CMMC Consulting
CAPE — CMMC Level 2 Assessment Preparation Engagement
A fixed-price engagement that takes you from system inventory to a defensible System Security Plan, POA&M, and SPRS score — with a clear go / no-go call on whether you're ready for a CMMC Level 2 assessment.
- CMMC scope definition and boundary diagram
- Baseline or reviewed System Security Plan (SSP)
- Plan of Action & Milestones (POA&M) with severity, ownership, and remediation targets
- Defensible SPRS score with guidance on what can and cannot be claimed
- Change Management Plan for the remediation period
- Fixed-price engagement — no hourly meter running
CAPE — CMMC Assessment Preparation Engagement
CAPE is Giga-Green’s structured methodology for taking a DIB supplier from system inventory to CMMC Level 2 assessment readiness. It is a decision engagement: you finish knowing whether you’re ready to pass a Level 2 assessment, and if not, exactly what has to change.
CAPE is fixed-price. Scope is set at kickoff. The price doesn’t move if the work turns out to be harder than expected.
What CAPE delivers
1. CMMC Scope Definition & Diagram
- Finalized in-scope / out-of-scope system list
- Enclave and security-boundary documentation
- Diagrams your assessor can walk without needing a translation layer
2. System Security Plan (SSP)
- Review of your existing SSP, or a baseline SSP if you don’t have one
- Alignment to NIST 800-171 Rev 2/3 and CMMC Level 2 expectations
- Written to survive assessor scrutiny — not just to check a box
3. Plan of Action & Milestones (POA&M)
- Explicit mapping of unmet controls
- Severity classification (pass/fail risk to your assessment)
- Remediation ownership — customer vs vendor vs shared
- Realistic timelines tied to the 180-day CMMC Final Rule window
4. SPRS Score Validation
- Calculated, defensible Supplier Performance Risk System score
- Guidance on what you can claim, what you can’t, and where auditors push back
- Ready for submission when the contract requires it
5. Change Management Plan
Change management defines how updates to the SSP and evidence are documented during the remediation window — not execution of remediation itself. It keeps your documentation and your environment aligned as you close POA&M items.
What CAPE does not do
CAPE produces documentation and a decision. It does not:
- Implement technical controls
- Configure tools or migrate data
- Write custom policies (beyond the SSP structure)
- Act as your C3PAO assessor
Those are remediation work — a separate engagement once CAPE has told you what needs to change. Being explicit about this line is why CAPE stays fixed-price and predictable.
The outcome: ready or not ready
At the end of CAPE you’ll know one of two things:
- Ready for assessment. Your SSP, POA&M, and SPRS score support a Level 2 pass. Schedule the C3PAO.
- Not ready for assessment. Here is exactly what must change — technical, procedural, or documentation — and here is the POA&M that maps the work.
There is no vague “close to ready.” The whole point is to eliminate that ambiguity before you commit to a C3PAO assessment window.
Add-on: Documentation & Assessment Coach
Optional add-on for organizations that want an SME on the sideline during the assessment itself:
- Ongoing documentation review and alignment as your environment changes
- Policy and procedure refinement
- A qualified guide at your side (CCA-eligible) during the C3PAO assessment week
What comes next
CAPE is the on-ramp. After it, most clients move into one of these paths:
- Remediation — data migration, enclave / GCC High builds, VDI, policy authoring, tabletop exercises, training. Anything a POA&M item might require.
- Manage — ongoing CMMC program support at a level that matches your team: ad-hoc consulting, change management, incident reporting, annual checkups, or full program management.
Whatever comes next, CAPE gives you the map.
Frequently asked questions
What does CAPE stand for?
CMMC Assessment Preparation Engagement. It's Giga-Green's structured methodology for taking a DIB supplier from system inventory to assessment-ready documentation.
What does CAPE actually produce?
Five artifacts your assessor will ask for: (1) a CMMC scope definition and boundary diagram, (2) a System Security Plan aligned to NIST 800-171 Rev 2/3 and CMMC Level 2, (3) a POA&M mapping unmet controls with severity and ownership, (4) a validated SPRS score with defensible claim guidance, and (5) a Change Management Plan for the remediation window.
What does CAPE *not* do?
CAPE does not implement technical controls, configure tools, write custom policies, or act as the assessor. Those are remediation work — a separate engagement once CAPE has told you what needs to change.
How is CAPE different from a generic gap assessment?
A generic gap assessment gives you a list of findings. CAPE produces the four documents (SSP, POA&M, SPRS, Scope) your C3PAO actually asks for during a Level 2 assessment — plus a change management plan for the remediation window. It's a preparation engagement, not just a diagnostic.
Is CAPE fixed-price or hourly?
Fixed-price. Scope is set during a scoping call and the price does not change if the work turns out to be more complex than expected. This is a deliberate design choice — CMMC engagements have too many unknowns to bill hourly without turning the customer into the scope-management team.
What happens after CAPE?
If CAPE concludes you're ready, the next step is your C3PAO assessment. If it concludes you're not ready, you have a POA&M and remediation roadmap. Giga-Green can execute that remediation under a separate engagement — data migration, enclaves, policy authoring, tabletop exercises, training — or you can bring in another partner.
Related services
CMMC Consulting
Microsoft 365 GCC and GCC High Migration
End-to-end migration from Microsoft 365 Commercial to Government Community Cloud (GCC) or GCC High — the tiers Microsoft designed to house CUI under DFARS 252.204-7012 and CMMC. We help you pick the right tier and get there cleanly.
Learn more
CMMC Consulting
Network & Endpoint Hardening
Technical implementation of the CMMC controls that assessors touch first — segmentation, MFA, encryption, endpoint detection, and configuration baselines aligned to NIST SP 800-171 SC, AC, CM, and SI control families.
Learn more
CMMC Consulting
CMMC Tabletop Exercises
Facilitated tabletop exercises that satisfy the CMMC Level 2 incident response testing requirement (IR.L2-3.6.3) — and produce the evidence artifacts your assessor will ask for.
Learn more
Ready to talk?
Tell us where you are in your CMMC journey and we'll follow up within one business day.