📋 Phase 1 Engagement

CMMC Level 2 Roadmap (Phase 1)

A focused 2–4 week engagement to assess your current state, define your CUI boundary, and build a realistic project plan to get CMMC Level 2 “ready” for a C3PAO.

Schedule a Roadmap Call Download Roadmap Overview
What It Is

Your First Step to CMMC Level 2 Readiness

The Cadra CMMC Level 2 Roadmap is a short, structured engagement where we:

  • Assess your current environment, CUI boundary, and CUI processes
  • Identify gaps against NIST 800‑171 / CMMC Level 2
  • Develop a practical project plan to get you to “C3PAO‑ready”
We do not perform technical implementation or write all of your CMMC documentation in this phase. Those activities come later, if you choose to move forward with additional phases.

This Roadmap is about clarity: knowing what you have today, what’s missing, and how to get from here to ready.

Who It’s For

Is This Roadmap Right for You?

This engagement is ideal if you:

  • Are a small or mid‑size DoD contractor or subcontractor handling CUI/FCI
  • Expect CMMC Level 2 in your contracts or from your primes
  • Have some security controls and tools in place but no clear picture of “are we close or far?”
  • Work with an internal IT team and/or MSP who will own implementation work
  • Need a concrete, realistic plan you can share with leadership, IT, and your prime
The Process

What Happens During the Roadmap

Over 2–4 weeks, we work through four core activities:

1

Current State Assessment

  • Review your existing network, systems, users, and high‑level architecture
  • Understand how you currently handle access, encryption, logging, and CUI workflows
  • Perform discovery on any existing policies, procedures, and security documentation
2

CUI Boundary & Process Mapping

  • Identify where CUI is created, processed, stored, and transmitted
  • Define the CMMC assessment boundary and in‑scope systems
  • Map key CUI processes (who does what, where, and with which tools)
3

Readiness & Gap Analysis

  • Compare your current state to NIST 800‑171 / CMMC Level 2 requirements
  • Highlight likely gaps—especially in access control, encryption, and evidence/logging
  • Prioritize issues by risk and effort so you know what matters most first
4

Project Plan Development

  • Build a practical project plan for your team and technical partners to execute
  • Outline workstreams (identity & access, endpoint, email, backups, policies)
  • Define milestones, dependencies, and rough timelines to reach “C3PAO‑ready”
  • Clarify what should be handled by your MSP versus internal staff
What You Receive

Roadmap Deliverables

At the conclusion of the Roadmap, you’ll receive:

  • 📄
    Current State Summary A concise view of your existing environment and CUI handling
  • 🗺️
    CUI Boundary Diagram (planning-level) Showing in‑scope systems, users, and data flows
  • 📊
    Readiness Snapshot A high‑level view of where you align, partially align, or do not align with CMMC Level 2 controls
  • 📋
    Prioritized Project Plan A sequenced list of initiatives your technical team/MSP can execute, mapped to NIST 800‑171/CMMC requirements
  • 📑
    Executive Briefing A short presentation you can use with leadership and primes explaining where you are today and your path to readiness
We do not produce a finished SSP, POA&M, or full policy set in this phase. Instead, we give you the plan those artifacts will be built from.
The Bigger Picture

Phase 1 Now. Documentation and Remediation Later.

Think of the Roadmap as Phase 1 of your CMMC Level 2 journey.

This Engagement

Phase 1 – Roadmap

Assessment, CUI boundary, readiness snapshot, and project plan.

Implementation Advisory

Working alongside your technical team/MSP as they execute the project plan.

Detailed Gap Assessment

A second-look gap assessment after changes are made to validate progress.

Full CMMC Documentation

SSP, POA&M, policies, procedures, and supporting evidence packages.

Pre‑Assessment Readiness Review

Final validation before your C3PAO engagement begins.

You’re not committing to all those phases now. You’re committing to a focused, 2–4 week engagement that answers: What will it really take for us to be CMMC Level 2 ready?

Why Cadra

Why Cadra for Phase 1

🎯

CMMC Level 2 Specialization

We work every day with organizations in your exact situation—needing clarity before committing to major changes.

🔓

Independent of Tools & MSPs

We don’t sell products or implementation services, so your roadmap is technology‑agnostic and tailored to you.

⚙️

Practical, Not Theoretical

We focus on what your team can realistically execute in stages, not idealized “perfect” environments.

📝

Documentation-Centric Mindset

Even in Phase 1, we think ahead to how your future controls will be justified and evidenced during assessment.

Get Started

Timeline, Investment, and How to Get Started

⏱ Timeline

Typical Roadmap duration: 2–4 weeks from kickoff. Engagement includes discovery sessions, document review, analysis, and a final readout workshop.

💼 Investment

Offered as a fixed‑fee engagement based on your size and complexity. After a short discovery call, we’ll provide a scoped proposal with a firm price so there are no surprises.

How to Get Started

  1. Schedule a 15–20 minute discovery call.
  2. We confirm fit, scope, and timeline and send a fixed‑fee proposal.
  3. Upon approval, we schedule kickoff and send a clear information request list so we can hit the ground running.
Schedule a Roadmap Call Request Roadmap Proposal

Ready to Get Clarity on Your CMMC Journey?

A 2–4 week engagement that tells you exactly where you stand and what it takes to get CMMC Level 2 ready.

Schedule a Roadmap Call Download Roadmap Overview