CMMC · Export Controls · Sanctions Compliance

What you need to pass your CMMC assessment and keep your contracts.

Fixed-scope CMMC Level 2 readiness assessments for defense contractors requiring a documented path to certification, remediation prioritization, and contract continuity. ITAR/EAR and sanctions review integrated where required.

For defense contractors, biotech firms, advanced technology companies, and outside counsel facing cybersecurity, export-control, or sanctions compliance requirements.

  • CISSP-certified, (ISC)²
  • Published open-source analytical methodology
  • Fixed-fee and retainer engagements
  • Nationwide remote availability

CMMC Level 2 Is Now Contract-Gating

Contractors without demonstrable readiness face elevated risk of bid exclusion beginning in the 2026–2027 acquisition cycle. Phase 1 enforcement is active. C3PAO assessments become mandatory for applicable contracts in November 2026.

  • SPRS score below 88 → no conditional certification path
  • No System Security Plan → assessment cannot proceed
  • Missing MFA or centralized logging → high-probability failure condition

See recent analysis: CMMC Level 2 Readiness Risk in the U.S. Defense Industrial Base →


Services

What I deliver

Structured readiness, remediation, and advisory engagements for organizations preparing for near-term C3PAO assessment, export-control review, or sanctions program development. Typical CMMC readiness engagements: 4–6 weeks.

Flagship · Entry Engagement

CMMC Level 2 Readiness Assessment

Full assessment against NIST SP 800-171 Rev 2. Gap matrix, SSP outline, POA&M, priority remediation roadmap. Integrated with ITAR handling controls where applicable.

Fixed fee · 4–6 weeks · Deliverables defined at scoping

Triggered · Follow-On

ITAR/EAR Classification & Compliance

ECCN and USML commodity jurisdiction determinations. Deemed export risk assessments. Technology Control Plans. Voluntary Self-Disclosure preparation.

Fixed fee · 2–4 weeks

Triggered · Follow-On

Sanctions Compliance Program Design

OFAC compliance frameworks aligned with the 2019 Framework for Compliance Commitments. Counterparty risk mapping. Screening program architecture and testing.

Fixed fee · 4–10 weeks

Advanced

CFIUS Cybersecurity Risk Assessment

Pre-filing cybersecurity risk assessments for transactions subject to CFIUS review. Network architecture analysis, data flow mapping, mitigation agreement compliance.

Hourly advisory · 2–6 weeks

Retainer

Virtual CISO

Part-time security leadership. Risk assessment, policy development, incident response planning, board-level reporting, and regulatory engagement. 15–25 hours/month.

Monthly retainer · Ongoing

Advanced

Technical Advisory for Counsel

Technical analysis supporting litigation teams on cybersecurity standards of care, export control matters, sanctions compliance disputes, and digital forensics.

Hourly advisory · Per engagement

Representative Engagements

What this looks like in practice

Anonymized engagement patterns illustrating typical scope, deliverables, and outcomes. No client-identifying information is disclosed.

CMMC + ITAR Integration

Defense subcontractor preparing for Level 2 certification while handling export-controlled technical data

Small electronics manufacturer (under 200 employees) with active DoD subcontracts required CMMC Level 2 readiness while also handling ITAR-controlled design files shared by the prime contractor. Assessment identified 34 control gaps, three ITAR handling deficiencies, and an undocumented CUI data flow to a cloud environment.

Deliverables: Gap matrix, SSP, POA&M, CUI boundary diagram, ITAR handling control recommendations, remediation priority roadmap.

Biotech Export Control Review

Biotech firm with foreign national research staff requiring deemed export analysis

Mid-market biotech company (300+ employees) with R&D staff holding citizenship in countries subject to EAR restrictions. Required deemed export analysis for controlled technology access, controlled technology segmentation, and a Technology Control Plan satisfying BIS requirements.

Deliverables: Deemed export risk assessment, ECCN classification memos for three product lines, Technology Control Plan, staff briefing materials.

CFIUS Diligence Support

Transaction counsel requiring cybersecurity risk analysis for foreign acquisition review

Outside counsel retained for CFIUS filing needed technical cybersecurity risk analysis for a cross-border acquisition involving a company with access to controlled unclassified information. Required network architecture review, data flow assessment, and a concise risk memo suitable for inclusion in the filing.

Deliverables: Cybersecurity risk assessment, data flow diagram, mitigation recommendation memo, architecture narrative for counsel.

Sanctions Compliance Architecture

Technology firm with international counterparty exposure requiring OFAC screening program

Software company expanding into markets with sanctions-adjacent counterparty risk. Required a compliance framework aligned with OFAC guidance, including screening architecture, escalation protocols, and a control matrix covering nine counterparty risk categories.

Deliverables: OFAC compliance framework, screening program architecture, escalation decision tree, control matrix, staff training materials.

Recent Analysis

Published risk assessment

CMMC Level 2 Readiness Risk in the U.S. Defense Industrial Base

Evidence, Drivers, and a 90-Day Remediation Path — March 2026

A non-trivial proportion of SMB defense contractors may not achieve CMMC Level 2 readiness without structured external remediation. One industry survey reported the average SPRS score among respondents at -12 against a required threshold of 88.

Documentation deficiency, control implementation gaps, and audit preparation failure are assessed as the primary structural drivers of non-readiness. These patterns appear consistent across the DIB.

Contractors entering late 2026 without an initiated gap assessment face elevated risk of contract ineligibility during the 2026–2027 acquisition cycle.

Who I Help

Typical clients

Organizations where cybersecurity compliance intersects with export controls, sanctions law, or foreign investment requirements.

Small defense contractors

Machine shops, electronics manufacturers, and software subcontractors (50–500 employees) facing CMMC Level 2 deadlines with no dedicated compliance staff. Typical pain: a contract-gating CMMC requirement with no clear path to assessment readiness.

Biotech and technology firms

Companies with international operations, foreign national R&D employees, or dual-use products requiring ITAR/EAR classification, deemed export analysis, and sanctions screening programs.

Outside counsel and PE/VC funds

Law firms needing technical cybersecurity analysis for CFIUS filings or export control matters. Investment funds requiring cybersecurity due diligence on acquisition targets in defense, biotech, or technology sectors.

Typical Deliverables

SSP & POA&M Package

System Security Plan and Plan of Action and Milestones for C3PAO assessment readiness.

Classification Memo

ECCN/USML jurisdiction and classification determination with supporting rationale.

Technology Control Plan

Deemed export controls for foreign national employees accessing controlled technology.

Sanctions Control Framework

OFAC compliance architecture with screening, escalation, and audit procedures.

Transaction Risk Memo

CFIUS cybersecurity risk assessment and mitigation recommendation for M&A transactions.

Board Security Briefing

Executive-level risk assessment and compliance status report for retainer clients.


Assessment Risk

What fails CMMC assessments

Based on publicly available C3PAO guidance and practitioner reporting, the following conditions are assessed as likely to produce assessment failure or conditional denial.

  • No current, tailored System Security Plan (SSP) — assessment cannot proceed without one
  • No multi-factor authentication for remote or privileged access — critical 5-point control deficiency
  • No centralized audit logging or evidence of log review — Audit and Accountability controls cannot be demonstrated
  • Evidence not collected, organized, or retrievable — implemented controls treated as not implemented for scoring
  • CUI boundary not defined or documented — assessment scope cannot be established
  • SPRS score below 88 with no viable POA&M path — no route to conditional certification

Presence of any single condition above is consistent with elevated risk of assessment failure. Presence of multiple conditions simultaneously is consistent with high probability of assessment failure.


Methodology & Published Research

How the work gets done

Published open-source analytical work supporting the sanctions, export-control, and risk-assessment methodology used in client engagements. Available for review before the first call.

Every compliance assessment, classification review, and risk analysis delivered by this practice follows the same analytical methodology documented in the WP-2026 research series: dual-axis probability and confidence labeling, explicit statement of limits and unknowns, structured evidence tiers, and prohibition on advocacy language.

The series was produced between January 15 and March 28, 2026. Full provenance is available via GitHub commit history.

Corpus Summary

  • 62 documents across 10 analytical domains
  • 374 georeferenced enforcement nodes
  • Interactive global enforcement map
  • Three documented red-team audit passes
  • Structured using ODNI analytic tradecraft principles
  • Licensed under CC BY 4.0

SIEGE-01 — Multi-Channel Financial Denial Framework

Seven-channel simultaneous pressure architecture with network classification and falsifiable indicators.

Core Framework

AML-01 — Illicit Finance Node Control Matrix

20 node types, nine illicit finance categories, eight-column control structure. Three-pass statutory audit.

Methodology

PERSIST-01 — Litigation-Resilient Statecraft Architecture

Six authority rails, four-tier standards of proof, neutral designation-selection rule.

Strategic Architecture

SENI-01 — Strategic Enforcement Node Index

374-node global sanctions enforcement targeting register with interactive georeferenced map.

374 Nodes

About

Collin George

Independent cybersecurity and compliance consultant. Founder, Center for Competitive Statecraft and Strategic Policy—an independent research initiative producing open-source policy analysis on sanctions enforcement, financial intelligence, and competitive statecraft.

Professional background in cybersecurity engineering and international trade compliance across biotech and technology sectors. Graduate coursework in intelligence analysis (Johns Hopkins University) and security studies (University of Central Florida, 3.875 graduate GPA). Clinical Laboratory Technician at the University of Washington Medical Center, Department of Laboratory Medicine and Pathology.

The analytical methodology documented in the WP-2026 series is applied directly in client engagements. Compliance assessments, classification reviews, and risk analyses follow the same structured evidence standards, confidence labeling, and explicit limits that govern the published research.

Certifications

  • CISSP — (ISC)²
  • BS Cybersecurity, Summa Cum Laude
    Columbia Basin College, 2019

Graduate Coursework

  • Intelligence Analysis — Johns Hopkins University
  • Security Studies — University of Central Florida (3.875 GPA)

Research Identifiers

Regulatory Domains

  • CMMC / NIST 800-171
  • ITAR / EAR / BIS Entity List
  • OFAC / Sanctions / AML-BSA
  • CFIUS / FIRRMA
  • IEEPA / CAATSA / ECRA

Entry Point

Initial readiness diagnostic

Structured 10–15 minute diagnostic

Estimate your current readiness posture and identify primary failure risks before committing to a full engagement. Designed for organizations preparing for near-term CMMC assessment.

  • Estimated SPRS range
  • Key control gaps
  • Assessment readiness risk level
  • Recommended next steps

Engagement Model

  01 Gap Assessment
  02 Control Remediation
  03 Documentation & Evidence
  04 Assessment Readiness

Typical engagements: 4–6 weeks. Structured around gap assessment, remediation prioritization, and evidence readiness. Designed for organizations preparing for near-term C3PAO assessment.


Contact

Assess your CMMC readiness

  • Fixed-fee scoping
  • Two-business-day response
  • Secure communication available
  • No sensitive materials via web form

Engagement inquiry

Use the form below to request a structured readiness diagnostic or scoped assessment discussion. Response within two business days. Initial scoping call at no charge.

Important: Do not submit classified, export-controlled, privileged, or otherwise restricted information through this form. Limit submissions to high-level scoping information. Submission of this form does not create a consulting engagement, confidentiality obligation, or attorney-client relationship absent a signed engagement agreement.

Response time

Initial response within two business days. Scoping proposals typically delivered within one week of discovery call.

Engagement format

Fixed-fee project engagements and monthly retainers. Fully remote with nationwide availability. Initial scoping call at no charge.

Secure communication

Encrypted communication is available for sensitive inquiries. Contact via the form to initiate.

Direct email

cgeorge@collinbgeorge.com

Scope of services

Services are advisory in nature and do not constitute legal advice. Where regulatory interpretation or legal determinations are required, coordination with qualified legal counsel is recommended.