Independent compliance program governance for defense contractors and subcontractors operating under DFARS, CMMC, and the supply-chain attestation regimes that did not exist a decade ago and now define survival.
THE INDUSTRIAL BASE REALITY
The defense industrial base operates under a compliance regime that did not exist a decade ago and now defines survival. CMMC 2.0 finalized into 32 CFR Part 170 in late 2024. NIST 800-171 r3 is on the runway. The DOJ Civil Cyber-Fraud Initiative is producing eight-figure settlements. Cyber insurance underwriters are tightening exclusions. Supply-chain visibility expectations push deeper every cycle. Sentinel governs the compliance program. We never assess our own work.
220K+ defense industrial base companies in scope under CMMC 2.0 across Levels 1, 2, and 3
110 NIST 800-171 controls a Level 2 contractor must implement, evidence, and sustain
3-year recertification cycle for CMMC Level 2 prioritized acquisitions through C3PAO assessment
$9M Aerojet Rocketdyne settlement that established the False Claims Act framework for cyber-fraud enforcement
CHALLENGE
CMMC 2.0 finalized into 32 CFR Part 170 in late 2024, and contracts began incorporating it through 2025. NIST 800-171 r3 is on the runway. The DOJ Civil Cyber-Fraud Initiative has produced settlements in the eight-figure range, with whistleblower attorneys actively recruiting cases. Cyber insurance underwriters are tightening exclusions. The supply-chain visibility expectations from Section 1633 NDAA push deeper every cycle. Most consultancies in this market position as assessors. Sentinel governs the compliance program. We never assess our own work. The independence is the differentiator.
THE PRESSURES
These are the structural pressures we hear from CISOs, compliance officers, and program managers across primes, mid-tier subcontractors, and the small businesses still deciding whether the DIB is worth the cost. Sentinel’s role is to help your organization navigate them with documentation that survives audit, regulator, and attorney.
32 CFR Part 170 went effective late 2024; phased contract incorporation began Q4 2024 and Q1 2025. Full incorporation projected to phase across roughly three years. Companies waiting for the rule to settle are watching contracts pass to competitors who started the work earlier. The runway has shortened.
Aerojet Rocketdyne, Penn State, MORSE. Settlements continue. Whistleblower attorneys are actively recruiting cases. The legal framework treats false NIST 800-171 self-attestation as a False Claims Act violation, with treble damages exposure. The compliance documentation is also the FCA defense.
NIST published 800-171 r3 in May 2024. DoD has signaled a likely delayed mandate, but the changes are substantial: restructured control families and additional emphasis on Identity, Cryptography, and Supply Chain. Companies that plan early reduce remediation churn. Companies that wait will repeat their Level 2 work.
Carriers are increasingly asking for CMMC compliance documentation as a renewal gating factor. Some are excluding cyber-event coverage where attestation gaps are documented. The compliance program is also the insurance posture.
Section 1633 NDAA and parallel DoD guidance push prime contractors to demonstrate flow-down compliance through multiple sub-tiers. The vendor-questionnaire approach most primes used five years ago is no longer adequate. Documented good-faith flow-down is the new bar.
CISA advisories name the DIB as a priority target, and pre-positioning campaigns are documented. The compliance regime is partially a defense investment, partially a regulatory posture, and partially a threat-actor deterrent. All three apply at the same time.
Sentinel’s DIB approach is built on a structural principle most consultancies blur: we are never the assessor. We do the pre-assessment, the implementation, the remediation, and the ongoing governance. We do not also do the C3PAO assessment that determines whether your work passed. Conflict-of-interest rules in the Cyber AB community prohibit it. Common sense reinforces it. Four principles follow.

Sentinel does not seek C3PAO authorization. We will not assess your environment for the certification record. We will help you prepare for the assessment a C3PAO conducts, and we will help you remediate findings the C3PAO surfaces. Independence between pre-assessment and assessment protects everyone.
The body of evidence we produce is structured under the assumption that a DOJ inquiry, a whistleblower complaint, or a DIBCAC follow-up could review it. The decision records, the implementation rationale, and the change history are all retained at FCA-discovery grade. This is the defensive posture compliance work demands now.
Sentinel does not resell GRC platforms, security tools, or compliance-as-a-service offerings. We do not partner with them. We do not take referral fees. The platform recommendation you get is the recommendation we would make if it were our own compliance program.
Our governance work documents what we find and surfaces evidence. It does not become a party to disputes between you and your C3PAO, between you and DOJ inquiry, or between you and your prime’s compliance officer. Sentinel documents, never litigates.
CORE CAPABILITIES
Every engagement is anchored in six disciplines that protect contractors from bad implementations, weak documentation, and the False Claims Act exposure that follows attestation gaps.
Independent oversight of multi-quarter or multi-year CMMC, NIST 800-171, and NIST 800-172 implementation programs. Phase gates aligned to assessment-readiness milestones. Decision records that survive change of management, change of CISO, and the long arc of compliance survival.
Documented adequacy review for the GRC platform, the security tooling, the documentation system, the change-management workflow, and every other technology decision a compliance program requires. We do not resell any of them. The buyer’s voice in vendor-side meetings.
The documentation grade comes from public-safety, government, and critical-infrastructure environments where every decision becomes a public record. State auditor, OIG, GAO, FOIA. The documentation grade is the same one a DOJ inquiry demands. The pedigree maps directly into DIB compliance.
Translating NIST 800-171 / 800-172 control intent into platform configuration. The team that owns “is this how AC-2 should actually behave?” decisions when the GRC platform vendor and the security team are not aligned.
Body-of-evidence preparation aligned to NIST 800-171 / 800-172 control catalog. Documentation that survives a C3PAO assessment, a DIBCAC inquiry, a customer security questionnaire, or a DOJ FCA discovery process.
Documenting whether the implemented controls are operating as designed in the months after assessment day. Findings advisory and non-binding. Critical for the long arc of recertification and the defensive posture against FCA exposure.
Most CMMC firms position around point-in-time assessment readiness. Sentinel positions around the multi-regime stack as a whole, with the four practices as the load-bearing structure that holds across CMMC level changes, NIST 800-171 r3 transition, and the next regulatory inflection nobody has named yet.
The levels keep rising. We keep the floor stable.
Each addresses a specific decision or program burden contractors face under CMMC, NIST 800-171, and DFARS clause flow-down. All are governed by the SVA standard: findings advisory, non-binding, documentation grade defensible against DOJ FCA inquiry.
A 60-to-90-day fixed-fee engagement producing CMMC Level 2 readiness. Includes gap analysis against all 110 NIST 800-171 controls, prioritized remediation roadmap, evidence-package buildout, and a mock assessment with C3PAO-aligned scoring methodology. Independent of any C3PAO firm. No incentive to inflate gaps.
Multi-quarter retainer-based engagement for contractors who need ongoing compliance program governance. Includes control implementation guidance, body-of-evidence build, change management as the environment evolves, periodic posture reviews, and SPRS score management. Built for the long arc of compliance survival.
Targeted at primes and large mid-tier contractors managing CMMC flow-down to subcontractors. Includes flow-down clause review, sub-tier risk assessment methodology, vendor questionnaire design, attestation tracking, and supply-chain illumination per Section 1633 NDAA requirements. Documents the prime’s good-faith compliance flow-down for DOJ FCA defense.
OUR PRACTICES
Every Sentinel engagement draws on the practices that match the program’s stage. We bring them in proportionally; we never sell the whole stack when only part of it earns its keep.
PROGRAM MANAGEMENT
How we govern your program.
Program execution discipline for installation IT modernization across multi-year capital programs. Phase gates that survive Installation Commander rotations, change of contractor, and budget fluctuation. Decision logs that survive Service-level program reviews and IG inquiries.
CHANGE MANAGEMENT
How we prepare your operators.
Operator readiness for new public-safety technology fielding on installations. Dispatcher transition training, MP/SF system rollouts, F&ES system updates, BWV program launches. The rhythms that determine whether the new system actually works on day one of operation.
CONFIGURATION AUTHORITY
How we own the configuration.
Configuration authority for the installation public-safety stack. Translating installation-specific operational SOPs into platform configuration. The team that owns “is this how the dispatcher’s CAD should behave during a base-wide alarm activation?” decisions.
VALUE ASSURANCE
How we prove the mission outcome.
Independent governance documenting whether the installation’s PS-technology investments are delivering operational outcomes: response times, system availability, audit readiness, mutual-aid responsiveness. Findings advisory and non-binding. Critical for command-level briefings and IG inquiries.
After engagement closes, Sentinel Sustain keeps the practice active across the life of the investment. Three tiers: Core, Active, and Strategic.
DEEP EXPERTISE
Sentinel’s DIB bench is rooted in cross-domain compliance fluency, audit-grade documentation discipline, and the program governance experience that bridges control implementation with sustained operation. CMMC community credentials for the bench are in flight; the firm-level governance discipline is operational today.
WE KNOW THE TRICKS
The CMMC compliance market is crowded and uneven in quality. The same vendor playbook that ran on healthcare HIPAA compliance and on PCI-DSS compliance is running again here. Here is what we look for, before the contract is signed.
01
Vendor pitches a turnkey CMMC compliance solution. Buy the platform, satisfy all 110 controls. The reality is that controls require operational implementation, not just platform deployment. The platform automates documentation; it does not automate operational compliance. Six months in, the C3PAO finds the gaps. We test the operational implementation, not the platform deployment, before the assessment is scheduled.
02
A C3PAO firm offers remediation consulting alongside their assessment practice. The Cyber AB community prohibits the same firm from doing both on the same client. Some firms blur the line through affiliated entities, sister organizations, or transitional engagement structures. We require structural separation in writing before any engagement begins.
03
Vendor encourages a contractor to self-attest at Level 2 when the contract permits it, on the theory that a C3PAO assessment can wait. The reality is that self-attestation creates the same FCA exposure as a third-party assessment, and the contractor carries the entire defense burden. We model the FCA risk profile against the contract requirement before the attestation is filed.
04
Prime contractor pushes CMMC flow-down to subcontractors with a generic clause and a vendor questionnaire. Section 1633 NDAA expectations have moved past this. DOJ inquiries into the prime can reach into sub-tier compliance evidence. We design flow-down with documentation that meets the new bar before the next contract cycle.
05
Vendor sells the initial CMMC implementation at a low cost-per-control, then prices the recertification at three times the original. The contractor, having committed to the vendor architecture, has limited leverage. We model TCO across the full recertification cycle, not just the initial assessment, before the platform commitment is signed.
WHO YOU ARE WORKING WITH
The people on the other side of every Sentinel DIB engagement have run compliance programs in environments where every record was discoverable the day it was created. The bench is built around audit-grade documentation discipline, multi-system program governance, and cross-domain compliance fluency. Where the bench has gaps, we name them, and we name what is in flight.

Justin co-founded Sentinel after a career running technology programs in environments where compliance documentation IS the product. State government, county operations, law-enforcement agencies. The audit-grade documentation discipline he applies to DIB compliance is the same one he applied to systems where every record was discoverable the day it was created.

Jason co-founded Sentinel after sitting on every side of the technology-program table. Vendor, integrator, program office, operator. His practitioner-grade perspective on multi-system program governance is what shaped Sentinel’s vendor-neutral standard. The same wrench-carrying credibility he brought to PSAP modernizations applies to CMMC compliance program governance.

Sentinel rotates senior compliance practitioners onto DIB engagements based on the program stage and regulatory regime. The bench is being built around former DIBCAC and DCMA cyber leadership, with RPA credentials in flight. Composition is documented in the engagement letter; bench gaps are named, never hidden.
Also Supporting Your Program
The right engagement depends on where your organization is in the compliance arc, what your existing compliance bench looks like, and what your customer or prime is asking you to demonstrate. Each subscription has a clear scope, deliverable structure, and exit point. Subscriptions stack.
Managed Technology Subscription
End-to-end managed operations for the compliance platforms Sentinel helped you stand up. Sustainment, vendor coordination, evidence-trail maintenance, version-upgrade discipline, and incident response. The compliance posture is still defensible at the next prime audit because someone is still accountable for it.
The organization needs ongoing operations of a Sentinel-built compliance program; the cost of an attestation lapse exceeds the cost of in-house compliance ops; or the prime relationship demands continuous accountability.
We govern the operation. We never sell the platforms.
Retained Governance & Advisory
Ongoing retainer with quarterly governance reviews, pre-decision advisory, and an open line for prime escalation, DCMA inquiry response, and vendor accountability. The organization has independent counsel on the compliance and technology side of the table, every cycle.
The organization holds a multi-year compliance posture; the prime relationship is mission-critical; or the next assessment, re-attestation, or contract recompete is already on the calendar.
Sentinel documents. We do not litigate.
Anchored to a Signature Practice or Defined Deliverable
Anchored to one of SDF, SRM, SDB, or SVA, or to a single defined deliverable: CMMC Level 2 Pre-Assessment Sprint, NIST 800-171/172 Implementation Program, or Supply-Chain Attestation Support. Fixed scope, named practice or deliverable, defined timeline.
The compliance program need is well-defined and wants a contained, scope-bounded engagement that produces a defensible compliance file before assessment day.
Independent. Practitioner-led. Vendor-neutral.
Specialized Services + Practice + Sentinel Institute
A specialized service plus a signature practice plus Sentinel Institute training combined into a tailored compliance program. Best when the team needs to learn the discipline as the discipline is being applied, particularly during initial CMMC scoping or major posture rebuild.
The organization is building compliance capability from scratch and wants the institutional capacity to operate it without ongoing external dependency.
Cutting-edge. Never bleeding-edge.
READY WHEN YOU ARE
Tell us where you are in the compliance arc. Pre-assessment, in remediation, post-assessment, or planning for recertification. We will tell you honestly whether Sentinel is the right fit, or recommend someone better if we are not. The conversation costs nothing. The decision costs less when an independent voice is in the room.