CMMC 2.0, NIST 800-171r2, FAR 52.204-21

Compliance Experts


A Small Security Firm You Can Trust - Greater Boston

Cyberfox Security is a CMMC approved Registered Provider Organization (RPO). We provide professional cybersecurity consultation and services to Defense Industrial Base (DIB) and Defense Supply Chain (DSC) contractors. We specialize in CMMC and NIST 800-171 Gap reviews and remediation. Our experienced CMMC Registered Providers (RPs) work alongside clients to simplify the web of CMMC requirements and help them meet CMMC compliance. We have extensive experience working with DoD, Defense Industrial Base (DIB) contractors, and Federally Funded Research and Development Centers (FFRDCs) in the areas of cybersecurity and compliance.

Why Cyberfox Security?

Our experts have been in this industry for over 25 years and include Air Force veterans who have worked with DoD and the US Intelligence Community. They have advised many defense contractors, including ACS Defense Inc., Lockheed Martin Corp., Northrop Grumman Corp., and several Federally Funded Research and Development Centers (FFRDCs), in the areas of cybersecurity and compliance with DoD and Intelligence Community directives and standards such as ICD 503, NIST 800-53, NIST 800-171, and others. We know how government auditors and assessors interpret directives and standards, what they are looking for, and the best way to prepare for audits because we have served in these capacities. You can trust the knowledge and experience that we bring to your table.

In addition, we are a CMMC 2.0 Registered Provider Organization (RPO) with CMMC 2.0 Registered Practitioners (RP) and CISSPs on staff.  Most recently, one of our consultants completed Certified CMMC Professional (CCP) Training. This is the first requirement in becoming a Certified CMMC Auditor (CCA).

Our Gap Assessment Deliverables Include (required by DoD)

• Gap Assessment Report of Findings.
• System Security Plan (SSP).
• Tailored Plan of Actions and Milestones.
• Supplier Performance Risk Score (SPRS).

Recent CMMC 2.0 Changes

Responsibility for CMMC has moved from the DoD Office of the Undersecretary of Acquisition and Sustainment to the DoD Chief Information Officer.
The DoD CIO is responsible for the security of all DoD systems (Army, Navy, Air Force and Marine Corps), including classified systems. This change means the office is now also responsible for the systems of Defense Industrial Base (DIB) contractors that are subject to CMMC. Under the DoD CIO, all DIB contractors that have CUI in their contracts will be required to be assessed by a Third Party Assessor Organization (C3PAO) and achieve CMMC 2.0 Level 2 Certification. The DoD CIO streamed a townhall session on February 10 to discuss these changes and other pending changes. Other DIB contractors that have only Federal Contract Information (FCI) requirements can still self-assess under FAR 52.204-21.
A note of caution: we have worked with several companies at both CMMC Level 1 and Level 2 that have conducted self-assessments, calculated an SPRS score in the +40 to +60 range, and submitted those scores to DoD. These companies subsequently asked Cyberfox to conduct gap reviews for them. Our gap reviews yielded SPRS scores ranging from -18 to -200. Under CMMC 2.0, company executives will be required to certify with a signature that the scores they submit are accurate. This potentially leaves them at risk of violating the False Claims Act.

Additional CMMC Related Services Include

  • CMMC Security and Compliance Program Development.
  • vCISO Services to advise and help maintain compliance after a CMMC Assessment.

Consultation & Assessments



Training & Documentation

Contact us today to schedule your new client consultation
or to learn about our services.

(833) 463-6804

About Us

The owner and founder of our security firm has been in this industry for over 25 years. He is a retired Air Force veteran and has worked with and advised many companies, including ACS Defense Inc., Lockheed Martin Corp., Northrop Grumman Corp., and several Federally Funded Research and Development Centers (FFRDCs). You can trust the knowledge and experience that he brings to your table. We offer a wide variety of personalized business relationships with our partners. Our business model is best-value pricing, and we work hard to help clients make optimal security decisions without attempting to oversell.

Thank you for your interest. We look forward to hearing from you soon.

(833) 463-6804
By Appointment Only

Mailing Address
Cyberfox Security Consulting
PO Box 183
Norfolk, MA 02056

Service Area
Greater Boston
