CMMC Readiness · Georgia Defense Suppliers

CMMC Phase 2 becomes contractual in November 10, 2026.Your assessor is booked. Your readiness partner shouldn't be.

On November 10, 2026, third-party CMMC Level 2 certification becomes the standard for new DoD awards involving CUI. Roughly 80,000 defense suppliers need Level 2 — and only a fraction are certified. The bottleneck isn't assessment; it's readiness. That's what we do, at a fixed price, in plain English.

No pitch on the triage call — we scope whether you're FCI or CUI, what level applies, and whether you even need us.

Fixed prices. No open-ended consulting meters.

You know the cost before we start. Assessment fees are 50% creditable against a retainer signed within 60 days.

CMMC Level 1 Readiness Package

$4,500

fixed price

For suppliers handling Federal Contract Information (FCI) only — most parts, components, and services suppliers.

  • Assessment of all 15 FAR 52.204-21 basic safeguarding controls
  • Plain-English findings — what passes, what fails, what it costs to fix
  • SPRS-ready documentation and annual self-assessment support
  • Affirmation guidance for your Authorized Official
Start Here

CMMC Level 2 Gap Assessment

from $9,500

fixed price, scoped by size & enclave complexity

For suppliers handling Controlled Unclassified Information (CUI) — drawings, specs, technical data on DoD programs.

  • Full NIST SP 800-171 gap analysis across all 110 controls
  • CUI scoping review — often the single biggest cost-saver
  • System Security Plan (SSP) outline and prioritized POA&M
  • Budget roadmap: what to fix now, what can wait, realistic costs
  • Deliverables structured so a C3PAO can work directly from them
Start Here

Cyber Insurance Readiness Assessment

$3,500

fixed price

For any business facing 2026 renewal requirements: MFA, EDR, tested backups, and a written incident response plan.

  • Controls review against current underwriting checklists
  • Written, tabletop-tested incident response plan
  • Named-coordinator structure insurers now require
  • Renewal-ready evidence package for your broker
Start Here

Assessment-ready — not "certified by us"

Only authorized C3PAOs certify, and a firm that remediates you cannot assess you. WRD is deliberately readiness-side: we prepare you and hand your assessor a clean package. Readiness services do not guarantee certification outcomes — anyone who guarantees certification is selling something else.

An operator across the table — not a checklist reseller.

Army Cyber Command pedigree

Our principal supervised defensive cyber operations at U.S. Army Cyber Command — the enterprise that defends Army networks. NIST 800-171 descends from the same doctrine he enforced operationally.

Local to the corridor

Based in the Augusta federal cyber corridor (Fort Gordon, Cyber Center of Excellence), within reach of the Robins AFB supplier base. We sit across the table, not across the country.

Plain-English deliverables

Findings your shop foreman and your CFO can both act on: what fails, what it costs, what order to fix it in. The POA&M is a work plan, not a compliance artifact.

Veteran-owned small business

SBA-certified service-disabled veteran-owned. We understand DoD supply-chain pressure because we sell into it ourselves.

Straight answers

What happens on November 10, 2026?

Phase 2 of the CMMC program begins under the 48 CFR acquisition rule. Third-party CMMC Level 2 certification — assessed by an authorized C3PAO, not self-attested — becomes the standard condition for new DoD contract awards involving CUI. If your contracts renew or recompete after that date, your certification status directly affects whether you can win them.

Do I need Level 1 or Level 2?

If you only handle Federal Contract Information (FCI) — basic contract data, purchase orders, specs that aren't export-controlled or marked CUI — Level 1 self-assessment applies (15 controls). If you receive, store, or create Controlled Unclassified Information — technical drawings, program data, ITAR-adjacent material — Level 2 applies (110 NIST 800-171 controls). Many suppliers overestimate their scope; a proper CUI scoping review frequently reduces the cost of compliance significantly.

Can White Rabbit Defense certify us?

No — and be cautious of anyone who says they can. Only authorized C3PAOs conduct certification assessments, and a firm that helps you remediate cannot also assess you. WRD is deliberately on the readiness side: we prepare you, build your evidence, and hand a C3PAO a clean package. We maintain referral relationships with assessors and will help you schedule one.

How long does it take to get assessment-ready?

It depends entirely on your starting posture and scope. A small FCI-only shop can be Level 1 ready in weeks. Level 2 readiness for a first-timer typically runs several months from gap assessment to assessment-ready — which is exactly why the November 10 date matters now, not next quarter. C3PAO calendars are already backed up.

Why a Georgia firm?

White Rabbit Defense sits in the Augusta federal cyber corridor — home of Army Cyber Command and the Cyber Center of Excellence at Fort Gordon — within reach of the Robins AFB supplier base. Our principal supervised defensive cyber operations at U.S. Army Cyber Command. NIST 800-171 descends from the same security doctrine he enforced operationally. You get an operator across the table, not a checklist reseller on a video call.

The clock is public. The queue is real.

Phase 2 arrives in November 10, 2026. A 30-minute call tells you what level applies to you, what it will roughly cost, and whether you have a timeline problem. Free, no pitch.

Book the Triage Call