklist they work through when reviewing a diagram. Here's what they're looking at:
Most small DIB contractors fall into one of four architecture types. The right diagram template depends on how your environment is actually built:
Walk your IT admin through the diagram before your assessment date. Ask them to identify any component they can see on the network that isn't shown. Close those gaps. Then reconcile the diagram against your SSP's system boundary description — every component in the diagram should appear in the SSP and vice versa.
The diagram and the SSP tell the same story. If they contradict each other, assessors notice.
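The diagram-to-SSP reconciliation described above can be scripted. This is an added example, not part of the bundle or the original article: it assumes an uncompressed draw.io XML export and an SSP component list kept as plain names, and every label in the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: uncompressed draw.io export, three shapes and one
# connector. All labels are made up for this example.
DRAWIO_XML = """<mxfile><diagram name="CUI boundary"><mxGraphModel><root>
<mxCell id="0"/><mxCell id="1" parent="0"/>
<mxCell id="2" value="FW-01" vertex="1" parent="1"/>
<object label="FILESRV-01&lt;br&gt;(CUI share)" id="3">
  <mxCell vertex="1" parent="1"/></object>
<mxCell id="4" value="Lobby-Printer" vertex="1" parent="1"/>
<mxCell id="5" value="" edge="1" source="2" target="3" parent="1"/>
</root></mxGraphModel></diagram></mxfile>"""

# Constructed sample: component names from the SSP system boundary section.
SSP_COMPONENTS = ["fw-01", "FILESRV-01", "WKSTN-07"]


def normalize(label):
    """Keep the first line of a label, drop HTML tags, ignore case."""
    first_line = re.split(r"<br\s*/?>", label, maxsplit=1, flags=re.I)[0]
    return re.sub(r"<[^>]+>", "", first_line).strip().casefold()


def diagram_components(xml_text):
    """Return normalized labels of every shape (vertex), skipping connectors."""
    names = set()
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in ("object", "UserObject"):   # shape with custom data
            cell, label = elem.find("mxCell"), elem.get("label")
        elif elem.tag == "mxCell":
            cell, label = elem, elem.get("value")
        else:
            continue
        if cell is not None and cell.get("vertex") == "1" and label:
            names.add(normalize(label))
    names.discard("")
    return names


def reconcile(xml_text, ssp_components):
    """List components that appear on only one side."""
    in_diagram = diagram_components(xml_text)
    in_ssp = {normalize(name) for name in ssp_components}
    return {"diagram_only": sorted(in_diagram - in_ssp),
            "ssp_only": sorted(in_ssp - in_diagram)}


if __name__ == "__main__":
    print(reconcile(DRAWIO_XML, SSP_COMPONENTS))
```

Anything in `diagram_only` is drawn but missing from the SSP; anything in `ssp_only` is claimed in the SSP but not drawn.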
SPRS — the Supplier Performance Risk System — is where DoD contractors self-report their NIST SP 800-171 compliance score. You calculate it, you submit it. No one checks it before you win a contract.
But that's changing. False SPRS scores are now the subject of False Claims Act litigation. In 2022, the DOJ announced its first civil case against a contractor for submitting a fraudulent SPRS score. The number isn't free.
A SPRS score of 110 submitted by a company with known, unmitigated gaps is not just a compliance failure — it's potential federal liability under the False Claims Act.
SPRS starts at 110. Each control that is Not Implemented (OTS — Other Than Satisfied) deducts points. The deduction per control varies from 1 to 5 points depending on the control's weight in NIST 800-171A. Controls marked Satisfied (SAT) or Not Applicable (N/A) don't deduct.
The minimum score is -203. The maximum is 110. A brand-new company with nothing implemented scores -203. A company with every control satisfied scores 110.
Most small DIB contractors scoring honestly fall somewhere between -50 and +80, depending on their environment maturity.
DoD has not published a passing threshold for SPRS. There is no minimum score required to hold a contract today. The score exists for contracting officers to assess relative risk between competitors.
What matters for CMMC assessment isn't the SPRS score — it's that every control the score is based on is documented in your SSP and assessable. The score is a byproduct of your assessment workbook, not a standalone number to optimize.
The right process: complete the assessment workbook control by control, honestly documenting SAT, OTS, or N/A for each. The workbook calculates the score for you. Submit that score to SPRS. Document your POA&M for every OTS control.
The wrong process: look up the maximum score and submit it without completing the assessment.
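The scoring process described above, as an added example that is not the bundle's workbook logic. The control names and weights are constructed placeholders; only the starting score of 110, the 1 to 5 point deduction for OTS, and the POA&M requirement come from the article. Beyond the arithmetic, it flags rows that were never assessed and OTS rows with no POA&M entry.

```python
START_SCORE = 110                 # the article: SPRS starts at 110
NO_DEDUCTION = {"SAT", "N/A"}     # statuses that do not deduct

# Constructed workbook rows: (control, weight, status, POA&M reference).
# Control names and weights are placeholders, not real per-control values.
WORKBOOK = [
    ("CTRL-01", 5, "SAT", None),
    ("CTRL-02", 5, "OTS", "POAM-001"),
    ("CTRL-03", 3, "OTS", None),      # gap with no POA&M entry
    ("CTRL-04", 1, "N/A", None),
    ("CTRL-05", 1, "", None),         # never assessed
]


def score_workbook(rows):
    """Score assessed rows and report what blocks an honest submission."""
    score = START_SCORE
    unassessed, missing_poam = [], []
    for control, weight, status, poam in rows:
        if not 1 <= weight <= 5:
            raise ValueError(f"{control}: weight {weight} outside 1-5")
        if status == "OTS":
            score -= weight
            if not poam:
                missing_poam.append(control)
        elif status not in NO_DEDUCTION:
            unassessed.append(control)
    return {
        "score": score,
        "unassessed": unassessed,
        "missing_poam": missing_poam,
        "ready_to_submit": not unassessed and not missing_poam,
    }


if __name__ == "__main__":
    print(score_workbook(WORKBOOK))
```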
Review what's included, then complete your purchase securely via Lemon Squeezy.