Certified Lead CMMC Assessor (LCCA)

CMMC Compliance Consulting for DoD Contractors

CMMC 2.0 readiness and NIST 800-171 compliance consulting for DoD contractors across the Mid-Atlantic and nationwide. Backed by 15+ years in cybersecurity, direct DoD experience, and hands-on CMMC assessor certification.

  • Lead Certified CMMC Assessor (LCCA)
  • Certified CMMC Assessor (CCA)
  • Certified CMMC Professional (CCP)
Active Credentials
  • Lead Certified CMMC Assessor (LCCA): ISACA · Issued May 2026
  • Certified CMMC Assessor (CCA): ISACA · Issued April 2026
  • Certified CMMC Professional (CCP): ISACA · Issued March 2026
  • CASP+: CompTIA · Issued June 2024
  • CySA+ ce: CompTIA · Issued November 2022
  • MS Cybersecurity: NYU · CyberFellow 2023

CMMC 2.0 Is Now a Contractual Requirement

The Department of Defense has formally embedded CMMC requirements into contracts. Non-compliance means lost contracts — and potential legal liability. Understanding your level is the first step.

Level 1 — Foundational

Basic Cyber Hygiene

17 practices aligned to basic safeguarding of Federal Contract Information (FCI). Annual self-assessment.

Level 2 — Advanced

CUI Protection

110 practices aligned to NIST 800-171. Handles Controlled Unclassified Information. Triennial third-party assessments required for critical programs.

Level 3 — Expert

High-Value Asset Defense

110+ practices based on NIST 800-171 and select 800-172 requirements. Government-led assessments for the most sensitive programs.

Neal Fennimore
Founder, GetCMMC · LCCA

DoD Experience. Real-World Expertise.

I'm Neal Fennimore, founder of GetCMMC and a Mid-Atlantic–based Lead Certified CMMC Assessor with over 15 years securing enterprise and government environments for clients across the Mid-Atlantic and nationwide.

Most recently, I served as a Digital Service Expert at the Defense Digital Service, where I was the technical lead for the Pentagon's bug bounty program, helped audit ATO processes across multiple platforms, and integrated security solutions into cloud infrastructure.

As IT Security Director at a DoD contractor, I led CMMC compliance efforts firsthand — hardening on-prem and Azure infrastructure, deploying security systems, and building business continuity programs that meet federal requirements.

I hold an MS in Cybersecurity from NYU (CyberFellow program) and carry the full CompTIA security stack alongside ISACA's LCCA, CCA, and CCP designations.

  • 15+ Years in Security
  • DoD: Direct Experience
  • CCA: CMMC Certified

Industry Publications

Recognized voice in cybersecurity and authentication.

CSS-Tricks · March 2023

CMMC Compliance Services

From NIST 800-171 gap analysis to mock assessments, GetCMMC provides end-to-end readiness support for defense contractors pursuing CMMC certification.

CMMC Mock Assessments

Pre-assessment evaluations led by a Lead Certified CMMC Assessor, measuring your practices against CMMC Level 1 and Level 2 requirements — so you walk into your C3PAO assessment with no surprises.

Gap Analysis & Readiness

Thorough review of your current security posture against NIST 800-171 controls, with a prioritized remediation roadmap before your formal assessment.

Starting at $8,000

Zero Trust Architecture

Design and implementation guidance for Zero Trust architectures aligned to DoD and NIST frameworks — on-prem, Azure, or hybrid environments.

Policy & Documentation

Development of System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), and all supporting policies required for CMMC compliance.

Cloud Security (Azure/AWS)

Hardening of cloud infrastructure to meet CMMC and FedRAMP alignment requirements, including SIEM integration, VLAN segmentation, and MDM policy.

Training & Awareness

Custom cybersecurity training programs and tabletop exercises designed for defense contractor teams navigating CMMC requirements for the first time.

Built for Contractors. Free to Use.

Tools I built to help defense contractors understand and track their compliance posture before a formal assessment.

NIST SP 800-171 Rev 2 Compliance Tracker

A free, browser-based tool to walk through all 110 controls across 14 NIST SP 800-171 R2 families. Track your implementation status, view your running SPRS score, and generate a compliance summary — all stored locally in your browser with no account required.

Access Control · Audit & Accountability · Configuration Mgmt · Incident Response · Risk Assessment · System Integrity · + 8 more families
SPRS Score: 110 / 110 requirements met
  • 03.01 Access Control: 22 / 22
  • 03.02 Awareness & Training: 3 / 3
  • 03.03 Audit & Accountability: 9 / 9
  • 03.04 Configuration Mgmt: 9 / 9
  • 03.05 Identification & Auth: 11 / 11
  • 03.06 Incident Response: 3 / 3
  • + 8 more families…

Certifications & Education

Every credential active and maintained — because the threat landscape doesn't stand still.

CMMC Compliance FAQ

Quick answers to the questions defense contractors ask most about CMMC 2.0, NIST 800-171, and the assessment process.

What is CMMC 2.0 and who needs it?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Any company in the defense supply chain — primes and subcontractors alike — will need to meet the CMMC level specified in their contracts.

What is the difference between CMMC Level 1 and Level 2?

Level 1 covers 17 basic safeguarding practices for FCI and allows annual self-assessment. Level 2 requires all 110 NIST SP 800-171 controls for handling CUI, and most contracts involving CUI require a triennial third-party assessment by a C3PAO.

How long does it take to prepare for a CMMC assessment?

Most small and mid-sized contractors need 6 to 18 months to reach Level 2 readiness, depending on their starting posture. A gap analysis early in the process gives you a realistic timeline and a prioritized remediation roadmap.

What is an SPRS score?

Your SPRS (Supplier Performance Risk System) score reflects your self-assessed implementation of NIST SP 800-171, ranging from -203 to a perfect 110. DoD contracting officers can view it, and an accurate score is required under DFARS 252.204-7019/7020.

Does GetCMMC perform official CMMC certification assessments?

No — official Level 2 certification assessments are conducted by authorized C3PAOs. GetCMMC provides consulting, gap analysis, remediation support, and mock assessments led by a Lead Certified CMMC Assessor so you walk into your C3PAO assessment fully prepared.

How Engagements Work

A clear, senior-led path from where you stand today to walking into your C3PAO assessment prepared — led personally at every step by a Lead Certified CMMC Assessor.

  1. Discovery Call

    A short conversation about your contracts, the CMMC level you need, your timeline, and your current security posture — so we both know whether it's a fit before any commitment.

  2. Gap Analysis

    A thorough review of your environment against all 110 NIST SP 800-171 controls, delivered as a prioritized findings report and your current SPRS score.

  3. Remediation Roadmap

    We work the plan together — System Security Plan (SSP), POA&M, technical hardening, and the supporting policies CMMC requires — closing gaps in priority order.

  4. Mock Assessment

    An assessor-led dry run against the official criteria, so you walk into your C3PAO assessment with no surprises and the evidence to back every control.

Start Your Compliance Journey

Whether you're starting from scratch or preparing for a formal assessment, let's talk through where you stand and what it takes to get compliant.

Senior-led, capacity-limited. Every engagement is led personally by a Lead Certified CMMC Assessor (LCCA) — never handed off to junior staff. To protect that standard, I take on a limited number of clients at a time. Most inquiries get a reply within 1–2 business days.

Your information is kept confidential and never shared. See our privacy policy.
