CMMC RPO & Readiness Advisory | August Schell

Cyber AB Registered RPO · CMMC Level 2 Readiness

CMMC readiness & RPO advisory

August Schell is a CMMC Registered Provider Organization, registered with the Cyber AB. Think of us as the accountant who prepares your return: we get you audit-ready for CMMC Level 2 — scoping, readiness, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves — and we can sit beside you through your certification assessment.

The engagement

What getting audit-ready covers

Six workstreams, scoped to what you actually need.

See the work →
30+ years
Federal & defense experience
U.S. based & U.S. owned
All W-2
In-house team
1 of 9
Cyber AB firms holding both RPO + C3PAO with more than 10 years in business
ISO 9001
Certified quality system

01The work

What our RPO advisory delivers

Readiness is more than documentation. We work the full path — from defining what’s actually in scope to sitting beside you on assessment day.

Scoping & boundary definition
Identify your FCI and CUI and define what’s in scope. Scope mistakes are a top cause of failed assessments — this is where every engagement starts.
Readiness assessment
An advisory evaluation of your current posture against CMMC requirements. It surfaces gaps, risks, and scoping issues — it is not a certification, and we’re honest about that distinction.
Gap analysis
Control-by-control status, gaps, and risks against the 110 NIST SP 800-171 controls — so you know exactly what stands between you and certification.
Remediation & documentation
System Security Plans, policies, POA&Ms, and evidence built to hold up under assessment — not paperwork for its own sake.
Business-process implementation
CMMC isn’t only technical; much of it is process. This is the part most organizations underestimate, and the part we work through with you.
Assessment support
We can sit with you during your C3PAO assessment — standard in our RPO support, the same way your accountant can sit with you in an audit.

02Managed CUI enclave

A compliant home for CUI — without rebuilding everything

Bringing your whole environment into scope is the expensive way to comply. A managed enclave gives CUI a secure, segmented home — and shrinks your assessment boundary with it.

1

Build

Aligned to NIST SP 800-171

We design and build a secure, segmented enclave for storing and processing CUI — aligned to the 110 controls from day one, so compliance is the architecture rather than an afterthought.

2

Manage

We run it, you use it

August Schell operates the enclave as a managed service. Your team works inside it; ours keeps the technical controls implemented, monitored, and consistent.

3

Document & advise

Ready for your assessor

We document the enclave for your assessment and advise you through the business-process controls only your team can own — the people-and-process half of CMMC.

Typically a one-year commitment, scoped to your environment and user count. Your starting-at pricing arrives with our first reply.

Ask about the enclave

03NIST SP 800-171

Implement, don’t just document

CMMC Level 2 assesses the 110 controls in NIST SP 800-171. Writing them down isn’t the same as living them — and assessors know the difference.

Documentation-only preparation is one of the most common reasons organizations fail. We help you implement and operationalize each control with real evidence — so what’s on paper matches what an assessor finds.

110
NIST SP 800-171 controls implemented and evidenced for CMMC Level 2
Months
Getting Level 2-ready commonly takes several months to a year, depending on where you start
Level 3
For Level 3, we align advanced engineering to NIST SP 800-172

04Prepare or certify

Two roles, kept independent.

Think of it like your taxes: an RPO is the accountant who prepares your return — and can sit beside you in the audit. A C3PAO files it. Cyber AB rules keep the two independent.

If you need preparation

RPO — readiness & advisory

Scoping, readiness assessment, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves. This page. We get you audit-ready, and we can sit with you through the assessment itself.

Request an RPO evaluation →

If you’re ready to certify

C3PAO — certification assessment

The formal CMMC Level 2 assessment, performed by our all-W-2, in-house Lead CCAs. This is the assessment that goes on record in SPRS.

C3PAO Assessment →

Prepare with us, certify independently. August Schell is both an RPO and an authorized C3PAO — but Cyber AB rules mean we can’t certify a client we prepared within the last three years. If we get you ready, August Schell will coordinate an independent C3PAO for your certification. Want us to assess you instead? Start with the C3PAO Assessment.

05Why August Schell

One partner for the whole path

RPO advisory, managed services, and — independently — C3PAO certification under one roof. The people who prepare you will still be here for your three-year recertification.

30+
Years serving federal and defense missions
U.S. based & U.S. owned
1 of 9
Cyber AB firms holding both RPO and C3PAO with 10+ years in business
All W-2
In-house team — no 1099 subcontractors on your engagement
ISO 9001
Certified quality management system behind the practice
  • Registered RPO — registered with the Cyber AB to prepare organizations for CMMC.
  • Authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment, with the conflict-of-interest line drawn exactly where the Cyber AB draws it.
  • Engineering-first history — readiness work delivered by the same firm that has built and secured federal infrastructure for 30+ years.
  • Rockville, Maryland — 1700 Rockville Pike, Suite 405, in the heart of the federal corridor.
Cyber AB Authorized C3PAO seal PRI Registrar ISO 9001 certified seal

06FAQ

Common questions

What’s the difference between an RPO and a C3PAO?

An RPO prepares you — advisory and remediation. A C3PAO performs the formal certification assessment. By Cyber AB rules, the same firm can’t do both for you within three years.

What is a CMMC readiness assessment?

An advisory evaluation of your posture against CMMC requirements — it surfaces control gaps, risks, and scoping issues. It is not a certification.

How long does it take to get CMMC-ready?

Commonly several months to a year for Level 2, depending on your starting maturity, environment, and CUI scope.

What’s a CUI enclave?

A compliant, segmented environment for storing and processing CUI. We can build and manage it for you and document it for your assessment.

Are our MSPs and cloud providers in scope?

Yes — external providers that affect your security controls are in the assessment boundary, and cloud services handling CUI must meet FedRAMP Moderate or equivalent.

Do you work with smaller businesses?

Yes. Most organizations we get audit-ready are small and mid-size defense suppliers. Readiness scopes to your environment and size, so you focus effort where it actually moves your assessment.

How soon can you start?

Usually within a few weeks. Tell us your target certification date and we’ll work backward to a realistic readiness plan.

07Request

Request an RPO evaluation

Tell us where you stand. The right team — readiness or certification — replies within one business day with next steps and your starting-at pricing.

Add your name.
Add your company.
Add your work email so the right team can reach you.
Tell us what you’re trying to accomplish.

Prefer email? rpo@augustschell.com · or call (301) 838-9470