Cyber AB Registered RPO · CMMC Level 2 Readiness
CMMC readiness & RPO advisory
August Schell is a CMMC Registered Provider Organization, registered with the Cyber AB. Think of us as the accountant who prepares your return: we get you audit-ready for CMMC Level 2 — scoping, readiness, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves — and we can sit beside you through your certification assessment.
The engagement
What getting audit-ready covers
Six workstreams, scoped to what you actually need.
See the work →01The work
What our RPO advisory delivers
Readiness is more than documentation. We work the full path — from defining what’s actually in scope to sitting beside you on assessment day.
02Managed CUI enclave
A compliant home for CUI — without rebuilding everything
Bringing your whole environment into scope is the expensive way to comply. A managed enclave gives CUI a secure, segmented home — and shrinks your assessment boundary with it.
Build
Aligned to NIST SP 800-171
We design and build a secure, segmented enclave for storing and processing CUI — aligned to the 110 controls from day one, so compliance is the architecture rather than an afterthought.
Manage
We run it, you use it
August Schell operates the enclave as a managed service. Your team works inside it; ours keeps the technical controls implemented, monitored, and consistent.
Document & advise
Ready for your assessor
We document the enclave for your assessment and advise you through the business-process controls only your team can own — the people-and-process half of CMMC.
Typically a one-year commitment, scoped to your environment and user count. Your starting-at pricing arrives with our first reply.
Ask about the enclave03NIST SP 800-171
Implement, don’t just document
CMMC Level 2 assesses the 110 controls in NIST SP 800-171. Writing them down isn’t the same as living them — and assessors know the difference.
Documentation-only preparation is one of the most common reasons organizations fail. We help you implement and operationalize each control with real evidence — so what’s on paper matches what an assessor finds.
04Prepare or certify
Two roles, kept independent.
Think of it like your taxes: an RPO is the accountant who prepares your return — and can sit beside you in the audit. A C3PAO files it. Cyber AB rules keep the two independent.
If you need preparation
RPO — readiness & advisory
Scoping, readiness assessment, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves. This page. We get you audit-ready, and we can sit with you through the assessment itself.
Request an RPO evaluation →If you’re ready to certify
C3PAO — certification assessment
The formal CMMC Level 2 assessment, performed by our all-W-2, in-house Lead CCAs. This is the assessment that goes on record in SPRS.
C3PAO Assessment →Prepare with us, certify independently. August Schell is both an RPO and an authorized C3PAO — but Cyber AB rules mean we can’t certify a client we prepared within the last three years. If we get you ready, August Schell will coordinate an independent C3PAO for your certification. Want us to assess you instead? Start with the C3PAO Assessment.
05Why August Schell
One partner for the whole path
RPO advisory, managed services, and — independently — C3PAO certification under one roof. The people who prepare you will still be here for your three-year recertification.
- Registered RPO — registered with the Cyber AB to prepare organizations for CMMC.
- Authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment, with the conflict-of-interest line drawn exactly where the Cyber AB draws it.
- Engineering-first history — readiness work delivered by the same firm that has built and secured federal infrastructure for 30+ years.
- Rockville, Maryland — 1700 Rockville Pike, Suite 405, in the heart of the federal corridor.
06FAQ
Common questions
What’s the difference between an RPO and a C3PAO?
An RPO prepares you — advisory and remediation. A C3PAO performs the formal certification assessment. By Cyber AB rules, the same firm can’t do both for you within three years.
What is a CMMC readiness assessment?
An advisory evaluation of your posture against CMMC requirements — it surfaces control gaps, risks, and scoping issues. It is not a certification.
How long does it take to get CMMC-ready?
Commonly several months to a year for Level 2, depending on your starting maturity, environment, and CUI scope.
What’s a CUI enclave?
A compliant, segmented environment for storing and processing CUI. We can build and manage it for you and document it for your assessment.
Are our MSPs and cloud providers in scope?
Yes — external providers that affect your security controls are in the assessment boundary, and cloud services handling CUI must meet FedRAMP Moderate or equivalent.
Do you work with smaller businesses?
Yes. Most organizations we get audit-ready are small and mid-size defense suppliers. Readiness scopes to your environment and size, so you focus effort where it actually moves your assessment.
How soon can you start?
Usually within a few weeks. Tell us your target certification date and we’ll work backward to a realistic readiness plan.
07Request
Request an RPO evaluation
Tell us where you stand. The right team — readiness or certification — replies within one business day with next steps and your starting-at pricing.
