CMMC Level 2 Readiness. Engineered Right.

We help defense contractors and MSPs clarify CUI scope, achieve NIST SP 800-171 readiness, and build the documentation, evidence, and shared responsibility that stand up to assessment.

Reach Out to ForgePoint Now
Services For Managed Service Providers
Services For Prime and Sub Prime contractors

The Roadblocks We Help You Solve

  • A question mark icon on a dark background, indicating an unknown or unspecified image.

    Unclear CUI Scope

    Most organizations are unsure what's in scope leading to gaps, rework, and compliance risk.

  • Abstract icon of a person connected to various digital devices and nodes

    MSP Responsibility Confusion

    Shared responsibility isn't always clear. We define roles, responsibilities, and expectations — upfront.

  • An icon representing a document or a piece of paper with text.

    Documentation & Evidence Gaps

    Strong security isn't enough. We turn controls into complete, assessment-ready evidence.

Find Your Path

Modern multi-story commercial building with glass and white panels, large windows, and a landscaped entrance.

For Defense Contractors

Clarify whether Level 2 applies, where CUI may live, what NIST SP 800-171 readiness looks like, and what documentation and evidence need to exist.

EXPLORE CONTRACTOR SOLUTIONS →

Cloud icon with a shield in front of it, symbolizing cloud security or protection.

For MSPs

Support CMMC-exposed clients without becoming the accidental compliance authority, documentation owner, and executive risk translator by default.

EXPLORE MSP SOLUTIONS →

Services for Defense Contractors

  • Outline of a shield symbol.

    CMMC Level 2 Boundary Brief

    Rapid scoping to define CUI boundaries, clarify what's in scope, and reduce risk before committing to major spend.

    Learn more →
  • A minimalist black silhouette of a cat with pointed ears, whiskers, and a curved tail.

    Level 2 Readiness Assessment

    Control-by-control gap analysis aligned to NIST SP 800-171 and CMMC Level 2 with findings and remediation priorities.

    Learn more →
  • Icon of a document with bullet points and a folded corner

    SSP & POA&M Buildout

    Assessment-ready documentation with clear roadmaps and traceability. Built to reflect your actual environment, not a template.

    Learn more →
  • Silhouette of a person wearing a suit and tie

    Fractional CMMC Program Lead

    Ongoing leadership to drive implementation and sustain readiness. Expert guidance without a full-time hire.

    Learn more →
  • A shield with a checkmark symbol inside, representing security or protection.

    CMMC Level 1 Readiness Check

    Validate your FCI-only baseline against basic cybersecurity practices before advancing to a Level 2 pathway.

    Learn more →

Services for MSPs

A graphic of a person with a smiling face and five connected icons of faces around their head, representing social connections or networking.

MSP Shared Responsibility Review

clarify what the MSP owns, what the client owns, and what other vendors own.

LEARN MORE →

A pie chart with several segments and a bar graph in the lower-left corner.

CMMC Client Portfolio Triage

classify clients by likely exposure, urgency, and next-step path.

LEARN MORE →

Icon of two hands shaking, representing partnership or agreement.

CMMC Advisory Partner for MSPs

recurring advisory support for client conversations, safe positioning, CMMC opportunity .

LEARN MORE →

The Forge Point Method

  • Target reticle icon on a dark background

    1. Scope

    Define the boundary before recommending spend.

  • Icon of a map with a location pin

    2. Map

    Map readiness against practical NIST SP 800-171 expectations.

  • Gear with clock and pie chart inside

    3. Separate

    Separate client, MSP, vendor, and leadership responsibilities.

  • Stack of documents with a magnifying glass and checkmark.

    4. Structure

    Structure SSP, POA&M, and evidence around how the environment actually operates.

  • Cartoon of a girl with glasses and flowers in her hair, smiling.

    5. Decide

    Turn compliance uncertainty into executive decisions and accountable next steps.

CMMC Level 1 and Level 2 Are Not the Same Path

Level 1

  • Basic safeguarding of Federal Contract Information (FCI)

  • 17 practices

  • Self-assessment

  • FCI-focused basic safeguarding only

  • Good start. Not sufficient for CUI environments.

VS

Level 2

  • Protection of Controlled Unclassified Information (CUI)

  • 110+ practices (NIST SP 800-171)

  • Third-party assessment required

  • Deeper readiness, documentation, and evidence model

  • Required for most DoD contracts handling CUI

Heath Kellerman

Led by Experience. Focused on Outcomes.

ForgePoint Cyber is led by Heath Kellerman. Heath is an engineering-first CMMC practitioner with nearly 20 years of technical experience, more than 10 years in the MSP/security ecosystem, and direct experience across onboarding, deployment engineering, Zero Trust, SIEM/MDR, identity, cloud security, endpoint protection, compliance delivery, and partner enablement.

We combine deep technical expertise with practical advisory to help organizations achieve readiness the right way — efficiently, clearly, and with confidence.

Founder & Principal Consultant

ForgePoint Cyber

  • ~20 years of technical experience

  • 10+ years in MSP/security ecosystem

  • Zero Trust, SIEM/MDR, Identity, Cloud

  • Endpoint protection & compliance delivery

  • Deployment engineering & partner enablement

Calendar with a clock icon

Ready to take the next step?

Use the contractor path to identify the smallest paid engagement that produces a useful decision.

Schedule a Readiness Conversation
Schedule a Readiness Conversation