A former employer recently reached out to me to ask if I could help them achieve level 2 CMMC certification. The owner said she was working with a nonprofit designed to assist small businesses but was quite confused since she is "not a tech person".
Fast forward to me saying I could work on it/translate tech as a side project... and suddenly there are no preexisting documents. I'm asking for policies, asset lists, diagrams, basically all of the usual related documents. This is how I've learned the company does not have a single IT person. I found one 2023 Security Review document but they've supposedly been L1 since 2021? The company provides bodies to support government contracts and those individuals never use company networks for work or CUI.
I can always create documents designed to meet the requirements, but obviously this is a much bigger lift than I was originally picturing. This leads me to the question: Is it even realistically possible for a company of about a dozen people to be L2 certified without a full-time IT person/department?
Side note: Do not DM to sell your services.