CMMC Level 2 Readiness. Engineered Right.
We help defense contractors and MSPs clarify CUI scope, achieve NIST SP 800-171 readiness, and build the documentation, evidence, and shared responsibility that stand up to assessment.
The Roadblocks We Help You Solve
-
Unclear CUI Scope
Most organizations are unsure what's in scope leading to gaps, rework, and compliance risk.
-
MSP Responsibility Confusion
Shared responsibility isn't always clear. We define roles, responsibilities, and expectations — upfront.
-
Documentation & Evidence Gaps
Strong security isn't enough. We turn controls into complete, assessment-ready evidence.
Find Your Path
For Defense Contractors
Clarify whether Level 2 applies, where CUI may live, what NIST SP 800-171 readiness looks like, and what documentation and evidence need to exist.
For MSPs
Support CMMC-exposed clients without becoming the accidental compliance authority, documentation owner, and executive risk translator by default.
Services for Defense Contractors
-
CMMC Level 2 Boundary Brief
Rapid scoping to define CUI boundaries, clarify what's in scope, and reduce risk before committing to major spend.
-
Level 2 Readiness Assessment
Control-by-control gap analysis aligned to NIST SP 800-171 and CMMC Level 2 with findings and remediation priorities.
-
SSP & POA&M Buildout
Assessment-ready documentation with clear roadmaps and traceability. Built to reflect your actual environment, not a template.
-
Fractional CMMC Program Lead
Ongoing leadership to drive implementation and sustain readiness. Expert guidance without a full-time hire.
-
CMMC Level 1 Readiness Check
Validate your FCI-only baseline against basic cybersecurity practices before advancing to a Level 2 pathway.
Services for MSPs
MSP Shared Responsibility Review
clarify what the MSP owns, what the client owns, and what other vendors own.
CMMC Client Portfolio Triage
classify clients by likely exposure, urgency, and next-step path.
CMMC Advisory Partner for MSPs
recurring advisory support for client conversations, safe positioning, CMMC opportunity .
LEARN MORE →
The Forge Point Method
-
1. Scope
Define the boundary before recommending spend.
-
2. Map
Map readiness against practical NIST SP 800-171 expectations.
-
3. Separate
Separate client, MSP, vendor, and leadership responsibilities.
-
4. Structure
Structure SSP, POA&M, and evidence around how the environment actually operates.
-
5. Decide
Turn compliance uncertainty into executive decisions and accountable next steps.
CMMC Level 1 and Level 2 Are Not the Same Path
Level 1
Basic safeguarding of Federal Contract Information (FCI)
17 practices
Self-assessment
FCI-focused basic safeguarding only
Good start. Not sufficient for CUI environments.
VS
Level 2
Protection of Controlled Unclassified Information (CUI)
110+ practices (NIST SP 800-171)
Third-party assessment required
Deeper readiness, documentation, and evidence model
Required for most DoD contracts handling CUI
Led by Experience. Focused on Outcomes.
ForgePoint Cyber is led by Heath Kellerman. Heath is an engineering-first CMMC practitioner with nearly 20 years of technical experience, more than 10 years in the MSP/security ecosystem, and direct experience across onboarding, deployment engineering, Zero Trust, SIEM/MDR, identity, cloud security, endpoint protection, compliance delivery, and partner enablement.
We combine deep technical expertise with practical advisory to help organizations achieve readiness the right way — efficiently, clearly, and with confidence.
Founder & Principal Consultant
ForgePoint Cyber
~20 years of technical experience
10+ years in MSP/security ecosystem
Zero Trust, SIEM/MDR, Identity, Cloud
Endpoint protection & compliance delivery
Deployment engineering & partner enablement
Ready to take the next step?
Use the contractor path to identify the smallest paid engagement that produces a useful decision.