BLACKWATCH
Compliance  ·  LLC  ·  CMMC RPO
Defend  ·  Certify  ·  Prevail
Initializing Secure Connection
0%
Cyber-AB Registered Provider Organization

Defend. Certify. Prevail.

CMMC Compliance · Built for Defense Contractors

BlackWatch Compliance is a Cyber-AB Registered Provider Organization. We guide defense contractors through every step of CMMC certification — before the deadline costs you your contract.

Live Intelligence
Contractors Exposed
300K
Currently Certified
<1%
C3PAO Wait Time
18MO
Phase 2 Status
ACTIVE
Scroll to explore
CMMC Level 1 Compliance Gap Assessments System Security Plans NIST 800-171 Alignment Remediation Consulting Pre-Assessment Readiness Ongoing Compliance Retainers POA&M Development Defense Industrial Base Experts CMMC Level 1 Compliance Gap Assessments System Security Plans NIST 800-171 Alignment Remediation Consulting Pre-Assessment Readiness Ongoing Compliance Retainers POA&M Development
Arsenal

Full-Spectrum
CMMC Services

Every service your organization needs — from first assessment to certification day and beyond.

01
🔍

Gap Assessment

Deep recon of your cybersecurity posture across all 110 NIST 800-171 controls. Full threat map and remediation roadmap delivered.

From $4,000
02
📄

SSP Development

Your System Security Plan — the most scrutinized document in any C3PAO assessment. We build it bulletproof and evidence-ready.

From $15,000
03
🛠️

Remediation

Hands-on execution to close every gap. Control implementation, system hardening, and evidence collection — done right.

$225–$275/hr
04
📁

Documentation Suite

Custom policies, procedures, POA&M, and evidence packages — everything a C3PAO assessor needs to see on day one.

From $8,000
05
🎯

Mock Assessment

A live-fire simulation of the C3PAO assessment. We surface and eliminate every remaining vulnerability before it counts.

From $8,000
06
🔄

Compliance Retainer

Continuous overwatch between your 3-year C3PAO cycles. Always audit-ready. Always protected. Never caught off guard.

From $1,500/mo
Phase 2 Is Active.
Your Window Is Closing.
93
Authorized C3PAOs
80K
Need Level 2
18mo
Avg Wait Time
The Firm

Built by Practitioners.
Not Theorists.

BlackWatch was founded on a simple observation: the Defense Industrial Base is full of contractors being failed by compliance programs built for someone else's environment.

Fast-track cohorts, generic templates, and automated tools work for the median contractor. The median contractor doesn't exist in the real DIB. We built BlackWatch for the ones with complex scopes, dual-agency obligations, legacy systems, and supply chains that don't fit a standardized mold — because those are the contractors who need a real advisor in their corner, not a portal. Our mission is simple: get you certified and keep you that way, without surprises.

DR
David Rymer
Co-Founder & CMMC Registered Practitioner

David brings 17 years of hands-on network and security engineering experience — spanning Cisco, Palo Alto, SD-WAN, and cloud platforms across AWS, GCP, and Azure — to the compliance advisory space. Where most practitioners understand the regulatory framework in theory, David understands the infrastructure it has to govern in practice. That combination means BlackWatch clients get SSPs, scoping decisions, and remediation guidance grounded in how systems actually work, not how they're supposed to work on paper.

CMMC Registered Practitioner · Cyber-AB
17 Years Network & Security Engineering
Cisco · Palo Alto · SD-WAN · AWS · GCP · Azure
DFARS · NIST 800-171 · CUI Scoping
MF
Michelle Flono
Co-Founder & CMMC Registered Practitioner

Michelle is the compliance architecture and client strategy force behind BlackWatch. With her Cyber-AB RP credential in hand, she brings structured rigor to every engagement — ensuring that gap assessments, SSP development, and documentation packages aren't just technically accurate, but defensible under the scrutiny of a live C3PAO assessment. Michelle's approach is built around one principle: a compliance posture you can't explain and defend isn't a posture — it's a liability.

CMMC Registered Practitioner · Cyber-AB
Compliance Strategy & Program Architecture
SSP Development · POA&M Management
C3PAO Assessment Preparation
17+
Years Combined Network & Security Experience
2
Cyber-AB Registered Practitioners on Staff
110
NIST 800-171 Controls We Know Cold
100%
U.S. Owned · Nationwide Coverage
Client Profiles

Not Every Contractor
Fits the Template.

Most CMMC programs are built for the simplest possible environment. If you see yourself below, you need more than a fast-track program — you need BlackWatch.

🏭

The Multi-Site Manufacturer

Multiple facilities with inconsistent security postures across locations. A single SSP can't cover you unless every site is scoped, documented, and normalized. Fast-track programs assume one environment. You don't have one.

Multiple Facilities OT/IT Boundary Complex CUI Scope
⚖️

The Dual-Agency Contractor

You hold contracts under DFARS and FAR or HSAR simultaneously — two CUI regimes, two incident-reporting clocks, two sets of safeguarding obligations that don't always align. Most advisors know one side. We know both.

DFARS + HSAR DHS/DoD Overlap Dual CUI Regimes
🔁

The Post-Failure Contractor

You completed a fast-track program or self-assessment and hit a wall — failed assessment, open POA&M items, or gaps that automation missed. You've learned what a template can't cover. Now you need someone to build what the template left out.

Open POA&M Items Assessment Gaps Remediation
⏱️

The Sub Under Pressure

Your prime is pushing CMMC requirements downstream and your contract award is tied to certification status. You don't have nine months. You need a practitioner who can build a defensible posture under a compressed timeline without cutting corners that become findings.

Prime-Driven Deadline Contract at Risk Compressed Timeline
🔗

The Contractor with a Supply Chain

Subcontractors, suppliers, or a managed service provider have access to systems touching CUI. That makes you responsible for compliance you don't fully control. Your SSP must account for flow-down obligations and third-party access — no template handles this.

Sub/Supplier CUI Access MSP Risk Flow-Down Obligations
🌐

The ITAR/EAR Contractor

Export control obligations layer on top of your CMMC requirements. ITAR and EAR intersect with CUI classification, personnel access controls, and foreign national restrictions in ways that require deliberate scoping before a single SSP control is written.

ITAR Obligations EAR Compliance CUI + Export Overlap
Mission Brief

Your Path
to Certified

01

Strategy Call

Free 30-min session. We map your fastest path to certification.

02

Gap Assessment

Full 110-control audit. Complete findings with prioritized actions.

03

Remediation

Close every gap. Build every document. Harden every control.

04

Mock Audit

Full C3PAO simulation. Find and fix anything before it counts.

05

Certified

Assessment day. You walk in prepared. You walk out certified.

Investment

Transparent Pricing.
No Surprises.

Every engagement is scoped in writing. You always know exactly what you're getting.

Starter
$4,000
starting · Level 1 scope

For small contractors under 50 employees pursuing Level 1 readiness.

  • Level 1 Gap Assessment
  • 15-Control Review
  • Remediation Roadmap
  • Policy Templates
  • 30-Day Support
Get Started
Most Requested
Level 2 Complete
$35,000
starting · full readiness

End-to-end Level 2 preparation from gap assessment through C3PAO day.

  • 110-Control Gap Assessment
  • Complete SSP Development
  • Full Policy & Procedure Suite
  • POA&M Development
  • 40 Hours Remediation
  • Mock C3PAO Assessment
  • C3PAO Referral & Coordination
Get Started
Retainer
$1,500
per month · continuous

Ongoing support to keep you audit-ready between 3-year assessment cycles.

  • Monthly Compliance Reviews
  • Annual Affirmation Support
  • Policy Updates
  • Incident Response Guidance
  • Priority Support Line
Get Started
Free Resource · No Cost

Are You Ready for FAR 52.222-90?

The new clause is live and flowing down past the micro-purchase threshold. Most small defense contractors don't yet know where they're exposed. This 5-minute self-diagnostic shows you exactly where the gaps are — before a contracting officer, prime, or auditor finds them first.

  • Pinpoint which contracts and mods are actually in scope
  • Catch the flow-down language that gets subs to refuse signing
  • See whether your records & verification posture would survive review
  • Know if you're running a compliance system — or a fire drill
◆ The Readiness Check
FAR 52.222-90
Readiness Check
A BlackWatch self-diagnostic for DIB contractors
Get the Free Checklist →
Instant access · PDF download
Ready to
Prevail?

Book a free 30-minute CMMC Strategy Session. No pitch. No pressure. Just a clear path to certification.

Cyber-AB Registered Provider Organization  ·  100% U.S. Owned  ·  Nationwide
📞  1-800-682-6495   |   ✉  info@blackwatchcompliance.com