CMMC Level 2 Implementation

We're in this with you,
until your assessment passes.

Fixed fee. Your CUI never lives on our systems. A senior team with decades in regulated cybersecurity, working inside your environment until your C3PAO signs off.

Cyber AB Registered Practitioner · RPA in progress · RPO application to follow · Senior-only delivery

01 / Pass guarantee

If we miss the first assessment, we don't stop.

No second invoice. That's our problem to manage, not yours to pay for.

02 / Zero CUI on our systems

Your data never leaves your environment.

We work inside your tenant, on your access. Nothing about your CUI ever lives here.

03 / Fixed-fee SOW

SOW signed before we start. That's the price.

No hourly billing. No discovery phase that quietly extends.

Major C3PAOs are sequencing 2026 capacity now. The companies that start now get assessed. The rest wait.

What you sign up for

Three promises. And how we keep them.

Almost every CMMC firm makes versions of these promises in their pitch. Below is how we make them structural — written into the contract, signed by both sides.

01 Pass guarantee

If we miss the first assessment, we keep working — no second invoice.

We agree a fixed fee at the start, signed in a Statement of Work. If your C3PAO says no on the first attempt, we don't stop and we don't bill you again. We'd rather take the hit than build a business that survives by billing more hours.

Senior team by design — decades in regulated cybersecurity. Senior-only delivery. No juniors on your environment.

02 Zero CUI on Ancitus systems

Your data never leaves your environment.

Most consultants need access to your CUI to do their work. Once they have it, your data temporarily lives on their laptops, in their email, on their SharePoint. That's a new attack surface you didn't have before they walked in. We work entirely inside your tenant, through your authenticated access. If we get breached tomorrow, your CUI is unaffected.

Documented in a Customer Responsibility Matrix that travels with every engagement.

03 Fixed-fee SOW

SOW signed before we start. No discovery phase that quietly extends.

We don't bill by the hour. There's no "discovery" phase that mysteriously needs another six weeks. The number on the SOW is the number you pay. If we underestimate the scope, that's our problem to manage — not yours to pay for. The horror stories about $40,000 quotes turning into $250,000 invoices? We made those impossible.

Fixed-fee SOW for Gap Assessment, Implementation, and Continuous Compliance — locked before any work begins.

Three ways to engage

Pick the stage you're actually at.

Stage 01 / Diagnose

CMMC Gap Assessment

4–6 weeks · Fixed fee

Best for: contractors who don't yet know where they stand.

We map your environment to NIST 800-171, document your real SPRS score, scope down where we honestly can, and hand you a defensible starting point. The kind of report you can show a board, a prime, or a buyer without flinching.

Stage 02 / Build

CMMC Implementation

12–18 weeks · Fixed fee · 40/30/30 payment

Best for: contractors with a fixed assessment date — or a prime asking when they'll have one.

Gap to assessment-ready in twelve to eighteen weeks, run with sprint methodology — fixed scope, fixed timeline, fixed fee. Technical remediation inside your environment, full documentation pack, mock assessment delivered by partner Lead CCAs, evidence package indexed to NIST 800-171A. The complete job, not a roadmap.

Stage 03 / Sustain

CMMC Continuous Compliance

Annual retainer · 15–25% of original engagement

Best for: contractors who passed and need to stay passed for the next three years.

Compliance drift between assessments now has financial teeth. In March 2025, MORSECORP agreed to pay $4.6 million to settle False Claims Act allegations — partly for letting its SPRS score go stale after a gap analysis showed it had dropped to -142. We stay in the engagement: quarterly evidence reviews, annual affirmation prep, control drift detection, regulatory change monitoring.

Operational reality

The DoD says Phase 2. Your prime says sooner.

Public deadlines describe when CMMC becomes contract-eligibility. Your private deadline — driven by your prime contractor — is almost always earlier.

| Phase | Date | What it means | Status |
|---|---|---|---|
| Phase 1 | Nov 10, 2025 | Self-assessments required in new DoD solicitations. | Live |
| Phase 2 | Nov 10, 2026 | C3PAO Level 2 certification required for contracts handling CUI. | 7 months |
| Phase 3 | Nov 10, 2027 | Option exercise on existing contracts triggers requirement. | 19 months |
| Phase 4 | Nov 10, 2028 | Full enforcement across the entire Defense Industrial Base. | 31 months |

Major primes are moving ahead of the DoD timeline. Boeing, L3Harris, and HII have already communicated CMMC requirements to their supply chains. If your prime hasn't sent the letter yet, treat this as your warning.

Things we say up front

What most consultancies don't lead with.

Three honest positions about who we are and what we don't do. Decide for yourself if they matter.

01 Cyber AB credentials

RP held. RPA in progress. RPO to follow.

Deepak Pal Singh is a Cyber AB Registered Practitioner, with Registered Practitioner Advanced (RPA) in progress. Ancitus's Registered Provider Organization application follows. Cyber AB processing typically takes four to eight weeks from application. We'll update this page the day each approval lands. You can monitor our credential status directly on the Cyber AB Marketplace.

02 No CCAs on staff

We don't carry CCA credentials. That's deliberate.

CCAs work on assessment teams at C3PAOs. We're an implementation consultancy. Cyber AB rules prohibit a single firm from both implementing controls for a client and then assessing that client — to protect assessment integrity. So we don't hold CCA credentials. What we do hold is deep familiarity with NIST 800-171A — the assessment guide your assessor will use — so we know exactly what they'll look for.

03 No commission on your cloud

We don't make money on your cloud licenses.

Most CMMC consultants will tell you to move to GCC High because they hold a Microsoft AOSG partnership and earn margin on every license they sell you. We don't. We'll recommend GCC High when it's right — and Azure Government, GCC plus an enclave, or AWS GovCloud when those are right. Our income is your engagement fee. Not your monthly Microsoft bill.

Senior team. By design.

Hire a senior team. Not a senior pitch with junior delivery.

Most large advisory firms have a senior partner front the sale and hand the work to junior consultants. We're built differently. Deepak Pal Singh personally leads every Ancitus engagement — first scoping call to certificate in hand. Delivery is executed by a team of senior engineers with deep regulated-environment experience. The team is growing. The principle stays: no juniors. Ever.

"You meet the principal. You stay with the principal. And the engineers under direct supervision are senior practitioners — not juniors learning on your environment. That's how every Ancitus engagement runs."

— Deepak Pal Singh, Founder & Principal

20+ years across regulated environments: financial services, energy, telecoms
100% senior-only engineering team
0 junior consultants on any client engagement

Free, no email required

Tools we built. Yours to use.

Built for our own engagements. Released to the wider DIB community because the path to Level 2 should be navigable, not gated.

Live · Reference matrix

Shared Responsibility Matrix

Every NIST SP 800-171 control mapped against four cloud platforms — GCC High, Azure Government, AWS GovCloud, and Google Assured Workloads. 110 requirements, 320 assessment objectives, inherited / shared / customer ownership documented for each.

Coming Q3 2026 · Interactive assessment

CMMC Readiness Assessor

Take 30 questions across 14 control families. Get your real estimated SPRS score using actual NIST 800-171 weighting. Per-family heatmap showing where you stand and what to fix first. No email required to use; gated only to save and share.


Discovery call

Let's see where you stand.

Thirty minutes. No pitch. We'll review your situation, give you a candid read on the work involved, and recommend a path — even if that path isn't us.

We respond within one business day · Fixed-fee engagements · No CUI on Ancitus systems