BlackWatch Compliance is a Cyber-AB Registered Provider Organization. We guide defense contractors through every step of CMMC certification — before the deadline costs you your contract.
Every service your organization needs — from first assessment to certification day and beyond.
Deep recon of your cybersecurity posture across all 110 NIST 800-171 controls. Full threat map and remediation roadmap delivered.
Your System Security Plan — the most scrutinized document in any C3PAO assessment. We build it bulletproof and evidence-ready.
Hands-on execution to close every gap. Control implementation, system hardening, and evidence collection — done right.
Custom policies, procedures, POA&M, and evidence packages — everything a C3PAO assessor needs to see on day one.
A live-fire simulation of the C3PAO assessment. We surface and eliminate every remaining vulnerability before it counts.
Continuous overwatch between your 3-year C3PAO cycles. Always audit-ready. Always protected. Never caught off guard.
Fast-track cohorts, generic templates, and automated tools work for the median contractor. The median contractor doesn't exist in the real DIB. We built BlackWatch for the ones with complex scopes, dual-agency obligations, legacy systems, and supply chains that don't fit a standardized mold — because those are the contractors who need a real advisor in their corner, not a portal. Our mission is simple: get you certified and keep you that way, without surprises.
David brings 17 years of hands-on network and security engineering experience — spanning Cisco, Palo Alto, SD-WAN, and cloud platforms across AWS, GCP, and Azure — to the compliance advisory space. Where most practitioners understand the regulatory framework in theory, David understands the infrastructure it has to govern in practice. That combination means BlackWatch clients get SSPs, scoping decisions, and remediation guidance grounded in how systems actually work, not how they're supposed to work on paper.
Michelle is the compliance architecture and client strategy force behind BlackWatch. With her Cyber-AB RP credential in hand, she brings structured rigor to every engagement — ensuring that gap assessments, SSP development, and documentation packages aren't just technically accurate, but defensible under the scrutiny of a live C3PAO assessment. Michelle's approach is built around one principle: a compliance posture you can't explain and defend isn't a posture — it's a liability.
Most CMMC programs are built for the simplest possible environment. If you see yourself below, you need more than a fast-track program — you need BlackWatch.
Multiple facilities with inconsistent security postures across locations. A single SSP can't cover you unless every site is scoped, documented, and normalized. Fast-track programs assume one environment. You don't have one.
You hold contracts under DFARS and FAR or HSAR simultaneously — two CUI regimes, two incident-reporting clocks, two sets of safeguarding obligations that don't always align. Most advisors know one side. We know both.
You completed a fast-track program or self-assessment and hit a wall — failed assessment, open POA&M items, or gaps that automation missed. You've learned what a template can't cover. Now you need someone to build what the template left out.
Your prime is pushing CMMC requirements downstream and your contract award is tied to certification status. You don't have nine months. You need a practitioner who can build a defensible posture under a compressed timeline without cutting corners that become findings.
Subcontractors, suppliers, or a managed service provider have access to systems touching CUI. That makes you responsible for compliance you don't fully control. Your SSP must account for flow-down obligations and third-party access — no template handles this.
Export control obligations layer on top of your CMMC requirements. ITAR and EAR intersect with CUI classification, personnel access controls, and foreign national restrictions in ways that require deliberate scoping before a single SSP control is written.
Free 30-min session. We map your fastest path to certification.
Full 110-control audit. Complete findings with prioritized actions.
Close every gap. Build every document. Harden every control.
Full C3PAO simulation. Find and fix anything before it counts.
Assessment day. You walk in prepared. You walk out certified.
Every engagement is scoped in writing. You always know exactly what you're getting.
For small contractors under 50 employees pursuing Level 1 readiness.
End-to-end Level 2 preparation from gap assessment through C3PAO day.
Ongoing support to keep you audit-ready between 3-year assessment cycles.
The new clause is live and flowing down past the micro-purchase threshold. Most small defense contractors don't yet know where they're exposed. This 5-minute self-diagnostic shows you exactly where the gaps are — before a contracting officer, prime, or auditor finds them first.
Book a free 30-minute CMMC Strategy Session. No pitch. No pressure. Just a clear path to certification.