What's Actually in the Box: A Full Inventory of Your CMMC Toolkit
When most contractors hear "CMMC toolkit," they picture a folder of policy templates they could've downloaded for free. Then they open the box. Here's everything that's actually inside.
You think it's "just templates." It isn't. The word "templates" is the single most expensive misunderstanding a contractor can carry into a CMMC project โ because it makes the whole thing look smaller than it is.
Say "CMMC toolkit" to most small contractors and a very specific picture forms in their head: a zip file with a dozen Word documents. An Access Control Policy. An Incident Response Policy. Some checkboxes. Things you could, honestly, find floating around the internet if you searched long enough.
So they price it that way. A folder of templates is worth, what, a couple hundred dollars? And then they either try to assemble that folder themselves for free, or they buy a generic template pack, and they sit down to "knock out CMMC over a weekend."
That weekend turns into a quarter. The quarter turns into a stalled project and a contract deadline getting uncomfortably close. Because the folder of policies was never the work. It was maybe ten percent of it.
This article opens the box. Not to sell you on volume for its own sake โ but because the actual surface area of CMMC compliance is so much larger than "templates" suggests that under-scoping it is the most common way small contractors fail. So let's lay out, plainly, what's inside.
The "It's Just Some Policy Templates" Trap
Here's why the misconception is dangerous, and it has nothing to do with whether templates are good or bad. It's about scope.
CMMC isn't a documentation exercise that lives in a folder. It's a requirement that your actual environment โ the laptops your people use, the phones they check email on, the network in your office, the Wi-Fi in the home office where half your team works โ is configured a specific way, and that you can prove it. Policies describe what's supposed to be true. The rest of the work is making it true and documenting the proof.
When a contractor pictures "just templates," they mentally erase all of that. They don't account for the device configuration. They don't account for the network setup. They don't account for the home offices. They don't account for evidence collection, which is its own distinct deliverable. And they definitely don't account for the platform-specific reality that a Microsoft 365 environment and a Google Workspace environment require completely different configuration steps to reach the same control.
โ The under-scoping spiral. Contractor assumes "a folder of docs" โ prices and plans for a weekend โ hits the device-config and evidence reality at week two โ realizes the scope is 5x what they budgeted โ momentum dies โ the project stalls right as the contract deadline arrives. The failure point isn't the templates. It's the surface area nobody warned them about.
This is the thing nobody tells you up front, and it's exactly why we built the packages the way we did. The value isn't a prettier policy template. The value is that every piece of that hidden surface area is accounted for, defined, and guided โ so you never hit the "wait, there's how much more?" wall halfway through.
So here's the inventory. We've grouped it so it stays scannable โ we're not going to list all 142 or 182 artifacts individually. The point isn't the line items. The point is the categories, because the categories are where the surprise lives.
The Turnkey CMMC Level 1 Package
This is the package for contractors handling Federal Contract Information (FCI) who need to self-assess against CMMC Level 1. Here's what's inside.
Platform-Specific Policies and Procedures
Not generic boilerplate. Policies and the step-by-step procedures behind them, written for your actual platform โ Microsoft 365 or Google Workspace. No translating enterprise documents into your environment.
8 Device & Network Configuration Guides
The part everyone forgets. Step-by-step config for Windows, Mac, iOS, Android, plus home-office and small-office network setups, and more. This is the "make it actually true" half of CMMC.
Implementation Procedures & Workflows
The order of operations. What to do, in what sequence, so the 142 artifacts come together as a coherent project instead of 142 disconnected to-dos.
The Evidence Locker
Upload evidence to each artifact as you implement. It auto-organizes by domain, practice, and artifact โ no manual folder wrangling โ tracks completeness, and exports a date-stamped ZIP with automated compliance reports. Assessment-ready in one click.
Self-Assessment Documentation + SPRS Report
Your self-assessment, packaged and date-stamped, plus the SPRS scoring and submission report you actually need to file. The finish line, built in.
8 Bi-Weekly Expert Consulting Sessions
One hour each. This is what keeps momentum from dying at week two. You're not handed a box and left alone โ you've got an expert on the calendar to keep you moving.
Why this matters: Look at that list and notice how little of it is "policy templates." Five of the six categories are about the environment, the proof, and the guidance. Most L1 clients complete their assessment in 2โ4 weeks โ and the reason it's that fast isn't a shortcut. It's that none of the hidden surface area is hidden anymore.
The L2 CUI Enclave Package โ What Gets Added
If you handle Controlled Unclassified Information (CUI) under a DoD contract, Level 1 isn't enough. The L2 CUI Enclave Package covers a substantially larger surface area โ built specifically for small businesses with limited CUI needs who qualify for self-assessment.
โ ๏ธ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.
182 Artifacts Across 14 Domains
110 practices mapped to 182 defined artifacts spanning all 14 CMMC domains โ AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, and SI. Every requirement broken into a concrete deliverable.
Dedicated CUI Enclave Configuration Guides
Built for a focused CUI enclave on Microsoft 365 GCC High or Google Workspace for Government โ your choice. No Active Directory, no SIEM, no enterprise IT required.
Pre-Filled System Security Plan (SSP)
The cornerstone L2 document, delivered as a pre-filled template rather than a blank page. You tailor it to your environment instead of writing it from scratch.
POAM Framework & Risk Register
A Plan of Action & Milestones framework to track remediation, plus a Risk Register to document and manage risk โ both structured and ready to populate.
Evidence Checklist + SPRS Docs
An evidence checklist mapped to the L2 requirements, plus SPRS scoring and self-assessment documentation, so the proof and the submission are accounted for end to end.
Time Estimates on Every Task
Every task carries a time estimate, so the whole enclave is implementable part-time. You can fit it around the work you're already doing instead of stopping everything.
Notice what the L2 box is really about: it adds the documentation backbone โ the SSP, POAM, and Risk Register โ and the enclave configuration that a CUI environment demands, on top of everything the L1 box already covers in spirit. The surface area is larger because CUI is a higher bar. But the framing never changes: it's right-sized for a small business, not scaled for an enterprise.
Want a walkthrough of what would be in your box specifically?
Book a Free 30-Minute Consultation"We Provide It, You Implement It" โ The Framing That Makes the Breadth Achievable
Reading an inventory this long, a fair reaction is: "That's a lot. Who's actually doing all of it?"
Here's the honest answer, and it's the framing the whole model rests on: we provide the templates, the configuration guides, and the consulting. You implement, with our support at every step.
That distinction matters, and we're deliberate about it. We don't log into your tenant and configure your environment for you. We don't ship you hardware. What we do is remove every "figure it out from scratch" moment from the process. The policy is written for your platform โ you review and adopt it. The device guide is step-by-step โ you follow it. The Evidence Locker is built โ you upload as you go. The SSP is pre-filled โ you tailor it. And on the bi-weekly calls, when you hit something that doesn't fit cleanly, you've got an expert to work it through with.
The breadth is exactly why this is achievable instead of overwhelming. A blank CMMC requirement is paralyzing. A defined artifact with a template, a guide, a time estimate, and a consultant on the calendar is just a task. The volume isn't the burden โ it's the map. Every item in the box is one fewer thing you have to invent yourself.
This is the difference between buying a box of parts and buying a guided build. The parts alone would still leave you staring at the hardest questions in CMMC โ what does "compliant" look like on a personal iPhone? how do I prove my quarterly access review actually happened? what goes in an SSP for a three-person CUI enclave? โ with no answer. The guided build answers them and walks you through.
Over the Next Five Pieces, We'll Open Each Part of the Box
This was the wide-angle inventory. The rest of the series goes inside each major piece โ because each one deserves a closer look than a single bullet on a list can give it.
The Device & Network Config Guides โ the work nobody scopes
Policies vs. Procedures โ why you need both, and what generic packs miss
The Evidence Locker โ turning implementation into assessment-ready proof
The L2 Documentation Backbone โ SSP, POAM & Risk Register, demystified
SPRS & Self-Assessment Docs โ crossing the finish line and filing it right
Follow along, and by the end you'll understand not just that the box is full, but exactly what each piece does and why it's there.
What It Costs to Open the Box
L1 Turnkey Package
15 practices โ 142 artifacts, 8 device & network config guides, Evidence Locker, SPRS docs, 8 bi-weekly sessions.
L2 CUI Enclave Package
110 practices โ 182 artifacts, enclave config guides (GCC High or Google Workspace for Government), pre-filled SSP, POAM, Risk Register, 12 bi-weekly sessions.
Combined L1 + L2
Everything in both boxes โ the complete inventory across both levels.
โ ๏ธ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.
Want a Walkthrough of What Would Be in Your Box?
Bring your setup โ your platform, your team size, your CUI situation. In 30 minutes we'll map exactly which box fits and what would be inside it for you. No pitch, no obligation. If you're closer than you think, we'll tell you that too.
Book Your Free Consultation Explore the PackagesYou're not buying templates. You're buying everything you'd otherwise have to figure out, build, and organize yourself.
