The Session Arc: 8 Sessions for L1, 12 for L2 — How CMMC Compliance Actually Gets Done
The week-by-week roadmap for both packages — from kickoff call to SPRS submission.
Most CMMC consulting engagements are open-ended — you pay by the hour and hope it ends. Both Overwatch Tools packages are the opposite: a defined number of sessions with a defined arc. Eight sessions for Level 1. Twelve for Level 2. Fixed scope. Fixed price. A finish line you can actually see from the start.
If you've ever shopped for CMMC consulting, you've probably gotten the same answer twice: "It depends." Depends on your environment. Depends on how much help you need. Depends on the assessor. The quote comes back as an hourly rate and a vague timeline, and somewhere in the back of your mind you know the number on the final invoice isn't going to match the number on the proposal.
That model exists because most consultants build their business around it. Open-ended engagements protect the consultant, not the client. The further you get into the project, the harder it is to walk away — so the project keeps going.
We built both packages to work the opposite way. Level 1 Turnkey is 8 bi-weekly sessions. Level 2 CUI Enclave is 12 bi-weekly sessions. Both have a defined start, a defined arc, and a defined endpoint: your self-assessment, packaged and SPRS-submitted. This post walks through exactly what happens in each one.
Why Bi-Weekly Cadence Works for Both
The most common scheduling instinct is weekly. The most common reality is that small contractors can't actually do the implementation work between weekly sessions while still running their business. Bi-weekly gives you the breathing room to actually do the work — and an expert checkpoint every two weeks to keep momentum.
The pattern is the same at both levels:
- Session: 1 hour, focused, with artifacts and worksheets prepared in advance
- Between sessions: roughly 2 weeks of implementation, supported by the artifact library, configuration guides, and templates
- Next session: review what got done, work through what didn't, set the next stretch
Sessions are checkpoints, not the work itself. The artifacts are your playbook. The sessions keep you on the path.
The L1 Turnkey Arc: 8 Sessions, Kickoff to SPRS
Level 1 covers 15 practices mapped to 142 required artifacts. The 8-session arc takes a contractor from "where do we even start" to a submitted SPRS self-assessment and date-stamped documentation package. Most clients complete their L1 assessment in 2–4 weeks of focused effort, though the calendar timeline depends on existing infrastructure, platform choice, and how quickly you can implement between sessions.
We confirm your scope (what's in, what's out), do a baseline assessment of where you stand against the 15 L1 practices, and map out which artifacts you already have versus which need to be built. You leave with a clear plan and the artifact library ready to use.
We work through the policy set and supporting procedures — right-sized for a small business, not adapted from enterprise templates. By the end of session 3, your written policies are in place and your procedure documents are tailored to how you actually operate.
We walk through the configuration guides for your platform (Microsoft 365 or Google Workspace) and every device class you have in scope — Windows, Mac, mobile, plus your network. You implement; we troubleshoot and validate. This is where most of the implementation muscle gets built.
We work through every artifact's evidence requirement — what counts, what doesn't, where to capture it, and how to organize it in your Evidence Locker. By the end of session 7, your evidence is collected, dated, and assessment-ready.
We do a final walk-through, score your self-assessment, package the documentation, and walk you through SPRS submission. You finish with a date-stamped, submitted self-assessment and a maintenance plan for the year ahead.
That's the whole arc. Eight sessions. One hour each. A defined endpoint. Most clients complete their L1 assessment in 2–4 weeks of focused work — though the exact calendar timing depends on your starting infrastructure and how much time you can dedicate between sessions.
Want to talk through your starting point and which package fits your business?
Book a Free 30-Minute ConsultationThe L2 CUI Enclave Arc: 12 Sessions, Scoped for 110 Practices
Level 2 is a bigger surface area — 110 practices mapped to 182 defined artifacts, across 14 CMMC domains (AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI). The L2 CUI Enclave Package adds four sessions to handle that scope and to support enclave-specific work: SSP completion, POAM framework, Risk Register, and the dedicated CUI enclave architecture.
⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Not sure which applies to your contract? A free 30-minute consultation is the right first step.
The arc is structured in five groups:
We define the CUI footprint — what data, what users, what devices, what flows — and lock down the enclave scope. We make the platform decision (Google Workspace for Government or Microsoft 365 GCC High) and lay out the enclave architecture. The goal: a scope that's as small as your contract allows.
Four sessions covering the 14 L2 domains — Access Control, Identification & Authentication, Audit, Configuration Management, Incident Response, and the rest. We work through the practices, the supporting policies, and the procedures that connect them to your daily operations.
Platform configuration in your chosen environment (GWS for Gov or M365 GCC High) plus device hardening for your dedicated CUI workstations — Windows laptops or Chromebooks scoped to the enclave only. Every task has a time estimate, so implementation is plannable around your day job.
We complete your System Security Plan using the pre-filled template, build out your POAM framework, populate the Risk Register, and walk through the evidence checklist. By the end of session 11, your full documentation package is in place.
Final review, SPRS scoring, self-assessment packaging, and submission. You finish with your L2 self-assessment submitted, your enclave fully documented, and a maintenance rhythm in place for the year.
The L2 arc is longer because the scope is bigger — but it's still defined. You know what session 1 looks like. You know what session 12 looks like. Everything in between has a purpose. And because every task has a time estimate attached, L2 is implementable part-time over the 12-session arc.
Between Sessions: Where the Real Work Happens
The sessions are the checkpoints. The implementation happens in between. That's the honest framing, and it's also why this model works for small contractors who can't afford to halt the business for compliance.
In the two weeks between any session, the typical pattern looks like this:
- Open the artifacts and configuration guides covered in the last session
- Apply the templates to your specific environment (your tenant, your devices, your team)
- Capture evidence as you go — screenshots, exports, signed documents — into the Evidence Locker
- Flag anything that's not working or doesn't match your environment for the next session
- Show up to the next session with the work done (or with the specific blocker that stopped it)
We provide templates, configuration guides, and consulting. Clients implement. We don't ship a team to your office, and we don't touch your production environment. What we do is make sure you have everything you need to do the work right — and a checkpoint every two weeks to confirm you're on track.
Fixed Scope vs. Open-Ended Hourly: Why It Matters
The Quiet Cost of Open-Ended Hourly Consulting
When the engagement isn't scoped, four things tend to happen:
- Scope creep is silent. "Just one more session" stops being a one-time thing.
- You can't budget. The final number is a surprise. Often a bad one.
- You can't compare. Hourly proposals from different consultants don't tell you anything useful about total cost.
- You can't plan. Without a defined arc, you can't tell your contracting officer when you'll be assessment-ready.
Fixed-scope consulting flips all of that. L1 is $2,495/year for 8 sessions. L2 is $3,495/year for 12 sessions. If you need both, it's $5,990/year combined. There is no hourly meter running. There is no scope creep. There is a finish line, and you can plan your contracts around it.
L1, L2, and Combined: Side-by-Side
| L1 Turnkey | L2 CUI Enclave | L1 + L2 Combined | |
|---|---|---|---|
| Annual price | $2,495/yr (Save $500 — reg. $2,995) |
$3,495/yr | $5,990/yr |
| Consulting sessions | 8 bi-weekly (1 hr each) | 12 bi-weekly (1 hr each) | 20 sessions total |
| CMMC scope | Level 1 — Self-Assessment | Level 2 — Self-Assessment (enclave) | Full FCI + CUI coverage |
| Practices → Artifacts | 15 → 142 | 110 → 182 | 125 practices · 324 artifacts |
| Supported platforms | M365 or Google Workspace | M365 GCC High or GWS for Gov | Both, side by side |
| Typical completion | L1 assessment in 2–4 weeks | Part-time across 12-session arc | Sequenced — L1 first, then L2 |
| Documentation deliverables | Evidence Locker, SPRS report, self-assessment package | SSP, POAM, Risk Register, evidence checklist, SPRS report | All of the above |
Combined pricing is a real consideration for contractors who handle both FCI and CUI — your main business runs on L1, and your CUI work runs in a scoped L2 enclave. Together: $5,990/year for full compliance coverage.
What You Won't Find in Either Arc
A few things to be honest about up front, because they matter:
- We don't do hands-on implementation. No remote-into-your-server, no "we'll handle the device hardening for you." You implement, supported by templates, configuration guides, and the consulting checkpoint every two weeks.
- We don't sell hardware. Dedicated CUI laptops or Chromebooks for L2 are something you procure. We provide the configuration guides.
- We don't promise specific assessment outcomes. What we promise is a complete, defensible, well-documented self-assessment package. The DoD can audit any L1 self-assessment at any time, and L2 self-assessments must hold up to C3PAO scrutiny once the self-assessment window closes. Our job is to make sure yours does.
- We don't promise calendar-exact timelines. "Most clients complete L1 in 2–4 weeks" is real — but it depends on your existing infrastructure, your platform choice, and how much time you can put into implementation between sessions.
What the Sessions Add Up To
By the end of either arc, you have the same thing: a submitted self-assessment and the documentation to defend it.
For L1, that's 142 artifacts captured, an Evidence Locker organized by practice, and an SPRS-submitted score. For L2, that's 182 artifacts plus a completed SSP, a POAM framework, a Risk Register, and a fully scoped CUI enclave that survives outside scrutiny. In both cases, you're not just compliant on paper — you have a maintenance rhythm in place to stay compliant through the year.
Both packages also start the same way: a free 30-minute kickoff consultation to confirm scope, set expectations, and get session 1 on the calendar.
That's the path. It's defined. It's structured. And whether you need L1, L2, or both, the next step is the same: a free conversation to figure out where you are and which arc fits.
Ready to See What Your Session Arc Would Look Like?
The free 30-minute consultation covers your CMMC scope (L1, L2, or both), your platform options, and what the session arc would look like for your specific business. No obligation. No sales pitch.
Book Your Free 30-Minute Consultation
Overwatch Tools · CMMC Compliance for Small Defense Contractors · Chesapeake, Virginia
overwatchtools.com
