Cybersecurity Services for Defense Contractors

Security and Compliance Solutions for the Defense Industrial Base

Preparing for CMMC 2.0 – Securing Our Nation’s Supply Chain.

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. Original release 2015. Required implementation NLT December 31, 2017.

DFARS 252.7019: Notice of NIST SP 800-171 DoD Assessment Requirements – Informs contractors of the requirement to assess the information system against NIST SP 800-171 and report the result in the Supplier Performance Risk System (SPRS).

DFARS 252.7020: NIST SP 800-171 DoD Assessment Requirements – On or after November 30, 2020, the contracting officer shall, prior to awarding a contract, task order or delivery order to, or exercising an option period or period of performance with, an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause DFARS 252.204-7012, verify that the summary level score of a current NIST SP 800-171 DoD Assessment is posted in SPRS for each covered contractor information system that is relevant to an offer, contract, task order or delivery order.

DFARS 252.7021: Cybersecurity Maturity Model Certification (CMMC) Requirements – The Contractor shall have a current (i.e., not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.

Preparing for CMMC

Defense contractors must implement the required cybersecurity measures outlined in NIST SP 800-171 controls plus the additional 20 controls for CMMC. According to DFARS 252.204-7021, organizations seeking to do business with the Department of Defense will require certification, performed by a Certified Third Party Assessment Organization (C3PAO) every three years. These Organizations Seeking Certification (OSC) should plan for a comprehensive cybersecurity approach to protect corporate assets, information and systems. Cyber readiness means a contractor has taken the appropriate steps to create resilient and secure information systems, including the capability for an appropriate and rapid response when an incident does occur.



We are pleased to announce that the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) has recognized Riverstone Solutions, Inc. (RSI) as a Registered Provider Organization (RPO). RSI is registered to provide advice, consulting, pre-assessment readiness reviews, documentation, and recommendations for the CMMC to its clients.

Riverstone Solutions is a Microsoft Silver Partner, with Information Technology expertise in planning and implementing secure and compliant systems, both on-premises and in the cloud. We are skilled in Federal contracting requirements for protecting ITAR and Controlled Unclassified Information (CUI) and Federal Information Systems.

Cyber Readiness and Assessment

RSI works with defense contractors to achieve CMMC goals in a variety of ways, including:

  • Planning – determination of specific certification needs;
  • Readiness Review – determination of target certification level and identification of deficiencies;
  • Remediation – ensuring processes are conducted and documented in a manner to provide supporting evidence during certification assessment.


Phase 1: Discovery

Phase 2: NIST 800-171 or CMMC ML3 Compliance Assessment

Phase 3: Plan of Action and Milestones (POA&M)*

Phase 4: System Security Plan (SSP)*

Phase 5: Cybersecurity Policies*

Phase 6: SPRS Score and Recommendations

*Documentation Package Offering


Beyond the POA&M – IT System Remediation

Riverstone Solutions is an Information Technology company. We are well versed in maintaining and remediating corporate infrastructure to attain and maintain compliance with cybersecurity requirements. This includes tasks such as implementing Multi-Factor Authentication, securing corporate networks and email systems, and establishing SIEM-like logging and audit capabilities. If your company has a plan of action, we can help to execute it and drive outstanding actions back to green.