Step 1 · Identify Your Profile
Who Are You
in the DIB?
Select the profile that best describes your organization. Most BlackWatch clients see themselves in more than one.
✓
🏭
The Multi-Site Manufacturer
Multiple facilities, inconsistent postures across locations
✓
⚖️
The Dual-Agency Contractor
DoD and civilian contracts running simultaneously
✓
🔁
The Post-Failure Contractor
Been through a program — still exposed
✓
⏱️
The Sub Under Pressure
Prime pushing requirements downstream with a deadline
✓
🔗
The Contractor with a Supply Chain
Subs and MSPs inside your CUI boundary
✓
🌐
The ITAR/EAR Contractor
Export control layered on top of CMMC
Step 2 · Check Your Indicators
How Complex Is
Your Environment?
Check every box that applies to your organization. Two or more checked means a standardized fast-track program carries real risk for you.
Scope & Environment
✓
Multiple performance locations or facilities
Each site may have a different security posture that must be individually assessed and documented.
✓
Legacy on-premise systems that cannot migrate to GCC High
On-prem environments require manual SSP coverage that automated tools routinely miss.
✓
OT/IT boundary where manufacturing systems touch CUI
Operational technology environments create scoping complexities no template anticipates.
✓
Uncertain or evolving CUI boundary
If you're not certain which systems, people, or processes touch CUI — your scope isn't defined yet.
Contract & Regulatory Complexity
✓
Contracts under both DoD (DFARS) and civilian agencies (FAR/HSAR)
Different CUI regimes, incident-reporting clocks, and safeguarding obligations apply simultaneously.
✓
ITAR or EAR obligations layered on top of CMMC requirements
Export control intersects with CUI classification in ways that require deliberate scoping.
✓
Prime pushing CMMC requirements down to you as a subcontractor
You're certifying under pressure with a contract performance deadline driving the timeline.
Supply Chain & Subcontractor Risk
✓
Subcontractors or suppliers inside your CUI data flow
Third-party access to CUI creates downstream compliance obligations you are responsible for.
✓
Managed service providers or external IT with system access
MSP access must be scoped, documented, and controlled — inherited trust is not inherited compliance.
Prior Compliance History
✓
Previously attempted a fast-track or DIY CMMC program
If you have open POA&M items or unresolved gaps from a prior program, the clock is already running.
✓
SPRS score below 70 or self-assessment not yet submitted
A low or missing SPRS score is a contracting liability today — not just a future certification problem.
✓
No current SSP, or SSP built from a template you can't fully defend
An SSP you can't defend under direct assessor questioning is not an SSP — it's a liability.
Check the boxes above to see your complexity assessment.