CMMC Level 2 readiness, right-sized for small defense shops.

For 10-to-150-person manufacturers that handle CUI and don't have a full-time IT team. We do the readiness work — scoping, your SSP, your POA&M, remediation — so you can keep running your shop and still be ready for your assessment.

Get a free scoping diagnostic
No cost. No obligation. You walk away with a one-page picture of where you stand.
The situation

You handle CUI. The clock is real. The tools aren't built for you.

  • A prime flowed CUI down to you, or you already know Level 2 applies.
  • Phase 2 lands November 10, 2026 — self-attestation stops being enough for most CUI contracts.
  • The quotes you're getting are enterprise-sized, and the software platforms assume an IT department you don't have.
  • Getting ready realistically takes 6–12 months of real work — and assessor calendars are already backing up.
Phase 2 deadline
Nov 10, 2026
Time remaining
days
hrs
min
sec

The day self-attestation ends for most CUI contracts. Count backward from here — and add the time it takes to actually get ready.

The requirement isn't new.
The proof is.
How it works

A clear path, run for you.

01

Scope

Find exactly where your CUI lives and what's actually in scope. This is the #1 cost lever — getting it wrong is where shops overpay.

You get a defined assessment boundary
02

Gap assessment

An honest read against all 110 NIST 800-171 controls: what you have, what's missing.

You get your gaps against all 110 controls
03

SSP + POA&M

We write the documents an assessor reads first — specific to your environment, not a boilerplate template.

You get an assessor-ready SSP and POA&M
04

Remediation, coordinated

We quarterback the technical fixes with your IT or MSP. We don't disappear and leave you a to-do list.

You get fixes done and evidence captured
05

Assessment-ready hand-off

When you're ready, we hand you to an independent, accredited C3PAO for the official assessment. We prepare you; they certify you. Those roles are kept separate by rule — and that separation protects you.

You get a clean, independent assessment
Why "right-sized"

Built for the small end of the defense industrial base.

Sized for you

The same standard the big shops meet — without the big-shop overhead or price tag.

Plain English

We translate NIST-speak into shop-floor language. You'll understand every step.

Everything traced to source

Every claim about what you must do points back to the actual government requirement. In compliance, being confidently wrong is the danger — so we don't guess, we verify.

One accountable person

You talk to a real person — not a ticket queue.

Built for the shops that keep the line running.

Who you're working with

Ilias Shin, founder of Kerux Systems.

I built Kerux because the shops that keep this country's defense supply chain running — the 10-, 50-, 100-, 140-person machine shops — are getting the least help with CMMC and paying the most for it. My job is to make Level 2 readiness understandable, fairly priced, and handled, for shops your size.

The name comes from the Greek kḗryx — a herald, one who carries a message faithfully. That's the standard I hold for the work.

Start here

Start with a free scoping diagnostic.

Thirty minutes. We map where your CUI lives and give you a straight read on your 110-control gap — a one-page roadmap of what getting ready actually means for you. No charge, no obligation.

No cost, no obligation — we reply within one business day.
Prefer email? ilias@kerux.us