NEW YORK, Apr. 7, 2026 – Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announced a partnership as an Official Small Business Partner of the Brooklyn Nets.

This Small Business Partner Program empowers New York-based businesses by unlocking collaboration opportunities with one of the NBA’s most iconic teams. The collaboration merges Rhymetec’s mission to provide seamless, premium security partnerships with the Brooklyn Nets' dedication to community and team excellence.

Partnership Highlights

For Rhymetec, the partnership represents continued growth and expansion of its presence in New York, where the company was founded in 2015. What began as a penetration testing company serving local startups has grown into a global cybersecurity and compliance partner supporting more than 1,000 organizations worldwide.

"In 2015, I was riding around New York City on my bike, delivering Google Homes to the offices of companies I wanted to work with. To go from those local roots to partnering with an iconic New York institution like the Brooklyn Nets is a massive milestone for our team." — Justin Rende, founder and CEO of Rhymetec.

What started in New York City with a single client has quickly grown into a global operation. Today, Rhymetec has served more than 1,000 clients, ranging from early-stage startups to established enterprises. Rhymetec removes cloud security complexities so innovative companies can grow faster and achieve their goals without limits.

Through the Brooklyn Nets Small Business Partnership, Rhymetec reinforces its commitment to the city where it all began, bringing its message of seamless, proactive cybersecurity to the NBA arena stage.

About Rhymetec

Rhymetec delivers premium cybersecurity and data privacy solutions for modern SaaS businesses, combining human expertise with innovative technology. The company builds, deploys, and manages offensive security, compliance, and data privacy programs directly within clients' environments, enabling organizations to move fast, operate confidently, and focus on what matters most. With Rhymetec as a partner, companies can move freely, grow without limits, and focus on building the business they envision. For more information, visit www.rhymetec.com and follow Rhymetec on LinkedIn.

In the early stages of building a SaaS company, security and regulatory requirements often take a back seat to product development and user acquisition. But as you scale, ignoring SaaS compliance quickly becomes a major liability. Without the right frameworks in place, enterprise deals stall, procurement reviews drag on, and investor confidence drops. Compliance is no longer just a box to check; it's a prerequisite for growth.

This guide breaks down what every startup needs to know about navigating compliance frameworks, overcoming common scaling challenges, and building a security program that actively drives your business forward.

Defining SaaS Compliance (And Why It’s Different From Traditional IT Compliance) 

Traditional IT compliance was created for companies that owned their infrastructure and operated within a fixed network. Those environments were easier to protect in many ways because data stayed on systems the company physically controlled.

Your modern SaaS company now works in a shared environment where customer data moves through hosted platforms, third-party integrations, and multiple geographic regions. Control depends heavily on coordination between the provider and the SaaS company, not on direct ownership of the systems involved.

This model requires constant attention to how data flows, where it is stored, and who can access it. Cloud vendors manage the infrastructure, but SaaS providers remain responsible for how their own applications handle customer information. 

Modern frameworks such as SOC 2 and ISO 27001 reflect this reality. They assess whether a company’s security and privacy controls operate within a constantly changing environment. A mature SaaS compliance program aligns daily operations with controls and allows companies to scale while maintaining trust with customers and partners.

Why Compliance Matters For SaaS Companies

Compliance is no longer a nice-to-have for SaaS companies. Enterprise customers, investors, and partners now expect proof that their data is being handled securely and in line with recognized standards. 

Voluntary frameworks like SOC 2 and ISO 27001, along with laws such as GDPR, have become prerequisites for closing deals, especially in regulated industries or when selling across international markets. 

Compliance also strengthens operational resilience. A well-defined security program reduces the risk of breaches, downtime, and regulatory penalties, and brings control over areas, such as vendor relationships, that often expand faster than a startup's internal oversight can keep up with.

Compliance gives SaaS providers a substantial competitive advantage. Companies with more mature security postures move faster through procurement reviews, shorten sales cycles, and retain customer trust.

In short, compliance signals reliability. It shows customers that your company is built for longevity and with security top-of-mind.

Common SaaS Compliance Frameworks and Regulations

SaaS companies operate in a complex regulatory environment where customers, auditors, and investors expect proof of strong security and privacy practices. 

The right framework(s) depend on a company's size, geographic reach, and industry, but they all share the same overarching goal: to provide objective evidence that data is protected and risks are managed. So, what are some of the most commonly needed frameworks for SaaS compliance?

SOC 2

SOC 2 is the most common starting point for SaaS companies in North America. The aim is to assess how a company safeguards data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four are included as the scope demands.

SOC 2 reports have become standard in procurement reviews for B2B SaaS vendors seeking to work with larger enterprises. 

ISO 27001

ISO 27001 provides an international framework for managing information security.

To meet the requirements, organizations must build out an ISMS (Information Security Management System) that guides a company’s internal processes and controls. Many global SaaS providers pursue ISO 27001 certification to meet European client expectations or to operate across multiple regions. 

HIPAA

HIPAA applies to healthcare-related SaaS platforms that create, receive, store, or transmit protected health information (PHI), typically as business associates of covered entities. Compliance requires administrative, physical, and technical safeguards designed to limit access and prevent unauthorized disclosure.

GDPR

GDPR defines strict data protection and privacy obligations for any company handling personal information from individuals in the EU. It impacts how SaaS providers collect consent from users, store personal data, and transfer information outside the EU. 

For startups, GDPR compliance often feels complex because obligations extend beyond technical safeguards. Even small teams must document processing activities, manage data subject requests, and maintain extensive records. 

Even early-stage SaaS companies with few EU customers are expected to show compliance readiness when raising capital or entering enterprise contracts. Working with an experienced GDPR consultant helps startups prioritize risk areas and implement controls that satisfy both regulators and potential clients.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a non-negotiable framework for any SaaS platform that handles, processes, or stores credit card information. Even if your startup offloads card handling to a third-party payment processor like Stripe or PayPal, you still have compliance obligations, typically a reduced self-assessment questionnaire, to ensure that the pages and scripts that hand customers to the processor are secure and that cardholder data never passes through systems you did not intend to bring into scope.

Maintaining PCI DSS compliance not only protects your customers from devastating financial data breaches but also protects your startup from severe non-compliance fines or the complete loss of credit card processing privileges.

Meanwhile, the EU's Digital Operational Resilience Act (DORA) and the NIS 2 Directive further expand compliance expectations for SaaS companies that serve European financial or critical infrastructure sectors.

The Biggest Compliance Challenges For SaaS Startups

Achieving SaaS compliance is rarely a straightforward journey, particularly for scaling startups trying to balance security with rapid growth. Some of the most common hurdles include:

SaaS Compliance Checklist 

To keep your team organized, we’ve broken down the SaaS compliance journey into distinct, actionable phases. Use this checklist as a blueprint for your own compliance roadmap.

How Compliance Automation Tools Fit In

Compliance automation platforms like Drata, Vanta, and Secureframe have become standard tools in the SaaS ecosystem. 

They simplify evidence collection, automate recurring tasks, and give teams a centralized view of their compliance status. For fast-growing startups managing common frameworks like SOC 2 or ISO 27001, these tools reduce the administrative burden that typically would slow down audits and reporting cycles.

However, compliance automation tools are not a substitute for governance or expertise. 

They work based on predefined templates and checklists, which don’t always reflect the unique risks or control environments of each organization. A platform might confirm that a policy exists, but it can’t fully determine whether it is effective, accurate, or aligned with how the business actually operates.
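The distinction in the paragraph above, between evidence that a control exists and evidence that it operates, is easy to make concrete. The following is an added example, not code from Rhymetec or from any automation vendor. It assumes a hypothetical IdP user export in CSV form (constructed inline) and an MFA policy text; the policy check proves only that a document mentions MFA, while the effectiveness check walks the in-scope population and returns the accounts that violate it.

```python
"""Existence vs. operating effectiveness of an access control.

Constructed example (not from Rhymetec or an automation platform): a
keyword check on a policy document versus a population test over a
user export. Both the policy text and the export are made up.
"""
import csv
import io

# Constructed policy document, the kind of artifact a template check "finds".
POLICY_TEXT = """Access Control Policy v1.2
All workforce accounts must enroll an MFA factor.
Service accounts are exempt and must use short-lived credentials instead."""

# Constructed user export in the shape a hypothetical IdP admin console emits.
USER_EXPORT = """username,account_type,mfa_enrolled,last_login
alice,workforce,true,2026-03-30
bob,workforce,false,2026-03-29
ci-runner,service,false,2026-03-31
carol,workforce,true,2026-02-01
dave,workforce,false,2025-11-02
"""


def policy_exists(policy_text: str) -> bool:
    """What a template-driven check typically proves: a document with the
    expected keyword exists. This says nothing about enforcement."""
    return "MFA" in policy_text


def mfa_exceptions(export_csv: str) -> list[str]:
    """Operating-effectiveness test: every in-scope (workforce) account must
    have MFA enrolled. Service accounts are out of scope per the policy.
    Returns the usernames that violate the policy."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return [
        r["username"]
        for r in rows
        if r["account_type"] == "workforce" and r["mfa_enrolled"].lower() != "true"
    ]


def control_effective(export_csv: str) -> bool:
    """The control is effective only when the exception list is empty."""
    return not mfa_exceptions(export_csv)


def summarize(policy_text: str, export_csv: str) -> dict:
    """Return both answers side by side so the gap is explicit."""
    exceptions = mfa_exceptions(export_csv)
    return {
        "policy_exists": policy_exists(policy_text),
        "control_effective": not exceptions,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print(summarize(POLICY_TEXT, USER_EXPORT))
```

With the constructed data the policy "exists" but the control is not effective: two workforce accounts have no MFA enrolled. That exception list, not the policy document, is what an auditor testing operating effectiveness asks for, and it is the kind of evidence a human reviewer has to interpret (for example, whether `dave` is a dormant account that should have been deprovisioned rather than a policy violation to remediate).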

Automation accelerates progress but is limited without a strategy. 

Human oversight is still critical. A vCISO can interpret the data surfaced by automation tools and align technical controls with regulatory obligations and business goals. With the right support and expertise, compliance is transformed from a one-time project into an ongoing security program that scales with your business.

The Role of a vCISO in SaaS Compliance and Maintaining Compliance As You Scale

While automation platforms manage the evidence, a Virtual Chief Information Security Officer (vCISO) manages the strategy. For SaaS startups, partnering with a vCISO bridges the gap between software tools and actual security maturity.

A vCISO acts as an extension of your team, bringing executive-level security expertise without the overhead of a full-time hire. They are instrumental in scoping your audit correctly, customizing policies so they actually fit your startup's workflow, and translating complex regulatory requirements into actionable engineering tasks. When an automation tool flags a failing control, a vCISO doesn't just check a box; they help you remediate the root cause.

More importantly, a vCISO helps you maintain SaaS compliance as you scale. As your company adds new features, enters new geographic markets, or targets larger enterprise customers, your threat landscape evolves. 

By combining the efficiency of automation tools with the strategic oversight of a vCISO, SaaS companies can turn compliance from a stressful administrative burden into a powerful driver for growth and enterprise trust.

Take the Guesswork out of SaaS Compliance

Contact Rhymetec to learn how our vCISO services can help you build a scalable security program, ace your next audit, and win enterprise trust.

The defense industrial base is entering a new era of accountability. With the DoD’s Cybersecurity Maturity Model Certification (CMMC) requirements becoming mandatory, organizations handling Controlled Unclassified Information (CUI) must demonstrate a security posture that is not only compliant, but operationally sustainable.

Complying with the 110 security requirements of NIST SP 800-171 is essential for maintaining and winning contracts, but for many defense contractors, achieving compliance feels like a costly, complex, and disruptive overhaul.

That’s why Rhymetec is partnering with PreVeil, the leading CMMC and ITAR compliance solution for small and midsize businesses. Together, we bring defense contractors a complete, streamlined path to CMMC readiness and certification:

"We're thrilled to partner with Rhymetec to support defense contractors. Their expertise in managed IT services combined with our proven CMMC encryption solutions creates a powerful offering for organizations navigating the compliance journey." — Jamie Leupold, Director of Channel Sales and Alliances, PreVeil.

A New Standard for CMMC Readiness

Meeting DoD standards takes more than just buying software: it requires gap assessments, System Security Plans (SSPs), and continuous monitoring. 

This partnership brings organizations an integrated solution designed for both compliance and operational continuity:

For Defense Startups and SMBs

For smaller defense contractors, maintaining contract eligibility is business-critical, but heavy IT migrations are often out of reach. With this partnership, SMBs no longer have to compromise on security or budget.

For Mid-Market and Enterprise Organizations

As your organization grows, so does the complexity of your supply chain and the flow of CUI. Protecting sensitive data across a larger attack surface requires proven, scalable solutions.

With Rhymetec and PreVeil, security leaders get:

A Smarter Way Forward

CMMC is the mechanism the DoD is using to determine who can participate in the future of the defense supply chain.

This partnership ensures organizations don’t approach it as a checklist, but as a strategic capability.

By aligning PreVeil’s compliant collaboration platform with Rhymetec’s end-to-end CMMC readiness program, defense contractors gain the clarity, control, and confidence to move into assessment, and beyond it, with momentum. 

Contact us to move toward CMMC readiness with Rhymetec and PreVeil.


About PreVeil

PreVeil’s encrypted Email & Drive platform is used by over 2,000 organizations to improve their security & achieve CMMC & ITAR compliance. PreVeil can be deployed in hours & integrates directly with Gmail, Outlook, File Explorer, & Mac Finder. All files & emails are automatically encrypted end-to-end, which eliminates central points of attack & means no one other than intended recipients can read your sensitive information—not even PreVeil. PreVeil has been used by over 50 defense contractors & C3PAOs to achieve perfect 110 scores on their CMMC assessments.

About Rhymetec

Rhymetec is the trusted partner of over 1,500 organizations globally in all of their cybersecurity and compliance needs. Founded in NYC in 2015, Rhymetec delivers information security programs that enable organizations to move faster, meet regulatory demands, and scale with confidence. Our fully in-house team of dedicated vCISOs and seasoned penetration testers manages every phase of your cybersecurity and compliance journey, enabling you to focus on what matters most: growing your business.

Artificial intelligence is accelerating software development and reshaping the security expectations that surround it. Developers are shipping code faster than ever, often with the assistance of AI tools.

However, this same technology has also changed the economics of attacking software. Adversaries are using AI to lower the cost of reconnaissance and iterate through exploits at scale.

In a recent webinar hosted by Rhymetec and XBOW, Christian Mouer, Director of Offensive Security at Rhymetec, and Bill Nichols, Head of Customer Success at XBOW, explored how an AI-powered penetration testing model allows organizations to increase testing velocity, validate real attack paths faster, and gain broader visibility across modern applications, while maintaining the depth and context required for meaningful risk reduction.

Why Traditional Penetration Testing Timelines No Longer Match Modern Development

Many organizations still rely on annual or semi-annual point-in-time tests: an engagement begins, a snapshot is taken, and a report is delivered weeks later. That approach worked when applications changed slowly and release cycles were measured in quarters.

Today, development moves continuously. New features, endpoints, and integrations are introduced on a weekly, sometimes daily, basis. By the time a traditional test is completed, the environment it assessed has already evolved.

To keep pace, defenders cannot simply scale humans linearly with software output: it is cost and time-prohibitive. This is where autonomous offensive security comes in.

From Theoretical Exposure to Proven Exploitability

One of the most consistent pain points for security teams is the volume of unverified findings produced by automated tools. Large scan outputs require significant internal effort to determine what is real, what is exploitable, and what actually matters to the business.

The approach demonstrated in the webinar prioritizes validation. Exploits are executed against the live environment, attack paths are confirmed, and results are correlated before they are ever delivered.

That shift changes the nature of the final report. Instead of a backlog of potential issues, organizations receive a focused set of confirmed vulnerabilities with clear evidence of impact.

“Hypotheses are cheap. Proof isn’t. We don’t surface a finding unless the system can validate that it’s real.” — Bill Nichols, XBOW

For security and engineering teams, this significantly reduces the time spent reproducing issues and allows remediation efforts to begin immediately.

Expanding Coverage Without Extending Engagement Length

Application ecosystems have grown far beyond a single web interface. Modern environments include large API surfaces, multiple user roles, third-party integrations, and complex authorization logic.

Manually mapping and testing that entire landscape within a standard engagement window forces difficult tradeoffs. Teams must choose between depth in a few areas or lighter coverage across the whole application.

Autonomous execution removes that constraint. Continuous attack surface mapping and parallel exploit testing allow a far greater portion of the environment to be assessed in the same timeframe.

“It’s another pen tester on the team. If we work together, we're able to cover so much more ground than we would have otherwise." — Christian Mouer, Rhymetec

This expanded coverage is what makes deeper, human-led analysis possible later in the engagement.

Reallocating Human Expertise to High-Value Security Work

When the most time-intensive phases of testing, such as reconnaissance, enumeration, and initial exploitation, are handled autonomously, the role of the tester changes.

Instead of spending the majority of the engagement identifying entry points, offensive security experts are able to focus on:

“When we’re cutting down that investigative time, it gives us additional days to validate, find more vulnerabilities, and explore more deep-dive attack paths.” — Christian Mouer, Rhymetec

This is where the greatest risk reduction occurs and where human experience delivers the most value.

The Hybrid Approach: Why AI Doesn't Replace Humans

A common misconception about AI-powered penetration testing is that it aims to replace human testers. In practice, the model works as an extension of the testing team rather than a substitute for it.

While XBOW can map an attack surface and execute exploits 24/7, it lacks the business context and nuance that a Rhymetec offensive security expert provides.

Business Logic and Context

AI might flag that a user can see all emails in a system. However, a human tester understands the context: if that user is an HR Administrator, that access is intended. Rhymetec’s team supplies the critical business logic to ensure findings are relevant to the organization's specific operations.
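The mailbox scenario above is a broken object-level authorization question, and the context that decides it can be written down. The following is an added example, not code from Rhymetec or XBOW. It assumes a hypothetical mailbox-listing endpoint, a constructed mailbox store, and a single organisation-wide role (`hr_admin`) standing in for the HR Administrator in the text; the vulnerable version trusts the `owner` parameter, the hardened version enforces owner-or-role, and a small triage function turns the scanner's raw observation (which mailboxes a test account could read) into "finding", "intended access", or "no finding" depending on who the caller is.

```python
"""Role-aware authorization for a mailbox listing endpoint.

Constructed example (not Rhymetec's or XBOW's code): the same observation,
"this account can read every mailbox", is an IDOR/BOLA finding for an
ordinary employee and intended behaviour for an HR administrator.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed mailbox store: mailbox owner -> message subjects.
MAILBOXES = {
    "alice": ["Q3 offer letter", "Benefits enrollment"],
    "bob": ["Payroll correction"],
    "carol": ["Exit interview"],
}

# Roles whose job function legitimately spans every mailbox.
# Assumption for this example: "hr_admin" is the HR Administrator role.
ORG_WIDE_MAIL_ROLES = frozenset({"hr_admin"})


def list_mail_vulnerable(caller: User, owner: str) -> list[str]:
    """'Before' version: trusts the owner parameter and never consults the
    caller. Any authenticated user can enumerate any mailbox (IDOR / BOLA)."""
    return list(MAILBOXES.get(owner, []))


def list_mail_hardened(caller: User, owner: str) -> list[str]:
    """'After' version: the caller may read their own mailbox, or any mailbox
    if they hold an organisation-wide role. Everything else is denied."""
    if owner != caller.user_id and not (caller.roles & ORG_WIDE_MAIL_ROLES):
        raise PermissionError(f"{caller.user_id} may not read mailbox {owner!r}")
    return list(MAILBOXES.get(owner, []))


def triage_cross_mailbox_read(caller: User, owners_read: set[str]) -> str:
    """Turn what a scanner observed (mailboxes the test account could read)
    into a verdict, applying the business context from the text: the same
    access is intended for an HR admin and a finding for anyone else."""
    foreign = owners_read - {caller.user_id}
    if not foreign:
        return "no finding"
    if caller.roles & ORG_WIDE_MAIL_ROLES:
        return "intended access (role-scoped)"
    return f"finding: broken object-level authorization over {len(foreign)} mailboxes"


def demo() -> dict[str, str]:
    """Exercise both endpoints as an employee and as an HR admin and return
    the triage verdict for each combination."""
    employee = User("bob")
    hr_admin = User("dana", frozenset({"hr_admin"}))
    results: dict[str, str] = {}
    for caller in (employee, hr_admin):
        seen = {o for o in MAILBOXES if list_mail_vulnerable(caller, o)}
        results[f"vulnerable/{caller.user_id}"] = triage_cross_mailbox_read(caller, seen)
        seen_hardened: set[str] = set()
        for o in MAILBOXES:
            try:
                list_mail_hardened(caller, o)
                seen_hardened.add(o)
            except PermissionError:
                pass
        results[f"hardened/{caller.user_id}"] = triage_cross_mailbox_read(caller, seen_hardened)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running `demo()` shows the point of the paragraph: against the vulnerable endpoint the employee account yields a finding and the HR admin account yields "intended access", even though the tool observed exactly the same thing for both. The hardened endpoint keeps the admin's access and removes the employee's, which is the remediation a tester would recommend, not "remove the HR admin's visibility".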

Complex Remediation

Finding a bug is only half the battle. Fixing it without breaking the application is the other half. Rhymetec provides the "human element" of advising on remediation strategies that align with the client’s tech stack and resources.

Parallelism and Depth

The ideal workflow involves running XBOW in parallel with manual testing.

Real-World Impact: Speed and Scalability

The combination of XBOW’s automation and Rhymetec’s expertise delivers results that were previously difficult to obtain in both timeline and scope.

During the webinar, the team shared a case study of a massive web application containing approximately 650 endpoints.

The time saved allowed the Rhymetec team to spend the remaining days validating complex findings and exploring deep-dive attack paths that the AI surfaced, ultimately delivering a comprehensive report in five days rather than three weeks.

“We’re able to turn around that pen test confidently within five business days rather than going 10 to 15 days out.” — Christian Mouer, Rhymetec

In Conclusion: AI as a Force Multiplier

As 76% of CISOs anticipate a material cyber attack in the next 12 months, the need for speed and accuracy in testing has never been higher.

Rhymetec’s AI-Powered Penetration Testing partnership with XBOW offers the perfect balance of intelligence and intuition. By automating the reconnaissance and vulnerability identification phases, we allow our certified penetration testers to focus on what they do best: validating impact, analyzing business risk, and guiding remediation.

Key Benefits of the Rhymetec x XBOW Partnership:

Contact us to learn more about how to integrate AI-powered testing into your security strategy.

Watch the Full Webinar

https://vimeo.com/1159016355?share=copy

For many organizations, navigating GDPR on their own feels overwhelming and simply isn’t feasible to carry out in-house. The seemingly endless acronyms, regulations that are constantly changing, and the looming threat of fines make it a difficult task to begin to tackle.

The role of a GDPR consultant is to step in, break the work down into manageable pieces, and take it off your team's plate. A consultant translates the regulation into practical steps tailored to your organization. With the right guidance, you can save enormous amounts of time, reduce risk, and give both your team and your buyers confidence that customer data is handled the right way.

Why Work With A GDPR Consultant? 

Many companies make the mistake of assuming they can figure it out as they go, but the reality is that GDPR compliance is an enormous lift impacting nearly every part of a business. Data collection, vendor contracts, employee training, and incident response are just some of the areas that need attention.

A GDPR consultant brings expertise that shortens the learning curve and helps you avoid costly missteps. A consultant can provide a roadmap specifically tailored to your operations, location, and industry. This serves to reduce risk while also improving efficiencies. A good consultant will keep your business needs top-of-mind and align compliance with your broader goals. 

A GDPR consultant helps you avoid hefty fines, reduce risk in meaningful ways, and position your organization as trustworthy, customer-centric, and competitive in markets where data protection is non-negotiable. If your team sells into the EU or UK, privacy questions now land in every enterprise review as well.

So, what are some signals that working with a GDPR consultant might be the right move for your business? Keep reading to learn more.

When Do You Need A GDPR Consultant?

Not every organization needs full-time compliance staff, but most will hit a point where outside expertise will mean the difference between a ‘check the box’ approach and building a defensible, long-term compliance program.

Here are some signals that it may be the right time to seek help:

In short, if compliance questions are slowing down sales, creating friction with customers, or keeping leadership awake at night, it’s a clear signal that a GDPR consultant could bring structure and peace of mind.

What Do GDPR Consulting Services Entail? 

An end-to-end GDPR consultant operates as a partner, guiding your organization from its current state all the way through to demonstrable compliance.

Some consultants will provide a different level of support depending on the engagement and act in a more advisory capacity. At Rhymetec, we pride ourselves on not just advising but delivering everything you need. Here is what a typical engagement would look like with our own GDPR consultants: 

Step 1 Of a GDPR Consultant Engagement: Initial Gap Assessment 

The initial gap assessment typically begins with a deep dive into your current practices in areas including vendor contracts, data flows, security measures, and employee awareness. This shows where you are versus where you need to be, and which gaps to prioritize filling first.

Step 2: Creating A Customized Roadmap 

After the gap assessment, your GDPR consultant will build on it to create a practical, customized roadmap for your organization. Instead of generic advice and checklists, you’ll know what exactly to prioritize, have a clear path forward, and timelines mapped directly to your business operations.

Step 3: Policy and Procedure Development 

Consultants create or refine a wide range of policies and procedures to show alignment with GDPR. These include consent management processes, privacy notices, data subject rights procedures, and other internal policies. A good consultant will work closely with your team to ensure policies are not only legally compliant but are also workable for your teams and supportive of broader business goals.

Step 4: Vendor and Contract Review 

Because working with third parties can introduce compliance risks, consultants will review contracts, DPAs (Data Processing Agreements), and vendor management practices to close liability gaps. 

Step 5: Implementation Support

At this phase, all of the prior planning and groundwork laid out with policies turns into action. 

A GDPR consultant helps implement new processes, train staff, configure tools, and create governance structures so compliance becomes a part of your daily operations.

Step 6: Ongoing Monitoring and Guidance From Your GDPR Consultant

Regulations evolve, enforcement priorities shift, and your business will continue to grow.

By working with a consultant, you can access ongoing support, whether that's preparing for an audit, managing a regulator inquiry, or simply checking that your program stays aligned with the law.

What Does A GDPR Consultant Cost?

Understandably, one of the first questions organizations will ask is, what will this actually cost us? 

The answer depends on the scope of work, the size of your company, and the level of involvement you need. There are three main types of support with varying levels of investment you can expect with a GDPR consulting engagement: 

Hourly or Project-Based Engagements 

Smaller companies or those with very specific needs or gaps to fill (such as drafting a privacy notice or reviewing a contract) may pay an hourly rate, typically ranging from €150 to €350 per hour, or a flat project fee in the €5,000 to €20,000 range.

Ongoing Support or Fractional DPO Services

Some organizations opt for monthly retainers when they need ongoing support. These arrangements generally start around €2,000 to €5,000 per month and can scale up if the consultant is acting as your outsourced Data Protection Officer.

Comprehensive Programs With A GDPR Consultant

For a fully managed engagement that starts with a gap assessment and ends with full implementation, costs often range from €20,000 to €75,000, depending on complexity, the number of systems, and the international data transfers involved.

These may feel like hefty investments, but they are often modest compared to the alternative: in 2024 alone, regulators issued over €1.25 billion in GDPR fines across Europe, according to the European Data Protection Board's annual report.

A consultant helps lower the risk of fines, investigations, costly remediations, and the risk of losing customer trust. Ultimately, you’re paying for peace of mind, smoother operations, and a stronger reputation in a market where data protection is a must-have. 

How Does GDPR Relate To ISO 27001 and SOC 2?

GDPR is a law defining how organizations must handle personal data, while ISO 27001 and SOC 2 are voluntary frameworks designed to help organizations implement and demonstrate information security practices. 

They overlap in meaningful ways, and an experienced consultant will help you build out your information security practices in a way that addresses multiple requirements. 

At a high level, ISO 27001 requires companies to create an Information Security Management System (ISMS) that is continually improved and backed by risk assessments and documented controls. 

SOC 2 is an attestation that demonstrates whether an organization's controls meet some combination of the five SOC 2 Trust Services Criteria (security, availability, confidentiality, processing integrity, and privacy).

The overlap between GDPR and these two frameworks is not enormous, but still evident: 

What Are The Main Differences?

GDPR requires lawful bases for processing, Data Protection Impact Assessments, Article 30 records of processing activities, and mechanisms for cross-border transfers. None of these items are explicitly covered by ISO 27001 or SOC 2. ISO 27701, the privacy extension to ISO 27001, and the optional SOC 2 privacy criteria come closer, but neither is an attestation of GDPR compliance.

ISO 27001 demands the creation of an ISMS and a Statement of Applicability, which GDPR does not. SOC 2 is delivered as an attestation report covering either a point in time (Type I) or a defined period (Type II), whereas GDPR compliance is not established by a one-off audit report and must instead be demonstrated continuously.

What Are The Main Similarities?

GDPR’s requirement to secure personal data under Article 32 can align with ISO 27001 controls around risk management and access security, and with SOC 2’s criteria for system security. GDPR obligations around vendor contracts and data processing agreements tie directly into ISO 27001’s supplier management and SOC 2’s third-party control requirements. 

Breach response and notification, which GDPR requires within 72 hours of an organization becoming aware of a personal data breach (Article 33), also depend heavily on the incident response planning and evidence capture that ISO 27001 and SOC 2 require. Even concepts like data minimization and retention are reflected in the asset inventories and disposal practices required by both frameworks.

A GDPR consultant can work with you to help tie these threads together and map data flows to ISO 27001 asset registers, bolt data subject request workflows onto customer service processes, align incident response with GDPR’s reporting timeline, and standardize vendor agreements to cover both contractual and regulatory risks. 

Together, GDPR combined with SOC 2 and/or ISO 27001 creates a highly defensible posture that protects customer trust and reduces risk to your organization. 

Ready To Speak To A GDPR Consultant?

If compliance questions are slowing down deals, raising concerns with leadership, or leaving your team unsure of what comes next, it may be time to get expert support.

A GDPR consultant can help you move from uncertainty to clarity with a clear roadmap, tailored guidance, and hands-on implementation. Whether you need a one-time assessment or a long-term partner, working with a consultant gives you confidence that your data protection program can stand up to regulatory scrutiny and customer expectations alike. 

If you’re ready to take the next step, start the conversation today. The sooner you bring in the right expertise, the sooner you can shift GDPR from a burden into a competitive advantage. 

The attack surface has changed. Organizations rely on dozens of cloud apps, APIs, and third-party integrations, and attackers are already using AI to find and exploit weaknesses at machine speed. Demand for penetration tests is at an all-time high. This means pentesters need to arm themselves with new ways to get the job done to keep pace with AI attacks.

That’s why Rhymetec is partnering with XBOW, the world’s leading autonomous pentesting platform. Together, we bring clients a new standard of security:

“The threat landscape isn’t static. Attackers are already leveraging automation, and defenders must respond in kind. By partnering with XBOW, we can now give our clients the speed of autonomous testing with the human guidance and compliance expertise they trust Rhymetec for.” - Justin Rende, CEO, Rhymetec

“The rise of AI-powered offense demands that defenders move much faster, while also increasing the depth of their analysis. The solution is to automate all routine work with XBOW's autonomous AI hacker, so human experts can focus on the deep security design questions. This way, the human security team gains super powers, being able to move with unprecedented speed and depth. We're delighted to partner with the team of experts at Rhymetec, perfectly complementing XBOW to deliver a complete security solution.” - Oege de Moor, CEO, XBOW

What to Expect 

According to Verizon’s 2025 Data Breach Investigations Report, it still takes a median of five weeks for known flaws to be remediated, and nearly half of critical edge-device vulnerabilities remain unpatched. This lag time is untenable when adversaries are exploiting at AI speed.

With Rhymetec and XBOW, organizations gain the ability to:

For Startups and Growth-Stage Companies

For early-stage teams, every security decision feels like a trade-off between speed, cost, and credibility. With this partnership, startups no longer have to choose.

For Mid-Market and Enterprise Organizations

As organizations scale, so does the complexity of their attack surface — more applications, more integrations, and more pressure to deliver secure products without slowing down. Traditional testing simply can’t cover it all.

With XBOW and Rhymetec, security leaders get:

A Smarter Way Forward

Our combined approach blends autonomous agents that never tire with human experts who bring judgment, context, and compliance guidance. The result: faster closure of common vulnerabilities, stronger defenses against subtle flaws, and the confidence that your security program can keep pace with modern development velocity.


Your attack surface has changed. Your pentesting strategy should too.

👉 Contact Rhymetec to learn how AI-powered penetration testing with XBOW can strengthen your security program and accelerate compliance.



XBOW is an AI-powered penetration testing platform that scales offensive security in hours. Delivering human-level security testing at machine speed, XBOW helps organizations discover vulnerabilities before attackers can exploit them. Ranked as #1 on the HackerOne leaderboard in the U.S., XBOW was founded by the creators of GitHub Copilot and GitHub Advanced Security, and is backed by Sequoia and Altimeter.

Rhymetec is the trusted partner of over 1,500 organizations globally in all of their cybersecurity and compliance needs. Founded in NYC in 2015, Rhymetec delivers information security programs that are effective, compliant, and built to scale with your business. Our fully in-house team of dedicated vCISOs and seasoned penetration testers manages every phase of your cybersecurity and compliance journey, enabling you to focus on what matters most — growing your business.

Meet JT!

My name is JT Carney, and I grew up on Long Island, NY, for the majority of my life, before heading to Penn State University for undergrad. Sports have always been a big part of my life, and I like to stay active outdoors whenever I can. Since my NY Jets always disappoint, one of the highlights throughout college was getting to watch Saquon Barkley play for PSU Football.

After graduating, COVID brought everyone back home for a bit, so I spent a year on Long Island before moving into Manhattan, where I’ve been living for the past four years.



Tell us a surprising fact about yourself…

I’ve traveled to over 22 countries and counting. 

If you could have any superpower, what would it be?

Teleportation - I would love the ability to instantly connect with clients and prospects face-to-face anywhere in the world without having to travel. 

What are some things you enjoy doing outside of work?

Working out, golfing, fantasy football, and most importantly, traveling around the world and trying new restaurants! 

Tell us about your role at Rhymetec…

I’m an Account Executive, coming up on my 1-year Rhymetec anniversary this October. I support our go-to-market efforts by closing deals, building strong partner relationships, and driving growth into new markets.

Why did you pursue a career in the cybersecurity industry?

I previously worked at DTCC (Depository Trust & Clearing Corporation) in financial services, but shifted into the cybersecurity industry due to conversations with friends and family who work in the industry. During COVID, the need for cybersecurity increased significantly after most organizations shifted to WFH and cyber attacks became much more common.

I knew it was an industry that would exponentially grow and wanted to be part of an industry leading organization to protect against such attacks. My shift in career mostly stemmed from my passion for sales and wanting to generate revenue for an organization and be a part of something bigger.


What is your favorite part about working at Rhymetec, or in the cybersecurity industry?

My favorite part is the culture at Rhymetec and how fast cybersecurity is always evolving. I love working with a team that’s constantly growing, collaborating, and pushing each other to stay ahead of the curve. No two days are the same, and you’re always discovering new risks, technologies, and customer challenges.

What is your favorite quote or the best advice you have ever received?

“Seek first to understand, then to be understood.”

From a security or compliance perspective, what advice would you give to a potential client or SaaS business?

Businesses should start viewing compliance as an ongoing program, not a one-time project. It’s not just about passing an audit; it’s about building habits and processes that actually make your business more secure and easier to scale.


If you treat it like a box-checking exercise, you’ll always feel like you’re scrambling. By embedding security and compliance into day-to-day operations, you reduce risk, build customer trust, and avoid the fire drills that come when compliance is treated as a last-minute hurdle.



If your business works with or plans to work with the U.S. Department of Defense or its contractors, CMMC Level 3 may be a contractual requirement for your organization. Level 3 is the highest level of CMMC, and introduces a higher bar to show that your security program can adequately protect Controlled Unclassified Information (CUI). 

At Rhymetec, our vCISOs guide companies through compliance readiness every day. We’ve created this CMMC Level 3 Checklist to help you understand the CMMC Level 3 requirements, identify gaps in your current security program, and prioritize remediation efforts before your Level 2 C3PAO certification and your official government-led Level 3 assessment.

With the right planning, CMMC Level 3 can be achieved without derailing business growth or overloading your internal teams. If you are unsure of which level of CMMC you need, check out our CMMC Compliance Checklist for Level 2 and our CMMC Level 1 Checklist, or contact our team today for direct, tailored guidance for your organization.


CMMC Level 3 Compliance Checklist: What Are The Steps?

**The CMMC Level 3 Assessment Guide (v2.13) is released by the DoD’s CIO office and provides specific requirements and processes for assessment. Level 3 applies to a narrow subset of contractors working on high-sensitivity DoD programs involving advanced or unique CUI. Organizations should use our checklist as a reference, but also be sure to review the official rule and guide directly while preparing for assessments by DCMA DIBCAC. 

CMMC Level 3, also known as the “Expert” level, applies to organizations supporting DoD programs involving highly sensitive or mission-critical CUI. It combines the full set of 110 NIST SP 800-171 requirements with 24 additional safeguards selected from NIST SP 800-172.

CMMC Level 3 Requirements

Step 1: Reach CMMC Level 2 

Your organization must hold a Level 2 certification from a C3PAO assessment before pursuing Level 3; that certification confirms all 110 NIST SP 800-171 requirements are implemented. Once you have fulfilled your CMMC Level 2 checklist, the remaining Level 3 requirements are:

Step 2: Implement Necessary NIST SP 800-172 Controls

The next step is to implement selected NIST SP 800-172 controls. The DoD requires adding 24 additional controls from NIST SP 800-172, which are designed to protect CUI against advanced threats. Additionally, you will need to update your System Security Plan from Level 2 to describe how both the 110 base controls and the 24 additional controls are implemented.

Step 3: Defining Your Assessment Scope

Use the official Level 3 Scoping Guide to determine which CUI-bearing assets and surrounding systems are in scope, and confirm that unrelated systems (such as guest Wi-Fi or devices that never touch CUI) are excluded.

Step 4: Undergo A Government-Led Assessment

Level 3 requires a government-led assessment by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) every three years, plus an annual affirmation by the organization’s Affirming Official. The Level 2 (C3PAO) certification and its annual affirmation for the same scope must also be maintained. This leads us into Step 5:

Step 5: Maintain and Renew Your Certification

According to official DoD documentation, the certification requirements for CMMC Level 3 are as follows:

[Table: CMMC Level 3 Assessment Requirements. Source: U.S. Department of Defense]

Level 3 DIBCAC certifications must be renewed every three years, and organizations must also submit an annual affirmation of continued compliance.

CMMC Level 3 Checklist: Timelines 

The time required to meet CMMC requirements varies depending on your organization’s size, industry, and whether or not you already comply with NIST 800-171 or a similar framework. Below are timelines to show what an average organization can expect for Levels 1, 2, and 3. 

Working with a vCISO can streamline the process and fast-track you to audit readiness. Rhymetec works closely with trusted auditing partners and can connect you with them for your assessment. 

**Note: The following timeline assumes that the organization will start with a gap assessment and follow a typical implementation plan. Organizations that are already aligned with NIST 800-171 can generally proceed faster. 

CMMC Level 3 Timeline (9-12 Months)

  1. Gap Assessment and Planning: 1-2 Months
  2. Advanced Technical Controls and Procedural Controls: 6-7 Months
  3. Validation and Final Preparation For Your Assessment: 2-3 Months

**Note: Level 3 readiness can be accelerated if your organization has already implemented FedRAMP or other NIST-based frameworks. Organizations with complex cloud environments can require more time for controls such as segmentation and advanced logging. The support of a vCISO from the beginning can vastly speed things up!

What About Other Federal Regulations? FedRAMP and CMMC

Many organizations are unsure whether they need to meet CMMC, FedRAMP, or both:

"Being in a marketplace where we're working with a lot of cloud service providers and a lot of software application services, that's one of the most common questions we get. There are significant differences between the two frameworks, but there are also a lot of overlapping controls." - Metin Kortak, CISO at Rhymetec

CMMC applies to DoD contractors and subcontractors that handle FCI or CUI. Level 1 is based on the basic safeguarding requirements of FAR 52.204-21, and Level 2 maps directly onto the NIST SP 800-171 security requirements.

FedRAMP is designed for cloud service providers that offer IaaS, PaaS, or SaaS to federal agencies. It is based on NIST SP 800-53 and uses impact-level baselines (Low, Moderate, and High).

"If you are a cloud service provider and you are working with the Department of Defense, there is a likely chance you need to comply with both CMMC and FedRAMP. A lot of organizations in this position will choose to pursue FedRAMP first. If you comply with FedRAMP and you implement all of the controls, you're already implementing the majority of the controls you’ll need for CMMC. The remaining work for CMMC will be working with auditors and gathering documentation.” - Metin Kortak, CISO at Rhymetec

Both frameworks require foundational security measures, including access controls, incident response, and continuous monitoring. However, FedRAMP imposes a broader and deeper set of both technical and documentation requirements, especially around cloud-hosted services. 

The good news is there’s substantial overlap—especially at FedRAMP Moderate—but the organization is still responsible for meeting all NIST SP 800-171 Rev. 2 objectives across the CMMC scope. FedRAMP-authorized CSPs help, but you must still map, evidence, and assess controls for your environment.

Organizations that need both will often opt to do FedRAMP first, as they can then leverage that foundation to streamline CMMC compliance. For a deeper dive on the differences between these two federal frameworks (and how to determine which you need), check out our blog on CMMC vs. FedRAMP.

Advantages of Engaging A CMMC Consultant To Help Meet CMMC Level 3 Requirements (The Earlier, The Better!)

The higher levels of CMMC are complex. 

If you aren’t already compliant with the relevant NIST frameworks, compliance for Levels 2 and 3 will require implementing a large number of technical controls and the corresponding documentation. For many companies, it simply isn’t feasible to manage all of this internally.

This is where a virtual CISO (vCISO) comes in. A vCISO acts as a CMMC Consultant, working closely with your team to understand your environment and translating technical requirements into what you actually need to accomplish. 

In-House vs. Consultant Options For CMMC Compliance

Our vCISOs at Rhymetec support you throughout the entire CMMC preparation process. We conduct your gap assessment, carry out control implementation for the controls you need, finalize documentation, and serve as the main contact point for auditors on your behalf.   

**For information on our vCISO pricing options, check out our blog on vCISO pricing. 

Outsourcing the bulk of the work required for CMMC is helpful at any point in the compliance process, but is especially transformative during the initial stages. In our experience, especially partnering with startups to meet their compliance goals, working with a vCISO from the beginning allows you to turn an onerous process into a business enabler. 

An experienced vCISO will build a security program for your organization that not only meets CMMC requirements but scales as your business grows. They understand exactly how to structure your compliance program to enable you to more easily meet additional or future requirements in your industry, and can connect you to the best auditing partners in your space. Contact us today to learn more.


Partner For Success: Work With Rhymetec + An Accredited C3PAO 

Meeting CMMC requirements is a complex process.

The good news is that you don’t have to do it alone. Our partnership with industry leader A-LIGN, an accredited C3PAO, gives you access to both the security legwork needed to meet requirements as well as certified assessment services. 

Together, we help organizations prepare for CMMC with confidence. Whether you are just getting started or finalizing your readiness for an assessment, we’re here to support your compliance journey with security expertise and a trusted C3PAO partner. 

C3PAOs, accredited by the Cyber AB, are the only organizations authorized to perform third-party CMMC Level 2 certification assessments (Level 3 assessments are conducted by DCMA DIBCAC, as described above). Their involvement is essentially a must-have for any contractor aiming for Level 2 certification. Meanwhile, as a Registered Provider Organization (RPO), Rhymetec works hand-in-hand with A-LIGN to help you prepare for that assessment.

RPOs are approved to offer consulting and readiness support, and help you implement required controls, remediate gaps, and make sure your security practices and documentation align with CMMC standards. Together with A-LIGN, we are proud to offer this streamlined option for our clients.


About Rhymetec

Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We’ve worked with over 1,000 companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – growing their business. Contact us today to get started.

In our recent CMMC webinar, we joined forces with Vanta and A-LIGN to discuss the updated CMMC 2.0 and what organizations should be doing now to meet the requirements. Morgan Kaplan, Director of USG Strategy & Affairs at Vanta, moderated a lively discussion between Metin Kortak, Rhymetec CISO, and Matt Bruggeman, Director of Federal Sales at A-LIGN. 

This Rhymetec CMMC Compliance Checklist for CMMC Level 2 is directly based on their discussion and pulls in expert insights from the webinar. Check out the recording of the full webinar here.


First, What Is CMMC?

CMMC, or the Cybersecurity Maturity Model Certification, is the Department of Defense's approach to standardizing cybersecurity requirements across its supply chain. It protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring contractors (and many subcontractors as well) to meet security practices based on the type of work and data they handle.

As Rhymetec CISO Metin Kortak explained in our webinar:

"CMMC is a framework that's been developed by the US Department of Defense, and it really applies to anyone who's working with the Department of Defense and also processes, transmits, or stores controlled unclassified information. If you're processing that information and you're also working on direct contracts with the Department of Defense, or if you're one of their subcontractors, that means CMMC might apply to you." - Metin Kortak, CISO at Rhymetec

That scope includes contractors, manufacturers, software vendors, and cloud service providers that deal with DoD contracts even indirectly. This Rhymetec CMMC Compliance Checklist breaks down what's required and how to build a roadmap that aligns with contract timelines for CMMC Level 2. (If you need CMMC Level 1, check out our CMMC Level 1 Checklist).

You can also contact our team today and we'd be happy to walk you through everything you need to know. 


How Does The Updated CMMC Version 2.0 Differ From The Original Version 1.0?

CMMC 2.0 simplifies the framework while reinforcing its core goal to protect sensitive data within the Defense Industrial Base (DIB). The shift from Version 1.0 to 2.0 reflects feedback from industry stakeholders who found the original model extremely onerous to implement:

"CMMC 1.0 was quite strict and required organizations to go through many additional requirements outside of NIST 800-171. This made the process extremely difficult, especially for organizations that need to comply with other government compliance frameworks such as FedRAMP. Based on the feedback received, 2.0 is a less strict version of CMMC, while still maintaining the core security requirements.” - Metin Kortak, CISO at Rhymetec

CMMC 1.0 introduced five maturity levels and included additional practices and documentation beyond NIST 800-171. This generated a lot of confusion for subcontractors and SaaS providers, especially those also working toward FedRAMP.

CMMC 2.0 restructured the model around three levels and removed the CMMC-only practices and maturity processes. Level 1 corresponds to the basic safeguarding requirements of the Federal Acquisition Regulation (FAR) 52.204-21, Level 2 aligns with the 110 security requirements of NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172.

This change reduces redundancy and increases compatibility with other federal frameworks. With the updated version, CMMC consultants have seen renewed customer interest: 

"In the past, in terms of the requirements themselves, it's been more around NIST 800-171, plus a couple of other CMMC requirements. Recently, there have been updates to the CMMC framework. They've updated from Version 1.0 to 2.0. We've seen a lot of interest from our customers about this new version of CMMC." - Metin Kortak, CISO at Rhymetec

This renewed interest is likely because the assessment requirements have evolved. The new version maintains some elements of the previous requirements, but refines the role of C3PAOs (CMMC Third-Party Assessment Organizations):

"C3PAOs come in and assess you against the requirements, depending on the level that you're at. Our goal is to validate that the sensitive data is actually being protected, because looking historically at just relying on self-attestations to 800-171 for anybody within the supply chain has not been sufficient." - Matt Bruggeman, A-LIGN

In short, CMMC 2.0 is:

  1. Better aligned with existing industry standards.
  2. Highly adaptable to real-world constraints.
  3. More accessible for businesses supporting DoD missions.

Getting Started: Determining Which Level You Need and A Gap Assessment

Before you get started on working through your CMMC compliance checklist (for whichever level you need), it’s important to understand what type of data your organization handles. 

This will determine which certification level of CMMC applies to your business:

"The first thing is understanding what type of data you process. If you don't know that, working with a partner to help you determine that can be helpful, because that's going to help you figure out which level of compliance you're going to need to do for CMMC." - Metin Kortak, CISO at Rhymetec

Determining Which Type of Information Your Organization Handles

Two main types of information matter when it comes to CMMC:

  1. Federal Contract Information (FCI): Any information provided by or generated for the government under a contract that is not intended for public release. Examples include project timelines, internal communications, and organizational charts related to a DoD contract.
  2. Controlled Unclassified Information (CUI): More sensitive than FCI. This is information that the government has decided needs to be protected, but doesn’t meet classification levels such as “Secret” or “Top Secret”: 

“CUI is sensitive information that does not meet the criteria for classification but must still be protected. It is Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.”  - Department of Defense

Examples of CUI include software code related to defense programs, incident response reports, training content, documentation for DoD systems, and API guides that define how systems interoperate with DoD environments. 

So, which CMMC Level Do You Need?

Based on the type of data your organization handles, there are three levels of CMMC:

  1. Level 1 (Foundational): organizations that handle only FCI. Annual self-assessment against the basic safeguarding requirements of FAR 52.204-21.
  2. Level 2 (Advanced): organizations that process, store, or transmit CUI. The 110 NIST SP 800-171 requirements, assessed by a C3PAO (self-assessment is permitted only for a limited set of lower-risk programs).
  3. Level 3 (Expert): organizations supporting DoD programs with highly sensitive CUI. Level 2 plus 24 selected NIST SP 800-172 requirements, assessed by DCMA DIBCAC.

Getting Started: Conducting A Gap Assessment 

Once you’ve identified which level applies to your organization, the next step is a gap assessment.

"For the next step, at Rhymetec, we always start with a gap assessment. A gap assessment against the NIST 800-171 controls is a must-have…It helps you determine if you have any missing controls or if you have any gaps in your compliance, so you can start putting together a roadmap for completing the remaining controls." - Metin Kortak, CISO at Rhymetec

The aim is to compare your current environment against the required controls. This process tells you what needs to be done before you’re ready to self-attest or move into the certification phase. 

CMMC 2.0 also allows you to use a Plan of Action and Milestones (POA&M) to formally track missing controls and your plan for implementing them:

“In 2.0, CMMC came out with a final action and milestones plan. This document essentially allows you to create implementation plans for controls that are missing in your gap assessment, so that you can remediate these controls within a certain amount of time. This is also something you can work with third parties on or conduct your own self-assessment.” - Metin Kortak, CISO at Rhymetec

Next, we'll break down what you need to do for each level of CMMC: 

CMMC Compliance Checklist: What Are The Level 2 Requirements?

CMMC Level 2 applies to organizations that process, store, or transmit CUI as part of their work with the Department of Defense. This includes software vendors, MSPs, and subcontractors that handle technical data, system specifications, or any other sensitive project-related information:

"If you process CUI as part of your work in the supply chain of the DoD, that's where the Level 2 requirements come in. A majority of organizations that handle CUI will require a third-party audit and CMMC certification." - Matt Bruggeman, A-LIGN

Level 2 is based on the 110 security requirements in NIST SP 800-171, grouped into 14 families, including access control, configuration management, incident response, and audit and accountability. For the complete list of controls (with more technical detail), see the official NIST SP 800-171 documentation.

Below is a checklist with the main items broken down into three categories to give you an idea of what to expect:

1. Documentation and Assessment

Complete a full NIST SP 800-171A self-assessment (or third-party assessment).

This will show which controls your organization is missing or needs to improve, and form the foundation for remediation work needed for CMMC.

Develop a System Security Plan (SSP).

The SSP documents how your organization has implemented each NIST control and serves as the core evidence package when it comes time for your external assessment by a C3PAO.

Create a Plan of Action and Milestones (POA&M) for any discovered gaps.

The purpose of a POA&M is to outline the timelines and resources needed to remediate security control deficiencies you discovered during the self-assessment.

Submit or update your SPRS score.

The Supplier Performance Risk System (SPRS) score summarizes your NIST SP 800-171 self-assessment: 110 is the maximum, and points are deducted for each unimplemented requirement under the DoD Assessment Methodology. DoD contracting officers check it when evaluating vendor eligibility.

Document CUI data flows.

Mapping how CUI moves through your systems (and your vendors) is a core part of scoping your security boundary and making sure this is documented in your compliance program.
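The assess, SSP, POA&M, SPRS sequence above can be checked mechanically. The following Python is an added example written for this checklist, not Rhymetec's, the DoD's or SPRS's own code. It assumes the scoring shape of the DoD Assessment Methodology (each requirement weighted 1, 3 or 5; score = number of requirements minus the weight of each unimplemented one, so 110 is the maximum for the full catalogue) and the CMMC rule's Level 2 POA&M conditions as this editor understands them (a score of at least 88 of 110, only 1-point gaps deferrable to a POA&M, closure within 180 days of the assessment). The requirement weights and assessment statuses in the block are constructed samples, not the official table, and the thresholds should be verified against the current rule text before use.

```python
"""Score a NIST SP 800-171 self-assessment and derive a Level 2 POA&M.

Added example for this checklist, not Rhymetec's or the DoD's tooling.
Assumptions, to be verified against the current DoD Assessment Methodology
and the CMMC rule (32 CFR 170.21) before use:
  - every requirement carries a weight of 1, 3 or 5; the score starts at
    the number of requirements (110 for the full catalogue) and each
    unimplemented requirement subtracts its weight;
  - Level 2 conditional certification needs at least 80% of the maximum
    (88 of 110), only 1-point gaps may be carried on a POA&M, and the
    POA&M must close within 180 days of the assessment.
The weights and statuses below are constructed samples, not official values.
"""
import math
from datetime import date, timedelta

POAM_CLOSE_DAYS = 180
CONDITIONAL_FRACTION = 0.8  # 88/110 for the full catalogue

# Constructed sample: requirement ID -> point value (NOT the official table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.4.1": 5, "3.5.3": 5, "3.8.3": 5,
    "3.11.2": 5, "3.13.11": 5, "3.13.16": 1, "3.14.1": 5,
}

# Constructed sample self-assessment: requirement ID -> implemented?
SAMPLE_ASSESSMENT = {
    "3.1.1": True, "3.1.2": True, "3.1.20": False, "3.1.22": True,
    "3.3.1": True, "3.4.1": True, "3.5.3": False, "3.8.3": True,
    "3.11.2": True, "3.13.11": True, "3.13.16": False, "3.14.1": True,
}


def score_assessment(assessment, weights):
    """Return (score, gaps). score = len(weights) minus the weight of every
    requirement marked not implemented. Every catalogue entry must have a
    recorded status: a missing entry is a hole in the assessment, never an
    implemented control."""
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"no status recorded for: {', '.join(missing)}")
    unknown = sorted(set(assessment) - set(weights))
    if unknown:
        raise ValueError(f"not in catalogue: {', '.join(unknown)}")
    gaps = sorted(r for r, ok in assessment.items() if not ok)
    score = len(weights) - sum(weights[r] for r in gaps)
    return score, gaps


def level2_readiness(assessment, weights, assessed_on):
    """Classify the assessment as 'final' (no gaps), 'conditional' (score
    meets the threshold and every gap is POA&M-eligible) or 'not ready',
    and return the POA&M split plus its closure deadline."""
    score, gaps = score_assessment(assessment, weights)
    threshold = math.ceil(CONDITIONAL_FRACTION * len(weights))
    poam = [r for r in gaps if weights[r] == 1]      # may be deferred
    blocking = [r for r in gaps if weights[r] > 1]   # must be fixed first
    if not gaps:
        status = "final"
    elif score >= threshold and not blocking:
        status = "conditional"
    else:
        status = "not ready"
    return {
        "score": score,
        "threshold": threshold,
        "status": status,
        "poam": poam,
        "blocking": blocking,
        "poam_due": assessed_on + timedelta(days=POAM_CLOSE_DAYS),
    }


if __name__ == "__main__":
    assessed = date(2025, 9, 15)
    # The unremediated MFA gap (3.5.3, a 5-point requirement) blocks
    # conditional status even though the two 1-point gaps could be deferred.
    print(level2_readiness(SAMPLE_ASSESSMENT, SAMPLE_WEIGHTS, assessed))
    # After MFA is implemented only 1-point gaps remain: conditional,
    # with the POA&M due 180 days after the assessment date.
    fixed = {**SAMPLE_ASSESSMENT, "3.5.3": True}
    print(level2_readiness(fixed, SAMPLE_WEIGHTS, assessed))
```

The two runs at the bottom show why the POA&M is not a catch-all: a single 5-point gap such as MFA keeps the organization at "not ready" regardless of how high the score is, while the 1-point gaps can be tracked on the POA&M with a concrete closure date that the SSP and SPRS submission should both reference.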

2. Core Implementation Areas

Access Control.

Enforce measures to include least privilege and MFA, and manage privileged accounts.

Awareness and Training.

Make sure users and administrators receive role-based security awareness training, including on recognizing insider threat indicators.

Audit and Accountability.

Retain records and review logs for anomalies.

Configuration Management.

Establish secure baseline configurations, maintain an inventory of in-scope CUI systems, and enforce change control procedures.

Identification and Authentication.

Make sure your organization is using strong authentication mechanisms and unique IDs for users.

Incident Response.

Create an incident response plan if your organization doesn't already have one, and test it.

Maintenance.

Track system maintenance activities.

Media Protection.

Create policies to limit and monitor removable media and sanitize storage before reuse.

Personnel Security.

Screen employees before granting access to CUI, and remove access promptly on termination or transfer.

Physical Protection.

Restrict physical access to systems and facilities handling CUI.

Risk Assessments.

Perform risk assessments and remediate vulnerabilities.

Security Assessment.

Conduct internal control testing and prepare for external audits.

System and Communications Protection.

Implement boundary defenses and encryption for CUI in transit.

System and Information Integrity.

Deploy endpoint protection, malware monitoring, and regular patching.

3. Third-Party Certification

Most organizations at Level 2 will be required to undergo an audit by a CMMC Third Party Assessment Organization (C3PAO). 

Some contractors (specifically, those working on lower-risk programs) might be permitted to self-attest for Level 2, but this is an exception.

C3PAOs validate the implementation of the 110 controls. Generally, you can expect them to conduct technical testing, interview your staff, and verify documentation. 

Preparing for Level 2 requires an enormous amount of coordinated effort across technical and operational domains. Working with a CMMC Consultant can vastly streamline the process for you.


CMMC Compliance Checklist: Level 2 Timelines 

The time required to meet CMMC Level 2 requirements varies depending on your organization’s size, industry, and whether or not you already comply with NIST 800-171 or a similar framework. 

Below are timelines to show what an average organization can expect for CMMC Level 2.

**The following timeline assumes that the organization will start with a gap assessment and follow a typical implementation plan. Organizations that are already aligned with NIST 800-171 can proceed faster. 

CMMC Level 2 Timeline (6-8 Months)

Gap Assessment and Planning (1-2 Months)

Control Implementation (3-4 Months)

Documentation and Internal Validation Prior to Audit (1 Month)

C3PAO Audit (1 Month)

**Note: A vCISO can streamline the process and fast-track you to audit readiness. Rhymetec works closely with trusted auditing partners and can connect you with them for your assessment. 


Advantages of Engaging A CMMC Consultant (The Earlier, The Better!)

The higher levels of CMMC are complex. 

If you aren’t already compliant with the relevant NIST frameworks, compliance for Level 2 will require implementing a large number of technical controls and the corresponding documentation. For many companies, it simply doesn’t make sense to try to manage all of this internally.

This is where a virtual CISO (vCISO) comes in. 

A vCISO works closely with your team to understand your environment and translates CMMC requirements into what you actually need to accomplish. 

Our vCISOs at Rhymetec support you throughout the entire CMMC preparation process. We conduct your gap assessment, carry out control implementation for the controls you need, finalize documentation, and serve as the main contact point for auditors on your behalf.   

**For information on our vCISO pricing options, check out our blog on vCISO pricing. 

Outsourcing the bulk of the work required for CMMC is helpful at any point in the compliance process, but is especially transformative during the initial stages. In our experience, especially partnering with startups to meet their compliance goals, working with a vCISO from the beginning allows you to turn an onerous process into a business enabler. 

In-House vs. Consultant Options For CMMC Compliance

An experienced vCISO will build a security program for your organization that not only meets CMMC requirements but also scales as your business grows. They understand exactly how to structure your compliance program so that you can more easily meet additional or future requirements in your industry, and they can connect you to the best auditing partners in your space.

Partner For Success: Work With Rhymetec + An Accredited C3PAO 

Meeting CMMC requirements is a complex process.

The good news is that you don’t have to do it alone. Our partnership with industry leader A-LIGN, an accredited C3PAO, gives you access to both the security legwork needed to meet requirements as well as certified assessment services. 

Together, we help organizations prepare for CMMC with confidence. Whether you are just getting started or finalizing your readiness for an assessment, we’re here to support your compliance journey with security expertise and a trusted C3PAO partner. 


C3PAOs are the only organizations authorized by the CyberAB to perform official CMMC assessments. Their involvement is essentially a must-have for any contractor aiming for certification. Meanwhile, as a Registered Provider Organization (RPO), Rhymetec works hand-in-hand with A-LIGN to help you prepare for that assessment. 

RPOs are approved to offer consulting and readiness support, and help you implement required controls, remediate gaps, and make sure your security practices and documentation align with CMMC standards. Together with A-LIGN, we are proud to offer this streamlined option for our clients. Contact us today to learn more.

Over 80% of breaches involve weak or misused credentials, according to Verizon’s Data Breach Investigations Report. Credential misuse is a clear example of a risk that is both a security risk and a compliance risk, as it affects everything from the efficacy of your cybersecurity program to compliance audits, contracts, and revenue.

For federal contractors handling Federal Contract Information (FCI), CMMC Level 1 directly addresses this risk and other pressing ones. Level 1 is designed to encourage basic cyber hygiene, and outlines 15 controls that help safeguard sensitive data and maintain eligibility for federal contracts.

In this blog post, we will go over a CMMC Level 1 checklist and requirements, starting with which types of organizations Level 1 applies to:  

Government contractors, subcontractors, and suppliers in the federal supply chain that handle FCI (Federal Contract Information) likely fall into CMMC Level 1. This tier is designed for contractors and subcontractors working with the Department of Defense that, for example, don't store or process sensitive technical data but still have access to basic contract details.

CMMC Level 1 has 15 requirements. Your organization must meet these 15 requirements and self-attest against them each year. The requirements fall under basic safeguarding practices and are derived from the Federal Acquisition Regulation (FAR) 52.204-21.

Below is our CMMC Level 1 Checklist, starting with the gap assessment process and then walking you through the 15 requirements that need to be addressed: 

Getting Started - CMMC Level 1 Checklist: Gap Assessment

"At Rhymetec, we always start with a gap assessment. A gap assessment against the NIST 800-171 controls is a must-have…It helps you determine if you have any missing controls or if you have any gaps in your compliance, so you can start putting together a roadmap for completing the remaining controls." - Metin Kortak, Rhymetec

The aim is to compare your current environment against the required controls. This process tells you what needs to be done before you’re ready to self-attest or move into the certification phase. 

CMMC 2.0 also allows you to use a Plan of Action and Milestones (POA&M) to formally track missing controls and your plan for implementing them:

“In 2.0, CMMC came out with a final action and milestones plan. This document essentially allows you to create implementation plans for controls that are missing in your gap assessment, so that you can remediate these controls within a certain amount of time. This is also something you can work with third parties on or conduct your own self-assessment.” - Metin Kortak, Rhymetec

Next, we'll break down what you need to do to meet the requirements of CMMC Level 1.

CMMC Level 1 Checklist


If your organization handles only FCI and not CUI, then CMMC Level 1 likely applies to you. 

"If you're only handling FCI and not CUI, you fall into Level 1. Level 1 is an order of magnitude less involved than Level 2. It actually only has 15 requirements that are heavily aligned with a subset of the NIST 800-171 framework. You must meet these 15 requirements, and then you just need to self-attest against them each year." - Matt Bruggeman, A-LIGN

This tier is designed for contractors and subcontractors working with the Department of Defense that, for example, don't store or process sensitive technical data but still have access to basic contract details. The 15 requirements fall under basic safeguarding practices, are derived from Federal Acquisition Regulation (FAR) 52.204-21, and map to a subset of NIST 800-171, Rev. 2.

Below are the 15 action items you need to address for CMMC Level 1, divided into clear sections based on our expert advice. 

*For a full list of these items with a greater level of technical detail, see the official FAR 52.204-21 documentation.

Access Control

1. Limit system access to authorized users.

To reduce the risk of unauthorized exposure of data, only users with a business need should be able to log in to systems that store or process FCI. 

In practice, this means action items such as setting up role-based access control, implementing identity and access management (IAM) tools, and regularly auditing user access to remove accounts that are no longer needed.

These types of security measures entail broader business benefits, as they reduce the risk of insider threats and limit the extent of potential damage in case of compromised credentials.

2. Limit system access to authorized devices.

Even if a user is authorized, their device might not be without the proper controls.

All laptops and mobile devices connected to your systems should be managed to prevent untrusted endpoints from introducing threats. Implementing mobile device management (MDM) or endpoint detection and response (EDR) solutions is the industry-standard way to accomplish this.

3. Control access to system functions (e.g., user roles).

Users should only be able to perform actions appropriate for their job (such as admin tasks being restricted to IT staff). It is critical to define roles and assign permissions accordingly, and restrict admin rights to select personnel. 

These measures vastly minimize the risk of unauthorized changes or even accidental misconfigurations being made.

4. Verify and control connections to external systems.

Any systems that link with a third party (such as a cloud storage provider or file-sharing services) can become gateways for data leaks. As such, they must be reviewed and approved to prevent unauthorized data transfers. 

Organizations can accomplish this by maintaining an inventory of all third-party connections, reviewing and approving integrations before use, and monitoring data flow between internal systems and external services. This serves to protect against data loss via insecure APIs or file-sharing platforms.

Identification and Authentication

5. Require user identification before granting system access.

Every action should be traceable to an individual. 

Action items to accomplish this objective include assigning unique user IDs to all personnel, eliminating any shared accounts, and enabling logging to tie activity back to specific users. 

This step has clear business value: it creates accountability and aids forensic investigation in case of an incident.

Media Protection

6. Sanitize or destroy media containing FCI before disposal.

Leaving data on discarded devices is a common but extremely preventable risk.

Simply establishing a process to wipe drives using certified tools, physically destroy storage devices when decommissioned, and document sanitization or destruction (for audit purposes) accomplishes this and prevents data leakage from improperly discarded hardware.

7. Protect FCI stored on removable media and external drives.

Portable storage can create unique risks when used off-site, and it’s critical to protect data in the event devices are lost or stolen.

Avoiding the use of removable media altogether is the best way to circumvent this risk entirely, but if your organization has to use removable media, you should be encrypting USB drives and external hard drives and locking physical storage devices when not in use.  

Physical Protection

8. Limit physical access to systems storing or processing FCI.

Unauthorized individuals shouldn’t be able to walk up to a server or terminal. 

Acceptable measures to fulfill this requirement under CMMC Level 1 include using keycards, biometric access, or badge systems, monitoring entry points with surveillance, and keeping visitor logs. All of these measures greatly reduce the risk of physical tampering and/or data theft.

System and Communications Protection

9. Monitor and control communications at system boundaries.

Network traffic needs to be inspected and controlled to catch threats early. 

Firewalls and intrusion detection tools monitor traffic entering or leaving your network and block suspicious activity, and setting up logging and alerting for traffic anomalies clues you in to threats early on.

10. Implement boundary protections such as firewalls and filters.

Network segmentation can both contain threats and reduce their impact. 

Actions such as applying email filters and web proxies, enforcing traffic rules between zones, and creating VLANs to isolate sensitive systems will limit the blast radius of a breach and keep attackers from causing further harm.

11. Use cryptographic methods when transmitting FCI.

Sensitive data in transit needs to be protected from being intercepted. The recommended controls around this are enforcing TLS for all network communications, using secure transfer protocols, and encryption.

Encryption For CMMC

System and Information Integrity

12. Identify system flaws (e.g., patches) and manage them.

Outdated systems are prime targets for attackers. This is why it is crucially important to keep systems up to date by applying security patches regularly.

For CMMC Level 1, organizations accomplish this by prioritizing critical updates, applying patches on a schedule with a documented process, and regularly checking for software updates.

13. Take steps to protect against malicious code, such as antivirus.

Malware can compromise systems and exfiltrate data. To combat this risk, deploying anti-malware tools to block viruses and other threats that could compromise FCI is the industry-standard step.

14. Monitor system activity for security events.

Without visibility, threats can go undetected for months. It’s crucial to set up a way to track system logs in order to detect unusual behavior that could indicate a breach or misuse. To accomplish this, organizations often implement a SIEM platform, or other tools to monitor for suspicious behavior. 
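Whether the logs land in a SIEM or in a script, the detection logic for the credential-misuse risk mentioned at the top of this post is the same: count failed logins per source over a short window and pay special attention when a success follows a burst of failures. The code below is an added example for this article, not Rhymetec's or any vendor's detection content. It parses constructed OpenSSH-style auth log lines (the IP addresses are from documentation ranges) and raises alerts; the five-failures-in-ten-minutes threshold is an assumed value you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines for this example (not real logs).
SAMPLE_LOG = """\
2026-04-07T10:00:01Z sshd[4011]: Failed password for alice from 203.0.113.5 port 51234 ssh2
2026-04-07T10:00:03Z sshd[4011]: Failed password for alice from 203.0.113.5 port 51235 ssh2
2026-04-07T10:00:05Z sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2026-04-07T10:00:07Z sshd[4013]: Failed password for alice from 203.0.113.5 port 51237 ssh2
2026-04-07T10:00:09Z sshd[4014]: Failed password for alice from 203.0.113.5 port 51238 ssh2
2026-04-07T10:00:12Z sshd[4015]: Accepted password for alice from 203.0.113.5 port 51239 ssh2
2026-04-07T10:05:00Z sshd[4020]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2026-04-07T10:30:00Z sshd[4021]: Accepted publickey for bob from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Turn raw lines into (timestamp, outcome, user, source) tuples; skip unmatched lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events

def detect_credential_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once when a source reaches `threshold` failures inside `window`, and again
    if that source then succeeds while the failures are still inside the window.
    Threshold and window are assumed tuning values, not from the article."""
    alerts = []
    failures = defaultdict(list)  # source -> failure timestamps still inside the window
    for ts, outcome, user, src in sorted(events):
        if outcome == "Failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) == threshold:   # fires once, when the count first hits the bar
                alerts.append({"src": src, "type": "burst of failed logins",
                               "count": threshold, "at": ts})
        else:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:   # the stronger signal: success after a burst
                alerts.append({"src": src, "type": "success after repeated failures",
                               "user": user, "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_credential_attacks(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

On the sample input only 203.0.113.5 trips the detector: five failures in eight seconds, then an accepted password for the same user, which is the case worth an immediate review of that account. The single failure from 198.51.100.9 followed by a key-based login half an hour later stays quiet, which is the behaviour you want so that analysts are not chasing ordinary typos.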

15. Perform periodic system scans and take corrective action. 

Running regular vulnerability scans to detect weaknesses and applying fixes or updates as needed to keep systems secure is something every organization should be doing. The business value of this last control is keeping your security posture strong and supporting audit readiness.

CMMC Level 1 Checklist: Self-Attestation For CMMC Level 1

Unlike Level 2 and Level 3, Level 1 does not require a third-party assessment. 

Instead, your organization must self-attest annually that it meets all 15 practices. That attestation must come from a senior company official and be submitted through the Supplier Performance Risk System (SPRS).

Most organizations will need to document the following for Level 1:

Although Level 1 is far less resource-intensive than Level 2 or 3, that doesn’t mean that accountability is any less important! Contractors who don’t meet these requirements can face contract risks.

Here is how long you can anticipate CMMC Level 1 to take:

CMMC Level 1 Timeline

Partner For Success: Work With An Accredited C3PAO

Meeting CMMC requirements is a complex process, even for Level 1. 

The good news is that you don’t have to do it alone. Our partnership with industry leader A-LIGN, an accredited C3PAO, gives you access to both the security legwork needed to meet requirements as well as certified assessment services. Working with trusted partners speeds up the timeline for CMMC.

Together, we help organizations prepare for CMMC with confidence. Whether you are just getting started or finalizing your readiness for an assessment, we’re here to support your compliance journey with security expertise and a trusted C3PAO partner. 

If you need to go beyond self-assessment, C3PAOs are the only organizations authorized by the CyberAB to perform official CMMC assessments. Their involvement is essentially a must-have for any contractor aiming for certification. Meanwhile, as a Registered Provider Organization (RPO), Rhymetec works hand-in-hand with A-LIGN to help you prepare for that assessment.

RPOs are approved to offer consulting and readiness support, and help you implement required controls, remediate gaps, and make sure your security practices and documentation align with CMMC standards. 

Together with A-LIGN, we are proud to offer this streamlined option for our clients. Contact us today to get started.