CMMC 2.0 · NIST SP 800-171 · DFARS 252.204-7012

CMMC readiness for small defense manufacturers — without the six-figure consultant.

Fixed-fee gap assessments. An SPRS score you can defend. A remediation roadmap your existing IT person can execute — no rip-and-replace, no scare tactics.

  • Fixed fees, quoted up front
  • Works with your current IT
  • Atlanta-based · serving the Southeast & remote

Who we serve

You got the letter from your prime. Now what?

If you machine parts, fabricate assemblies, build electronics, or move materiel for the defense supply chain, CMMC is now written into contracts — and your primes are asking for SPRS scores today. The big consultancies quote $50,000+ engagements. Generalist IT providers don't understand CUI scoping. You need someone in between.

Hardpoint Compliance works with small defense subcontractors — typically 25 to 250 people — who need to demonstrate NIST SP 800-171 compliance without derailing operations or replacing the IT setup that already works.

  • Precision machine shops
  • Aerospace & defense fabricators
  • Electronics assembly
  • Defense logistics & distribution
  • Any sub holding FCI or CUI under a DoD flow-down

Services

Start small. Scale when it makes sense.

Step 0 — Free

Readiness Call + Self-Scoping Checklist

$0 · 45 minutes

Where you actually stand, in plain language: what your contracts require, whether you handle CUI, and what your realistic next step is. You leave with a one-page self-scoping checklist either way.

Step 1

SPRS Quick Score

Typically $3,500–$5,000 · one week

A rapid review of your NIST 800-171 self-assessment: a defensible SPRS score, the justification behind every point, and your top-10 gap list. The low-friction way to stop guessing.

Step 2

Gap Assessment + Roadmap

Typically $12,000–$25,000 · 3–4 weeks

The full engagement: all 320 assessment objectives, evidence review, an SSP skeleton, a POA&M, and a prioritized remediation roadmap with real costs — sequenced so your existing IT person can execute it.

Every engagement is fixed-fee and scoped in writing before work begins.

How it works

Three steps. No mystery.

  1. 01

    Scope

    A short call and a structured questionnaire: which contracts you hold, what data you touch, where CUI actually lives. Most companies over-scope — this is where money gets saved.

  2. 02

    Assess

    Objective-by-objective against NIST SP 800-171A — interviews plus evidence, not a checkbox survey. You get findings you can hand to an assessor with a straight face.

  3. 03

    Roadmap & Support

    A prioritized, costed remediation plan — and if you want it, ongoing retainer support until you're through your assessment and beyond.

About

Why “Hardpoint”?

A hardpoint is where the weapon attaches to the aircraft — the mounting structure everything else depends on. We're where your compliance attaches to your business: engineered, load-bearing, and built to hold under inspection.

Hardpoint Compliance LLC is an Atlanta-based practice founded by Preston Lucas — a career IT and security leader with 18 years of hands-on experience running enterprise infrastructure, Microsoft 365 security, and live NIST-framework compliance programs, and a BS in Cybersecurity. We speak both languages: the assessor's and the shop floor's.

Practitioner, not salesperson

The person you talk to is the person who does the work.

Built for small shops

Right-sized engagements, plain-language deliverables, no enterprise bloat.

Straight answers

If you don't need us — or don't need CMMC Level 2 at all — we'll tell you on the free call.

FAQ

Questions every owner asks

Do we actually have to do this, or is CMMC another deadline that will slip?

The underlying obligation — NIST SP 800-171 under DFARS 252.204-7012 — has been in contracts for years. CMMC is the enforcement wave: it's now appearing in new solicitations and flowing down from primes. Even where CMMC language hasn't reached your contract yet, primes are already requiring SPRS scores from suppliers. Waiting doesn't make it cheaper; it compresses your timeline.

What's an SPRS score and why does my prime keep asking for it?

It's your NIST 800-171 self-assessment score (the scale runs from -203 to 110), posted to the DoD's Supplier Performance Risk System. Primes check it before awarding work. An inflated score you can't defend is worse than a low one — misrepresentation carries False Claims Act risk. We produce scores with the evidence trail behind every point.

Level 1 or Level 2 — which one is our problem?

Roughly: if you only touch Federal Contract Information, Level 1 (17 practices, self-assessed). If you touch Controlled Unclassified Information — drawings, specs, technical data marked for control — Level 2 (110 controls, and for most defense work a third-party assessment). Scoping which one applies, and shrinking where CUI lives, is usually the highest-value work we do.

How long does it take to get ready?

Depends entirely on your starting point and scope. A focused small shop can often reach a defensible posture in a few months; complex environments take longer. That's a scoping-call answer, not a brochure answer — which is why the first call is free.

Do you guarantee we'll pass certification?

No — and you should walk away from anyone who says yes. Certification decisions belong to the assessor, not the consultant. What we guarantee is honest scoping, evidence-based findings, and deliverables built to the same objectives an assessor will test against.

Do we have to replace our IT company?

No. We do the compliance layer and work alongside your existing IT provider — most of the remediation roadmap is written specifically so they can execute it. If gaps require new capability, we'll say so plainly and let you decide who builds it.

Contact

Find out where you stand — free, 45 minutes, no pitch.

Tell us what your prime is asking for and what you make. We'll tell you what your realistic next step is — even if it's “you don't need us.”

Based in Atlanta, Georgia · serving small manufacturers across the Southeast and remote nationwide.