A C3PAO assessment is the wrong place to discover surprises. Every unmet control found on assessment day costs you time, money, and — when a contract award hangs on your certification — revenue. A readiness assessment puts you back in control: you learn exactly where you stand against all 110 NIST SP 800-171 controls, what it takes to close each gap, and how to scope the work before anyone with a scoresheet walks through your door.
Schedule Your Readiness AssessmentOur readiness assessment is not a questionnaire and a PDF. Former Big Four auditors walk your environment control by control and hand you five concrete deliverables. You leave knowing exactly what a C3PAO would find — and exactly what to do about it, in what order, at what level of effort. That clarity is what lets you set a realistic budget and timeline instead of guessing.
Explore CMMC 2.0 RequirementsEvery one of the 110 NIST SP 800-171 controls is evaluated against your actual environment — met, partially met, or not met — with the supporting evidence, or the gap, documented for each.
We calculate your NIST 800-171 self-assessment score on the official -203 to +110 scale, ready to submit to the Supplier Performance Risk System — so the number you report to the DoD matches reality.
A sequenced plan that tells you which gaps to close first, what each fix actually involves, and the relative effort required — so you can budget and staff the work realistically.
Enclave or enterprise? We tell you whether isolating CUI in a secure enclave would shrink your assessment boundary and your cost — or whether enterprise-wide compliance fits how you operate.
A plain-English briefing for leadership: where you stand today, what it takes to get assessment-ready, and the decisions only executives can make — scope, budget, and timeline.
The process is tight and predictable, and you work directly with senior assessors — not junior staff learning on your dime. Every engagement follows the same four steps, scaled to the size and complexity of your environment. Most engagements run three to four weeks.
We map where FCI and CUI actually enter, move through, and leave your business — contracts, systems, people, and data flows — and agree on the assessment boundary. Getting scope right up front is what keeps everything after it efficient.
We examine your System Security Plan, policies, procedures, and existing documentation against each applicable control. Assessors don't take your word for it, and neither do we: if it isn't documented, it doesn't count.
We verify that controls actually operate — configurations, access restrictions, multi-factor authentication, logging, encryption — not just that they're written down. This is where paper compliance and real compliance part ways, and where most surprises hide.
You get your scored results across all 110 controls, your calculated SPRS number, and a prioritized remediation roadmap — delivered in a working session with your team, plus a separate executive readout for leadership.
Run this checklist before you book an assessor — or before you book us. If you can answer yes to all ten, you're ahead of most of the Defense Industrial Base. Every no is a finding waiting to happen.
1. Do you know exactly where CUI enters, moves through, and leaves your environment — including email, file shares, and endpoints?
2. Do you have a current System Security Plan that describes how each of the 110 controls is implemented — not just that it is?
3. Have you calculated and submitted a NIST 800-171 self-assessment score to SPRS — and can you defend every point of it?
4. Is multi-factor authentication enforced for all users — including administrators and remote access — not just some?
5. Is CUI encrypted in transit and at rest using FIPS-validated cryptography?
6. Do you have documented, tested incident response procedures that can meet the 72-hour DoD reporting requirement in DFARS 252.204-7012?
7. Are audit logs collected, retained, and actually reviewed — and would you notice if they stopped?
8. Have your subcontractors and cloud providers been vetted for where your CUI can legally live? Not every cloud qualifies.
9. Is security awareness training documented for every employee who touches FCI or CUI, with records to prove it?
10. Could you produce evidence for any given control — configurations, screenshots, tickets, logs — within a day of being asked?
You're hiring judgment, not a template. Here's whose judgment you get.
Essendis was built by former Big Four auditors and top-tier security engineers. We know how assessors think, what they sample, and where they dig — because we've done the digging. Your readiness assessment is run to the standard a C3PAO will hold you to.
Engagements are directed by our founders: Jim Schraepfer, CISO — a Deloitte alum holding CISA, CISM, CDPSE, CISSP, CCSP, and HCISPP — and Michael Schraepfer, CTO, holding CISSP, ITIL, and AWS Solutions Architect credentials. Credentials matter here because judgment matters here.
We've prepared defense contractors for the table and audited environments from the other side of it. When our client RPS Defense went through its CMMC Level 2 assessment with C3PAO A-LIGN, on an environment built with Essendis, it scored a perfect 110/110 — no POA&M required.
The roadmap you receive is yours. Remediate with your own team, hand it to your current IT provider, or keep working with us — there's no lock-in and no obligation. If your gaps trace back to scoping, many contractors close them fastest by moving CUI into a purpose-built secure enclave. If a C3PAO assessment is on your horizon, our Level 2 compliance services take you from roadmap to assessment-ready. Either way, you'll decide with a complete picture of where you stand.
Explore the CUI Secure EnclaveSee CMMC Level 2 Compliance Services