DEFENCE AND CMMC · HANS STUDY
Defence industrial base compliance, with the technical work that actually holds up
CMMC 2.0 in the United States. CPCSC in Canada. NIST SP 800-171 underneath both. Independent technical advisory for defence contractors and subcontractors who need the architecture, the controls, and the documentation in a state that survives an assessment, not just an internal review.
What this is, and what it is not
This is technical advisory for defence industrial base organizations preparing for CMMC 2.0 in the US, CPCSC in Canada, or NIST SP 800-171 alignment in either country. The work focuses on the technical layer that the framework actually depends on. Network segmentation. Identity and access management. Logging and audit. Backup and recovery. Endpoint and server hardening. Boundary protection. The controls that fail an assessment when the documentation does not match what the network is doing.
This is not a paper-only compliance shop. The deliverable is an environment that holds up technically, with documentation that accurately describes it.
Where independent advisory adds value
CMMC 2.0 Level 2 readiness
Architecture review against the 110 NIST 800-171 controls. Gap assessment. Remediation roadmap. Evidence and documentation preparation that matches what an assessor will actually look at.
CPCSC alignment for Canadian DIB
Canadian Programme for Cyber Security Certification advisory for organizations doing or pursuing defence work in Canada. Architecture, controls, and documentation aligned to the framework.
NIST SP 800-171 baseline
Independent assessment against all 14 control families. Realistic reading on which controls are met, partially met, or not met, and a roadmap that prioritizes the ones that actually move the assessment.
CUI enclave architecture
Network segmentation for controlled unclassified information. Boundary design between CUI and non-CUI environments. Practical answers for organizations where the entire network does not need to be in scope.
Microsoft Windows hardening
Active Directory architecture, Windows Server hardening, Group Policy and security baselines, Microsoft 365 in CUI-aware configurations. Detailed work on the Microsoft side, where most CMMC environments live.
SSP and POA&M development
System Security Plan and Plan of Action and Milestones documentation that accurately describes the environment, identifies open gaps, and stands up to the level of scrutiny an assessment applies.
Standards and frameworks in scope
- CMMC 2.0, Cybersecurity Maturity Model Certification (US DoD)
- CPCSC, Canadian Programme for Cyber Security Certification
- NIST SP 800-171, protecting controlled unclassified information
- NIST SP 800-53, security controls for federal information systems
- NIST SP 800-172, enhanced requirements for CUI
- ITSG-33, Government of Canada IT security risk management
- ISO/IEC 27001, information security management
- TIA-942, data centre infrastructure standard
What field experience looks like
I have worked across federal infrastructure, defence environments, and organizations supporting Canadian and US defence supply chains. The advisory draws on direct experience with the Microsoft Windows server side of CMMC and CPCSC environments, the network architecture that determines what is in scope, and the operational reality of running a CUI enclave at a small or mid-size organization without taking the rest of the business offline.
For organizations that are early in the journey, an architecture review and gap assessment is usually the right first engagement. For organizations close to assessment, the focus is on closing the highest-impact gaps and aligning documentation to actual technical state.
Bring in independent advisory before the assessment is booked
Architecture review, gap assessment, remediation oversight, and SSP/POA&M development are all available as discrete engagements. The earliest point of engagement is also the highest-impact point.
Start a conversation