3.1 · AC · 22 Controls
Access Control
StandFast enforces Zero Trust access architecture — every user, device, and connection is verified before access is granted, regardless of where they're connecting from. Certificate-based authentication replaces password-only access. Role-based permissions ensure users have exactly what their role requires, nothing more. Remote access is encrypted, authenticated, and monitored.
What this means for you: No more shared admin credentials, over-permissioned users, or blind spots on who accessed what. Access is controlled, logged, and reviewable.
3.2 · AT · 3 Controls
Awareness & Training
The StandFast Learn portal — the site you're on right now — is our answer to this domain. Doc-U-Chunk, the Glossary, the Self-Assessment, and the Controls Tracker exist to build genuine security awareness across your team. Not a once-a-year video nobody watches — real, usable knowledge that sticks.
What this means for you: Your team understands what they're protecting and why. Awareness isn't a checkbox — it's the first line of defense.
3.3 · AU · 9 Controls
Audit & Accountability
Automated, tamper-evident audit logging across every system in your environment. StandFast captures who did what, when, and from where — and surfaces anomalies in real time. Logs are retained, protected from unauthorized modification, and reviewed continuously. Audit management is limited to authorized personnel only.
What this means for you: When something happens — or when an assessor asks — the record is there, complete, and defensible.
3.4 · CM · 9 Controls
Configuration Management
Infrastructure as Code keeps every system in a documented, auditable baseline state. Drift from that baseline is detected automatically and flagged for review. Changes go through a controlled process — nothing gets deployed that wasn't reviewed and approved. Unnecessary services, ports, and functions are disabled by default.
What this means for you: Your environment is what the documentation says it is. No surprises. No undocumented changes hiding in production.
3.5 · IA · 11 Controls
Identification & Authentication
StandFast's identity layer manages the full lifecycle of every account — provisioning, MFA enforcement, password policy, inactivity lockout, and deprovisioning. Cryptographically protected credentials throughout. Identifier reuse is prevented. Privileged accounts are treated as high-risk assets and controlled accordingly.
What this means for you: Every account is tracked and controlled from the moment it's created to the moment it's closed. No orphaned accounts. No weak credentials.
3.6 · IR · 3 Controls
Incident Response
StandFast maintains an operational incident response capability — not just a plan on paper. Detection feeds directly into documented response procedures. The 72-hour DoD reporting window is built into the workflow. Annual testing validates the capability before the real thing tests it for you.
What this means for you: When something goes wrong, your team knows exactly what to do and when. The DoD gets notified on time. You don't improvise under pressure.
3.7 · MA · 6 Controls
Maintenance
Automated patch management and controlled maintenance windows ensure systems stay current without unplanned disruption. Remote maintenance sessions are authenticated with MFA and terminated on completion. Equipment removed for maintenance is tracked and sanitized before return to service.
What this means for you: Maintenance is documented, controlled, and secure. Patches don't pile up. Remote sessions don't leave open doors.
3.8 · MP · 9 Controls
Media Protection
StandFast's advisory practice covers physical and digital media handling from day one — classification, marking, transport controls, sanitization, and destruction procedures. Removable media is controlled. Backup CUI is encrypted at rest. The policies are documented and your team knows them.
What this means for you: CUI doesn't walk out the door on an unmarked USB drive. Retired hardware doesn't expose data. The chain of custody is documented.
3.9 · PS · 2 Controls
Personnel Security
Onboarding and offboarding procedures are defined, documented, and enforced. Access is provisioned on confirmed need and deprovisioned immediately on separation — automated where possible. Screening processes are in place before sensitive system access is granted.
What this means for you: Former employees don't retain access. New employees are screened before they touch CUI. The people side of security is as controlled as the technical side.
3.10 · PE · 6 Controls
Physical Protection
StandFast's assessment practice evaluates physical security controls and provides remediation guidance tailored to your facility. Physical access to systems containing CUI is limited to authorized individuals. Visitor management, physical access logs, and alternate work site controls are documented in your SSP.
What this means for you: Your physical environment is documented and defensible. Assessors don't find unlocked server rooms or unescorted visitors in sensitive areas.
3.11 · RA · 3 Controls
Risk Assessment
Continuous vulnerability scanning with prioritized remediation tracking. Periodic formal risk assessments document the threat landscape, vulnerabilities, and your current risk posture. New vulnerabilities are identified and acted on — not queued indefinitely. This is not a one-time exercise.
What this means for you: You know your risk posture in real time, not just at assessment time. Vulnerabilities are remediated on a defined schedule, not when someone gets around to it.
3.12 · CA · 4 Controls
Security Assessment
StandFast maintains your System Security Plan as a living document — updated when your environment changes, not just before your next assessment. Control effectiveness is validated on an ongoing basis. POA&M items are tracked to actual closure. Assessment readiness is a continuous state, not a 90-day sprint.
What this means for you: You are ready for assessment every day, not just on assessment day. Your SSP reflects reality. Your POA&Ms close.
3.13 · SC · 16 Controls
System & Communications Protection
Zero Trust architecture at the network layer. Encrypted communications throughout — in transit and at rest. Boundary controls and network segmentation limit lateral movement. Deny-by-default network policy allows only what is explicitly authorized. FIPS-validated cryptography is used wherever CUI is handled. No CUI moves unprotected.
What this means for you: Your network is not flat and open. Communications are encrypted. Boundaries are enforced. A breach in one area stays contained.
3.14 · SI · 7 Controls
System & Information Integrity
Real-time threat detection, file integrity monitoring, and malicious code protection across your environment. Security advisories are tracked and acted on within defined timelines. Inbound and outbound communications traffic is monitored for attack signatures and anomalous behavior. Unauthorized use of systems is flagged and investigated.
What this means for you: Threats don't sit undetected in your environment for months. Malware is caught. System integrity is verified. The Ranger is always watching.