CMMC Phase 1 is live — 48 CFR is in effect

CMMC Level 2 readiness for small defense subcontractors

You make parts for the DoD. We make sure you can keep doing that. Purpose-built software and expert engineering for shops with 10–150 employees handling CUI.

  • 220,000+: Defense contractors & subcontractors affected by CMMC
  • Nov 2026: Phase 2 begins — third-party C3PAO assessments required
  • 6–12 mo: Average time to reach audit readiness for small manufacturers

Three questions that keep small DIB subs up at night

You're a machine shop, not a cybersecurity firm. CMMC shouldn't require you to become one. But right now, you're stuck.

01

"What controls apply to my business?"

110 controls in NIST 800-171. Not all of them apply to every shop. But figuring out which ones do — and which are inherited from your MSP or Microsoft — takes expertise you don't have on staff.

02

"What does 'implemented' actually look like?"

The standard says "limit system access to authorized users." Great — but what does that mean for your 50-person shop with M365 and a shared drive? You need concrete, small-business-specific implementation guidance.

03

"Can I show evidence an assessor will accept?"

A C3PAO won't take your word for it. They need screenshots, config exports, policy documents, and audit logs — organized by control, dated, and defensible. A folder of random files won't cut it.

From confused to assessment-ready

Our platform and engineering services answer all three questions — in language you actually understand.

Step 01

Scope your environment

A guided intake determines your CMMC level, which controls apply, and which are inherited from your cloud provider or MSP. No guesswork — deterministic logic based on your actual setup.

Step 02

Implement with guidance

For each applicable control, see exactly what an assessor looks for, what "implemented" means for a small shop, and common failure modes. AI-assisted policy drafts give you a head start. You own final approval.

Step 03

Prove it with evidence

Upload screenshots, PDFs, and config exports into a structured evidence vault — tagged by control, dated, and organized the way an assessor expects. Export a complete evidence bundle when you're ready.

Built for shops, not security teams

Every feature exists to answer one of the three questions. Nothing else made the cut.

🎯

Scoping Engine

Guided intake determines applicable controls, inherited responsibilities, and risk flags. Your 110 controls become a manageable, prioritized list.

📋

Control Workspace

Plain-English explanations, assessor expectations, small-business examples, and common failure modes for each high-leverage control.

🗄️

Evidence Vault

Structured uploads tagged by control ID, evidence type, and date. Export an organized, assessor-ready bundle — not a folder of random screenshots.

📝

Policy Generator

AI-drafted policies for Access Control, Incident Response, Configuration Management, and more. Editable, mapped to controls, watermarked "Draft — requires review."

AnchorPoint — Control Workspace

Access Control
  • AC.L2-3.1.1: Authorized Access
  • AC.L2-3.1.2: Transaction Control
  • AC.L2-3.1.3: CUI Flow Control
  • AC.L2-3.1.5: Least Privilege

Identification & Auth
  • IA.L2-3.5.1: Identification
  • IA.L2-3.5.3: MFA

AC.L2-3.1.1: Limit system access to authorized users (Partially Implemented)

What an assessor looks for

Evidence that only authorized personnel can access systems that store, process, or transmit CUI. This includes user account lists, access approval records, and disabled/removed accounts for departed employees. For M365 environments: Entra ID user list, Conditional Access policies, and guest access settings.

Evidence (2 of 3 uploaded)
  • PDF: entra-id-user-export.pdf, Jan 15, 2026
  • PNG: conditional-access-screenshot.png, Jan 15, 2026
  • Missing: Guest access policy export

Transparent pricing. No surprises.

Choose the level of support that matches where you are in your CMMC journey.

Tier 1
Platform
Self-service access to the full AnchorPoint platform for teams with some internal security knowledge.
$499/month
Annual commitment. $4,990/yr billed annually.
  • Scoping & applicability engine
  • Control workspace covering 15–20 high-leverage controls
  • Evidence vault with structured tagging
  • AI-drafted policy generator (6–8 core policies)
  • Readiness dashboard
  • Read-only MSP/auditor access
  • Evidence bundle export
Tier 3
Full Readiness Engineering
End-to-end readiness: gap assessment, enclave design, SSP development, mock assessment, and more.
$25–50K
Fixed fee. Scoped per engagement. 3–6 month timeline.
  • Everything in Guided Readiness
  • Full 110-control NIST 800-171 gap assessment
  • CUI scoping & enclave design
  • Network & scope map generation
  • SSP development (draft + review cycles)
  • Technical control implementation guidance
  • Evidence collection strategy per control
  • Mock assessment / pre-assessment dry run
  • POA&M development
  • 12 months platform access included
Free Tool

Not sure where you stand? Take the Readiness Self-Check.

Answer 5 questions about your business. Get an instant assessment of your likely CMMC level, key risk areas, and a realistic timeline — no sales call required.


Your fixed point in CMMC readiness

AnchorPoint exists because small defense subcontractors deserve better than a generic GRC platform with CMMC bolted on — or a $300/hr consultant with a spreadsheet.

We exclusively serve shops with 10–150 employees that handle CUI and need CMMC Level 2 readiness. That focus means every feature, every piece of guidance, and every policy template is built for your exact situation: your size, your M365 environment, your constraints.

We're not assessors. We don't certify you. We get you to the point where a C3PAO won't waste your time or theirs.

  • 🛡️ Registered Practitioner (RP)
  • 📋 NIST 800-171 Specialist
  • ☁️ Microsoft 365 / GCC Expert

Why Small Shops Choose Us
  • Average time to assessment-ready: 6 months
  • Typical cost vs. traditional consulting: 40-60% less
  • Onboarding time: < 60 min
  • Employee range we serve: 10–150
  • Controls covered in MVP: 15–20 high-leverage

Common questions

Does AnchorPoint certify us for CMMC?
No. Only an accredited C3PAO can certify your organization. AnchorPoint prepares you for that assessment — we help you scope your environment, implement controls, collect evidence, and generate policies. We get you to the point where you're ready for a C3PAO, not certified by one. Think of us as the training before the exam.
Do we need GCC High to use AnchorPoint?
Not for our MVP. We support organizations on M365 Commercial or GCC. GCC High is ideal for many CUI-handling organizations, but it's not universally required and it's a significant cost jump. We'll help you determine what's actually necessary for your situation during scoping. If GCC High is the right move, we'll tell you — but we won't push you there prematurely.
How is this different from Vanta, Drata, or other GRC platforms?
Those platforms are excellent for SaaS companies pursuing SOC 2 or ISO 27001. They're built for engineering teams at software companies. AnchorPoint is built for small defense subcontractors — machine shops, fabricators, and manufacturers who handle CUI, don't have a CISO, and need CMMC Level 2 specifically. Every piece of guidance in our platform is written for your context, not adapted from a generic security framework.
What if we already have an MSP?
Great — your MSP handles your IT. AnchorPoint handles your CMMC readiness. We give your MSP read-only access to the platform so they can see which controls are their responsibility, what evidence they need to provide, and where gaps exist. Many of our clients' MSPs tell us the platform replaces the spreadsheets they were using to track compliance tasks.
How long does it take to get assessment-ready?
For a typical small subcontractor, 6–12 months is realistic. Companies that are starting from scratch (no existing policies, no MFA, no documented controls) are on the longer end. Companies with a decent IT foundation and an MSP can move faster. Our Guided Readiness and Full Readiness Engineering tiers are designed to compress that timeline as much as responsibly possible.
Does the AI in the platform make compliance decisions?
No. AI is used to draft policies, explain controls in plain English, and highlight possible gaps — but it never makes compliance determinations, scores your readiness as pass/fail, or interprets whether your evidence is sufficient. Those decisions are made by you (with guidance from our experts in Tier 2 and Tier 3). We believe compliance determination must always involve human judgment.
What happens after we're assessment-ready?
You keep your platform subscription active. Your evidence vault, policies, and control statuses need to stay current — CMMC isn't a one-time event. You'll need to maintain your security posture and prepare for re-assessment every three years. AnchorPoint gives you the ongoing structure to do that without rebuilding from scratch each cycle.