Brassrook

NIST 800-171 · CMMC Level 2

SSPs and POA&Ms, built to pass.

Audit-ready compliance documentation for small defense contractors. Fixed price. Human-reviewed. Delivered in Word, ready for your assessor.

Request intake link How it works

At a glance

  • System Security Plan and Plan of Action & Milestones, drafted against your stack.
  • 10 business-day SLA from intake to delivery.
  • Fixed price: $3,000 early-adopter, $5,000 standard.
  • Deposit at kickoff, balance on delivery.

The problem

CMMC Level 2 is coming. The paperwork is not optional.

Deadline pressure

Primes are already writing CMMC requirements into subcontracts. Assessments take months to schedule, and an incomplete SSP is a first-week finding.

Consultant sticker shock

Traditional cyber consultancies quote $15,000 to $50,000 or more for a single SSP and POA&M engagement. Big 4 firms don't quote small contractors at all.

DIY-and-fail risk

Free DoD templates exist. They don't explain how to implement 110 controls against your actual stack. A draft that misses an assessor's objectives costs time you don't have.

The product

A fixed-price SSP and POA&M, drafted against your actual environment.

How it works

  1. 01 Request an intake link. We email a secure resume-any-time form covering your stack, organization, and compliance scope.
  2. 02 Complete the intake (about 30 to 60 minutes). Answers autosave. Attach existing policies if you have them.
  3. 03 We draft the SSP and POA&M against NIST 800-171 control objectives, mapped to your stack.
  4. 04 Every document goes through human QA before it reaches you. You get a Word file, ready for edits or assessor submission.

What you get

  • System Security Plan. All 110 NIST 800-171 Rev 2 controls, with implementation statements keyed to your environment.
  • Plan of Action & Milestones. Every planned or partially-implemented control, with remediation targets.
  • One revision round included. Adjust for changes on your side without a new engagement.
  • Word-format deliverables. Editable, no vendor lock-in, no portal to maintain.

Pricing

Early-adopter (first 10)
$3,000
Standard
$5,000
Terms
Deposit at kickoff, balance on delivery

Why us

We're building this for the assessment we're about to sit.

Brassrook exists because its founder is taking his own organization through a CMMC Level 2 assessment. Every control, every implementation statement, every POA&M entry we produce is one we'd defend in front of our own C3PAO.

That's the honest moat: we are not a consultancy selling compliance theater. We are a shop that ships the documentation we ourselves rely on, at a price small defense contractors can actually pay.

Brassrook does not perform C3PAO assessments or represent clients to the assessor. We draft and revise the SSP and POA&M documentation that your assessment will rely on.

Request an intake link

Start your SSP and POA&M.

Enter your email. We'll send you a secure, resume-any-time intake form. No account to create, no password to manage.

By requesting an intake link, you agree we'll email you the link and follow up about your engagement. No other marketing, no list sharing.