CMMC Practitioners

If you are looking for a CMMC practitioner who isn't a complete and utter douchebag, here is an assortment of reputable companies that you can evaluate as a possible fit for your specific needs. The CMMC-COA has a fidoucheiary duty to the DIB to highlight some good players in this space, which range from consultants to Managed Service Providers (MSPs) to compliance-focused documentation solutions. Since every CMMC practitioner has their own specialty, you need to do your own due diligence.

These CMMC Practitioners have vowed to abide by the CMMC-COA's stringent code of professional conduct*:

  1. I won't be a douchebag.

  2. For real though, I won't be a douchebag.

*PLEASE NOTE - This is all supposed to be in good humor, so it is sad that some people are humorless. There are a lot of good CMMC practitioners out there who are not on this list. There are also a lot of shitty companies that just want to separate you from your hard-earned $$. Just because a company is not listed on this page does not mean it is full of a bunch of douchebags who don't know anything about NIST SP 800-171 or CMMC. Sadly, it is amazing how many consultants have contacted us to complain that they are not listed on the "not a douchebag" list. It is not binary - you are not automatically a douchebag if you are not listed on this page, so for those who complain, go out and prove yourself over and over again. At that point, we may add you. Then again, we might not. We only want to highlight companies we have some experience with and know the quality of their work. If we wouldn't use your services or refer you to clients, then you won't be on this list. Period.




Specialty: ComplianceForge provides cybersecurity documentation solutions that are specific to CMMC & NIST SP 800-171 for policies, standards, procedures, SSP/POA&M templates, business plans, incident response, and more. It is the "easy button" approach to cybersecurity documentation needs.


Steel Root


Specialty: Steel Root provides managed cybersecurity and IT services to help companies in the U.S. Defense Industrial Base (DIB) achieve DFARS compliance and prepare for CMMC.


Sentinel Blue


Specialty: Sentinel Blue specializes in bringing the leadership, expertise, and technical capabilities required for DFARS compliance to the Small to Medium Enterprises (SME) in the Defense Industrial Base (DIB). We do common sense security - a lot of consultants don't get it about the realities that smaller companies face with limited budget and expertise, so we can right size an approach for your specific needs.

NeQter Labs


Specialty: NeQter Labs is a cybersecurity software company dedicated to providing affordable DFARS/NIST SP 800-171/CMMC compliance solutions to the SMB market. Our Compliance Engine platform combines Security Incident Event Management (SIEM), active alerting, inventory, and vulnerability scanning into a single solution.



Specialty: CORTAC provides end-to-end DFARS and CMMC guidance and services and leverages cybersecurity and information assurance as a competitive advantage while reducing the compliance and contracting risks of meeting ITAR, EAR, DFARS, & CMMC requirements.




Specialty: SecurityWaypoint focuses on the compliance and governance aspects of your cybersecurity needs. We provide vCISO (virtual CISO) services to Small to Medium Enterprises (SME) for NIST SP 800-171 & CMMC, including building a customized project plan based on the CMMC Kill Chain to manage CMMC-related compliance activities in a risk-prioritized approach. Experienced with the Secure Controls Framework (SCF) for complex compliance requirements.

Peak InfoSec 

Specialty: Peak InfoSec is a Certified 3rd-Party Assessment Organization (C3PAO) that serves all tiers of the Defense Industrial Base (DIB). Peak InfoSec specializes in turning cybersecurity programs around to conform to the business’ operational requirements. Its focus isn’t just on the technology, but to make your entire security culture change to what you want it to be.




Specialty: Summit 7 specializes in the Aerospace and Defense (A&D) industry. Summit 7 won the 2020 Microsoft US Partner Award in Security and Compliance for its Office 365 and Azure Government solutions regarding CMMC, DFARS, NIST SP 800-171, ITAR, and CUI. 


Cybersec Investments


Specialty: Cybersec Investments provides CMMC / NIST SP 800-171 consulting for Small to Medium Enterprises (SME) who need outside expertise to both understand and implement the requirements needed to comply. 

DiCicco, Gulman & Co. (DGC)

Specialty: DGC's IT Risk Assurance & Advisory practice provides a wide variety of cybersecurity services including vulnerability assessments, penetration testing, and security and risk assessments. We provide NIST 800-171 and CMMC readiness assessments and consulting services for the DIB and are an applicant to be a Certified 3rd Party Assessment Organization (C3PAO) for CMMC.

© 2021. CMMC Center of Awesomeness (CMMC-COA)

The operator of this website disclaims any liability whatsoever for the use of this delightfully entertaining and educational website. Use the CMMC-COA at your own risk. The CMMC-COA is not meant to be politically correct, so it is your profound mistake if you think it is meant to be.


If you have compliance questions, you really, really, really need to consult a competent cybersecurity professional to discuss your specific needs. This website is for educational purposes only and does not render professional services - it is not a substitute for dedicated professional services from a competent cybersecurity professional. There is no endorsement of any kind for products or services listed on this website - It is entirely your responsibility to conduct appropriate due diligence and due care in selecting and engaging with a product or service in your implementation of the CMMC practices and processes.

We do not warrant or guarantee that the information will not be offensive to any person. You are hereby put on notice that by accessing and using the website, you assume the risk that the information and documentation contained in the web site may be offensive and/or may not meet your needs and requirements. The entire risk as to the use of this website, or its contents, is assumed by you. If you don't like these terms, then tough shit - don't use the website or any of the content it provides... go do your own research and work, since it will be good for you.


We reserve the right to refuse service in accordance with applicable statutory and regulatory parameters.
